SCIM is a standard, REST-based interface for managing users, roles and groups. The interface is described at http://www.simplecloud.info/

CoreOne can connect to other systems using SCIM and provision users and groups there. The other system has to implement SCIM correctly; there are many small discrepancies between existing implementations. Please check the implementation details below to see whether your system supports SCIM the way CoreOne uses it.

Set up target system

...

Target system attribute

...

Description

...

SCIM base URL

...

Base URL of the SCIM API, including scheme, host and path (for example https://localhost:44319/scim).

...

SCIM login URL

...

URL of the token endpoint. Username and password is the only supported authentication method for now.

CoreOne uses the token returned by this endpoint to authenticate against the SCIM endpoint.

...

SCIM login username

...

Username to be used for login

...

SCIM login password

...

Password to be used for login

...

Disable SSL handshake

...

Introduction

As described in SCIM System Connector, the connector follows https://datatracker.ietf.org/doc/html/rfc7643 closely in its implementation. Nonetheless, some definitions leave room for interpretation. This page gives guidance and examples of areas where a SCIM application might diverge from the standard, as well as some of the limitations that the CoreOne Suite SCIM Connector has at the moment (Version 5.9).

Operations

Below you can find exactly which requests CoreOne makes to a SCIM system. Please check that your system supports them.

...

  • userName,

  • name.givenName,

  • name.familyName,

  • emails.value

SCIM allows multi-value attributes (like emails), but CoreOne does not support them for now.

Create user

URL

/scim/users

HTTP Verb

POST

Body

Code Block
{
  "userName": "John Novak",
  "name": {
    "givenName": "John",
    "familyName": "Novak"
  },
  "emails": [{
    "value": "john.novak@swiss.ch",
    "primary": true
  }]
}

Remarks

As you can see, the primary sub-attribute was added. CoreOne does not support multi-value attributes and will only work with primary values.

In the response CoreOne expects the newly created user resource. The only attribute it needs is id, which is stored in the CoreOne database.

Update user

URL

/scim/users/{user_id}

HTTP Verb

PATCH

Body

Code Block
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "Path": "userName",
    "Op": "Replace",
    "Value": "NewUserName"
  },
  {
    "Path": "name.givenName",
    "Op": "Replace",
    "Value": "NewGivenName"
  },
  {
    "Path": "emails[primary eq true].value",
    "Op": "Replace",
    "Value": "updatedMail@swiss.ch"
  }]
}

Remarks

SCIM allows updates to be expressed in several ways (with or without a path, with the full attribute name or the short one).

CoreOne sends every change as a separate operation. Each operation has a Path property holding the short name of the attribute to change and an Op property equal to Replace.

For multi-value attributes (like emails) the change is applied to the item whose primary property is set to true.

Only the attributes that changed are sent to the target system.

Select users

URL

/scim/users

HTTP Verb

GET

Body

-

Remarks

Should return the collection of users according to SCIM specification.

To check whether an attribute value is unique, CoreOne queries /?filter={propertyName} eq "{value}"

To find users matching a username, CoreOne queries /?filter=userName co "{searchValue}"&startIndex=1&count={maxResult}

Select user

URL

/scim/users/{user_id}

HTTP Verb

GET

...

Body

-

Remarks

Should return the collection of users according to SCIM specification.

To get the groups assigned to user CoreOne uses /?attributes=groups

Delete user

URL

/scim/users/{user_id}

HTTP Verb

DELETE

...

Create group

...

Body

-

Remarks

-

CRUD group

Group support works the same way as user support. When groups are queried, the target system should return the members attribute.

Assign Member

URL

/scim/groups/{group_id}

HTTP Verb

PATCH

Body

Code Block
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op": "add",
    "path": "members",
    "value": [{"value": "c6eda4fd-e7ab-490a-a1e6-17fbca28b2ed"}]
  }]
}

Remarks

value.value in the above example holds the user id.

Remove Member

URL

/scim/groups/{group_id}

...

HTTP Verb

PATCH

Body

Code Block
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op": "remove",
    "path": "members",
    "value": [{"value": "c6eda4fd-e7ab-490a-a1e6-17fbca28b2ed"}]
  }]
}

Remarks

value.value in the above example holds the user id.
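A target system has to accept all the PatchOp shapes shown on this page: the Update user request (simple path, dotted path, and the filtered path emails[primary eq true].value, with capitalised Path/Op/Value members and Op "Replace"), and the Assign/Remove Member requests (lowercase members, a value list on remove). The following is an added Python example of a small, case-tolerant applier that handles all of them; it is not CoreOne code, and apply_patch, FILTER_RE and the sample ids are hypothetical names and constructed values.

```python
import re
from copy import deepcopy

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Matches the filtered multi-value path CoreOne sends: emails[primary eq true].value
FILTER_RE = re.compile(r'^(\w+)\[(\w+) eq (true|false|"[^"]*")\]\.(\w+)$')

def _get(obj, key):
    """Case-insensitive member lookup: CoreOne sends Path/Op/Value, the RFC uses path/op/value."""
    for k, v in obj.items():
        if k.lower() == key:
            return v
    raise KeyError(key)

def apply_patch(resource, patch):
    """Return a copy of `resource` with every PatchOp operation applied in order."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a PatchOp message")
    res = deepcopy(resource)
    for op in _get(patch, "operations"):
        kind, path, value = _get(op, "op").lower(), _get(op, "path"), _get(op, "value")
        match = FILTER_RE.match(path)
        if kind == "replace" and match:           # emails[primary eq true].value
            attr, fkey, fval, sub = match.groups()
            want = {"true": True, "false": False}.get(fval, fval.strip('"'))
            hits = [i for i in res.get(attr, []) if i.get(fkey) == want]
            if not hits:                          # nothing to patch: report, don't silently skip
                raise ValueError(f"no {attr} item matches {fkey} eq {fval}")
            for item in hits:
                item[sub] = value
        elif kind == "replace":                   # userName or name.givenName
            target, parts = res, path.split(".")
            for part in parts[:-1]:
                target = target.setdefault(part, {})
            target[parts[-1]] = value
        elif kind == "add":                       # members: [{"value": "<user id>"}]
            res.setdefault(path, []).extend(value)
        elif kind == "remove":                    # CoreOne sends remove with a value list, not a filter
            gone = {v["value"] for v in value}
            res[path] = [i for i in res.get(path, []) if i["value"] not in gone]
        else:
            raise ValueError(f"unsupported op {kind}")
    return res
# Constructed sample data (hypothetical ids) mirroring the requests shown above.
SAMPLE_USER = {"id": "u-1", "userName": "John Novak", "name": {"givenName": "John", "familyName": "Novak"},
               "emails": [{"value": "john.novak@swiss.ch", "primary": True},
                          {"value": "old@swiss.ch", "primary": False}]}
SAMPLE_PATCH = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"Path": "userName", "Op": "Replace", "Value": "NewUserName"},
    {"Path": "emails[primary eq true].value", "Op": "Replace", "Value": "updatedMail@swiss.ch"}]}
```

Applying SAMPLE_PATCH to SAMPLE_USER changes only userName and the primary email; the non-primary email and the name are left untouched, and a message without the PatchOp schema is rejected.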