SCIM Connector

Important

Connectors continue to be released outside the IDM release. For the latest documentation, refer to the ICF documentation.

The SCIM connector is based on the Simple Cloud Identity Management (SCIM) protocol and enables you to manage user and group accounts on any SCIM-compliant resource provider, such as Slack or Facebook. The SCIM connector implements both 1.1 and 2.0 endpoints. The SCIM connector is bundled with IDM in the connectors/ directory.

The SCIM connector uses the Apache HTTP client, which leverages the HTTP client connection pool, not the ICF connector pool.

  1. Copy /path/to/openidm/samples/example-configurations/provisioners/provisioner.openicf-scim.json to your project's conf/ directory.

  2. Edit conf/provisioner.openicf-scim.json, as necessary. The following changes are required:

    • "enabled" : true

    • To specify the connection details to the SCIM resource provider, set the configurationProperties. The required properties vary, based on the authenticationMethod:

      OAUTH

      The minimum required properties are grantType, SCIMEndpoint, tokenEndpoint, clientId, and clientSecret.

      BASIC

      The minimum required properties are user and password.

      TOKEN

      The minimum required property is authToken.

    "configurationProperties" : {
        "SCIMEndpoint" : "https://example.com/scim",
        "SCIMVersion" : 1,
        "authenticationMethod" : "OAUTH",
        "user" : null,
        "password" : null,
        "tokenEndpoint" : "https://example.com/oauth2/token",
        "clientId" : "Kdvl...................j3fka",
        "clientSecret" : "xxxxxxxxxxxxxxxxxx",
        "acceptSelfSignedCertificates" : true,
        "grantType" : "client_credentials",
        "disableHostNameVerifier" : true,
        "maximumConnections" : 10,
        "httpProxyHost" : null,
        "httpProxyPort" : null
    }

    Note

    On startup, IDM encrypts the value of the clientSecret.

After the connector is properly configured, you can test its status:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request POST \
"http://localhost:8080/openidm/system?_action=test"
[
  {
    "name": "SCIM",
    "enabled": true,
    "config": "config/provisioner.openicf/SCIM",
    "connectorRef": {
      "bundleName": "org.forgerock.openicf.connectors.scim-connector",
      "connectorName": "org.forgerock.openicf.connectors.scim.ScimConnector",
      "bundleVersion": "1.5.20.12"
    },
    "displayName": "Scim Connector",
    "objectTypes": [
      "__ACCOUNT__",
      "__ALL__",
      "__GROUP__"
    ],
    "ok": true
  }
]

A status of "ok": true indicates that the SCIM connector can reach the configured resource provider.

Implementation Specifics

For PATCH requests, a connector can potentially add, remove, or replace an attribute value. The SCIM connector does not implement the add or remove operations, so a PATCH request always replaces the entire attribute value with the new value.

Using the SCIM Connector With a Proxy Server

If the IDM server is hosted behind a firewall and requests to the resource provider are routed through a proxy, you must specify the proxy host and port in the connector configuration.

To specify the proxy server details, set the httpProxyHost, and httpProxyPort properties in the connector configuration. For example:

"configurationProperties": {
    ...
    "httpProxyHost": "myproxy.home.com",
    "httpProxyPort": 8080,
    ...
},

OpenICF Interfaces Implemented by the Scim Connector

The Scim Connector implements the following OpenICF interfaces.

Create

Creates an object and its uid.

Delete

Deletes an object, referenced by its uid.

Schema

Describes the object types, operations, and options that the connector supports.

Script on Connector

Enables an application to run a script in the context of the connector. Any script that runs on the connector has the following characteristics:

  • The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.

  • The script has access to a connector variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration.

  • The script has access to any script-arguments passed in by the application.

Search

Searches the target resource for all objects that match the specified object class and filter.

Sync

Polls the target resource for synchronization events, that is, native changes to objects on the target resource.

Test

Tests the connector configuration. Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.

This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).

You can invoke the test operation before a connector configuration has been validated.

Update

Updates (modifies or replaces) objects on a target resource.

Scim Connector Configuration

The Scim Connector has the following configurable properties.

Basic Configuration Properties

PropertyTypeDefault Encrypted [a] Required [b]
SCIMEndpoint String null

The HTTP URL defining the root for the SCIM endpoint (https://myserver.com/service/scim)

SCIMVersion Integer 1

Defines the SCIM protocol version. Values can be either 1 or 2. Default is 1

authenticationMethod String OAUTH

Defines which method is to be used to authenticate on the remote server. Options are BASIC (username/password), OAUTH (Client id/secret) or TOKEN (static token). Defaults to OAUTH

user String null

In case of BASIC authentication type, this property defines the remote user.

password GuardedString null

In case of BASIC authentication type, this property defines the remote password.

tokenEndpoint String null

When using OAuth, this property defines the endpoint where a new access token should be requested (https://myserver.com/oauth2/token)

clientId String null

Secure client identifier for OAuth2

clientSecret GuardedString null

Secure client secret for OAuth2

authToken GuardedString null

Some service providers (Slack for instance) use static authentication tokens.

refreshToken GuardedString null

Used by the refresh_token grant type

grantType String null

The OAuth2 grant type to use (client_credentials or refresh_token)

scope String null

The OAuth2 scope to use.

acceptSelfSignedCertificates boolean false

To be used for debug/test purposes. To be avoided in production. Defaults to false.

disableHostNameVerifier boolean false

To be used for debug/test purposes. To be avoided in production. Defaults to false.

disableHttpCompression boolean false

Content compression is enabled by default. Set this property to true to disable it. Defaults to false.

clientCertAlias String null

If TLS Mutual Auth is needed, set this to the certificate alias from the keystore.

clientCertPassword GuardedString null

If TLS Mutual Auth is needed and the client certificate (private key) password is different than the keystore password, set this to the client private key password.

maximumConnections Integer 10

Defines the max size of the http connection pool used. Defaults to 10.

httpProxyHost String null

Defines the Hostname if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null.

httpProxyPort Integer null

Defines the Port if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null.

httpProxyUsername String null

Defines Proxy Username if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null.

httpProxyPassword GuardedString null

Defines Proxy Password if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null.

connectionTimeout int 30

Defines a timeout for the underlying http connection in seconds. Defaults to 30.

authorizationTokenPrefix String Bearer

The prefix to be used in the Authorization HTTP header for Token authentication. Defaults to "Bearer".

useBasicAuthForOauthTokenNeg boolean true

Description is not available

readRateLimit String null

Define throttling for read operations either per seconds ("30/sec") or per minute ("100/min").

acceptHeader String null

The connector is using "application/json" by default. SCIM V2 Service Provider may require "application/scim+json". It can be overwritten with this property

contentTypeHeader String null

The connector is using "application/json" by default. SCIM V2 Service Provider may require "application/scim+json". It can be overwritten with this property

writeRateLimit String null

Define throttling for write operations (create/update/delete) either per second ("30/sec") or per minute ("100/min").

[a] Indicates whether the property value is considered confidential, and therefore encrypted in OpenIDM.

[b] A list of operations in this column indicates that the property is required for those operations.

Read a different version of :