SCIM Connector
Important
Connectors continue to be released outside the IDM release. For the latest documentation, refer to the ICF documentation.
The SCIM connector is based on the Simple Cloud Identity Management (SCIM) protocol and enables you to manage user and group accounts on any SCIM-compliant resource provider, such as Slack or Facebook. The SCIM connector implements both 1.1 and 2.0 endpoints. The SCIM connector is bundled with IDM in the connectors/
directory.
The SCIM connector uses the Apache HTTP client, which leverages the HTTP client connection pool, not the ICF connector pool.
Copy
/path/to/openidm/samples/example-configurations/provisioners/provisioner.openicf-scim.json
to your project'sconf/
directory.Edit
conf/provisioner.openicf-scim.json
, as necessary. The following changes are required:"enabled" : true
To specify the connection details to the SCIM resource provider, set the
configurationProperties
. The required properties vary, based on theauthenticationMethod
:OAUTH
The minimum required properties are
grantType
,SCIMEndpoint
,tokenEndpoint
,clientId
, andclientSecret
.BASIC
The minimum required properties are
user
andpassword
.TOKEN
The minimum required property is
authToken
.
"configurationProperties" : { "SCIMEndpoint" : "https://example.com/scim", "SCIMVersion" : 1, "authenticationMethod" : "OAUTH", "user" : null, "password" : null, "tokenEndpoint" : "https://example.com/oauth2/token", "clientId" : "Kdvl...................j3fka", "clientSecret" : "xxxxxxxxxxxxxxxxxx", "acceptSelfSignedCertificates" : true, "grantType" : "client_credentials", "disableHostNameVerifier" : true, "maximumConnections" : 10, "httpProxyHost" : null, "httpProxyPort" : null }
Note
On startup, IDM encrypts the value of the
clientSecret
.
After the connector is properly configured, you can test its status:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request POST \ "http://localhost:8080/openidm/system?_action=test"
[ { "name": "SCIM", "enabled": true, "config": "config/provisioner.openicf/SCIM", "connectorRef": { "bundleName": "org.forgerock.openicf.connectors.scim-connector", "connectorName": "org.forgerock.openicf.connectors.scim.ScimConnector", "bundleVersion": "1.5.20.12" }, "displayName": "Scim Connector", "objectTypes": [ "__ACCOUNT__", "__ALL__", "__GROUP__" ], "ok": true } ]
A status of "ok": true
indicates that the SCIM connector can reach the configured resource provider.
Implementation Specifics
For PATCH requests, a connector can potentially add, remove, or replace an attribute value. The SCIM connector does not implement the add or remove operations, so a PATCH request always replaces the entire attribute value with the new value.
Using the SCIM Connector With a Proxy Server
If the IDM server is hosted behind a firewall and requests to the resource provider are routed through a proxy, you must specify the proxy host and port in the connector configuration.
To specify the proxy server details, set the httpProxyHost
, and httpProxyPort
properties in the connector configuration. For example:
"configurationProperties": { ... "httpProxyHost": "myproxy.home.com", "httpProxyPort": 8080, ... },
OpenICF Interfaces Implemented by the Scim Connector
The Scim Connector implements the following OpenICF interfaces.
- Create
Creates an object and its
uid
.- Delete
Deletes an object, referenced by its
uid
.- Schema
Describes the object types, operations, and options that the connector supports.
- Script on Connector
Enables an application to run a script in the context of the connector. Any script that runs on the connector has the following characteristics:
The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.
The script has access to a
connector
variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration.The script has access to any script-arguments passed in by the application.
- Search
Searches the target resource for all objects that match the specified object class and filter.
- Sync
Polls the target resource for synchronization events, that is, native changes to objects on the target resource.
- Test
Tests the connector configuration. Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.
This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).
You can invoke the test operation before a connector configuration has been validated.
- Update
Updates (modifies or replaces) objects on a target resource.
Scim Connector Configuration
The Scim Connector has the following configurable properties.
