IDM 7.2.1

Synchronize data between IDM and a SCIM provider

This sample demonstrates bidirectional synchronization between IDM and accounts managed by a System for Cross-domain Identity Management (SCIM) provider. As the SCIM website notes, "The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identities in cloud-based applications and services easier."

While this sample has been built to comply with SCIM 2.0 standards, it’s been tested with a SCIM 1.1 provider.

This sample assumes you’ve configured SCIM on a third-party system. From that system you’ll need the following configuration properties:

  • OAuth 2.0 Client ID

  • OAuth 2.0 Client Secret

  • OAuth 2.0 Token

  • SCIM Endpoint

  • SCIM Version

  • Properties that you want to reconcile from the SCIM provider

Depending on your provider, you may need to modify the sample's sync.json file so that the properties from the SCIM provider map to the appropriate IDM properties.

For more information on the SCIM connector, including properties for the provisioner.openicf-scim.json file, see connector-reference:scim.adoc#scim.

Run the sample

In this section, you will do the following:

  • Start IDM with the sample configuration.

  • Configure the SCIM connector and test your connection to the third-party SCIM provider.

  • Reconcile your SCIM accounts with the IDM managed user repository.

  • Change a user in IDM and reconcile the changes back to the third-party SCIM provider.

  • Reconcile your SCIM roles with the IDM managed role repository.

The mapping configuration file (sync.json) for this sample includes four mappings, which you’ll use to reconcile users and roles:

  • systemScimAccount_managedUser

  • managedUser_systemScimAccount

  • systemScimGroup_managedRole

  • managedRole_systemScimGroup

  1. Start IDM with the configuration for the SCIM sample:

    cd /path/to/openidm/
    ./startup.sh -p samples/sync-with-scim
  2. Configure the SCIM connector in the following configuration file: samples/sync-with-scim/conf/provisioner.openicf-scim.json.

    Depending on the requirements of your third-party SCIM provider, it may be acceptable to have a null value for properties such as user, password, and tokenEndpoint.
  3. Test the connection to your third-party SCIM provider with the following command:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request POST \
    "http://localhost:8080/openidm/system?_action=test"

    [
      {
        "name": "scim",
        "enabled": true,
        "config": "config/provisioner.openicf/scim",
        "connectorRef": {
          "bundleVersion": "1.5.20.9",
          "bundleName": "org.forgerock.openicf.connectors.scim-connector",
          "connectorName": "org.forgerock.openicf.connectors.scim.ScimConnector"
        },
        "displayName": "Scim Connector",
        "objectTypes": [
          "__ALL__",
          "account",
          "group"
        ],
        "ok": true
      }
    ]

    A status of "ok": true indicates that the connector can connect to your third-party SCIM provider.

  4. To reconcile your existing third-party SCIM users with the IDM managed user repository, do one of the following:

    • Run the command:

      curl \
      --header "X-OpenIDM-Username: openidm-admin" \
      --header "X-OpenIDM-Password: openidm-admin" \
      --header "Accept-API-Version: resource=1.0" \
      --request POST \
      "http://localhost:8080/openidm/recon?_action=recon&mapping=systemScimAccount_managedUser&waitForCompletion=true"

      {
        "_id": "bdba3003-0c8a-4543-9efb-26269c78fa8b-96949",
        "state": "SUCCESS"
      }
    • In the admin UI, select Configure > Mappings, and select Reconcile on the systemScimAccount_managedUser mapping.

  5. In the admin UI, select Manage > User and verify that the users from the third-party SCIM provider have been created as IDM managed users.

  6. In the admin UI, select Manage > User, select a user to edit, and change one of the user properties.

  7. To reconcile the users in the managed user repository with your SCIM users, do one of the following:

    • Run the command:

      curl \
      --header "X-OpenIDM-Username: openidm-admin" \
      --header "X-OpenIDM-Password: openidm-admin" \
      --header "Accept-API-Version: resource=1.0" \
      --request POST \
      "http://localhost:8080/openidm/recon?_action=recon&mapping=managedUser_systemScimAccount&waitForCompletion=true"

      {
        "_id": "bdba3003-0c8a-4543-9efb-26269c78fa8b-104117",
        "state": "SUCCESS"
      }
    • In the admin UI, select Configure > Mappings, and then select Reconcile on the managedUser_systemScimAccount mapping.

  8. Verify that the user was updated on your third-party SCIM provider.

  9. Repeat the process with roles. To reconcile existing third-party SCIM roles with IDM managed roles, do one of the following:

    • Run the command:

      curl \
      --header "X-OpenIDM-Username: openidm-admin" \
      --header "X-OpenIDM-Password: openidm-admin" \
      --header "Accept-API-Version: resource=1.0" \
      --request POST \
      "http://localhost:8080/openidm/recon?_action=recon&mapping=systemScimGroup_managedRole&waitForCompletion=true"

      {
        "_id": "7dac3ea9-c6be-4ff9-ae46-d8a0431949b3-7745",
        "state": "SUCCESS"
      }
    • In the admin UI, select Configure > Mappings, and select Reconcile on the systemScimGroup_managedRole mapping.

  10. In the admin UI, select Manage > Role, select a role to edit, and add a user to that role.

  11. To reconcile the roles in the managed role repository with your SCIM roles, do one of the following:

    • Run the command:

      curl \
      --header "X-OpenIDM-Username: openidm-admin" \
      --header "X-OpenIDM-Password: openidm-admin" \
      --header "Accept-API-Version: resource=1.0" \
      --request POST \
      "http://localhost:8080/openidm/recon?_action=recon&mapping=managedRole_systemScimGroup&waitForCompletion=true"

      {
        "_id": "bdba3003-0c8a-4543-9efb-26269c78fa8b-112074",
        "state": "SUCCESS"
      }
    • In the admin UI, select Configure > Mappings, and select Reconcile on the managedRole_systemScimGroup mapping.

  12. Verify that the role was updated on your third-party SCIM provider.
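The connection test and the reconciliation calls above, driven from a script that stops at the first step that does not report success. This is an added example and not part of the ForgeRock sample; it uses the sample's mapping names, headers and endpoints, and assumes the admin credentials are supplied through the IDM_URL, IDM_USER and IDM_PASSWORD environment variables rather than written on the command line.

```python
import json
import os
import sys
import urllib.request
from urllib.parse import urlencode

IDM_URL = os.environ.get("IDM_URL", "http://localhost:8080/openidm")
# The four mappings from the sample's sync.json, in the order the sample runs them.
MAPPINGS = ["systemScimAccount_managedUser", "managedUser_systemScimAccount",
            "systemScimGroup_managedRole", "managedRole_systemScimGroup"]


def idm_post(path, params):
    """POST to IDM with the headers the sample's curl commands use. The admin
    password is read from IDM_PASSWORD (assumed env var) instead of being embedded."""
    headers = {"X-OpenIDM-Username": os.environ.get("IDM_USER", "openidm-admin"),
               "X-OpenIDM-Password": os.environ["IDM_PASSWORD"],
               "Accept-API-Version": "resource=1.0"}
    req = urllib.request.Request(f"{IDM_URL}/{path}?{urlencode(params)}",
                                 method="POST", headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def connector_ok(test_response, name="scim"):
    """True if a system?_action=test response lists `name` with "ok": true."""
    return any(c.get("name") == name and c.get("ok") is True for c in test_response)


def recon_succeeded(recon_response):
    """True if a recon?_action=recon response reports "state": "SUCCESS"."""
    return recon_response.get("state") == "SUCCESS"


def run_recons(mappings, post=idm_post):
    """Check the connector, then reconcile each mapping in turn, stopping at the
    first one that does not end in SUCCESS. Returns {mapping: recon _id}."""
    if not connector_ok(post("system", {"_action": "test"})):
        raise RuntimeError("scim connector did not report ok: true")
    recon_ids = {}
    for mapping in mappings:
        result = post("recon", {"_action": "recon", "mapping": mapping,
                                "waitForCompletion": "true"})
        if not recon_succeeded(result):
            raise RuntimeError(f"{mapping} ended in state {result.get('state')!r}")
        recon_ids[mapping] = result["_id"]
    return recon_ids


if __name__ == "__main__":
    # The sample interleaves UI edits between recons, so accept a subset of mappings.
    for mapping, recon_id in run_recons(sys.argv[1:] or MAPPINGS).items():
        print(f"{mapping}: {recon_id}")
```

Run it with one mapping name per step (for example only systemScimAccount_managedUser for step 4) to keep the manual admin UI edits between reconciliations.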

Copyright © 2010-2022 ForgeRock, all rights reserved.