SCIM connector
The SCIM connector is based on the Simple Cloud Identity Management (SCIM) protocol and lets you manage user and group accounts on any SCIM-compliant resource provider, such as Slack or Facebook. The SCIM connector implements both 1.1 and 2.0 endpoints.
Ping strongly recommends that you do not use the SCIM connector to connect to Salesforce systems. Use the Salesforce connector. |
The SCIM connector uses the Apache HTTP client, which leverages the HTTP client connection pool, not the ICF connector pool.
Install the SCIM connector
If you are looking for the Advanced Identity Cloud application for this connector, refer to: |
You can download any connector from Backstage, but some are included in the default deployment for Advanced Identity Cloud, IDM, or RCS. When using an included connector, you can skip installing it and move directly to configuration.
Connector | IDM | RCS |
---|---|---|
Yes |
Yes |
Download the connector .jar file from Backstage.
-
If you are running the connector locally, place it in the
/path/to/openidm/connectors
directory, for example:mv ~/Downloads/scim-connector-1.5.20.23.jar /path/to/openidm/connectors/
-
If you are using a remote connector server (RCS), place it in the
/path/to/openicf/connectors
directory on the RCS.
Configure the SCIM connector
SCIM V2 supports a "path" attribute value describing the target of the operation. The attribute value is optional for patch "add" and "replace" operations. If the SCIM resource provider requires this configuration, do one of the following:
|
Create a connector configuration using the IDM admin UI:
-
From the navigation bar, click Configure > Connectors.
-
On the Connectors page, click New Connector.
-
On the New Connector page, type a Connector Name.
-
From the Connector Type drop-down list, select SCIM Connector - 1.5.20.23.
-
Complete the Base Connector Details.
For a list of all configuration properties, refer to SCIM Connector Configuration -
Click Save.
When your connector is configured correctly, the connector displays as Active in the admin UI.
Refer to this procedure to create a connector configuration over REST.
Configure the SCIM connector using the filesystem
Alternatively, create a connector configuration file in your project’s conf
directory:
-
Copy
/path/to/openidm/samples/example-configurations/provisioners/provisioner.openicf-scim.json
to your project’sconf/
directory. -
Edit
conf/provisioner.openicf-scim.json
, as necessary. The following changes are required:-
"enabled" : true
-
To specify the connection details to the SCIM resource provider, set the
configurationProperties
. The required properties vary, based on theauthenticationMethod
:OAUTH
-
The minimum required properties are
grantType
,SCIMEndpoint
,tokenEndpoint
,clientId
, andclientSecret
. BASIC
-
The minimum required properties are
user
andpassword
. TOKEN
-
The minimum required property is
authToken
.
Sample Configuration Using OAUTH
"configurationProperties" : { "SCIMEndpoint" : "https://example.com/scim", "SCIMVersion" : 1, "authenticationMethod" : "OAUTH", "user" : null, "password" : null, "tokenEndpoint" : "https://example.com/oauth2/token", "clientId" : "Kdvl...................j3fka", "clientSecret" : "xxxxxxxxxxxxxxxxxx", "acceptSelfSignedCertificates" : true, "grantType" : "client_credentials", "disableHostNameVerifier" : true, "connectionTimeout" : 30, "maximumConnections" : 10, "httpProxyHost" : null, "httpProxyPort" : null }
On startup, IDM encrypts the value of the clientSecret
. -
Test the SCIM connector
After the connector is properly configured, you can test its status:
curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request POST \ "http://localhost:8080/openidm/system?_action=test" [ { "name": "SCIM", "enabled": true, "config": "config/provisioner.openicf/SCIM", "connectorRef": { "bundleName": "org.forgerock.openicf.connectors.scim-connector", "connectorName": "org.forgerock.openicf.connectors.scim.ScimConnector", "bundleVersion": "[1.5.0.0,1.6.0.0)" }, "displayName": "Scim Connector", "objectTypes": [ "__ACCOUNT__", "__ALL__", "__GROUP__" ], "ok": true } ]
A status of "ok": true
indicates that the SCIM connector can reach the configured resource provider.
SCIM remote connector
If you want to run this connector outside of PingOne Advanced Identity Cloud or IDM, you can configure the SCIM connector as a remote connector. Java Connectors installed remotely on a Java Connector Server function identically to those bundled locally within PingOne Advanced Identity Cloud or installed locally on IDM.
You can download the SCIM connector from here.
Refer to Remote connectors for configuring the SCIM remote connector.
Implementation specifics
For PATCH requests, a connector can potentially add, remove, or replace an attribute value. The SCIM connector does not implement the add or remove operations, so a PATCH request always replaces the entire attribute value with the new value.
Using the SCIM connector with a proxy server
If the IDM server is hosted behind a firewall and requests to the resource provider are routed through a proxy, you must specify the proxy host and port in the connector configuration.
To specify the proxy server details, set the httpProxyHost
, and httpProxyPort
properties in the connector configuration. For example:
"configurationProperties": {
...
