From 075944abba3d1d4614d28b14ae065899983e61af Mon Sep 17 00:00:00 2001
From: "Jens L."
Date: Mon, 14 Oct 2024 17:03:58 +0200
Subject: [PATCH] providers/scim: add option to ignore SCIM server cert
(#11437)
Signed-off-by: Jens Langhammer
---
authentik/providers/scim/api/providers.py | 1 +
authentik/providers/scim/clients/base.py | 1 +
.../0010_scimprovider_verify_certificates.py | 18 ++++++++++++++++++
authentik/providers/scim/models.py | 1 +
blueprints/schema.json | 4 ++++
schema.yml | 6 ++++++
.../admin/providers/scim/SCIMProviderForm.ts | 17 +++++++++++++++++
7 files changed, 48 insertions(+)
create mode 100644 authentik/providers/scim/migrations/0010_scimprovider_verify_certificates.py
diff --git a/authentik/providers/scim/api/providers.py b/authentik/providers/scim/api/providers.py
index 731077e6aa64..bda38e063c7a 100644
--- a/authentik/providers/scim/api/providers.py
+++ b/authentik/providers/scim/api/providers.py
@@ -26,6 +26,7 @@ class Meta:
"verbose_name_plural",
"meta_model_name",
"url",
+ "verify_certificates",
"token",
"exclude_users_service_account",
"filter_group",
diff --git a/authentik/providers/scim/clients/base.py b/authentik/providers/scim/clients/base.py
index d6d20f1e371b..246520114c83 100644
--- a/authentik/providers/scim/clients/base.py
+++ b/authentik/providers/scim/clients/base.py
@@ -42,6 +42,7 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
def __init__(self, provider: SCIMProvider):
super().__init__(provider)
self._session = get_http_session()
+ self._session.verify = provider.verify_certificates
self.provider = provider
# Remove trailing slashes as we assume the URL doesn't have any
base_url = provider.url
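Review bot: Setting `self._session.verify = provider.verify_certificates` turns off TLS certificate validation for every request this client sends whenever the flag is False, and nothing at that line makes the consequence visible to whoever reads the code or the logs later. I would at least annotate it, `self._session.verify = provider.verify_certificates  # False disables TLS verification for all SCIM requests of this provider`, and, using whatever logger this module already has, emit one warning in `__init__` when verification is disabled so an operator can see from the logs that this provider accepts any server certificate. The attribute is mutated on the object returned by `get_http_session()`; this is only safe if that helper hands out a fresh session per call rather than a shared one, which the hunk does not show — worth confirming. With `verify=False`, urllib3 presumably also emits an InsecureRequestWarning per request, so consider whether that noise is intended. `__init__` continues past the end of the hunk.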
diff --git a/authentik/providers/scim/migrations/0010_scimprovider_verify_certificates.py b/authentik/providers/scim/migrations/0010_scimprovider_verify_certificates.py
new file mode 100644
index 000000000000..5a78e2ae04b4
--- /dev/null
+++ b/authentik/providers/scim/migrations/0010_scimprovider_verify_certificates.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.0.9 on 2024-09-19 14:02
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ("authentik_providers_scim", "0009_alter_scimmapping_options"),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name="scimprovider",
+ name="verify_certificates",
+ field=models.BooleanField(default=True),
+ ),
+ ]
diff --git a/authentik/providers/scim/models.py b/authentik/providers/scim/models.py
index 8f940deebcc1..db6e2086b297 100644
--- a/authentik/providers/scim/models.py
+++ b/authentik/providers/scim/models.py
@@ -68,6 +68,7 @@ class SCIMProvider(OutgoingSyncProvider, BackchannelProvider):
url = models.TextField(help_text=_("Base URL to SCIM requests, usually ends in /v2"))
token = models.TextField(help_text=_("Authentication token"))
+ verify_certificates = models.BooleanField(default=True)
property_mappings_group = models.ManyToManyField(
PropertyMapping,
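Review bot: The new `verify_certificates` field has no `help_text`, while the neighbouring `url` and `token` fields do, so the admin UI and any generated schema give no hint of what disabling it means. I would add one that states the consequence plainly, e.g. `verify_certificates = models.BooleanField(default=True, help_text=_("Verify the SCIM server's TLS certificate. Disabling this makes the connection trust any certificate."))`. The `blueprints/schema.json` hunk in this commit shows the field with only a title and no description; if that schema is generated from the model, adding the help text here should fill it in as well. The `SCIMProvider` class continues outside the hunk.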
diff --git a/blueprints/schema.json b/blueprints/schema.json
index 25836f1d06e1..7d8bcc8e6b0c 100644
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@@ -5956,6 +5956,10 @@
"title": "Url",
"description": "Base URL to SCIM requests, usually ends in /v2"
},
+ "verify_certificates": {
+ "type": "boolean",
+ "title": "Verify certificates"
+ },
"token": {
"type": "string",
"minLength": 1,
diff --git a/schema.yml b/schema.yml
index 2eb347b4d234..3b8f749eadaf 100644
--- a/schema.yml
+++ b/schema.yml
@@ -47257,6 +47257,8 @@ components:
type: string
minLength: 1
description: Base URL to SCIM requests, usually ends in /v2
+ verify_certificates:
+ type: boolean
token:
type: string
minLength: 1
@@ -50479,6 +50481,8 @@ components:
url:
type: string
description: Base URL to SCIM requests, usually ends in /v2
+ verify_certificates:
+ type: boolean
token:
type: string
description: Authentication token
@@ -50562,6 +50566,8 @@ components:
type: string
minLength: 1
description: Base URL to SCIM requests, usually ends in /v2
+ verify_certificates:
+ type: boolean
token:
type: string
minLength: 1
diff --git a/web/src/admin/providers/scim/SCIMProviderForm.ts b/web/src/admin/providers/scim/SCIMProviderForm.ts
index 8fc923af4f6c..0d82688ad37d 100644
--- a/web/src/admin/providers/scim/SCIMProviderForm.ts
+++ b/web/src/admin/providers/scim/SCIMProviderForm.ts
@@ -90,6 +90,23 @@ export class SCIMProviderFormPage extends BaseProviderForm {
${msg("SCIM base url, usually ends in /v2.")}
+
+
+