Introduction

The System for Cross-domain Identity Management is a well-known standard for provisioning and managing users accross multiple domains. In a nutshell, it specifies a restful API that an application or a system has to expose that other systems then can use for provisioning and information retrieval purposes. The standard on a high-level is documented on the projects website (http://www.simplecloud.info/ ) and in a more detailed and technical fashion in the appropriate IEFT SCIM Core Schema documentation (https://datatracker.ietf.org/doc/html/rfc7643 ).

The CoreOne Suite SCIM System Connector allows you to provision users to any system that supports the SCIM standard. So if you are thinking about implementing an API for user management for your own applications and systems, SCIM is an easy way to do so that allows you to integrate easily with the CoreOne Suite while following a defined standard that might be used by other applications or systems as well.

System Identity Types

The following system identity types are supported:

Identity Type	Description

Identity Type	Description
`SCIM User`	A default SCIM user with the properties defined in section Section 4.1 of rfc7643 (Standard User Schema) and Section 4.3 of rfc7643 (Enterprise User Schema). You can extend those properties by creation system identity type attributes in the CoreOne Suite Admin UI.

SCIM User

The following user attributes can be manged by default:

SCIM supports complex and multi value attributes. Attributes in the CoreOne Suite are - by default - flat objects. To simplify this use case the system identity type attributes follow a simple transformation. The complex SCIM name conists of a familyName, givenName and so on. Within the CoreOne Suite we simply track them as name.familyName, name.givenName and so on.

Attribute	Description

Attribute	Description
`userName`	The username of the user
`name.formatted`	The formatted name, similar to the display name
`name.familyName`	The family name of the user
`name.givenName`	The given name of the user
`name.middleName`	The middle name of the user
`name.honorificPrefix`	The honorific prefix(es) of the user
`name.honorificSuffix`	The honorific suffix(es) of the User
`displayName`	The display name of the user
`nickName`	The nick name of the user
`profileUrl`	An URI that locates a users profile
`title`	The title of the user
`userType`	The type of a user should an application or system support that
`preferredLanguage`	The prefered language in the format of Section 5.3.5 of rfc7231.
`locale`	The users default location as specified in https://datatracker.ietf.org/doc/html/rfc5646
`timezone`	The users time zone as specified in https://datatracker.ietf.org/doc/html/rfc6557
`active`	An indication whether the user is active or not
`emails`	A `multivalue` field with the users email addresses
`phoneNumbers`	A `multivalue` field with the users phone numbers
`ims`	A `multivalue` field with the users instanst messaging services
`photos`	A `multivalue` field with the users photos
`addresses`	A `multivalue` field with the users addresses

Note that the section 4.1.2 of rfc 7643 specifies a groups, entitlements and a roles attribute on the user. Those are managed via the assigned resources and not directly on the user itself.

System Resource Types

The following system resource types are supported:

Identity Type	Description

Identity Type	Description
`SCIM Group`	A SCIM Group according to section 4.2 of rfc 7643

Target System Parameters

Whenever you connect a SCIM system to the CoreOne Suite you will need to specify the following parameters.

Parameter	Mandatory	Example	Description

Parameter	Example	Description
`API base url`	https://scim.webapp.com	The base url of the SCIM endpoint
`Login base url`	https://scim.webapp.com/login	The endpoint where the authentication for the SCIM endpoint has to be performed This URL gets called together with the Username and Password as HTTP Basic Authentication request and has to return a Bearer Token in the form of { Token: ““ }
`Login username`	svc_cos	The user name to be used for authentication
`Login password`	* * * * * * *	The password of the user
`Disable SSL Handshake`	false	If the SSL handshake can not be performed because of invalid certificates. Be very cautions with this and only disable it if really necessary.
`Scim operation mode - identity`	Updates done via PATCH method	Defines with which HTTP method identity updates should be sent. Currently PATCH and PUT are supported
`Scim operation mode - resource`	Updates done via PATCH method	Defines with which HTTP method resource updates should be sent. Currently PATCH and PUT are supported
`Scim default missing values`	false	If true, sets all the missing attributes on the entity sent back by the target system to the default values of their respective data types. Usually the target system sends back the whole entity with all attributes so this doesn’t need to be enabled.
`Scim OAuth parameters`		JSON-serizalized dictionary of parameters used when using OAuth authentication

SCIM Authentication

There are different ways to authenticate to SCIM. It depends on combination of 3 paramters Login base url, Login username, Login password, Scim OAuth parameters.

