Custom SCIM 2.0 attribute mappings for extended schemas
You can map custom attributes defined in extended schemas to System for Cross-domain Identity Management (SCIM) 2.0 sync destinations.
Consider the following example JSON that creates testUser using SCIM 2.0 and includes the custom attributes workAnniversary and employeeAge from an extended schema:
{
  "schemas": [
    "urn:ietf:params:scim:schemas:extension:gluu:2.0:User",
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "7e929a2d-18d3-462f-8c32-653a9ed170e2",
  "meta": {
    "resourceType": "User",
    "created": "2022-12-07T03:33:45.469Z",
    "lastModified": "2022-12-07T03:34:45.830Z",
    "location": "https://rhel8/identity/restv1/scim/v2/Users/7e929a2d-18d3-462f-8c32-653a9ed170e2"
  },
  "userName": "testUser",
  "name": {
    "familyName": "User",
    "givenName": "Test",
    "formatted": "Test User"
  },
  "active": true,
  "displayName": "Test User",
  "urn:ietf:params:scim:schemas:extension:gluu:2.0:User": {
    "workAnniversary": "1994-12-16T10:32:00Z",
    "employeeAge": 55
  }
}
To map custom attributes for synchronization with the SCIM 2.0 destination, you must:
- Create a composed complex attribute mapping with the custom schema URN
- Define any custom attributes associated with the custom schema as sub-attributes of the complex attribute
For example, to map the custom attributes workAnniversary and employeeAge, use the following commands.
To map the sub-attribute employeeAge:
dsconfig create-scim2-attribute-mapping \
  --mapping-name urn:ietf:params:scim:schemas:extension:gluu:2.0:User.employeeAge \
  --type number \
  --set scim-attribute-name:employeeAge \
  --set attribute-usage:create-during-realtime-sync \
  --set attribute-usage:create-during-resync \
  --set attribute-usage:update-during-realtime-sync \
  --set attribute-usage:update-during-resync \
  --set ldap-attribute-name:loginGraceLimit \
  --set single-valued:true \
  --set default-value:55
To map the sub-attribute workAnniversary:
dsconfig create-scim2-attribute-mapping \
  --mapping-name urn:ietf:params:scim:schemas:extension:gluu:2.0:User.workAnniversary \
  --type date-time \
  --set scim-attribute-name:workAnniversary \
  --set attribute-usage:create-during-realtime-sync \
  --set attribute-usage:create-during-resync \
  --set attribute-usage:update-during-realtime-sync \
  --set attribute-usage:update-during-resync \
  --set ldap-attribute-name:loginTime \
  --set single-valued:true \
  --set default-value:1994-12-16T10:32:00Z
To map the composed complex attribute:
dsconfig create-scim2-attribute-mapping \
  --mapping-name urn:ietf:params:scim:schemas:extension:gluu:2.0:User \
  --type composed-complex \
  --set scim-attribute-name:urn:ietf:params:scim:schemas:extension:gluu:2.0:User \
  --set attribute-usage:create-during-realtime-sync \
  --set attribute-usage:create-during-resync \
  --set attribute-usage:fetch \
  --set attribute-usage:update-during-realtime-sync \
  --set attribute-usage:update-during-resync \
  --set sub-attribute-mapping:urn:ietf:params:scim:schemas:extension:gluu:2.0:User.employeeAge \
  --set sub-attribute-mapping:urn:ietf:params:scim:schemas:extension:gluu:2.0:User.workAnniversary
After running the previous example commands, you must add the composed complex attribute to the list of attribute mappings for the appropriate SCIM 2.0 endpoint mapping.
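To confirm that a synchronized resource carries the extension the way the mappings above define it, you can check a user fetched from the SCIM 2.0 destination. The following Python check is an added example, not part of the product or its documentation; the function names are hypothetical and the expected types are taken from the --type values in the commands above.

```python
from datetime import datetime

EXT_URN = "urn:ietf:params:scim:schemas:extension:gluu:2.0:User"
# Sub-attribute name -> SCIM type given with --type in the mapping commands.
EXPECTED = {"employeeAge": "number", "workAnniversary": "date-time"}

def _is_number(v):
    # bool is a subclass of int in Python; JSON true/false is not a number.
    return isinstance(v, (int, float)) and not isinstance(v, bool)

def _is_datetime(v):
    try:
        # Accept the trailing-Z UTC form used in the example resource.
        datetime.fromisoformat(v.replace("Z", "+00:00"))
        return True
    except (AttributeError, ValueError):
        return False

CHECKS = {"number": _is_number, "date-time": _is_datetime}

def check_extension(resource):
    """Return a list of problems with the extension block (empty if none)."""
    problems = []
    if EXT_URN not in resource.get("schemas", []):
        problems.append("extension URN not declared in 'schemas'")
    ext = resource.get(EXT_URN)
    if not isinstance(ext, dict):
        return problems + ["extension URN is not a complex (object) attribute"]
    for name, scim_type in EXPECTED.items():
        if name not in ext:
            problems.append(f"missing sub-attribute {name}")
        elif not CHECKS[scim_type](ext[name]):
            problems.append(f"{name} is not a valid {scim_type}")
    # Sub-attributes belong under the URN, not at the top level of the resource.
    for name in EXPECTED.keys() & resource.keys():
        problems.append(f"{name} found at top level instead of under the URN")
    return problems

# Constructed sample: the testUser resource from this page, trimmed.
SAMPLE = {
    "schemas": [EXT_URN, "urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "testUser",
    EXT_URN: {"workAnniversary": "1994-12-16T10:32:00Z", "employeeAge": 55},
}

if __name__ == "__main__":
    print(check_extension(SAMPLE) or "extension block OK")
```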