From version 4.1, Identify includes an Identify*SCIM service for provisioning users in Identify, based on the SCIM specification suite developed under the IETF.
Safewhere*SCIM promises to reduce the cost and complexity of user provisioning operations by providing a common schema for users and groups and a REST API for all the necessary CRUD operations.
SCIM SCHEMA
The first version of Identify*SCIM supports the user resource only. It follows most of the definitions in the specification, with some exceptions. The following section points out which SCIM attributes have no corresponding Identify concept and how the others map to the attributes of an Identify user.
| Attribute type | SCIM User Attribute | Identify User Attribute |
|---|---|---|
| Common Schema Attributes | Id | Id |
| | ExternalId | Primary identified name (*) |
| | Meta | created: <created date>; lastModified: <modified date>; location: "<tenantURL>/admin/scim/v1/Users/<Id>"; version: null; attributes: null |
| | Schemas | |
| Singular attributes | Locale, Name, NickName, PreferredLanguage, Title, TimeZone, ProfileUrl | No corresponding concept |
| | Active | Enabled |
| | Username | Primary identified name (*) |
| | DisplayName | UserName |
| | Password | Empty (**) |
| Multi-valued attributes | Entitlements, PhoneNumbers, Ims, Photos, Addresses, Roles | No corresponding concept |
| | Emails | Value of the email claim specified in System setup |
| SCIM enterprise user schema extension | EmployeeNumber, CostCenter, Division, Department, Manager | No corresponding concept |
| | Organization | Organization |
| Schema extensions | urn:scim:schemas:extension:mapping:hint:1.0 | Claim type specified as a hint for extracting the username |
| | urn:scim:schemas:extension:safewhere:identify:1.0.forceResetPasswordAfterFirstTimeLogin | ForceResetPasswordAfterFirstTimeLogin |
| | urn:scim:schemas:extension:safewhere:identify:1.0.ActivationCode | Value of the ActivationCode claim, which is defined as "DeviceActivationCodeClaimDefinitionId" in System setup |
| | urn:scim:schemas:extension:safewhere:identify:1.0.Claims | All claims of the user |
(*) Primary identified name: the value of the primary claim, which is used to identify a user.
- Mapping a SCIM user to an Identify user takes the following three steps:
  - Map by hint: if the attribute "urn:scim:schemas:extension:mapping:hint:1.0" is not null, the system tries to use it as the primary claim type.
  - Map by combination: the SCIM user's username is a combination of a claim type and its value. The separator is defined by "ScimUserNameCombinationSeparator" in System setup.
  - Map by default: the system tries to use the default username claim type, which is specified as "ScimDefaultNameClaimType" in System setup.
- Mapping an Identify user to a SCIM user takes the following three steps:
  - Try to get the claim that is primary.
  - Try to get the claim whose claim type is defined by "ScimDefaultNameClaimType".
  - Try to get the first claim whose value is not null.
(**) Password mapping: from Identify user to SCIM user the password is empty. In the other direction, the SCIM user's password is used to update the Identify user object.
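The two three-step lookups above, written out as an added example (not Safewhere's code). The System setup values ("ScimDefaultNameClaimType", "ScimUserNameCombinationSeparator") and the claim records are constructed stand-ins, and it is assumed that the hint extension is a top-level attribute holding the claim type while userName holds the claim value:

```python
"""Resolve the Identify "primary identified name" from a SCIM user, and back.

Added example, not Safewhere's code. It models the two three-step lookups
described in the documentation; the setup values and sample claims are
constructed for illustration.
"""
from typing import Optional, Tuple

HINT_SCHEMA = "urn:scim:schemas:extension:mapping:hint:1.0"

# Constructed stand-in for the Identify "System setup" values named on the page.
SYSTEM_SETUP = {
    "ScimDefaultNameClaimType": "urn:identify:email",  # assumed value
    "ScimUserNameCombinationSeparator": "|",           # assumed value
}


def scim_to_identify_primary(scim_user: dict, setup: dict = SYSTEM_SETUP) -> Tuple[str, str]:
    """Return (claim_type, claim_value) for the primary claim of a SCIM user.

    Step 1 map by hint, step 2 map by combination, step 3 map by default.
    """
    username = scim_user["userName"]
    # Step 1: the hint extension names the claim type directly (assumed shape).
    hint = scim_user.get(HINT_SCHEMA)
    if hint:
        return hint, username
    # Step 2: userName is "<claim type><separator><claim value>".
    sep = setup["ScimUserNameCombinationSeparator"]
    if sep in username:
        claim_type, value = username.split(sep, 1)
        if claim_type and value:
            return claim_type, value
    # Step 3: fall back to the default name claim type from System setup.
    return setup["ScimDefaultNameClaimType"], username


def identify_to_scim_username(claims: list, setup: dict = SYSTEM_SETUP) -> Optional[str]:
    """Pick the SCIM userName for an Identify user from its claim list.

    Each claim is a constructed record {"type": ..., "value": ..., "primary": bool}.
    """
    # Step 1: the claim flagged as primary.
    for claim in claims:
        if claim.get("primary") and claim.get("value"):
            return claim["value"]
    # Step 2: the claim whose type is ScimDefaultNameClaimType.
    for claim in claims:
        if claim["type"] == setup["ScimDefaultNameClaimType"] and claim.get("value"):
            return claim["value"]
    # Step 3: the first claim with a non-null value.
    for claim in claims:
        if claim.get("value"):
            return claim["value"]
    return None


if __name__ == "__main__":
    print(scim_to_identify_primary({"userName": "urn:identify:employeeid|E1234"}))
    print(identify_to_scim_username([
        {"type": "urn:identify:upn", "value": None, "primary": False},
        {"type": "urn:identify:email", "value": "alice@example.com", "primary": False},
    ]))
```

Note that the combination step only applies when the separator actually occurs in the username; a username that happens to contain the separator character would be split, which is why the separator chosen in System setup should not occur in ordinary claim values.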
SCIM Authentication and Authorization
The Identify*Scim service uses an OAuth 2.0 token for authentication and authorization, with the scope "identify*scim".
OAuth protocol connection settings for SCIM:
- Set the audience field of tokens which are issued for the application: fill in the token issuer URI, tenant_site/runtime/
SCIM APIs
Web service URL: <TenantUrl>/Admin/api/scim/v1/Users
Content-type: application/json
Content: Scim user json object
| Command | Description | Returns | Exceptions | Comment |
|---|---|---|---|---|
| GET | Retrieve a known user resource by id, or all users | Code 200 and the JSON object | 404: Resource not found; 500: Internal server error | To retrieve a specific user, append "/<id>" to the web service URL |
| POST | Create a completely new resource | Code 200 and the resulting SCIM user JSON object | 500: Internal server error | |
| PUT | Perform a full update | Code 200 and the resulting SCIM user JSON object | 404: Resource not found; 500: Internal server error | |
| PATCH | Perform a partial update | Code 200 and the resulting SCIM user JSON object | 500: Internal server error | Supports deleting attributes as defined in the specification, so it can be used to add, update or delete claims |
| DELETE | Delete a user, or perform a partial update | Code 200 | 404: Resource not found; 500: Internal server error | To delete a specific user, append "/<id>" to the web service URL |
| QUERY | Retrieve users with the specified attributes | Code 200 and the resulting SCIM user JSON objects | 500: Internal server error | Attributes: may be empty or a comma-separated list of SCIM user attributes; if empty, complete SCIM user JSON objects are returned. Filtering and pagination are not supported in Identify*Scim 1.1 yet |
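A client-side view of the authentication section and the API table above, as an added example that is not Safewhere's code. Only the endpoint layout, the Content-Type, the bearer-token scheme and the extension URNs come from the documentation; the tenant URL, token, user id, the format of the Claims list, the "attributes" query-string name and the nesting of extension attributes under their URN (the usual SCIM 1.1 serialisation) are assumptions. Requests are built but never sent, so it runs offline:

```python
"""Build authenticated requests against the Identify*SCIM Users endpoint.

Added example, not Safewhere's code. Tenant URL, token, user id, claim list
format and the nesting of extension attributes are assumptions.
"""
import json
import urllib.parse
import urllib.request
from typing import Optional

CORE_SCHEMA = "urn:scim:schemas:core:1.0"
IDENTIFY_EXT = "urn:scim:schemas:extension:safewhere:identify:1.0"
HINT_EXT = "urn:scim:schemas:extension:mapping:hint:1.0"


def users_url(tenant_url: str, user_id: Optional[str] = None,
              attributes: Optional[list] = None) -> str:
    """<TenantUrl>/Admin/api/scim/v1/Users, optionally with /<id> or ?attributes=a,b."""
    url = tenant_url.rstrip("/") + "/Admin/api/scim/v1/Users"
    if user_id:
        url += "/" + urllib.parse.quote(user_id, safe="")
    if attributes:
        url += "?attributes=" + ",".join(attributes)  # query-string name is assumed
    return url


def build_request(method: str, tenant_url: str, token: str,
                  user_id: Optional[str] = None, body: Optional[dict] = None,
                  attributes: Optional[list] = None) -> urllib.request.Request:
    """Attach the OAuth 2.0 bearer token (scope identify*scim) and a JSON body."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(users_url(tenant_url, user_id, attributes),
                                 data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def request_body(req: urllib.request.Request) -> dict:
    """Decode the JSON body of a built request (for inspection)."""
    return json.loads(req.data.decode("utf-8"))


def new_user_body(username: str, display_name: str, email: str, password: str,
                  claims: list, hint_claim_type: Optional[str] = None,
                  force_reset: bool = True, activation_code: Optional[str] = None) -> dict:
    """SCIM 1.1 user object carrying the Identify extension attributes."""
    identify_ext = {
        "forceResetPasswordAfterFirstTimeLogin": force_reset,
        "Claims": claims,  # assumed format: [{"type": ..., "value": ...}]
    }
    if activation_code is not None:
        identify_ext["ActivationCode"] = activation_code
    body = {
        "schemas": [CORE_SCHEMA, IDENTIFY_EXT],
        "userName": username,
        "displayName": display_name,
        "active": True,
        "password": password,  # only sent SCIM -> Identify; never returned
        "emails": [{"value": email, "primary": True}],
        IDENTIFY_EXT: identify_ext,
    }
    if hint_claim_type:
        body["schemas"].append(HINT_EXT)
        body[HINT_EXT] = hint_claim_type
    return body


def patch_remove_attributes(*attribute_names: str) -> dict:
    """SCIM 1.1 PATCH body that deletes attributes by listing them in meta.attributes."""
    return {"schemas": [CORE_SCHEMA], "meta": {"attributes": list(attribute_names)}}


if __name__ == "__main__":
    tenant, token = "https://tenant.example", "<access token>"  # constructed placeholders
    body = new_user_body("alice@example.com", "Alice", "alice@example.com", "S3cret!",
                         [{"type": "urn:identify:department", "value": "IT"}])
    for req in (build_request("POST", tenant, token, body=body),
                build_request("GET", tenant, token, user_id="42"),
                build_request("PATCH", tenant, token, user_id="42",
                              body=patch_remove_attributes("displayName"))):
        print(req.get_method(), req.full_url, req.get_header("Authorization"))
```

Sending a request is a matter of `urllib.request.urlopen(req)`; because the service answers 404 and 500 as plain HTTP status codes, a caller should catch `urllib.error.HTTPError` and treat anything but 200 as a failed operation rather than a partially applied one.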