Authentication	Description	Parameters

Authentication	Description	Parameters
Anonymous	No authentication header sent with the request to SCIM	All (`Login base url`, `Login username`, `Login password`, `Scim OAuth parameters`) should be empty
Basic	Basic authentication header is sent with username and password	`Login base url` is empty `Login username`, `Login password` contains username and password `Scim OAuth parameters` is empty
Token with Basic	Basic authentication header is sent with username and password to the `Login base url` Obtained token will be send as Bearer token with request to SCIM	`Login base url` is contains authentication service `Login username`, `Login password` contains username and password `Scim OAuth parameters` is empty
Token with OAuth	Oauth request with parameters from `Scim OAuth parameters` is sent to `Login base url` Obtained token is sent as Bearer token with request to SCIM As of writing this option was not used by customers so it may contain bugs - use with caution	`Login base url` is contains authentication service `Login username`, `Login password` are empty `Scim OAuth parameters` contains JSON-serialized dictionary of parameters that will be sent to authentication service

Context Assignment

The SCIM Connector supports the assignment context as described here. As this assignment context is not part of the standard definition in SCIM, we made use of SCIMs capability to extend the schema. Whenever an assignment is made with a context, first the assignment context transformations are applied and then they are provisioned in as the relations property.

This is done by calling the ressource endpoint with a PATCH request. The content of the patch is shown below. As you can see, an array of members will be passed to the relations path as well as to the members path. The difference is, that the array passed to the relations path, also contains the full context. In this case the user and the ressource, whereas the later identifies the context. In this example, we patch the taxes group and add the same user twice. Once in the context of BestRun Inc. (line 29) and once in the context of ITSENSE AG (Line 34).

curl --request PATCH \
  --url http://your.scimapplication.com/groups/taxes\
  --header 'Content-Type: application/json' \
  --data '{
         "Schemas": [
                   "urn:ietf:params:scim:api:messages:2.0:PatchOp",
                   "urn:ietf:params:scim:schemas:core:2.0:Group"
         ],
         "Operations": [
                   {
                            "Path": "members",
                            "Op": "Add",
                            "Value": [
                                      {
                                               "Value": "1233443"
                                      },
                                      {
                                               "Value": "1233443"
                                      }
                            ]
                   },
                   {
                            "Path": "relations",
                            "Op": "Add",
                            "Value": [
                                      {
                                               "User": "1233443",
                                               "Type": "Any",
                                               "Resource": "BestRun Inc."
                                      },
                                      {
                                               "User": "1233443",
                                               "Type": "Any",
                                               "Resource": "ITSENSE AG"
                                      }
                            ]
                   }
         ]
}'

Identity functions

The following identity functions are supported:

System Connector task features	Supported
create/delete identities
provisioning identities
update identities
provisioning identity updates
deprovision identities
cleanup of inactive identities active	-
check password changed active	-

Resources functions

The following resource functions are supported:

System Connector task features	Supported
create/delete resources
provision resources
update resources
provisioning resource changes
deprovisioning resources
provisioning resource allocations
deprovisioning resource allocations
provisioning resources-resource allocations	-
Deprovisioning resource resource allocations	-

Cleanup functions

The following cleanup functions are supported:

System Connector task features	Supported
In the should-actual Log available
Should be - Actually is - cleanup	-
Read back account properties	-
Resource identity member target system clean up	-
Resource resource member target system clean up	-