SCIM

Overview

The SCIM connector bundle is designed to manage provisioning through the SCIM 1.1 and 2.0 specifications.

Two different connectors are actually available within this bundle:

  1. net.tirasa.connid.bundles.scim.v11.SCIMv11Connector

  2. net.tirasa.connid.bundles.scim.v2.SCIMv2Connector

Supported operations

  • Create

  • Delete

  • Update

  • Search

  • Test

  • Schema

Configuration

Configuration Properties

The following table describes all of the properties that you can specify for the configuration:

Configuration Property

Type

Required

Description

Configuration Property

Type

Required

Description

baseAddress

String

X

Base address of the SCIM REST service.
E.g. https://mydomain.com/api/scim/v1/ for 1.1 version and https://mydomain.com/api/scim/v2/ for 2.0 version

username

String

 

Username for authentication to the target RESTful service

password

GuardedString

 

Password for authentication to the target RESTful service

String

X

Value for the HTTP Accept header; defaults to application/json

String

X

Value for the HTTP Content-Type header; defaults to application/json

String

 

Client id for authentication to the target RESTful service

String

 

Client secret for authentication to the target RESTful service

String

 

Bearer Token for authentication to the target SCIM service

String

 

Field id of the JSON object node, returned from target Access Token RESTful service, that contains token value; defaults to access_token

String

 

Value for the HTTP Accept header for the Access Token request; defaults to application/json

String

 

Base address of the target RESTful service used to obtain access token

String

 

Value for the HTTP Content-Type header for the target Access Token RESTful service; defaults to application/x-www-form-urlencoded

String

 

SCIM Resource Schema representation in JSON format, used to specify custom attributes. See here as reference

 

String

 

Method used for updates on Users (PATCH or PUT); defaults to PUTexplicitGroupAddOnCreate.

 

String

 

Method used for updates on Groups (PATCH or PUT); defaults to PATCH

 

String

 

Defines the SCIM server implementation to which the connector is connecting to. Default value is STANDARD.

Admitted values are: AWS, WSO2, SALESFORCE, STANDARD

This information is needed since some providers implementations like Salesforce or AWS differ a bit from the current SCIM standard exposed in RFC-7643 and RFC-7644

 

Boolean

 

Whether to manage entitlements other than the default one (SCIM v1.1 only supports the default entitlement)

 

Boolean

 

Whether to perform an additional update on group after user create to add the user.

String

 

Some provider don't store information about the type of the complex attributes, is possible to define a default one

 

String

 

Some provider don't store information about the type of the addresses attribute, is possible to define a default one.

Boolean

 

Whether to replace all group members on update

String

 

Specifies the type of the proxy server to use (if any) to access to the SCIM server, allowed values are HTTP and SOCKS

String

 

Specifies proxy host to connect to reach SCIM server

Integer

 

Specifies proxy port to connect to reach SCIM server

String

 

Specifies username to authenticate on proxy (optional, only Basic auth is supported)

String

 

Specifies password to authenticate on proxy

Boolean

 

Specifies whether the HTTP client should follow or not HTTP redirects like the “302 Found”

 

A sample value for customAttributesJSON parameter that includes some custom attributes you want the Connector to handle:

The following, instead, is a sample for 2.0 version:

The important parts are:

  • attributes;

  • all the name and schema property of each attribute.

Indeed, the resulting schema representation will use the same name convention used for other complex attributes, e.g.:

  • name.familyName

  • addresses.other.formatted

  • emails.work.primary

  • phoneNumbers.work.value

so in this case it will be:

  • urn:scim:schemas:core:1.0.myCustomName for version 1.1.

  • urn:mem:params:scim:schemas:extension:LuckyNumberExtension.luckyNumber for version 2.0.

To manage version 2.0 Enterprise User attributes just use the following attributes:

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.employeeNumber

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.organization

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.costCenter

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.organization

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.displayName

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.ref

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value

To manage version 1.1 Enterprise User attributes just use the following attributes:

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.employeeNumber

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.managerId

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.displayName

Important notes

 

About AWS there are some limitations described here on SCIM v2 API: they affect the current behavior of the connector, especially these 2 features are not available:

  • Group removal on update. If user has grp1 and grp2 and you remove grp2 and add grp3, useris going to have grp1, grp2 and grp3, i.e. grp2 is not going to be removed.

  • Group synchronization is not possible.

This because groups are not returned in the user result and there is no way to get group ids by user.