Created question in FIWARE Q/A platform on 08-05-2016 at 00:05
Please, ANSWER this question AT https://stackoverflow.com/questions/37094473/fiware-keyrock-scim-api-bug-check-allowed-to-get-and-assign-got-an-unexpecte

Question:
Fiware KeyRock SCIM API bug: _check_allowed_to_get_and_assign() got an unexpected keyword argument 'userName'

Description:
We want to use the FIWARE IdM, both Keystone and Horizon. Specifically during sign-up we want to

create a user
add that user to an organisation
authorise the user for an application

We have installed Keystone and Horizon using the latest KeyRock docker image on the docker hub (https://hub.docker.com/r/fiware/idm/).

Because the KeyRock web interface creates Cloud organisations, community users in regions like Spain etc i decided to try to use the SCIM API to create and authorize users:

Note: The SCIM API documents (http://docs.keyrock.apiary.io/#reference/scim-2.0) imply the SCIM calls are on the KeyRock server port, however they are available on the Keystone server port. The SCIM documentation would be clearer if it mentioned http://[keystone server]/v3/OS-SCIM/v2/Users/ instead of http://keyrock/v3/OS-SCIM/v2/Users/

Lets say we have an application (SCIM consumer) with application_id=app1. This application is created using the Horizon front-end, or using the

POST /v3/OS-OAUTH2/consumers

call. I am not aware of a difference between the two ways of creating an application although i have not tried the latter yet. This is a one-time operation, so we used the web interface to create the application and associated role.

so we have a role for the application = role1

and we create a user using SCIM

POST /v3/OS-SCIM/v2/Users/

that yields user_id=user1

When i try to authorize him for our application with

PUT /v3/OS-ROLES/users/user1/applications/app1/roles/role1

i get the following error:

{
"error":

}

The next step would be to obtain a resource owner token through KeyRock using

POST [KeyStone server]/oauth2/token

But that is moot because of the above error.

Logging into the KeyRock user interface with user1 gives the error:
"You are not authorized for any projects." I assume this is because user1 is not authorized for an organisation. user1 is invisible to other users or the admin in the KeyRock user interface so i cannot assign the necessary authorizations.

Any ideas anyone?
Which roles does user1 still need to have and how to assign them so that KeyRock is satisfied?