SCIM connector
Connectors continue to be released outside the IDM release. For the latest documentation, refer to the ICF documentation. |
The SCIM connector is based on the Simple Cloud Identity Management (SCIM) protocol and lets you manage user and group accounts on any SCIM-compliant resource provider, such as Slack or Facebook. The SCIM connector implements both 1.1 and 2.0 endpoints.
The SCIM connector uses the Apache HTTP client, which leverages the HTTP client connection pool, not the ICF connector pool.
You cannot configure the SCIM connector through the UI. Configure the connector over REST, as described in Configure Connectors Over REST.
Create a connector configuration file in your project’s conf
directory:
Configure the SCIM Connector Using the Filesystem
-
Copy
/path/to/openidm/samples/example-configurations/provisioners/provisioner.openicf-scim.json
to your project’sconf/
directory. -
Edit
conf/provisioner.openicf-scim.json
, as necessary. The following changes are required:-
"enabled" : true
-
To specify the connection details to the SCIM resource provider, set the
configurationProperties
. The required properties vary, based on theauthenticationMethod
:OAUTH
-
The minimum required properties are
grantType
,SCIMEndpoint
,tokenEndpoint
,clientId
, andclientSecret
. BASIC
-
The minimum required properties are
user
andpassword
. TOKEN
-
The minimum required property is
authToken
.
Sample Configuration Using OAUTH
"configurationProperties" : { "SCIMEndpoint" : "https://example.com/scim", "SCIMVersion" : 1, "authenticationMethod" : "OAUTH", "user" : null, "password" : null, "tokenEndpoint" : "https://example.com/oauth2/token", "clientId" : "Kdvl...................j3fka", "clientSecret" : "xxxxxxxxxxxxxxxxxx", "acceptSelfSignedCertificates" : true, "grantType" : "client_credentials", "disableHostNameVerifier" : true, "connectionTimeout" : 30, "maximumConnections" : 10, "httpProxyHost" : null, "httpProxyPort" : null }
On startup, IDM encrypts the value of the clientSecret
. -
After the connector is properly configured, you can test its status:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request POST \ "http://localhost:8080/openidm/system?_action=test" [ { "name": "SCIM", "enabled": true, "config": "config/provisioner.openicf/SCIM", "connectorRef": { "bundleName": "org.forgerock.openicf.connectors.scim-connector", "connectorName": "org.forgerock.openicf.connectors.scim.ScimConnector", "bundleVersion": "[1.5.0.0,1.6.0.0)" }, "displayName": "Scim Connector", "objectTypes": [ "__ACCOUNT__", "__ALL__", "__GROUP__" ], "ok": true } ]
A status of "ok": true
indicates that the SCIM connector can reach the configured resource provider.
Implementation specifics
For PATCH requests, a connector can potentially add, remove, or replace an attribute value. The SCIM connector does not implement the add or remove operations, so a PATCH request always replaces the entire attribute value with the new value.
Using the SCIM connector with a proxy server
If the IDM server is hosted behind a firewall and requests to the resource provider are routed through a proxy, you must specify the proxy host and port in the connector configuration.
To specify the proxy server details, set the httpProxyHost
, and httpProxyPort
properties in the connector configuration. For example:
"configurationProperties": {
...
"httpProxyHost": "myproxy.home.com",
"httpProxyPort": 8080,
...
},
OpenICF Interfaces Implemented by the Scim Connector
The Scim Connector implements the following OpenICF interfaces. For additional details, see ICF interfaces:
- Create
-
Creates an object and its
uid
. - Delete
-
Deletes an object, referenced by its
uid
. - Schema
-
Describes the object types, operations, and options that the connector supports.
- Script on Connector
-
Enables an application to run a script in the context of the connector.
Any script that runs on the connector has the following characteristics:
-
The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.
-
The script has access to a
connector
variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration. -
The script has access to any script arguments passed in by the application.
-
- Search
-
Searches the target resource for all objects that match the specified object class and filter.
