
Introduction

The System for Cross-domain Identity Management (SCIM) is a well-known standard for provisioning and managing users across multiple domains. In a nutshell, it specifies a RESTful API that an application or system has to expose, which other systems can then use for provisioning and information retrieval. The standard is documented at a high level on the project's website (http://www.simplecloud.info/ ) and in a more detailed and technical fashion in the IETF SCIM Core Schema specification (https://datatracker.ietf.org/doc/html/rfc7643 ).

The CoreOne Suite SCIM System Connector allows you to provision users to any system that supports the SCIM standard. So if you are thinking about implementing an API for user management for your own applications and systems, SCIM is an easy way to do so that allows you to integrate easily with the CoreOne Suite while following a defined standard that might be used by other applications or systems as well.

System Identity Types

The following system identity types are supported:

Identity Type | Description
------------- | -----------
SCIM User     | A default SCIM user with the properties defined in Section 4.1 of RFC 7643 (Standard User Schema) and Section 4.3 of RFC 7643 (Enterprise User Schema). You can extend those properties by creating system identity type attributes in the CoreOne Suite Admin UI.

SCIM User

The following user attributes can be managed by default:

SCIM supports complex and multi-valued attributes. Attributes in the CoreOne Suite are, by default, flat objects. To simplify this use case, the system identity type attributes follow a simple transformation: the complex SCIM name consists of a familyName, givenName and so on, and within the CoreOne Suite we simply track them as name.familyName, name.givenName and so on.

Attribute            | Description
-------------------- | -----------
userName             | The user name of the user
name.formatted       | The formatted name, similar to the display name
name.familyName      | The family name of the user
name.givenName       | The given name of the user
name.middleName      | The middle name of the user
name.honorificPrefix | The honorific prefix(es) of the user
name.honorificSuffix | The honorific suffix(es) of the user
displayName          | The display name of the user
nickName             | The nickname of the user
profileUrl           | A URI that locates the user's profile
title                | The title of the user
userType             | The type of the user, if the application or system supports that
preferredLanguage    | The preferred language in the format of Section 5.3.5 of RFC 7231
locale               | The user's default location as specified in https://datatracker.ietf.org/doc/html/rfc5646
timezone             | The user's time zone as specified in https://datatracker.ietf.org/doc/html/rfc6557
active               | An indication whether the user is active or not
emails               | A multi-valued field with the user's email addresses
phoneNumbers         | A multi-valued field with the user's phone numbers
ims                  | A multi-valued field with the user's instant messaging services
photos               | A multi-valued field with the user's photos
addresses            | A multi-valued field with the user's addresses

Note that Section 4.1.2 of RFC 7643 specifies groups, entitlements and roles attributes on the user. Those are managed via the assigned resources and not directly on the user itself.
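To make the flat-attribute transformation concrete, here is an added Python example (not code from the CoreOne Suite) that flattens a SCIM core-schema user into the dotted attribute names described above and rebuilds the nested form; the sample user and the primary_value helper are constructed for this illustration.

```python
# Constructed sample SCIM user (core schema), not taken from the page.
SCIM_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "1233443",
    "userName": "jdoe",
    "name": {"familyName": "Doe", "givenName": "Jane", "honorificPrefix": "Dr."},
    "active": True,
    "emails": [{"value": "jane.doe@example.com", "type": "work", "primary": True},
               {"value": "jdoe@home.example", "type": "home"}],
}

def flatten(user, prefix=""):
    """Turn complex attributes into dotted attribute names (name.familyName).
    Multi-valued attributes such as emails stay lists, as the page describes;
    'schemas' is resource metadata, not a user attribute, and is dropped."""
    flat = {}
    for key, value in user.items():
        if key == "schemas":
            continue
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        else:
            flat[name] = value
    return flat

def unflatten(flat):
    """Rebuild the nested SCIM representation from dotted attribute names."""
    nested = {}
    for name, value in flat.items():
        parts = name.split(".")
        target = nested
        for part in parts[:-1]:
            target = target.setdefault(part, {})
        target[parts[-1]] = value
    return nested

def primary_value(flat, attribute):
    """Pick the primary entry of a multi-valued attribute (the first entry if
    none is marked primary), e.g. the address to use as the main email."""
    entries = flat.get(attribute) or []
    for entry in entries:
        if entry.get("primary"):
            return entry.get("value")
    return entries[0].get("value") if entries else None
```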

System Resource Types

The following system resource types are supported:

Resource Type | Description
------------- | -----------
SCIM Group    | A SCIM Group according to Section 4.2 of RFC 7643

Target System Parameters

Whenever you connect a SCIM system to the CoreOne Suite you will need to specify the following parameters.

Parameter                      | Mandatory | Example                          | Description
------------------------------ | --------- | -------------------------------- | -----------
API base url                   |           | https://scim.webapp.com          | The base URL of the SCIM endpoint
Login base url                 |           | https://scim.webapp.com/login    | The endpoint where the authentication for the SCIM endpoint has to be performed. This URL is called with the username and password as an HTTP Basic Authentication request and has to return a bearer token in the form of { "Token": "" }
Login username                 |           | svc_cos                          | The user name to be used for authentication
Login password                 |           | *******                          | The password of the user
Disable SSL Handshake          |           | false                            | Set this if the SSL handshake cannot be performed because of invalid certificates. Be very cautious with this and only disable the handshake if really necessary.
Scim operation mode - identity |           | Updates done via PATCH method    | Defines with which HTTP method identity updates are sent. Currently PATCH and PUT are supported.
Scim operation mode - resource |           | Updates done via PATCH method    | Defines with which HTTP method resource updates are sent. Currently PATCH and PUT are supported.
Scim default missing values    |           | false                            | If true, sets all attributes missing from the entity sent back by the target system to the default values of their respective data types. Usually the target system sends back the whole entity with all attributes, so this does not need to be enabled.

Context Assignment

The SCIM Connector supports the assignment context as described here. As this assignment context is not part of the standard SCIM definition, we make use of SCIM's capability to extend the schema. Whenever an assignment is made with a context, first the assignment context transformations are applied and then the result is provisioned as the relations property.

This is done by calling the resource endpoint with a PATCH request. The content of the patch is shown below. As you can see, an array of members is passed to the relations path as well as to the members path. The difference is that each entry in the array passed to the relations path also contains the full context: the user and the resource, where the latter identifies the context. In this example, we patch the taxes group and add the same user twice, once in the context of BestRun Inc. (line 29 of the request) and once in the context of ITSENSE AG (line 34).

curl --request PATCH \
  --url http://your.scimapplication.com/groups/taxes \
  --header 'Content-Type: application/json' \
  --data '{
         "Schemas": [
                   "urn:ietf:params:scim:api:messages:2.0:PatchOp",
                   "urn:ietf:params:scim:schemas:core:2.0:Group"
         ],
         "Operations": [
                   {
                            "Path": "members",
                            "Op": "Add",
                            "Value": [
                                      {
                                               "Value": "1233443"
                                      },
                                      {
                                               "Value": "1233443"
                                      }
                            ]
                   },
                   {
                            "Path": "relations",
                            "Op": "Add",
                            "Value": [
                                      {
                                               "User": "1233443",
                                               "Type": "Any",
                                               "Resource": "BestRun Inc."
                                      },
                                      {
                                               "User": "1233443",
                                               "Type": "Any",
                                               "Resource": "ITSENSE AG"
                                      }
                            ]
                   }
         ]
}'

Note: We still pass the members path even if the system supports the context. In that case the regular members path should be ignored by the system.
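As an added illustration (not part of this page or the CoreOne Suite product), a Python sketch of how a receiving system could process the request above, honouring the note that the plain members path is ignored when the context extension is supported; it assumes the relation entries are keyed by user, type and resource exactly as in the request, and the patch body is embedded as constructed sample data.

```python
import json

# Constructed PatchOp body: the request from the curl example above
# (group "taxes", the same user id in two assignment contexts).
PATCH_BODY = json.loads("""{
  "Schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp",
              "urn:ietf:params:scim:schemas:core:2.0:Group"],
  "Operations": [
    {"Path": "members", "Op": "Add",
     "Value": [{"Value": "1233443"}, {"Value": "1233443"}]},
    {"Path": "relations", "Op": "Add",
     "Value": [{"User": "1233443", "Type": "Any", "Resource": "BestRun Inc."},
               {"User": "1233443", "Type": "Any", "Resource": "ITSENSE AG"}]}
  ]}""")

def scim_get(obj, key):
    """Case-insensitive lookup: SCIM attribute names are case-insensitive
    (RFC 7643 section 2.1) and the connector sends 'Op', 'Path', 'Value'."""
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return None

def apply_group_patch(group, body, supports_context):
    """Apply an 'add' PatchOp to a group dict and return the updated group.
    With context support, 'relations' is authoritative and the plain 'members'
    path is ignored (as the note above says). Without it, 'members' is applied
    (deduplicated, since one id appears once per context) and 'relations' is
    skipped; a real server without the extension would likely reject the path."""
    result = {"members": list(group.get("members", [])),
              "relations": list(group.get("relations", []))}
    for op in scim_get(body, "operations") or []:
        if (scim_get(op, "op") or "").lower() != "add":
            raise ValueError("only the 'add' operation is handled here")
        path = (scim_get(op, "path") or "").lower()
        for item in scim_get(op, "value") or []:
            if path == "members" and not supports_context:
                entry, target = {"value": scim_get(item, "value")}, result["members"]
            elif path == "relations" and supports_context:
                entry = {"user": scim_get(item, "user"), "type": scim_get(item, "type"),
                         "resource": scim_get(item, "resource")}
                target = result["relations"]
            else:
                continue
            if entry not in target:  # members and relations behave as sets
                target.append(entry)
    return result
```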

Identity functions

The following identity functions are supported:

Function (task feature)               | Supported
------------------------------------- | ---------
create/delete identities              |
provisioning identities               |
update identities                     |
provisioning identity updates         |
deprovision identities                |
cleanup of inactive identities active | -
check password changed active         | -

Resources functions

The following resource functions are supported:

Function (task feature)                       | Supported
--------------------------------------------- | ---------
create/delete resources                       |
provision resources                           |
update resources                              |
provisioning resource changes                 |
deprovisioning resources                      |
provisioning resource allocations             |
deprovisioning resource allocations           |
provisioning resource-resource allocations    | -
deprovisioning resource-resource allocations  | -

Cleanup functions

The following cleanup functions are supported:

Function (task feature)                                | Supported
------------------------------------------------------ | ---------
Is available in the expected/actual comparison log     |
Clean up expected/actual                               | -
Read back user account properties                      | -
Resource identity assignments target system cleanup    | -
Resource-resource assignments target system cleanup    | -