This tutorial describes how to develop a set of access-control policies for the PingAuthorize Server's built-in System for Cross-domain Identity Management (SCIM) REST API.
In the previous section, you used PingAuthorize Server to filter data that an external REST API returned.
While PingAuthorize Server's API security gateway protects existing REST APIs, PingAuthorize Server's built-in SCIM service provides a REST API for accessing and protecting identity data that might be contained in datastores like LDAP and relational databases.
PingAuthorize Server uses SCIM in the following ways:
- Internally, user identities are represented as SCIM identities by way of one or more SCIM resource types and schemas. This approach includes access token subjects, which are always mapped to a SCIM identity.
- A SCIM REST API service provides access to user identities through HTTP.
You will now design a set of policies to control access to the SCIM REST API by using OAuth 2 access token rules.
Before proceeding, make a test request to see how the SCIM REST API responds while only the default policies are in place. As in the previous section, a mock access token is used.
curl --insecure -X GET https://localhost:7443/scim/v2/Me -H 'Authorization: Bearer {"active": true, "sub": "user.1", "scope": "nonexistent.scope", "client_id": "nonexistent.client"}'
Although the precise attribute values might vary, the response returns the SCIM resource that corresponds to user.1.
{"mail":["user.1@example.com"],"initials":["RJV"],"homePhone":["+1 091 438 1890"],
"pager":["+1 472 824 8704"],"givenName":["Romina"],"employeeNumber":"1","telephoneNumber":["+1 319 624 9982"],
"mobile":["+1 650 622 7719"],"sn":["Valerio"],"cn":["Romina Valerio"],
"description":["This is the description for Romina Valerio."],"street":["84095 Maple Street"],
"st":["NE"],"postalAddress":["Romina Valerio$84095 Maple Street$Alexandria, NE 39160"],
"uid":["user.1"],"l":["Alexandria"],"postalCode":["39160"],"entryUUID":"355a133d-58ea-3827-8e8d-b39cf74ddb3e",
"objectClass":["top","person","organizationalPerson","inetOrgPerson"],"entryDN":"uid=user.1,ou=people,o=yeah",
"meta":{"resourceType":"Users",
"location":"https://localhost:7443/scim/v2/Users/355a133d-58ea-3827-8e8d-b39cf74ddb3e"},
"id":"355a133d-58ea-3827-8e8d-b39cf74ddb3e","schemas":["urn:pingidentity:schemas:store:2.0:UserStoreAdapter"]}
This request succeeds, which is not the desired outcome: it shows that any active access token that references a valid user can be used to read any data.
Scenario
In this tutorial, you use OIDC-like scopes email and profile to limit the requestor's data access to specific attributes of the profile that granted the access token. Also, you create a scope scimAdmin that has full access to SCIM-based User resources.
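The scope rules above, modeled as a plain Python reference function (an added example, not PingAuthorize's policy language or code). It parses the tutorial's mock Bearer token format and decides which attributes of a /Me response each scope may expose; the attribute set for profile, the always-visible SCIM envelope attributes, and the trimmed user.1 resource are assumptions constructed for the example.

```python
import json

# Scope-to-attribute mapping for the scenario. The 'profile' set is an assumption;
# the tutorial only says "a few other profile attributes".
SCOPE_ATTRIBUTES = {
    "email": {"mail"},
    "profile": {"givenName", "sn", "cn"},
}
ADMIN_SCOPE = "scimAdmin"
ALWAYS_VISIBLE = {"id", "schemas", "meta"}  # assumption: SCIM envelope stays visible


def parse_mock_token(authorization_header):
    """Parse the mock token the tutorial uses: a JSON object after 'Bearer '."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    try:
        return json.loads(token)
    except ValueError:
        return None


def authorize_me_request(authorization_header, resource):
    """Return the subset of `resource` the token may read, or None if denied."""
    token = parse_mock_token(authorization_header)
    if not token or token.get("active") is not True:
        return None  # missing, malformed or inactive token: deny
    scopes = set(token.get("scope", "").split())
    if ADMIN_SCOPE in scopes:
        return dict(resource)  # scimAdmin: every attribute of any User
    # email/profile only apply to the subject's own profile (/Me)
    if token.get("sub") not in resource.get("uid", []):
        return None
    allowed = set(ALWAYS_VISIBLE)
    for scope in scopes:
        allowed |= SCOPE_ATTRIBUTES.get(scope, set())
    if allowed == ALWAYS_VISIBLE:
        return None  # no known scope granted anything (e.g. nonexistent.scope)
    return {k: v for k, v in resource.items() if k in allowed}


# Constructed sample resource, trimmed from the tutorial's user.1 response.
USER_1 = {"uid": ["user.1"], "mail": ["user.1@example.com"], "givenName": ["Romina"],
          "sn": ["Valerio"], "cn": ["Romina Valerio"], "employeeNumber": "1",
          "id": "355a133d-58ea-3827-8e8d-b39cf74ddb3e",
          "schemas": ["urn:pingidentity:schemas:store:2.0:UserStoreAdapter"]}

if __name__ == "__main__":
    hdr = 'Bearer {"active": true, "sub": "user.1", "scope": "email", "client_id": "c"}'
    print(authorize_me_request(hdr, USER_1))
```

Running the same header variants against the real endpoint with curl and comparing the returned attributes to this function's output is a quick way to check each policy as you add it.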
Tasks
This tutorial walks you through these tasks.
- Create a basic policy structure for scope-based access to SCIM resources.
- Create a policy for the email scope that only allows access to the subject's mail attributes.
- Create a policy for the profile scope that only allows access to a few other profile attributes.
- Create a policy for the scimAdmin scope that allows access to all attributes.
The following sections provide the details for completing these tasks.