The server, server, and server support an extension to the SCIM 1.1 standard called the Identity Access API. The Identity Access API provides an alternative to LDAP by supporting CRUD (create, read, update, and delete) operations to access server data over an HTTP connection.
SCIM 1.1 and the Identity Access API are provided as a unified service through the SCIM
HTTP Servlet Extension. The SCIM HTTP Servlet Extension can be configured to only enable
core SCIM resources (for example, 'Users' and 'Groups'), only LDAP object classes (for
groupOfUniqueNames), or both. Because SCIM and the Identity Access API
have different schemas, if both are enabled, there can be two representations with
different schemas for any resources defined in the scim-resources.xml
file: the SCIM representation and the raw LDAP representation. Likewise, because resources
are exposed by an LDAP object class, and because these are hierarchical (e.g.,
inetOrgPerson, etc.), a
client application can access an entry in multiple ways due to the different paths/URIs to
a given resource.
This chapter provides information on configuring the SCIM and the Identity Access API services on the server.