Synchronize Data Between IDM and a SCIM Provider

This sample demonstrates bidirectional synchronization between IDM and accounts configured to the System for Cross-domain Identity Management. As noted on their website, "The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identities in cloud-based applications and services easier."

While this sample has been built to comply with SCIM 2.0 standards, it's been tested with a SCIM 1.1 provider.

This sample assumes you've configured SCIM on a third-party system. From that system you'll need the following configuration properties:

  • OAuth 2.0 Client ID

  • OAuth 2.0 Client Secret

  • OAuth 2.0 Token

  • SCIM Endpoint

  • SCIM Version

  • Properties that you want to reconcile from the SCIM provider

Note

Depending on your provider, you may want to modify the sync.json file for this sample to match the properties from the SCIM provider to appropriate properties for IDM.

For more information on the SCIM connector, including properties for the provisioner.openicf-scim.json file, see "SCIM Connector".

Run the Sample

In this section, you will do the following:

  • Start IDM with the sample configuration.

  • Configure the SCIM connector and test your connection to the third-party SCIM provider.

  • Reconcile your SCIM accounts with the IDM managed user repository.

  • Change a user in IDM and reconcile the changes back to the third-party SCIM provider.

  • Reconcile your SCIM roles with the IDM managed role repository.

The mapping configuration file (sync.json) for this sample includes four mappings, which you'll use to reconcile users and roles:

  • systemScimAccount_managedUser

  • managedUser_systemScimAccount

  • systemScimGroup_managedRole

  • managedRole_systemScimGroup

  1. Start IDM with the configuration for the SCIM sample:

    /path/to/openidm/startup.sh -p samples/sync-with-scim
  2. Configure the SCIM connector, in the following configuration file: samples/sync-with-scim/conf/provisioner.openicf-scim.json.

    Note

    Depending on the requirements of your third-party SCIM provider, it may be acceptable to have a null value for properties such as user, password, and tokenEndpoint.

  3. Test the connection to your third-party SCIM provider with the following command:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request POST \
    "http://localhost:8080/openidm/system?_action=test"
     [
      {
        "name": "scim",
        "enabled": true,
        "config": "config/provisioner.openicf/scim",
        "connectorRef": {
          "bundleVersion": "1.5.8.0",
          "bundleName": "org.forgerock.openicf.connectors.scim-connector",
          "connectorName": "org.forgerock.openicf.connectors.scim.ScimConnector"
        },
        "displayName": "Scim Connector",
        "objectTypes": [
          "__ALL__",
          "account",
          "group"
        ],
        "ok": true
      }
    ]

    A status of "ok": true indicates that the connector can connect to your third-party SCIM provider.

  4. Reconcile your existing third-party SCIM users with the IDM managed user repository with the following command:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request POST \
    "http://localhost:8080/openidm/recon?_action=recon&mapping=systemScimAccount_managedUser&waitForCompletion=true"
    {
      "_id": "bdba3003-0c8a-4543-9efb-26269c78fa8b-96949",
      "state": "SUCCESS"
    }

    Alternatively, in the Admin UI, select Configure > Mappings, and select Reconcile on the systemScimAccount_managedUser mapping.

  5. In the Admin UI, select Manage > User and verify that the users from the third-party SCIM provider have been created as IDM managed users.

  6. Edit one of the newly created managed users in IDM.

    The easiest way to do this is to select Manage > User, select a user to edit, and change one of the user properties.

  7. Reconcile the users in the managed user repository with your SCIM users with the following command:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request POST \
    "http://localhost:8080/openidm/recon?_action=recon&mapping=managedUser_systemScimAccount&waitForCompletion=true"
    {
      "_id": "bdba3003-0c8a-4543-9efb-26269c78fa8b-104117",
      "state": "SUCCESS"
    }

    Alternatively, in the Admin UI, select Configure > Mappings, and select Reconcile on the managedUser_systemScimAccount mapping.

  8. Verify that the contact was updated correctly on your third-party SCIM provider.

  9. Repeat the process with roles. Reconcile existing third-party SCIM roles with IDM managed roles with the following command:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request POST \
    "http://localhost:8080/openidm/recon?_action=recon&mapping=systemScimGroup_managedRole&waitForCompletion=true"
    {
      "_id": "7dac3ea9-c6be-4ff9-ae46-d8a0431949b3-7745",
      "state": "SUCCESS"
    }

    Alternatively, in the Admin UI, select Configure > Mappings, and select Reconcile on the systemScimGroup_managedRole mapping.

  10. Edit one of the newly created managed roles in IDM.

    The easiest way to do this is to select Manage > Role, select a role to edit, and add a user to that role.

  11. Reconcile the roles in the managed user repository with your SCIM users with the following command:

    curl \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "Accept-API-Version: resource=1.0" \
    --request POST \
    "http://localhost:8080/openidm/recon?_action=recon&mapping=managedRole_systemScimGroup&waitForCompletion=true"
    {
      "_id": "bdba3003-0c8a-4543-9efb-26269c78fa8b-112074",
      "state": "SUCCESS"
    }

    Alternatively, in the Admin UI, select Configure > Mappings, and select Reconcile on the managedRole_systemScimGroup mapping.

  12. Verify that the role was updated correctly on your third-party SCIM provider.

Read a different version of :