"httpProxyHost": "myproxy.home.com",
"httpProxyPort": 8080,
...
},
OpenICF Interfaces Implemented by the Scim Connector
The Scim Connector implements the following OpenICF interfaces. For additional details, see ICF interfaces:
- Create
-
Creates an object and its
uid
. - Delete
-
Deletes an object, referenced by its
uid
. - Schema
-
Describes the object types, operations, and options that the connector supports.
- Script on Connector
-
Enables an application to run a script in the context of the connector.
Any script that runs on the connector has the following characteristics:
-
The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.
-
The script has access to a
connector
variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration. -
The script has access to any script arguments passed in by the application.
-
- Search
-
Searches the target resource for all objects that match the specified object class and filter.
- Sync
-
Polls the target resource for synchronization events, that is, native changes to objects on the target resource.
- Test
-
Tests the connector configuration.
Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.
This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).
You can invoke the test operation before a connector configuration has been validated.
- Update
-
Updates (modifies or replaces) objects on a target resource.
Scim Connector Configuration
The Scim Connector has the following configurable properties:
Basic Configuration Properties
Property | Type | Default | Encrypted(1) | Required(2) |
---|---|---|---|---|
|
|
|
|
Yes |
The HTTP URL defining the root for the SCIM endpoint (https://myserver.com/service/scim). |
||||
|
|
|
|
Yes |
Defines the SCIM protocol version. Values can be either 1 or 2. Default is 1. |
||||
|
|
|
|
Yes |
Defines which method is to be used to authenticate on the remote server. Options are BASIC (username/password), OAUTH (Client id/secret) or TOKEN (static token). Defaults to OAUTH. |
||||
|
|
|
|
Yes |
In case of BASIC authentication type, this property defines the remote user. |
||||
|
|
|
Yes |
No |
In case of BASIC authentication type, this property defines the remote password. |
||||
|
|
|
|
No |
When using OAuth, this property defines the endpoint where a new access token should be requested (https://myserver.com/oauth2/token). |
||||
|
|
|
|
Yes |
Secure client identifier for OAuth2. |
||||
|
|
|
Yes |
No |
Secure client secret for OAuth2. |
||||
|
|
|
Yes |
No |
Some service providers (Slack for instance) use static authentication tokens. |
||||
|
|
|
|
Yes |
Used by the refresh_token grant type. |
||||
|
|
|
|
No |
The OAuth2 grant type to use (client_credentials or refresh_token). |
||||
|
|
|
|
No |
The OAuth2 scope to use. |
||||
|
|
|
|
Yes |
To be used for debug/test purposes. To be avoided in production. Defaults to false. |
||||
|
|
|
|
Yes |
To be used for debug/test purposes. To be avoided in production. Defaults to false. |
||||
|
|
|
|
Yes |
Content compression is enabled by default. Set this property to true to disable it. Defaults to false. |
||||
|
|
|
|
Yes |
If TLS Mutual Auth is needed, set this to the certificate alias from the keystore. |
||||
|
|
|
Yes |
Yes |
If TLS Mutual Auth is needed and the client certificate (private key) password is different than the keystore password, set this to the client private key password. |
||||
|
|
|
|
Yes |
Defines the max size of the http connection pool used. Defaults to 10. |
||||
|
|
|
|
Yes |
Defines the Hostname if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null. |
||||
|
|
|
|
Yes |
Defines the Port if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null. |
||||
|
|
|
|
Yes |
Defines Proxy Username if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null. |
||||
|
|
|
Yes |
Yes |
Defines Proxy Password if an HTTP proxy is used between the connector and the SCIM service provider. Defaults to null. |
||||
|
|
|
|
No |
Defines a timeout for the underlying http connection in seconds. Defaults to 30. |
||||
|
|
|
|
No |
The prefix to be used in the Authorization HTTP header for Token authentication. Defaults to "Bearer." |
||||
|
|
|
|
Yes |
Client Id and Client Secret are sent in the Header when this is unchecked. Defaults to true. |
||||
|
|
|
|
No |
Defines throttling for read operations either per seconds ("30/sec") or per minute ("100/min"). |
||||
|
|
|
|
No |
The connector is using "application/json" by default. SCIM V2 Service Provider may require "application/scim+json". It can be overwritten with this property. |
||||
|
|
|
|
No |
The connector is using "application/json" by default. SCIM V2 Service Provider may require "application/scim+json". It can be overwritten with this property. |
||||
|
|
|
|
No |
Defines throttling for write operations (create/update/delete) either per second ("30/sec") or per minute ("100/min"). |
||||
|
|
|
|
No |
If true, then "path" will always be included in Patch add or replace operations. If false, it will only be used for remove operations. Defaults to false. |
||||
|
|
|
|
No |
If true, the connector will read the schema from the server. If false, the connector will provide a default schema based on the object classes in the configuration. This property must be true in order to use extended object classes. Defaults to false. |
(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.
(2) A list of operations in this column indicates that the property is required for those operations.