SCIM

Overview

The SCIM connector bundle is designed to manage provisioning through the SCIM 1.1 and 2.0 specifications.

Two different connectors are actually available within this bundle:

  1. net.tirasa.connid.bundles.scim.v11.SCIMv11Connector

  2. net.tirasa.connid.bundles.scim.v2.SCIMv2Connector

Supported operations

  • Create

  • Delete

  • Update

  • Search

  • Test

  • Schema

Configuration

Configuration Properties

The following table describes all of the properties that you can specify for the configuration:

Configuration Property

Type

Required

Description

Configuration Property

Type

Required

Description

baseAddress

String

X

Base address of the SCIM REST service.
E.g. https://mydomain.com/api/scim/v1/ for 1.1 version and https://mydomain.com/api/scim/v2/ for 2.0 version

username

String

 

Username for authentication to the target RESTful service

password

GuardedString

 

Password for authentication to the target RESTful service

accept

String

X

Value for the HTTP Accept header; defaults to application/json

contentType

String

X

Value for the HTTP Content-Type header; defaults to application/json

clientId

String

 

Client id for authentication to the target RESTful service

clientSecret

String

 

Client secret for authentication to the target RESTful service

accessTokenNodeId

String

 

Field id of the JSON object node, returned from target Access Token RESTful service, that contains token value; defaults to access_token

accessTokenBaseAddress

String

 

Base address of the target RESTful service used to obtain access token

accessTokenContentType

String

 

Value for the HTTP Content-Type header for the target Access Token RESTful service; defaults to application/x-www-form-urlencoded

customAttributesJSON

String

 

SCIM Resource Schema representation in JSON format, used to specify custom attributes. See here as reference

updateMethod

 

String

 

Method used for updates (PATCH or PUT); defaults to PATCH for 1.1 version. Must be set to PUT for 2.0 version until the PATCH will be implemented

updateGroupMethod

 

String

 

Method used for updates on Groups (PATCH or PUT); defaults to PATCH

scimProvider

 

String

 

Defines the SCIM server implementation to which the connector is connecting to. Default value is STANDARD.

Admitted values are: AWS, WSO2, SALESFORCE, STANDARD

This information is needed since some providers implementations like Salesforce or AWS differ a bit from the current SCIM standard exposed in RFC-7643 and RFC-7644

manageComplexEntitlements

 

Boolean

 

Whether to manage entitlements other than the default one (SCIM v1.1 only supports the default entitlement)

explicitGroupAddOnCreate

 

Boolean

 

Whether to perform an additional update on group after user create to add the user.

genericComplexType

String

 

Some provider don't store information about the type of the complex attributes, is possible to define a default one

addressesType

 

String

 

Some provider don't store information about the type of the addresses attribute, is possible to define a default one.

 

A sample value for customAttributesJSON parameter that includes some custom attributes you want the Connector to handle:

{ "id": "urn:scim:schemas:core:1.0:User", "name": "User", "description": "Core User", "schema": "urn:scim:schemas:core:1.0", "endpoint": "/Users", "attributes": [ { "name": "myCustomName", "type": "string", "multiValued": false, "description": "", "schema": "urn:scim:schemas:core:1.0", "readOnly": false, "required": false, "caseExact": false } ] }

The following, instead, is a sample for 2.0 version:

{ "id": "urn:mem:params:scim:schemas:extension:LuckyNumberExtension", "name": "LuckyNumbers", "description": "Lucky Numbers", "endpoint": "/Users", "attributes": [ { "name": "luckyNumber", "type": "integer", "multiValued": false, "description": "", "required": true, "caseExact": false, "mutability": "readWrite", "returned": "default", "uniqueness": "server" } ] }

The important parts are:

  • attributes;

  • all the name and schema property of each attribute.

Indeed, the resulting schema representation will use the same name convention used for other complex attributes, e.g.:

  • name.familyName

  • addresses.other.formatted

  • emails.work.primary

  • phoneNumbers.work.value

so in this case it will be:

  • urn:scim:schemas:core:1.0.myCustomName for version 1.1.

  • urn:mem:params:scim:schemas:extension:LuckyNumberExtension.luckyNumber for version 2.0.

To manage version 2.0 Enterprise User attributes just use the following attributes:

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.employeeNumber

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.organization

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.costCenter

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.organization

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.displayName

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.ref

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value

To manage version 1.1 Enterprise User attributes just use the following attributes:

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.employeeNumber

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.managerId

  • urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.displayName

Important notes

 

About AWS there are some limitations described here on SCIM v2 API: they affect the current behavior of the connector, especially these 2 features are not available:

  • Group removal on update. If user has grp1 and grp2 and you remove grp2 and add grp3, useris going to have grp1, grp2 and grp3, i.e. grp2 is not going to be removed.

  • Group synchronization is not possible.

This because groups are not returned in the user result and there is no way to get group ids by user.