ZABBIX FEATURE REQUESTS: ZBXNEXT-8760

JIT user provisioning improvement


    • Type: Change Request
    • Resolution: Unresolved
    • Priority: Trivial
    • Fix version: 7.0.0rc1, 7.0 (plan)
    • Sprints: Sprint 107 (Dec 2023), S2401, S24-W6/7, S24-W8/9, S24-W10/11, S24-W12/13, S24-W14/15, S24-W16/17, S24-W18/19, S24-W20/21

      Summary

      Zabbix has a great capability to provide just-in-time user provisioning via LDAP and SAML. Unfortunately there are a few pain points that limit Zabbix users:

      1. User media is limited to one provisioned value (e.g. one email address);
      2. No editing of provisioned user media attributes (e.g. working hours or severity): they are set to enabled 24*7 for all severities;
      3. The user has no possibility to add an alternative email/phone number which is not registered in the IdP (identity provider), such as an additional support person's email or a private number for a specific occasion (which should not be added to the corporate IdP);
      4. No user media attribute updates via SCIM;
      5. Incorrect re-creation of the Zabbix user profile when the primary email/login name has changed in the SAML IdP;
      6. The current SAML implementation has limited functionality for IdPs that use complex response structures and various name ID formats.

      All of the above pain points basically come from two deficiencies:

      1. There is no attribute indicator to specify the source (manually entered, IdP provisioned) of user media;
      2. The Zabbix SCIM/SAML request filter parser needs to be improved to gain better compatibility with third-party IdPs and be more flexible with data retrieval from these IdPs.

      Use case

      1. As a user I want to:
        1. add additional media (e.g. an alternative email) besides the provisioned ones;
        2. provision all my email addresses from the IdP and keep the first one as the active primary one;
        3. set custom working hours and severity for user media, also with identity provisioning enabled;
        4. receive correct user attribute updates from SAML IdPs.
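      The two deficiencies and the use cases above all hinge on tagging each user-media row with its source. The following is an added illustration of how a provisioning sync can use that tag; it is not Zabbix code, and the Media model, field names and sample addresses are assumptions made for the example (Zabbix's real schema and API are different).

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Source(Enum):
    MANUAL = "manual"   # entered by the user or an admin in the frontend
    IDP = "idp"         # provisioned from the identity provider (LDAP/SAML/SCIM)


# Hypothetical model of one user-media row. The fields mirror the concepts in
# the request (media type, send-to address, active flag, severity bitmask,
# working-hours period) but are NOT Zabbix's own schema.
@dataclass
class Media:
    mediatype: str                     # e.g. "Email", "SMS"
    sendto: str
    source: Source
    active: bool = True
    severity: int = 63                 # bitmask over 6 severities, 63 = all
    period: str = "1-7,00:00-24:00"    # enabled 24*7 by default


def reconcile(existing: List[Media], idp_values: Dict[str, List[str]]) -> List[Media]:
    """Merge freshly provisioned values into a user's media list.

    existing   - the user's current media rows, each tagged with its source
    idp_values - media type -> ordered list of values taken from the IdP
                 (e.g. all mail addresses from a multi-valued SAML attribute)

    Rules:
      * MANUAL rows are never touched by provisioning (pain point 3).
      * For each media type present in idp_values, the IDP rows become exactly
        the values the IdP sent (pain point 1): rows still present keep their
        user-set active/severity/period (pain point 2); values that disappeared
        are removed; new values are added with defaults, and only the first
        value is active by default (use case 2).
      * IDP rows for media types absent from idp_values are left untouched.
      * An IdP value equal to an existing MANUAL row is not duplicated.
    """
    result: List[Media] = [
        m for m in existing
        if m.source is Source.MANUAL or m.mediatype not in idp_values
    ]
    for mediatype, values in idp_values.items():
        current = {m.sendto: m for m in existing
                   if m.mediatype == mediatype and m.source is Source.IDP}
        manual = {m.sendto for m in result
                  if m.mediatype == mediatype and m.source is Source.MANUAL}
        for index, value in enumerate(values):
            if value in manual:
                continue            # the user already manages this address
            row = current.get(value)
            if row is None:         # newly provisioned: defaults, first is primary
                row = Media(mediatype, value, Source.IDP, active=(index == 0))
            result.append(row)
        # IDP rows of this media type that the IdP no longer sends were never
        # copied into result, so they are deprovisioned here.
    return result


def summary(media: List[Media]):
    """Flat, sorted view of a media list, convenient for comparison."""
    return sorted((m.mediatype, m.sendto, m.source.value, m.active,
                   m.severity, m.period) for m in media)


# Constructed sample: a user whose corporate address list changed at the IdP.
EXISTING = [
    Media("Email", "alice@corp.example", Source.IDP,
          severity=48, period="1-5,09:00-18:00"),       # customized by the user
    Media("Email", "old-alias@corp.example", Source.IDP, active=False),
    Media("SMS", "+15550100", Source.MANUAL),           # private number, not in IdP
]
IDP_VALUES = {"Email": ["alice@corp.example", "a.smith@corp.example"]}

if __name__ == "__main__":
    for row in reconcile(EXISTING, IDP_VALUES):
        print(row)
```

      Running the sample keeps the customized primary address and the manual SMS row, drops the alias the IdP no longer reports, and adds the new address inactive. Because the same rows come back unchanged on a second run, the sync is idempotent and does not reset working hours on every login. Note that reconcile operates on an already-matched user record; avoiding the wrong re-creation of a profile when the login name changes (pain point 5) is a matter of matching the user on a stable IdP identifier rather than on the email, which this example does not cover.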

      Attachments

        1. color-disabled-users.png (43 kB)
        2. create-enabled-title.gif (143 kB)
        3. email-issue.png (55 kB)
        4. error-remove-mapping.gif (521 kB)
        5. image-2024-03-27-11-58-28-161.png (33 kB)
        6. mediatypemapping-edit.gif (296 kB)
        7. provisioned-users-color2 (1).png (66 kB)
        8. spec-screen-d-media.png (46 kB)
        9. type-disabled-media.png (104 kB)
        10. type-readonly.png (43 kB)
        11. usergroup-removeuser.gif (282 kB)

            People: Gregory Chalenko (gcalenko), Martins Orinskis (morinskis), Team C
            Votes: 10
            Watchers: 23