--- title: Synchronize data between IDM and a SCIM provider description: "This sample demonstrates bidirectional synchronization between IDM and accounts configured to the System for Cross-domain Identity Management. As noted on their website, \"The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identities in cloud-based applications and services easier.\"" component: pingidm version: 8.1 page_id: pingidm:samples-guide:sync-with-scim canonical_url: https://docs.pingidentity.com/pingidm/8.1/samples-guide/sync-with-scim.html keywords: ["Samples", "Synchronization", "SCIM"] section_ids: sample-scim-running: Run the sample --- # Synchronize data between IDM and a SCIM provider This sample demonstrates bidirectional synchronization between IDM and accounts configured to the [System for Cross-domain Identity Management](http://www.simplecloud.info/). As noted on their website, "The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identities in cloud-based applications and services easier." While this sample has been built to comply with SCIM 2.0 standards, it's been tested with a SCIM 1.1 provider. This sample assumes you've configured SCIM on a third-party system. From that system you'll need the following configuration properties: * OAuth 2.0 Client ID * OAuth 2.0 Client Secret * OAuth 2.0 Token * SCIM Endpoint * SCIM Version * Properties that you want to reconcile from the SCIM provider | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Depending on your provider, you may want to modify the `sync.json` file for this sample to match the properties from the SCIM provider to appropriate properties for IDM. | For more information on the SCIM connector, including properties for the `provisioner.openicf-scim.json` file, refer to [SCIM connector](https://docs.pingidentity.com/openicf/connector-reference/scim.html#scim). ## Run the sample | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | Starting with IDM 8.1, the [legacy admin UI is deprecated](../release-notes/deprecated-functionality.html#legacy-admin-ui-deprecated) and is no longer bundled with IDM. New deployments should use the [Platform admin UI](../setup-guide/platform-admin-ui.html), which is the replacement for the legacy admin UI.Both UIs are available as separate downloads from the [Backstage download site](https://backstage.forgerock.com/downloads):- To install the Platform admin UI, follow the steps in [Install the Platform admin UI for standalone IDM](../setup-guide/platform-admin-ui.html). - To continue using the legacy admin UI, follow the steps in [Install the legacy admin UI](../setup-guide/legacy-admin-ui.html). | In this section, you will do the following: * Start IDM with the sample configuration. * Configure the SCIM connector and test your connection to the third-party SCIM provider. * Reconcile your SCIM accounts with the IDM managed user repository. * Change a user in IDM and reconcile the changes back to the third-party SCIM provider. * Reconcile your SCIM roles with the IDM managed role repository. The mapping configuration file (`sync.json`) for this sample includes four mappings, which you'll use to reconcile users and roles: * `systemScimAccount_managedUser` * `managedUser_systemScimAccount` * `systemScimGroup_managedRole` * `managedRole_systemScimGroup` 1. [Set up DS](start-here.html#ldap-server-config) without importing any LDIF file or [select another repository](../install-guide/chap-repository.html) for the sample. 2. Start IDM with the configuration for the SCIM sample: ``` cd /path/to/openidm/ ./startup.sh -p samples/sync-with-scim ``` 3. Configure the SCIM connector, in the following configuration file: `samples/sync-with-scim/conf/provisioner.openicf-scim.json` . | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Depending on the requirements of your third-party SCIM provider, it may be acceptable to have a `null` value for properties such as `user`, `password`, and `tokenEndpoint`. | 4. Test the connection to your third-party SCIM provider with the following command: ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request POST \ "http://localhost:8080/openidm/system?_action=test" [ { "name": "scim", "enabled": true, "config": "config/provisioner.openicf/scim", "connectorRef": { "bundleVersion": "1.5.20.31", "bundleName": "org.forgerock.openicf.connectors.scim-connector", "connectorName": "org.forgerock.openicf.connectors.scim.ScimConnector" }, "displayName": "Scim Connector", "objectTypes": [ "__ALL__", "account", "group" ], "ok": true } ] ``` A status of `"ok": true` indicates that the connector can connect to your third-party SCIM provider. 5. To reconcile your existing third-party SCIM users with the IDM managed user repository, do one of the following: * Run the command: ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request POST \ "http://localhost:8080/openidm/recon?_action=recon&mapping=systemScimAccount_managedUser&waitForCompletion=true" { "_id": "bdba3003-0c8a-4543-9efb-26269c78fa8b-96949", "state": "SUCCESS" } ``` * In the admin UI, select Configure > Mappings, and select Reconcile on the `systemScimAccount_managedUser` mapping. 6. In the admin UI, select Manage > User and verify that the users from the third-party SCIM provider have been created as IDM managed users. 7. In the admin UI, select Manage > User, select a user to edit, and change one of the user properties. 8. To reconcile the users in the managed user repository with your SCIM users, do one of the following: * Run the command: ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request POST \ "http://localhost:8080/openidm/recon?_action=recon&mapping=managedUser_systemScimAccount&waitForCompletion=true" { "_id": "bdba3003-0c8a-4543-9efb-26269c78fa8b-104117", "state": "SUCCESS" } ``` * In the admin UI, select Configure > Mappings, and then select Reconcile on the `managedUser_systemScimAccount` mapping. 9. Verify that the contact was updated on your third-party SCIM provider. 10. Repeat the process with roles. To reconcile existing third-party SCIM roles with IDM managed roles, do one of the following: * Run the command: ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request POST \ "http://localhost:8080/openidm/recon?_action=recon&mapping=systemScimGroup_managedRole&waitForCompletion=true" { "_id": "7dac3ea9-c6be-4ff9-ae46-d8a0431949b3-7745", "state": "SUCCESS" } ``` * In the admin UI, select Configure > Mappings, and select Reconcile on the `systemScimGroup_managedRole` mapping. 11. In the admin UI, select Manage > Role, select a role to edit, and add a user to that role. 12. To reconcile the roles in the managed user repository with your SCIM users, do one of the following: * Run the command:: ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request POST \ "http://localhost:8080/openidm/recon?_action=recon&mapping=managedRole_systemScimGroup&waitForCompletion=true" { "_id": "bdba3003-0c8a-4543-9efb-26269c78fa8b-112074", "state": "SUCCESS" } ``` * In the admin UI, select Configure > Mappings, and select Reconcile on the `managedRole_systemScimGroup` mapping. 13. Verify that the role was updated on your third-party SCIM provider.