fix: scim use first email or phone if no primary is set (#9236)

# Which Problems Are Solved
- scim v2 only maps the primary phone/email to the zitadel user, this
does not work if no primary is set

# How the Problems Are Solved
- the first phone / email is mapped if no primary is available

# Additional Context
Part of #8140

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>

internal/api/scim/integration_test/testdata/users_create_test_no_primary_email_phone.json

@@ -0,0 +1,21 @@
+{
+  "schemas": [
+    "urn:ietf:params:scim:schemas:core:2.0:User"
+  ],
+  "userName": "acmeUser1",
+  "name": {
+    "familyName": "Ross",
+    "givenName": "Bethany"
+  },
+  "emails": [
+    {
+      "value": "user1@example.com"
+    }
+  ],
+  "phoneNumbers": [
+    {
+      "value": "+41 71 123 45 67",
+      "type": "work"
+    }
+  ]
+}

internal/api/scim/integration_test/users_create_test.go

@@ -33,6 +33,9 @@ var (
 	//go:embed testdata/users_create_test_minimal_inactive.json
 	minimalInactiveUserJson []byte
 
+	//go:embed testdata/users_create_test_no_primary_email_phone.json
+	minimalNoPrimaryEmailPhoneUserJson []byte
+
 	//go:embed testdata/users_create_test_full.json
 	fullUserJson []byte
 
@@ -196,6 +199,24 @@ func TestCreateUser(t *testing.T) {
 			body: fullUserJson,
 			want: fullUser,
 		},
+		{
+			name: "no primary email and phone",
+			body: minimalNoPrimaryEmailPhoneUserJson,
+			want: &resources.ScimUser{
+				Emails: []*resources.ScimEmail{
+					{
+						Value:   "user1@example.com",
+						Primary: true,
+					},
+				},
+				PhoneNumbers: []*resources.ScimPhoneNumber{
+					{
+						Value:   "+41711234567",
+						Primary: true,
+					},
+				},
+			},
+		},
 		{
 			name:          "missing userName",
 			wantErr:       true,

internal/api/scim/resources/user_mapping.go

@@ -154,6 +154,15 @@ func (h *UsersHandler) mapPrimaryEmail(scimUser *ScimUser) (command.Email, error
 		}, nil
 	}
 
+	// if no primary email was found, the first email will be used
+	for _, email := range scimUser.Emails {
+		email.Primary = true
+		return command.Email{
+			Address:  domain.EmailAddress(email.Value),
+			Verified: h.config.EmailVerified,
+		}, nil
+	}
+
 	return command.Email{}, zerrors.ThrowInvalidArgument(nil, "SCIM-EM19", "Errors.User.Email.Empty")
 }
 
@@ -169,6 +178,15 @@ func (h *UsersHandler) mapPrimaryPhone(scimUser *ScimUser) *command.Phone {
 		}
 	}
 
+	// if no primary phone was found, the first phone will be used
+	for _, phone := range scimUser.PhoneNumbers {
+		phone.Primary = true
+		return &command.Phone{
+			Number:   domain.PhoneNumber(phone.Value),
+			Verified: h.config.PhoneVerified,
+		}
+	}
+
 	return nil
 }