- Sync
-
Polls the target resource for synchronization events, that is, native changes to objects on the target resource.
- Test
-
Tests the connector configuration.
Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.
This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).
You can invoke the test operation before a connector configuration has been validated.
- Update
-
Updates (modifies or replaces) objects on a target resource.
Scim Connector Configuration
The Scim Connector has the following configurable properties:
Basic Configuration Properties
Property | Type | Default | Encrypted(1) | Required(2) |
---|---|---|---|---|
|
|
|
|
Yes |
The HTTP URL defining the root for the SCIM endpoint (https://myserver.com/service/scim) |
||||
|
|
|
|
Yes |
Defines the SCIM protocol version. Values can be either 1 or 2. Default is 1 |
||||
|
|
|
|
Yes |
Defines which method is to be used to authenticate on the remote server. Options are BASIC (username/password), OAUTH (Client id/secret) or TOKEN (static token). Defaults to OAUTH |
||||
|
|
|
|
Yes |
In case of BASIC authentication type, this property defines the remote user. |
||||
|
|
|
Yes |
No |
In case of BASIC authentication type, this property defines the remote password. |
||||
|
|
|
|
No |
When using OAuth, this property defines the endpoint where a new access token should be requested (https://myserver.com/oauth2/token) |
||||
|
|
|
|
Yes |
Secure client identifier for OAuth2 |
||||
|
|
|
Yes |
No |
Secure client secret for OAuth2 |
||||
|
|
|
Yes |
No |
Some service providers (Slack for instance) use static authentication tokens. |
||||
|
|
|
|
Yes |
Used by the refresh_token grant type |
||||
|
|
|
|
No |
The OAuth2 grant type to use (client_credentials or refresh_token) |
||||
|
|
|
|
No |
The OAuth2 scope to use. |
||||
|
|
|
|
Yes |
To be used for debug/test purposes. To be avoided in production. Defaults to false. |
||||
|
|
|
|
Yes |
To be used for debug/test purposes. To be avoided in production. Defaults to false. |
||||
|
|
|
|
Yes |
Content compression is enabled by default. Set this property to true to disable it. Defaults to false. |
||||
|
|
|
|
Yes |
If TLS Mutual Auth is needed, set this to the certificate alias from the keystore. |
||||
|
|
|
Yes |
Yes |
If TLS Mutual Auth is needed and the client certificate (private key) password is different than the keystore password, set this to the client private key password. |
||||
|
|
|
|
Yes |
Defines the max size of the http connection pool used. Defaults to 10. |
||||
|
|
|
|
Yes |
Defines the Hostname if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null. |
||||
|
|
|
|
Yes |
Defines the Port if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null. |
||||
|
|
|
|
Yes |
Defines Proxy Username if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null. |
||||
|
|
|
Yes |
Yes |
Defines Proxy Password if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null. |
||||
|
|
|
|
No |
Defines a timeout for the underlying http connection in seconds. Defaults to 30. |
||||
|
|
|
|
No |
The prefix to be used in the Authorization HTTP header for Token authentication. Defaults to "Bearer". |
||||
|
|
|
|
Yes |
Client Id and Client Secret are sent in the Header when this is unchecked. Defaults to true. |
||||
|
|
|
|
No |
Defines throttling for read operations either per seconds ("30/sec") or per minute ("100/min"). |
||||
|
|
|
|
No |
The connector is using "application/json" by default. SCIM V2 Service Provider may require "application/scim+json". It can be overwritten with this property |
||||
|
|
|
|
No |
The connector is using "application/json" by default. SCIM V2 Service Provider may require "application/scim+json". It can be overwritten with this property |
||||
|
|
|
|
No |
Defines throttling for write operations (create/update/delete) either per second ("30/sec") or per minute ("100/min"). |
||||
|
|
|
|
No |
If true, then "path" will always be included in Patch add or replace operations. If false, it will only be used for remove operations. Defaults to false. |
(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.
(2) A list of operations in this column indicates that the property is required for those operations.