SCIM System Connector - Implementation pitfalls and limitations
Introduction
As described in SCIM System Connector, the connector closely follows RFC 7643 (System for Cross-domain Identity Management: Core Schema) in its implementation; the request and response formats shown below are those of the companion protocol specification, RFC 7644. Nonetheless, some definitions leave room for interpretation. This page gives guidance and examples of areas where a SCIM application might diverge from the standard, as well as some of the limitations the CoreOne Suite SCIM Connector currently has (version 5.9).
Operations
Below you can find some of the requests that CoreOne will make to a SCIM system. Please check if your system supports them.
Let’s assume we provision some standard attributes:
userName,
name.givenName,
name.familyName,
emails.value
SCIM allows multi-valued attributes (emails is one), but CoreOne does not support them for now: for a multi-valued attribute it reads and writes only the value marked primary.
Create user
URL | /scim/users |
HTTP Verb | POST |
Body | {
"userName":"John Novak",
"name": {
"givenName":"John",
"familyName":"Novak"
},
"emails":[{
"value":"john.novak@swiss.ch",
"primary":true
}]
} |
Remarks | As you can see, the primary sub-attribute is set on the email entry. CoreOne does not support multi-valued attributes and only works with the primary value. In the response CoreOne expects the newly created user resource; the only attribute it needs is id, which is stored in the CoreOne database and used as {user_id} in all later requests for that user. Note that the body shown here carries no schemas attribute, which RFC 7643 lists as required for every resource; check that your service provider accepts a user representation without it. |
Update user
URL | /scim/users/{user_id} |
HTTP Verb | PATCH |
Body | {
"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [{
"Path":"userName",
"Op":"Replace",
"Value":"NewUserName"
},
{
"Path":"name.givenName",
"Op":"Replace",
"Value":"NewGivenName"
},
{
"Path":"emails[primary eq true].value",
"Op":"Replace",
"Value":"updatedMail@swiss.ch"
}]
} |
Remarks | SCIM allows an update to be expressed in several ways (with or without path, with the full or the short attribute name). CoreOne sends every change as a separate operation. Each operation has a Path property with the short attribute name and an Op property equal to Replace. For multi-valued attributes (such as emails) the change is applied to the item whose primary sub-attribute is true. Only the attributes that changed are sent to the target system. Note that the property names are sent capitalised (Path, Op, Value) and the operation as Replace, whereas RFC 7644 writes them as path, op, value and replace; attribute names are case-insensitive per RFC 7643 section 2.1, so a conforming service provider accepts both spellings, but check that yours does not reject the capitalised form (the group requests further down use the lowercase form). |
Select users
URL | /scim/users |
HTTP Verb | GET |
Body | - |
Remarks | Should return the collection of users according to the SCIM specification (a ListResponse with a Resources array). To check if attributes are unique CoreOne uses To get matching users based on username CoreOne uses |
Select user
URL | /scim/users/{user_id} |
HTTP Verb | GET |
Body | - |
Remarks | Should return the requested user resource according to the SCIM specification. To get the groups assigned to the user CoreOne uses |
Delete user
URL | /scim/users/{user_id} |
HTTP Verb | DELETE |
Body | - |
Remarks | - |
CRUD group
Group support is similar to user support. When groups are queried, the target system should return the members attribute.
Assign Member
URL | /scim/groups/{group_id} |
HTTP Verb | PATCH |
Body | {
"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [{
"op": "add",
"path": "members",
"value": [{"value": "c6eda4fd-e7ab-490a-a1e6-17fbca28b2ed"}]
}]
} |
Remarks | Each entry of the value array carries, in its value sub-attribute, the id of the user to add (the id returned when the user was created). |
Remove Member
URL | /scim/groups/{group_id} |
HTTP Verb | PATCH |
Body | |
Remarks | As in the Assign Member request, the user id is passed in value.value. |
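As an added example (not CoreOne or ITSENSE code), the following Python sketch of a service provider's PATCH handler applies the Update user, Assign Member and Remove Member requests above to in-memory resources. It assumes the capitalised property names and the Replace spelling shown in the user update, the lowercase names shown in the group request, and, because this page does not show the body CoreOne sends for Remove Member, the members[value eq "<id>"] path form from RFC 7644 section 3.5.2.2; the sample user and group resources are constructed here.

```python
"""Apply a SCIM PatchOp to an in-memory resource.

Added example, not CoreOne or ITSENSE code. A service provider receiving the
requests on this page must accept "Path"/"Op"/"Value" (user update) as well as
"path"/"op"/"value" (group member add), since RFC 7643 section 2.1 makes
attribute names case-insensitive; it also sees "Replace" instead of the
lowercase "replace" of RFC 7644, dotted paths (name.givenName) and filter
paths (emails[primary eq true].value). Path-less operations are out of scope.
"""
import re
from copy import deepcopy

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Only "<attr>[<sub> eq <literal>]" with an optional ".<sub>" suffix.
_FILTER_RE = re.compile(r'^(\w+)\[(\w+) eq ("[^"]*"|\w+)\](?:\.(\w+))?$')

def _get_ci(obj, key):  # case-insensitive lookup of a JSON object key
    return {k.lower(): v for k, v in obj.items()}[key.lower()]

def _literal(text):
    """Filter literal -> Python value: 'true' -> True, '"x"' -> 'x', '7' -> 7."""
    if text.startswith('"'):
        return text[1:-1]
    return text.lower() == "true" if text.lower() in ("true", "false") else int(text)

def _select(resource, path):
    """Resolve a filter path to (attr, matching items, sub-attr), else None."""
    m = _FILTER_RE.match(path)
    if not m:
        return None
    attr, sub, lit, target = m.groups()
    items = [i for i in resource.get(attr, []) if i.get(sub) == _literal(lit)]
    if not items:  # RFC 7644 reports this case as scimType "noTarget"
        raise ValueError(f"no item matches {path}")
    return attr, items, target

def _replace(resource, path, value):
    sel = _select(resource, path)
    if sel:                                  # emails[primary eq true].value
        for item in sel[1]:
            if sel[2]:
                item[sel[2]] = value
            else:                            # no sub-attr: replace whole item
                item.clear()
                item.update(value)
        return
    *parents, leaf = path.split(".")         # name.givenName
    node = resource
    for p in parents:
        node = node.setdefault(p, {})
    node[leaf] = value

def _add(resource, path, value):
    current = resource.get(path)
    if isinstance(current, list):            # multi-valued, e.g. members
        present = {i.get("value") for i in current}
        current.extend(v for v in value if v.get("value") not in present)
    else:
        resource[path] = value

def _remove(resource, path):
    # RFC 7644 section 3.5.2.2 form members[value eq "<id>"]; this page does
    # not show the body CoreOne itself sends for Remove Member.
    sel = _select(resource, path)
    if sel:
        resource[sel[0]] = [i for i in resource[sel[0]] if i not in sel[1]]
    else:
        resource.pop(path, None)

def apply_patch(resource, patch):
    """Return a copy of `resource` with every PatchOp operation applied."""
    if PATCH_OP not in _get_ci(patch, "schemas"):
        raise ValueError("not a PatchOp message")
    result = deepcopy(resource)
    for operation in _get_ci(patch, "Operations"):
        op = _get_ci(operation, "op").lower()  # "Replace" -> "replace"
        path = _get_ci(operation, "path")
        if op == "replace":
            _replace(result, path, _get_ci(operation, "value"))
        elif op == "add":
            _add(result, path, _get_ci(operation, "value"))
        elif op == "remove":
            _remove(result, path)
        else:
            raise ValueError(f"unsupported op {op!r}")
    return result

# Constructed sample resources; the user and group-add bodies are the page's.
USER = {"id": "u1", "userName": "John Novak",
        "name": {"givenName": "John", "familyName": "Novak"},
        "emails": [{"value": "john.novak@swiss.ch", "primary": True},
                   {"value": "old@swiss.ch", "primary": False}]}
USER_PATCH = {"schemas": [PATCH_OP], "Operations": [
    {"Path": "userName", "Op": "Replace", "Value": "NewUserName"},
    {"Path": "name.givenName", "Op": "Replace", "Value": "NewGivenName"},
    {"Path": "emails[primary eq true].value", "Op": "Replace",
     "Value": "updatedMail@swiss.ch"}]}
MEMBER_ID = "c6eda4fd-e7ab-490a-a1e6-17fbca28b2ed"
GROUP = {"id": "g1", "displayName": "admins", "members": [{"value": "u0"}]}
GROUP_ADD = {"schemas": [PATCH_OP], "Operations": [
    {"op": "add", "path": "members", "value": [{"value": MEMBER_ID}]}]}
GROUP_REMOVE = {"schemas": [PATCH_OP], "Operations": [
    {"op": "remove", "path": f'members[value eq "{MEMBER_ID}"]'}]}
```

apply_patch(USER, USER_PATCH) returns the user with userName, name.givenName and only the primary email replaced, leaving the non-primary entry untouched; applying GROUP_ADD twice adds the member once, and GROUP_REMOVE against a group that does not contain that member raises ValueError, the situation RFC 7644 reports to the client as scimType noTarget. The case-insensitive key lookup is what lets the same handler serve both the capitalised user update and the lowercase group request.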
© ITSENSE AG. All rights reserved. ITSENSE and CoreOne are registered trademarks of ITSENSE AG.