IDM 7.2.2

SCIM connector

Connectors continue to be released outside the IDM release. For the latest documentation, refer to the ICF documentation.

The SCIM connector is based on the Simple Cloud Identity Management (SCIM) protocol and lets you manage user and group accounts on any SCIM-compliant resource provider, such as Slack or Facebook. The SCIM connector implements both 1.1 and 2.0 endpoints.

The SCIM connector uses the Apache HTTP client, which leverages the HTTP client connection pool, not the ICF connector pool.

You cannot configure the SCIM connector through the UI. Configure the connector over REST, as described in Configure Connectors Over REST.

Create a connector configuration file in your project’s conf directory:

Configure the SCIM Connector Using the Filesystem
  1. Copy /path/to/openidm/samples/example-configurations/provisioners/provisioner.openicf-scim.json to your project’s conf/ directory.

  2. Edit conf/provisioner.openicf-scim.json , as necessary. The following changes are required:

    • "enabled" : true

    • To specify the connection details to the SCIM resource provider, set the configurationProperties. The required properties vary, based on the authenticationMethod:

      OAUTH

      The minimum required properties are grantType, SCIMEndpoint, tokenEndpoint, clientId, and clientSecret.

      BASIC

      The minimum required properties are user and password.

      TOKEN

      The minimum required property is authToken.

    Sample Configuration Using OAUTH
    "configurationProperties" : {
        "SCIMEndpoint" : "https://example.com/scim",
        "SCIMVersion" : 1,
        "authenticationMethod" : "OAUTH",
        "user" : null,
        "password" : null,
        "tokenEndpoint" : "https://example.com/oauth2/token",
        "clientId" : "Kdvl...................j3fka",
        "clientSecret" : "xxxxxxxxxxxxxxxxxx",
        "acceptSelfSignedCertificates" : true,
        "grantType" : "client_credentials",
        "disableHostNameVerifier" : true,
        "connectionTimeout" : 30,
        "maximumConnections" : 10,
        "httpProxyHost" : null,
        "httpProxyPort" : null
    }
    On startup, IDM encrypts the value of the clientSecret.

After the connector is properly configured, you can test its status:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request POST \
"http://localhost:8080/openidm/system?_action=test"
[
  {
    "name": "SCIM",
    "enabled": true,
    "config": "config/provisioner.openicf/SCIM",
    "connectorRef": {
      "bundleName": "org.forgerock.openicf.connectors.scim-connector",
      "connectorName": "org.forgerock.openicf.connectors.scim.ScimConnector",
      "bundleVersion": "[1.5.0.0,1.6.0.0)"
    },
    "displayName": "Scim Connector",
    "objectTypes": [
      "__ACCOUNT__",
      "__ALL__",
      "__GROUP__"
    ],
    "ok": true
  }
]

A status of "ok": true indicates that the SCIM connector can reach the configured resource provider.

Implementation specifics

For PATCH requests, a connector can potentially add, remove, or replace an attribute value. The SCIM connector does not implement the add or remove operations, so a PATCH request always replaces the entire attribute value with the new value.

Using the SCIM connector with a proxy server

If the IDM server is hosted behind a firewall and requests to the resource provider are routed through a proxy, you must specify the proxy host and port in the connector configuration.

To specify the proxy server details, set the httpProxyHost, and httpProxyPort properties in the connector configuration. For example:

"configurationProperties": {
    ...
    "httpProxyHost": "myproxy.home.com",
    "httpProxyPort": 8080,
    ...
},

OpenICF Interfaces Implemented by the Scim Connector

The Scim Connector implements the following OpenICF interfaces. For additional details, see ICF interfaces:

Create

Creates an object and its uid.

Delete

Deletes an object, referenced by its uid.

Schema

Describes the object types, operations, and options that the connector supports.

Script on Connector

Enables an application to run a script in the context of the connector.

Any script that runs on the connector has the following characteristics:

  • The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.

  • The script has access to a connector variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration.

  • The script has access to any script arguments passed in by the application.

