SCIM
Overview
The SCIM connector bundle is designed to manage provisioning through the SCIM 1.1 and 2.0 specifications.
Two different connectors are actually available within this bundle:
net.tirasa.connid.bundles.scim.v11.SCIMv11Connector
net.tirasa.connid.bundles.scim.v2.SCIMv2Connector
Supported operations
Create
Delete
Update
Search
Test
Schema
Configuration
Configuration Properties
The following table describes all of the properties that you can specify for the configuration:
Configuration Property | Type | Required | Description |
---|---|---|---|
baseAddress | String | X | Base address of the SCIM REST service. |
username | String |
| Username for authentication to the target RESTful service |
password | GuardedString |
| Password for authentication to the target RESTful service |
String | X | Value for the HTTP | |
String | X | Value for the HTTP | |
String |
| Client id for authentication to the target RESTful service | |
String |
| Client secret for authentication to the target RESTful service | |
String |
| Bearer Token for authentication to the target SCIM service | |
String |
| Field id of the JSON object node, returned from target Access Token RESTful service, that contains token value; defaults to access_token | |
String |
| Value for the HTTP Accept header for the Access Token request; defaults to application/json | |
String |
| Base address of the target RESTful service used to obtain access token | |
String |
| Value for the HTTP Content-Type header for the target Access Token RESTful service; defaults to application/x-www-form-urlencoded | |
String |
| SCIM Resource Schema representation in JSON format, used to specify custom attributes. See here as reference | |
| String |
| Method used for updates on Users ( |
| String |
| Method used for updates on Groups (PATCH or PUT); defaults to PATCH |
| String |
| Defines the SCIM server implementation to which the connector is connecting to. Default value is STANDARD. Admitted values are: AWS, WSO2, SALESFORCE, STANDARD This information is needed since some providers implementations like Salesforce or AWS differ a bit from the current SCIM standard exposed in RFC-7643 and RFC-7644 |
| Boolean |
| Whether to manage entitlements other than the default one (SCIM v1.1 only supports the default entitlement) |
| Boolean |
| Whether to perform an additional update on group after user create to add the user. |
String |
| Some provider don't store information about the type of the complex attributes, is possible to define a default one | |
| String |
| Some provider don't store information about the type of the addresses attribute, is possible to define a default one. |
Boolean |
| Whether to replace all group members on update | |
String |
| Specifies the type of the proxy server to use (if any) to access to the SCIM server, allowed values are HTTP and SOCKS | |
String |
| Specifies proxy host to connect to reach SCIM server | |
Integer |
| Specifies proxy port to connect to reach SCIM server | |
String |
| Specifies username to authenticate on proxy (optional, only Basic auth is supported) | |
String |
| Specifies password to authenticate on proxy | |
Boolean |
| Specifies whether the HTTP client should follow or not HTTP redirects like the “302 Found” |
A sample value for The following, instead, is a sample for 2.0 version: The important parts are:
Indeed, the resulting schema representation will use the same name convention used for other complex attributes, e.g.:
so in this case it will be:
To manage version 2.0 Enterprise User attributes just use the following attributes:
To manage version 1.1 Enterprise User attributes just use the following attributes:
|
Important notes
About AWS there are some limitations described here on SCIM v2 API: they affect the current behavior of the connector, especially these 2 features are not available:
Group removal on update. If user has grp1 and grp2 and you remove grp2 and add grp3, useris going to have grp1, grp2 and grp3, i.e. grp2 is not going to be removed.
Group synchronization is not possible.
This because groups are not returned in the user result and there is no way to get group ids by user.