Synchronize data between IDM and a SCIM provider
This sample demonstrates bidirectional synchronization between IDM and accounts configured to the System for Cross-domain Identity Management. As noted on their website, "The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identities in cloud-based applications and services easier."
While this sample has been built to comply with SCIM 2.0 standards, it’s been tested with a SCIM 1.1 provider.
This sample assumes you’ve configured SCIM on a third-party system. From that system you’ll need the following configuration properties:
- OAuth 2.0 Client ID
- OAuth 2.0 Client Secret
- OAuth 2.0 Token
- SCIM Endpoint
- SCIM Version
- Properties that you want to reconcile from the SCIM provider
Depending on your provider, you may want to modify the |
For more information on the SCIM connector, including properties for the provisioner.openicf-scim.json file, see connector-reference:scim.adoc#scim.
Run the sample
In this section, you will do the following:
- Start IDM with the sample configuration.
- Configure the SCIM connector and test your connection to the third-party SCIM provider.
- Reconcile your SCIM accounts with the IDM managed user repository.
- Change a user in IDM and reconcile the changes back to the third-party SCIM provider.
- Reconcile your SCIM roles with the IDM managed role repository.
The mapping configuration file (sync.json) for this sample includes four mappings, which you’ll use to reconcile users and roles:
- systemScimAccount_managedUser
- managedUser_systemScimAccount
- systemScimGroup_managedRole
- managedRole_systemScimGroup
- Start IDM with the configuration for the SCIM sample:

      cd /path/to/openidm/
      ./startup.sh -p samples/sync-with-scim

- Configure the SCIM connector in the following configuration file: samples/sync-with-scim/conf/provisioner.openicf-scim.json. Depending on the requirements of your third-party SCIM provider, it may be acceptable to have a null value for properties such as user, password, and tokenEndpoint.
- Test the connection to your third-party SCIM provider with the following command:

      curl \
      --header "X-OpenIDM-Username: openidm-admin" \
      --header "X-OpenIDM-Password: openidm-admin" \
      --header "Accept-API-Version: resource=1.0" \
      --request POST \
      "http://localhost:8080/openidm/system?_action=test"

      [
        {
          "name": "scim",
          "enabled": true,
          "config": "config/provisioner.openicf/scim",
          "connectorRef": {
            "bundleVersion": "1.5.20.15",
            "bundleName": "org.forgerock.openicf.connectors.scim-connector",
            "connectorName": "org.forgerock.openicf.connectors.scim.ScimConnector"
          },
          "displayName": "Scim Connector",
          "objectTypes": [
            "__ALL__",
            "account",
            "group"
          ],
          "ok": true
        }
      ]

  A status of "ok": true indicates that the connector can connect to your third-party SCIM provider.
- To reconcile your existing third-party SCIM users with the IDM managed user repository, do one of the following:
  - Run the command:

        curl \
        --header "X-OpenIDM-Username: openidm-admin" \
        --header "X-OpenIDM-Password: openidm-admin" \
        --header "Accept-API-Version: resource=1.0" \
        --request POST \
        "http://localhost:8080/openidm/recon?_action=recon&mapping=systemScimAccount_managedUser&waitForCompletion=true"

        {
          "_id": "bdba3003-0c8a-4543-9efb-26269c78fa8b-96949",
          "state": "SUCCESS"
        }

  - In the admin UI, select Configure > Mappings, and select Reconcile on the systemScimAccount_managedUser mapping.
- In the admin UI, select Manage > User and verify that the users from the third-party SCIM provider have been created as IDM managed users.
- In the admin UI, select Manage > User, select a user to edit, and change one of the user properties.
- To reconcile the users in the managed user repository with your SCIM users, do one of the following:
  - Run the command:

        curl \
        --header "X-OpenIDM-Username: openidm-admin" \
        --header "X-OpenIDM-Password: openidm-admin" \
        --header "Accept-API-Version: resource=1.0" \
        --request POST \
        "http://localhost:8080/openidm/recon?_action=recon&mapping=managedUser_systemScimAccount&waitForCompletion=true"

        {
          "_id": "bdba3003-0c8a-4543-9efb-26269c78fa8b-104117",
          "state": "SUCCESS"
        }

  - In the admin UI, select Configure > Mappings, and then select Reconcile on the managedUser_systemScimAccount mapping.
- Verify that the contact was updated on your third-party SCIM provider.
- Repeat the process with roles. To reconcile existing third-party SCIM roles with IDM managed roles, do one of the following:
  - Run the command:

        curl \
        --header "X-OpenIDM-Username: openidm-admin" \
        --header "X-OpenIDM-Password: openidm-admin" \
        --header "Accept-API-Version: resource=1.0" \
        --request POST \
        "http://localhost:8080/openidm/recon?_action=recon&mapping=systemScimGroup_managedRole&waitForCompletion=true"

        {
          "_id": "7dac3ea9-c6be-4ff9-ae46-d8a0431949b3-7745",
          "state": "SUCCESS"
        }

  - In the admin UI, select Configure > Mappings, and select Reconcile on the systemScimGroup_managedRole mapping.
- In the admin UI, select Manage > Role, select a role to edit, and add a user to that role.
- To reconcile the roles in the managed user repository with your SCIM users, do one of the following:
  - Run the command:

        curl \
        --header "X-OpenIDM-Username: openidm-admin" \
        --header "X-OpenIDM-Password: openidm-admin" \
        --header "Accept-API-Version: resource=1.0" \
        --request POST \
        "http://localhost:8080/openidm/recon?_action=recon&mapping=managedRole_systemScimGroup&waitForCompletion=true"

        {
          "_id": "bdba3003-0c8a-4543-9efb-26269c78fa8b-112074",
          "state": "SUCCESS"
        }

  - In the admin UI, select Configure > Mappings, and select Reconcile on the managedRole_systemScimGroup mapping.
- Verify that the role was updated on your third-party SCIM provider.
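The connector test and the four reconciliation calls in this procedure can be scripted so that a connector that does not report "ok": true, or a recon that does not end in state SUCCESS, stops the run instead of being silently accepted. This is an added example, not code from the ForgeRock sample; it assumes the IDM URL, admin credentials and headers shown in the curl commands above, and the constructed SAMPLE_* responses are shaped like the sample's output purely so the checks can be exercised offline.

```python
import json
import sys
import urllib.request

# Endpoint and headers exactly as used by the sample's curl commands
IDM_URL = "http://localhost:8080/openidm"
HEADERS = {
    "X-OpenIDM-Username": "openidm-admin",
    "X-OpenIDM-Password": "openidm-admin",
    "Accept-API-Version": "resource=1.0",
}
# The four mappings from the sample's sync.json, in the order the sample runs them
MAPPINGS = ("systemScimAccount_managedUser", "managedUser_systemScimAccount",
            "systemScimGroup_managedRole", "managedRole_systemScimGroup")

def connector_ok(test_response, name="scim"):
    # True only if connector `name` is listed, enabled, and reports "ok": true
    for entry in test_response:
        if entry.get("name") == name:
            return entry.get("enabled") is True and entry.get("ok") is True
    return False

def recon_succeeded(recon_response):
    # Trust a recon run only when it ends in state SUCCESS
    return recon_response.get("state") == "SUCCESS"

def recon_url(mapping):
    if mapping not in MAPPINGS:
        raise ValueError(f"unknown mapping {mapping!r}")
    return f"{IDM_URL}/recon?_action=recon&mapping={mapping}&waitForCompletion=true"

def post_json(url):
    # Live POST to IDM with the sample's headers; decodes the JSON reply
    req = urllib.request.Request(url, method="POST", headers=HEADERS)
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.load(resp)

# Constructed sample responses, shaped like the output shown in the sample
SAMPLE_TEST = [{"name": "scim", "enabled": True, "ok": True}]
SAMPLE_RECON = {"_id": "constructed-recon-id", "state": "SUCCESS"}

if __name__ == "__main__":
    mapping = sys.argv[1] if len(sys.argv) > 1 else MAPPINGS[0]
    if not connector_ok(post_json(f"{IDM_URL}/system?_action=test")):
        sys.exit("SCIM connector test failed; check provisioner.openicf-scim.json")
    result = post_json(recon_url(mapping))
    if not recon_succeeded(result):
        sys.exit(f"recon {mapping} ended in state {result.get('state')}")
    print(f"recon {result.get('_id')} for {mapping}: {result['state']}")
```

Run it once per step with the mapping name as the argument (for example `python recon.py managedUser_systemScimAccount` after editing a user in the admin UI), so the manual edits between steps still happen in the order the sample describes.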