Search

Searches the target resource for all objects that match the specified object class and filter.

Sync

Polls the target resource for synchronization events, that is, native changes to objects on the target resource.

Test

Tests the connector configuration.

Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.

This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).

You can invoke the test operation before a connector configuration has been validated.

Update

Updates (modifies or replaces) objects on a target resource.

Scim Connector Configuration

The Scim Connector has the following configurable properties:

Basic Configuration Properties

Property Type Default Encrypted(1) Required(2)

SCIMEndpoint

String

null

Yes

The HTTP URL defining the root for the SCIM endpoint (https://myserver.com/service/scim)

SCIMVersion

Integer

1

Yes

Defines the SCIM protocol version. Values can be either 1 or 2. Default is 1

authenticationMethod

String

OAUTH

Yes

Defines which method is to be used to authenticate on the remote server. Options are BASIC (username/password), OAUTH (Client id/secret) or TOKEN (static token). Defaults to OAUTH

user

String

null

Yes

In case of BASIC authentication type, this property defines the remote user.

password

GuardedString

null

Yes

No

In case of BASIC authentication type, this property defines the remote password.

tokenEndpoint

String

null

No

When using OAuth, this property defines the endpoint where a new access token should be requested (https://myserver.com/oauth2/token)

clientId

String

null

Yes

Secure client identifier for OAuth2

clientSecret

GuardedString

null

Yes

No

Secure client secret for OAuth2

authToken

GuardedString

null

Yes

No

Some service providers (Slack for instance) use static authentication tokens.

refreshToken

GuardedString

null

Yes

Used by the refresh_token grant type

grantType

String

null

No

The OAuth2 grant type to use (client_credentials or refresh_token)

scope

String

null

No

The OAuth2 scope to use.

acceptSelfSignedCertificates

boolean

false

Yes

To be used for debug/test purposes. To be avoided in production. Defaults to false.

disableHostNameVerifier

boolean

false

Yes

To be used for debug/test purposes. To be avoided in production. Defaults to false.

disableHttpCompression

boolean

false

Yes

Content compression is enabled by default. Set this property to true to disable it. Defaults to false.

clientCertAlias

String

null

Yes

If TLS Mutual Auth is needed, set this to the certificate alias from the keystore.

clientCertPassword

GuardedString

null

Yes

Yes

If TLS Mutual Auth is needed and the client certificate (private key) password is different than the keystore password, set this to the client private key password.

maximumConnections

Integer

10

Yes

Defines the max size of the http connection pool used. Defaults to 10.

httpProxyHost

String

null

Yes

Defines the Hostname if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null.

httpProxyPort

Integer

null

Yes

Defines the Port if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null.

httpProxyUsername

String

null

Yes

Defines Proxy Username if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null.

httpProxyPassword

GuardedString

null

Yes

Yes

Defines Proxy Password if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null.

connectionTimeout

int

30

No

Defines a timeout for the underlying http connection in seconds. Defaults to 30.

authorizationTokenPrefix

String

Bearer

No

The prefix to be used in the Authorization HTTP header for Token authentication. Defaults to "Bearer".

useBasicAuthForOauthTokenNeg

boolean

true

Yes

Client Id and Client Secret are sent in the Header when this is unchecked. Defaults to true.

readRateLimit

String

null

No

Defines throttling for read operations either per seconds ("30/sec") or per minute ("100/min").

acceptHeader

String

null

No

The connector is using "application/json" by default. SCIM V2 Service Provider may require "application/scim+json". It can be overwritten with this property

contentTypeHeader

String

null

No

The connector is using "application/json" by default. SCIM V2 Service Provider may require "application/scim+json". It can be overwritten with this property

writeRateLimit

String

null

No

Defines throttling for write operations (create/update/delete) either per second ("30/sec") or per minute ("100/min").

usePathForPatchV2

boolean

false

No

If true, then "path" will always be included in Patch add or replace operations. If false, it will only be used for remove operations. Defaults to false.

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.