Basic Configuration Properties
Property | Type | Default | Encrypted [a] | Required [b] |
---|---|---|---|---|
SCIMEndpoint | String | null | ||
The HTTP URL defining the root for the SCIM endpoint (https://myserver.com/service/scim) | ||||
| ||||
SCIMVersion | Integer | 1 | ||
Defines the SCIM protocol version. Values can be either 1 or 2. Default is 1 | ||||
| ||||
authenticationMethod | String | OAUTH | ||
Defines which method is to be used to authenticate on the remote server. Options are BASIC (username/password), OAUTH (Client id/secret) or TOKEN (static token). Defaults to OAUTH | ||||
| ||||
user | String | null | ||
In case of BASIC authentication type, this property defines the remote user. | ||||
| ||||
password | GuardedString | null | ||
In case of BASIC authentication type, this property defines the remote password. | ||||
| ||||
tokenEndpoint | String | null | ||
When using OAuth, this property defines the endpoint where a new access token should be requested (https://myserver.com/oauth2/token) | ||||
| ||||
clientId | String | null | ||
Secure client identifier for OAuth2 | ||||
| ||||
clientSecret | GuardedString | null | ||
Secure client secret for OAuth2 | ||||
| ||||
authToken | GuardedString | null | ||
Some service providers (Slack for instance) use static authentication tokens. | ||||
| ||||
refreshToken | GuardedString | null | ||
Used by the refresh_token grant type | ||||
| ||||
grantType | String | null | ||
The OAuth2 grant type to use (client_credentials or refresh_token) | ||||
| ||||
scope | String | null | ||
The OAuth2 scope to use. | ||||
| ||||
acceptSelfSignedCertificates | boolean | false | ||
To be used for debug/test purposes. To be avoided in production. Defaults to false. | ||||
| ||||
disableHostNameVerifier | boolean | false | ||
To be used for debug/test purposes. To be avoided in production. Defaults to false. | ||||
| ||||
disableHttpCompression | boolean | false | ||
Content compression is enabled by default. Set this property to true to disable it. Defaults to false. | ||||
| ||||
clientCertAlias | String | null | ||
If TLS Mutual Auth is needed, set this to the certificate alias from the keystore. | ||||
| ||||
clientCertPassword | GuardedString | null | ||
If TLS Mutual Auth is needed and the client certificate (private key) password is different than the keystore password, set this to the client private key password. | ||||
| ||||
maximumConnections | Integer | 10 | ||
Defines the max size of the http connection pool used. Defaults to 10. | ||||
| ||||
httpProxyHost | String | null | ||
Defines the Hostname if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null. | ||||
| ||||
httpProxyPort | Integer | null | ||
Defines the Port if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null. | ||||
| ||||
httpProxyUsername | String | null | ||
Defines Proxy Username if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null. | ||||
| ||||
httpProxyPassword | GuardedString | null | ||
Defines Proxy Password if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null. | ||||
| ||||
connectionTimeout | int | 30 | ||
Defines a timeout for the underlying http connection in seconds. Defaults to 30. | ||||
| ||||
authorizationTokenPrefix | String | Bearer | ||
The prefix to be used in the Authorization HTTP header for Token authentication. Defaults to "Bearer". | ||||
| ||||
useBasicAuthForOauthTokenNeg | boolean | true | ||
Description is not available | ||||
| ||||
readRateLimit | String | null | ||
Define throttling for read operations either per seconds ("30/sec") or per minute ("100/min"). | ||||
| ||||
acceptHeader | String | null | ||
The connector is using "application/json" by default. SCIM V2 Service Provider may require "application/scim+json". It can be overwritten with this property | ||||
| ||||
contentTypeHeader | String | null | ||
The connector is using "application/json" by default. SCIM V2 Service Provider may require "application/scim+json". It can be overwritten with this property | ||||
| ||||
writeRateLimit | String | null | ||
Define throttling for write operations (create/update/delete) either per second ("30/sec") or per minute ("100/min"). | ||||
| ||||
[a] Indicates whether the property value is considered confidential, and therefore encrypted in OpenIDM. [b] A list of operations in this column indicates that the property is required for those operations. |