SCIM System Connector
Introduction
The System for Cross-domain Identity Management (SCIM) is a well-known standard for provisioning and managing users across multiple domains. In a nutshell, it specifies a RESTful API that an application or system exposes and that other systems then use for provisioning and information retrieval. The standard is documented at a high level on the project's website (SCIM: System for Cross-domain Identity Management) and in detail in the IETF specifications: the SCIM Core Schema in RFC 7643 (https://datatracker.ietf.org/doc/html/rfc7643) and the SCIM protocol, including the PATCH and PUT semantics used by this connector, in RFC 7644.
The CoreOne Suite SCIM System Connector allows you to provision users to any system that supports the SCIM standard. So if you are planning a user management API for your own applications and systems, SCIM is an easy way to do it: you get out-of-the-box integration with the CoreOne Suite while following a defined standard that other applications and systems can use as well.
System Identity Types
The following system identity types are supported:
Identity Type | Description |
---|---|
SCIM User | A default SCIM user with the properties defined in Section 4.1 of RFC 7643 (core User schema) and Section 4.3 of RFC 7643 (Enterprise User schema extension). You can extend those properties by creating system identity type attributes in the CoreOne Suite Admin UI. |
SCIM User
The following user attributes can be managed by default.
SCIM supports complex and multi-valued attributes. Attributes in the CoreOne Suite are, by default, flat objects. To simplify this use case, the system identity type attributes follow a simple transformation: the complex SCIM name consists of a familyName, givenName and so on, and within the CoreOne Suite we simply track them as name.familyName, name.givenName and so on. The attribute names below are the RFC 7643 names in that dotted form.
Attribute | Description |
---|---|
userName | The username of the user |
name.formatted | The formatted name, similar to the display name |
name.familyName | The family name of the user |
name.givenName | The given name of the user |
name.middleName | The middle name of the user |
name.honorificPrefix | The honorific prefix(es) of the user |
name.honorificSuffix | The honorific suffix(es) of the user |
displayName | The display name of the user |
nickName | The nickname of the user |
profileUrl | A URI that locates the user's profile |
title | The title of the user |
userType | The type of the user, should an application or system support that |
preferredLanguage | The preferred language, in the format of Section 5.3.5 of RFC 7231 |
locale | The user's default location as specified in RFC 5646 (https://datatracker.ietf.org/doc/html/rfc5646) |
timezone | The user's time zone as specified in RFC 6557 (https://datatracker.ietf.org/doc/html/rfc6557) |
active | An indication whether the user is active or not |
| A |
| A |
| A |
| A |
| A |
Note that Section 4.1.2 of RFC 7643 specifies the groups, entitlements and roles attributes on the user. Those are managed via the assigned resources and not directly on the user itself.
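The dotted transformation described above, as an added Python example (this is not code from the CoreOne Suite): it flattens a SCIM user the way a target system returns it, rebuilds the nested object for a PUT, and derives an RFC 7644 PatchOp from the changed dotted paths, which is the practical difference behind the PATCH/PUT choice in the target system parameters further down. The sample user is constructed; its id, userName and names are made up.

```python
from typing import Any, Dict

# Constructed sample user, in the shape a SCIM target returns it (RFC 7643 section 4.1).
# The id, userName and names are made up for this example.
SAMPLE_USER: Dict[str, Any] = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen",
    "name": {
        "familyName": "Jensen",
        "givenName": "Barbara",
        "honorificPrefix": "Ms.",
    },
    "displayName": "Babs Jensen",
    "active": True,
}

# "schemas" only describes the payload; "id" and "meta" are readOnly per RFC 7643,
# so none of them is ever written back with an update.
_NOT_WRITABLE = ("schemas", "id", "meta")


def flatten(obj: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn nested single-valued complex attributes into dotted keys
    (name.familyName, name.givenName, ...). Multi-valued attributes (lists)
    are kept as they are; the dotted convention only covers complex values."""
    flat: Dict[str, Any] = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def unflatten(flat: Dict[str, Any]) -> Dict[str, Any]:
    """Inverse of flatten: rebuild the nested SCIM object from dotted keys."""
    nested: Dict[str, Any] = {}
    for path, value in flat.items():
        *parents, leaf = path.split(".")
        node = nested
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return nested


def put_body(flat: Dict[str, Any]) -> Dict[str, Any]:
    """PUT replaces the whole resource (RFC 7644 section 3.5.1), so the full
    nested object is sent; "schemas" stays, read-only attributes are dropped."""
    keep = {k: v for k, v in flat.items() if k.split(".")[0] not in ("id", "meta")}
    return unflatten(keep)


def patch_body(old_flat: Dict[str, Any], new_flat: Dict[str, Any]) -> Dict[str, Any]:
    """PATCH sends only what changed, one PatchOp operation per dotted path:
    "replace" for changed or newly set values (RFC 7644 treats replace of an
    absent attribute as add), "remove" for values that disappeared."""
    ops = []
    for path in sorted(set(old_flat) | set(new_flat)):
        if path.split(".")[0] in _NOT_WRITABLE:
            continue
        if path not in new_flat:
            ops.append({"op": "remove", "path": path})
        elif old_flat.get(path) != new_flat[path]:
            ops.append({"op": "replace", "path": path, "value": new_flat[path]})
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations": ops}
```

An empty Operations list means nothing changed and no request needs to be sent at all; a target that receives an empty PatchOp is within its rights to reject it.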
System Resource Types
The following system resource types are supported:
Resource Type | Description |
---|---|
SCIM Group | A SCIM Group according to Section 4.2 of RFC 7643 |
Target System Parameters
Whenever you connect a SCIM system to the CoreOne Suite you need to specify the following parameters.
Parameter | Mandatory | Example | Description |
---|---|---|---|
| | https://scim.webapp.com | The base URL of the SCIM endpoint. |
Login base url | | https://scim.webapp.com/login | The endpoint where authentication for the SCIM endpoint is performed. It is called with the username and password as an HTTP Basic Authentication request and has to return a bearer token in the form { "Token": "..." }. |
Login username | | svc_cos | The username used for authentication. |
Login password | | ******* | The password of that user. |
| | false | Disables certificate validation if the TLS handshake cannot be performed because of invalid certificates. Be very cautious with this: without validation the connector will send its credentials and all user data to any endpoint that impersonates the target. Only disable it if really necessary, and fix the certificate instead where you can. |
| | Updates done via PATCH method | Defines with which HTTP method identity updates are sent. Currently PATCH and PUT are supported. |
| | Updates done via PATCH method | Defines with which HTTP method resource updates are sent. Currently PATCH and PUT are supported. |
| | false | If true, sets all attributes missing from the entity the target system sends back to the default values of their respective data types. Usually the target system returns the whole entity with all attributes, so this does not need to be enabled. |
Scim OAuth parameters | | | JSON-serialized dictionary of parameters used for OAuth authentication. |
SCIM Authentication
There are different ways to authenticate to SCIM. Which one is used depends on the combination of four parameters: Login base url, Login username, Login password and Scim OAuth parameters.
Authentication | Description | Parameters |
---|---|---|
Anonymous | No authentication header is sent with the requests to SCIM. | All four empty |
Basic | A Basic authentication header with username and password is sent with every request to SCIM. | Login username, Login password |
Token with Basic | A Basic authentication header with username and password is sent to the Login base url. The obtained token is sent as a Bearer token with every request to SCIM. | Login base url, Login username, Login password |
Token with OAuth | An OAuth request is made with the parameters from Scim OAuth parameters. The obtained token is sent as a Bearer token with every request to SCIM. As of writing, this option was not used by customers, so it may contain bugs; use with caution. | Scim OAuth parameters |
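The mode selection and header construction from the table above, as an added Python example that is not the connector's code. The dictionary keys login_base_url, login_username, login_password and scim_oauth_parameters are this example's own names mirroring the parameters; the layout of the OAuth dictionary (token_url, client_id, client_secret, optional scope, client_credentials grant) is an assumption, since the page does not specify it. The HTTP call is injected as a function so the logic runs offline, and credentials are refused over non-HTTPS URLs unless explicitly allowed, which is the same trade-off as the certificate-validation parameter above.

```python
import base64
import json
from typing import Callable, Dict, Optional
from urllib.parse import urlencode, urlparse

# Parameters as this example names them (keys mirror the table above; the
# connector's internal parameter names are not documented on this page).
Params = Dict[str, Optional[str]]

# (url, headers, body) -> response body. Injected so the logic is testable
# offline; in production wrap urllib.request or requests here.
Poster = Callable[[str, Dict[str, str], bytes], bytes]


def auth_mode(p: Params) -> str:
    """Pick the mode from which parameters are set, most specific first."""
    if p.get("scim_oauth_parameters"):
        return "token_oauth"
    if p.get("login_base_url") and p.get("login_username") and p.get("login_password"):
        return "token_basic"
    if p.get("login_username") and p.get("login_password"):
        return "basic"
    return "anonymous"


def basic_header(username: str, password: str) -> str:
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def require_https(url: str, allow_insecure: bool) -> None:
    """A Basic header or client secret is a cleartext credential; only send it over TLS."""
    if urlparse(url).scheme != "https" and not allow_insecure:
        raise ValueError(f"refusing to send credentials to non-HTTPS URL: {url}")


def _extract_token(body: bytes, key: str) -> str:
    """Fail closed: anything other than a non-empty string under `key` is an error."""
    try:
        token = json.loads(body).get(key)
    except (ValueError, AttributeError):
        token = None
    if not isinstance(token, str) or not token:
        raise ValueError(f"token endpoint did not return a non-empty '{key}'")
    return token


def authorization_header(p: Params, post: Poster, allow_insecure: bool = False) -> Dict[str, str]:
    """Return the header(s) to attach to every SCIM request for these parameters."""
    mode = auth_mode(p)
    if mode == "anonymous":
        return {}
    if mode == "basic":
        return {"Authorization": basic_header(p["login_username"], p["login_password"])}
    if mode == "token_basic":
        # Basic auth against the login endpoint; expect { "Token": "..." } back.
        url = p["login_base_url"]
        require_https(url, allow_insecure)
        hdrs = {"Authorization": basic_header(p["login_username"], p["login_password"])}
        reply = post(url, hdrs, b"")
        return {"Authorization": "Bearer " + _extract_token(reply, "Token")}
    # token_oauth: ASSUMED client_credentials grant (RFC 6749 section 4.4); the
    # page does not define the keys of the OAuth parameter dictionary.
    o = json.loads(p["scim_oauth_parameters"])
    require_https(o["token_url"], allow_insecure)
    form = urlencode({
        "grant_type": "client_credentials",
        "client_id": o["client_id"],
        "client_secret": o["client_secret"],
        "scope": o.get("scope", ""),
    }).encode("ascii")
    reply = post(o["token_url"], {"Content-Type": "application/x-www-form-urlencoded"}, form)
    return {"Authorization": "Bearer " + _extract_token(reply, "access_token")}
```

Note that the token modes fetch a token once and reuse it; the page says nothing about token lifetime, so a real client must also handle a 401 on a SCIM request by re-authenticating rather than looping on a stale token.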
Context Assignment
The SCIM Connector supports the assignment context as described here. As this assignment context is not part of the standard SCIM definition, we make use of SCIM's capability to extend the schema. Whenever an assignment is made with a context, first the assignment context transformations are applied and then the result is provisioned as the relations property.
This is done by calling the resource endpoint with a PATCH request. The content of the patch is shown below. As you can see, an array of members is passed to the relations path as well as to the members path. The difference is that the array passed to the relations path also contains the full context: in this case the user and the resource, where the latter identifies the context. In this example, we patch the taxes group and add the same user twice, once in the context of BestRun Inc. and once in the context of ITSENSE AG (the two entries under the relations path).
curl --request PATCH \
  --url http://your.scimapplication.com/groups/taxes \
  --header 'Content-Type: application/json' \
  --data '{
    "Schemas": [
      "urn:ietf:params:scim:api:messages:2.0:PatchOp",
      "urn:ietf:params:scim:schemas:core:2.0:Group"
    ],
    "Operations": [
      {
        "Path": "members",
        "Op": "Add",
        "Value": [
          { "Value": "1233443" },
          { "Value": "1233443" }
        ]
      },
      {
        "Path": "relations",
        "Op": "Add",
        "Value": [
          {
            "User": "1233443",
            "Type": "Any",
            "Resource": "BestRun Inc."
          },
          {
            "User": "1233443",
            "Type": "Any",
            "Resource": "ITSENSE AG"
          }
        ]
      }
    ]
  }'
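Both sides of that exchange, as an added Python example (not code from the CoreOne Suite): building the PatchOp body shown above from a list of context assignments, and what a target system that implements the relations extension has to do when it receives it. The assignments are constructed to match the curl example; the member id and context names are the page's placeholder values.

```python
from typing import Any, Dict, List

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed assignments: the same user in two contexts, as in the curl example.
ASSIGNMENTS: List[Dict[str, str]] = [
    {"user": "1233443", "type": "Any", "resource": "BestRun Inc."},
    {"user": "1233443", "type": "Any", "resource": "ITSENSE AG"},
]


def build_context_patch(assignments: List[Dict[str, str]]) -> Dict[str, Any]:
    """Build the PatchOp body shown above: one members entry and one relations
    entry per assignment, the relations entry carrying the full context."""
    if not assignments:
        raise ValueError("nothing to add")
    members = [{"Value": a["user"]} for a in assignments]
    relations = [
        {"User": a["user"], "Type": a["type"], "Resource": a["resource"]} for a in assignments
    ]
    return {
        "Schemas": [PATCH_OP, GROUP],
        "Operations": [
            {"Path": "members", "Op": "Add", "Value": members},
            {"Path": "relations", "Op": "Add", "Value": relations},
        ],
    }


def apply_context_patch(group: Dict[str, Any], body: Dict[str, Any]) -> Dict[str, Any]:
    """Receiving side. members behaves as a set, so the duplicate member entry in
    the example collapses; relations keeps one entry per distinct context; and a
    relation that names a user who is not a member is rejected rather than stored,
    so the extension can never grant a context to someone the group does not contain."""
    if PATCH_OP not in body.get("Schemas", []):
        raise ValueError("not a PatchOp message")
    new: Dict[str, List[Dict[str, Any]]] = {
        "members": list(group.get("members", [])),
        "relations": list(group.get("relations", [])),
    }
    for op in body["Operations"]:
        if op["Op"].lower() != "add":
            raise ValueError(f"unsupported op {op['Op']!r}")
        path = op["Path"]
        if path not in new:
            raise ValueError(f"unknown path {path!r}")
        for entry in op["Value"]:
            if entry not in new[path]:
                new[path].append(entry)
    member_ids = {m["Value"] for m in new["members"]}
    for r in new["relations"]:
        if r["User"] not in member_ids:
            raise ValueError(f"relation for non-member {r['User']!r}")
    return new
```

A target that does not implement the extension will answer the relations operation with an invalidPath error, and because a SCIM PATCH is atomic (RFC 7644 section 3.5.2) the members operation in the same request is then rolled back as well; the connector therefore needs the extension to be in place before any context assignment can be provisioned.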
Identity functions
The following identity functions are supported:
Function | Supported |
---|---|
Create/delete identities | |
Provisioning identities | |
Update identities | |
Provisioning identity updates | |
Deprovision identities | |
Cleanup of inactive identities active | - |
Check password changed active | - |
Resources functions
The following resource functions are supported:
Function | Supported |
---|---|
Create/delete resources | |
Provision resources | |
Update resources | |
Provisioning resource changes | |
Deprovisioning resources | |
Provisioning resource allocations | |
Deprovisioning resource allocations | |
Provisioning resource-resource allocations | - |
Deprovisioning resource-resource allocations | - |
Cleanup functions
The following cleanup functions are supported:
Function | Supported |
---|---|
Available in the should/actual log | |
Should-be / actually-is cleanup | - |
Read back account properties | - |
Resource identity member target system cleanup | - |
Resource resource member target system cleanup | - |
© ITSENSE AG. All rights reserved. ITSENSE and CoreOne are registered trademarks of ITSENSE AG.