Synchronize Data Between IDM and a SCIM Provider
This sample demonstrates bidirectional synchronization between IDM and the user accounts and groups held by a provider that implements the System for Cross-domain Identity Management (SCIM). As the SCIM site puts it, "The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identities in cloud-based applications and services easier."
The sample was written against the SCIM 2.0 specification, but it has been tested with a SCIM 1.1 provider.
This sample assumes you've configured SCIM on a third-party system. From that system you'll need the following configuration properties:
OAuth 2.0 Client ID
OAuth 2.0 Client Secret
OAuth 2.0 Token
SCIM Endpoint
SCIM Version
Properties that you want to reconcile from the SCIM provider
The OAuth 2.0 client secret and token are credentials for your account at the provider. Treat the sample configuration file into which you copy them as you would any other file that holds secrets.
Note
Depending on your provider, you may need to modify the sync.json file for this sample so that the properties from the SCIM provider map to the appropriate IDM managed user and managed role properties.
For more information on the SCIM connector, including the properties in the provisioner.openicf-scim.json file, see "SCIM Connector".
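The following sync.json fragment is an added example of the kind of adjustment that note describes; it is not the sample's own sync.json. It shows the two user mappings with an explicit property list, a correlation query on userName so that an existing managed user is linked rather than duplicated, and a shared link table for the reverse direction. The SCIM-side attribute names userName, givenName and familyName, and the managed user targets givenName and sn, are assumptions: confirm the names your connector exposes by listing a record with GET /openidm/system/scim/account?_queryFilter=true&_pageSize=1 before adopting them.

```json
{
  "mappings": [
    {
      "name": "systemScimAccount_managedUser",
      "source": "system/scim/account",
      "target": "managed/user",
      "correlationQuery": {
        "type": "text/javascript",
        "source": "var qry = {'_queryFilter': 'userName eq \"' + source.userName + '\"'}; qry;"
      },
      "properties": [
        { "source": "userName", "target": "userName" },
        { "source": "givenName", "target": "givenName" },
        { "source": "familyName", "target": "sn" }
      ],
      "policies": [
        { "situation": "CONFIRMED", "action": "UPDATE" },
        { "situation": "FOUND", "action": "LINK" },
        { "situation": "ABSENT", "action": "CREATE" },
        { "situation": "AMBIGUOUS", "action": "EXCEPTION" },
        { "situation": "SOURCE_MISSING", "action": "EXCEPTION" },
        { "situation": "UNQUALIFIED", "action": "IGNORE" }
      ]
    },
    {
      "name": "managedUser_systemScimAccount",
      "source": "managed/user",
      "target": "system/scim/account",
      "links": "systemScimAccount_managedUser",
      "properties": [
        { "source": "userName", "target": "userName" },
        { "source": "givenName", "target": "givenName" },
        { "source": "sn", "target": "familyName" }
      ],
      "policies": [
        { "situation": "CONFIRMED", "action": "UPDATE" },
        { "situation": "ABSENT", "action": "CREATE" },
        { "situation": "AMBIGUOUS", "action": "EXCEPTION" },
        { "situation": "SOURCE_MISSING", "action": "EXCEPTION" }
      ]
    }
  ]
}
```

Two of the policies are there for safety rather than convenience. AMBIGUOUS set to EXCEPTION means that a SCIM account whose correlation query matches more than one managed user is reported instead of being linked to one of them silently. SOURCE_MISSING set to EXCEPTION means that a linked record which disappears from the source side is flagged for review rather than deleted on the other side; relax that only once you have decided deliberately that the provider (or IDM) is authoritative for deletions. The "links" entry in the reverse mapping reuses the link table created by the first mapping, so the outbound direction needs no correlation query of its own.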
Run the Sample
In this section, you will do the following:
Start IDM with the sample configuration.
Configure the SCIM connector and test your connection to the third-party SCIM provider.
Reconcile your SCIM accounts with the IDM managed user repository.
Change a user in IDM and reconcile the changes back to the third-party SCIM provider.
Reconcile your SCIM roles with the IDM managed role repository.
The mapping configuration file (sync.json) for this sample includes four mappings, which you'll use to reconcile users and roles:
systemScimAccount_managedUser
managedUser_systemScimAccount
systemScimGroup_managedRole
managedRole_systemScimGroup
Start IDM with the configuration for the SCIM sample:
/path/to/openidm/startup.sh -p samples/sync-with-scim
Configure the SCIM connector in the following configuration file:
samples/sync-with-scim/conf/provisioner.openicf-scim.json
Note
Depending on the requirements of your third-party SCIM provider, it may be acceptable to leave properties such as user, password, and tokenEndpoint with a null value. Which of these the connector needs depends on how your provider authenticates it.
Test the connection to your third-party SCIM provider with the following command:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request POST \
"http://localhost:8080/openidm/system?_action=test"
[
  {
    "name": "scim",
    "enabled": true,
    "config": "config/provisioner.openicf/scim",
    "connectorRef": {
      "bundleVersion": "1.5.20.12",
      "bundleName": "org.forgerock.openicf.connectors.scim-connector",
      "connectorName": "org.forgerock.openicf.connectors.scim.ScimConnector"
    },
    "displayName": "Scim Connector",
    "objectTypes": [
      "__ALL__",
      "account",
      "group"
    ],
    "ok": true
  }
]
A status of "ok": true indicates that the connector can connect to your third-party SCIM provider.
Reconcile your existing third-party SCIM users with the IDM managed user repository with the following command:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request POST \
"http://localhost:8080/openidm/recon?_action=recon&mapping=systemScimAccount_managedUser&waitForCompletion=true"
{
  "_id": "bdba3003-0c8a-4543-9efb-26269c78fa8b-96949",
  "state": "SUCCESS"
}
Alternatively, in the Admin UI, select Configure > Mappings, and select Reconcile on the systemScimAccount_managedUser mapping.
In the Admin UI, select Manage > User and verify that the users from the third-party SCIM provider have been created as IDM managed users.
Edit one of the newly created managed users in IDM.
The easiest way to do this is to select Manage > User, select a user to edit, and change one of the user properties.
Reconcile the users in the managed user repository with your SCIM users with the following command:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request POST \
"http://localhost:8080/openidm/recon?_action=recon&mapping=managedUser_systemScimAccount&waitForCompletion=true"
{
  "_id": "bdba3003-0c8a-4543-9efb-26269c78fa8b-104117",
  "state": "SUCCESS"
}
Alternatively, in the Admin UI, select Configure > Mappings, and select Reconcile on the managedUser_systemScimAccount mapping.
Verify that the user you edited was updated correctly on your third-party SCIM provider.
Repeat the process with roles. Reconcile existing third-party SCIM roles with IDM managed roles with the following command:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request POST \
"http://localhost:8080/openidm/recon?_action=recon&mapping=systemScimGroup_managedRole&waitForCompletion=true"
{
  "_id": "7dac3ea9-c6be-4ff9-ae46-d8a0431949b3-7745",
  "state": "SUCCESS"
}
Alternatively, in the Admin UI, select Configure > Mappings, and select Reconcile on the systemScimGroup_managedRole mapping.
Edit one of the newly created managed roles in IDM.
The easiest way to do this is to select Manage > Role, select a role to edit, and add a user to that role.
Reconcile the roles in the managed role repository with your SCIM groups with the following command:
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request POST \
"http://localhost:8080/openidm/recon?_action=recon&mapping=managedRole_systemScimGroup&waitForCompletion=true"
{
  "_id": "bdba3003-0c8a-4543-9efb-26269c78fa8b-112074",
  "state": "SUCCESS"
}
Alternatively, in the Admin UI, select Configure > Mappings, and select Reconcile on the managedRole_systemScimGroup mapping.
Verify that the role was updated correctly on your third-party SCIM provider.
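The steps above are usually run by hand once and then scripted. The script below is an added example of doing that against the same REST endpoints; it is not part of the sample and not ForgeRock code. It checks the connector test result for the scim connector before touching any mapping, runs the four reconciliations in the sample's order, and stops at the first one that does not finish in state SUCCESS, so a failed inbound run is never followed by an outbound run that would push half-synchronised data to the provider. The environment variable names IDM_URL, IDM_USER and IDM_PASSWORD are this example's own convention; the sample responses embedded in it are constructed from the output shown above so that the logic can be exercised without a running IDM.

```python
"""Drive the four reconciliations of the sync-with-scim sample in order,
refusing to continue past a connector test or recon that did not succeed."""
import json
import os
import urllib.request

# Mappings from samples/sync-with-scim/conf/sync.json, in the order the sample
# runs them: users in, user edits out, groups in, role edits out.
MAPPINGS = (
    "systemScimAccount_managedUser",
    "managedUser_systemScimAccount",
    "systemScimGroup_managedRole",
    "managedRole_systemScimGroup",
)


def make_idm_post(base_url, username, password):
    """Return post(path) that POSTs to <base_url>/openidm/<path> with the same
    header-based credentials the sample's curl commands use."""
    headers = {
        "X-OpenIDM-Username": username,
        "X-OpenIDM-Password": password,
        "Accept-API-Version": "resource=1.0",
    }

    def post(path):
        req = urllib.request.Request(
            f"{base_url}/openidm/{path}", data=b"", headers=headers, method="POST"
        )
        with urllib.request.urlopen(req, timeout=120) as resp:
            return json.load(resp)

    return post


def connector_status(test_response, name="scim"):
    """Inspect the array returned by system?_action=test.
    Returns (ok, reason); ok is True only for an enabled connector with "ok": true."""
    for entry in test_response:
        if entry.get("name") != name:
            continue
        if not entry.get("enabled", False):
            return False, f"connector {name!r} is disabled"
        if entry.get("ok") is not True:
            detail = entry.get("error", "no detail")
            return False, f"connector {name!r} cannot reach its SCIM provider: {detail}"
        return True, "ok"
    return False, f"connector {name!r} not registered"


def run_sync(post, mappings=MAPPINGS, connector="scim"):
    """Run each reconciliation with waitForCompletion=true and stop at the
    first that is not in state SUCCESS. Returns [(mapping, recon_id, state)]."""
    ok, reason = connector_status(post("system?_action=test"), connector)
    if not ok:
        raise RuntimeError(reason)
    results = []
    for mapping in mappings:
        resp = post(f"recon?_action=recon&mapping={mapping}&waitForCompletion=true")
        results.append((mapping, resp.get("_id"), resp.get("state")))
        if resp.get("state") != "SUCCESS":
            break
    return results


# Constructed responses modelled on the output shown in this page; not captured
# from a live system. Keyed by the request path each call would use.
SAMPLE_RESPONSES = {
    "system?_action=test": [
        {"name": "scim", "enabled": True, "ok": True,
         "objectTypes": ["__ALL__", "account", "group"]}
    ],
    **{
        f"recon?_action=recon&mapping={m}&waitForCompletion=true":
            {"_id": f"sample-recon-{i}", "state": "SUCCESS"}
        for i, m in enumerate(MAPPINGS)
    },
}


def sample_post(path):
    """Offline stand-in for make_idm_post() that serves SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[path]


if __name__ == "__main__":
    base_url = os.environ.get("IDM_URL")  # e.g. http://localhost:8080
    if base_url:
        post = make_idm_post(base_url, os.environ.get("IDM_USER", "openidm-admin"),
                             os.environ["IDM_PASSWORD"])
    else:
        post = sample_post
    for mapping, recon_id, state in run_sync(post):
        print(f"{mapping}: {state} ({recon_id})")
```

Run it with IDM_URL, IDM_USER and IDM_PASSWORD set to reach a live IDM; without IDM_URL it exercises the embedded sample responses. Reading the password from the environment rather than putting it on the command line, as the curl examples do, keeps it out of shell history and process listings; the sample's openidm-admin default is for the sample only.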