SCIM
OpenIAM provides an out-of-the-box SCIM connector to simplify integration with applications that support the SCIM standard for user life-cycle management. A default "Managed System" configuration is provided to simplify setup; it has been part of the out-of-the-box (OTB) configuration since version 4.1.8.
Unless you are already familiar with OpenIAM, we recommend starting from the OTB configuration and modifying it to suit your needs.
The steps below assume that you are creating a new configuration rather than reusing the existing one.
Connector Registration
Before you can use the SCIM connector, ensure that it has been registered with the OpenIAM application. The SCIM connector is normally registered as part of the installation process. To confirm that it is registered:
- Go to Webconsole -> Provisioning -> Connectors
- Search for SCIM
You should see an entry in the list. If you don't, register the connector as follows:
- Go to Webconsole -> Provisioning -> Connectors
- Click on Create new connector, as shown in the image below:
Complete the form as described in the table below
Field name | Description | Recommended Value |
---|---|---|
Connector Name | Name of the connector; any user-friendly name will do | SCIM Connector |
Metadata Grouping | Connectors belong to a metadata group that OpenIAM uses internally | Connector Type |
Metadata Type name | The metadata type is used to define attributes and configurations | SCIM Connector |
Connector Queue | Name of the RabbitMQ message queue the connector uses to communicate with the other OpenIAM services | SCIM_Connector_1 |
- Next, define the configuration parameters the connector will use via the Connector configuration menu on the sidebar. The following options should be enabled for the SCIM connector (only the object primary key is mandatory):
Parameter Name | Is required |
---|---|
Add object rule | |
Delete object rule | |
Modify object rule | |
Password rule | |
Test connection object rule | |
Search object rule | |
Resume object rule | |
Suspend object rule | |
Object primary key for user | Y |
Add the following Custom Fields:
Custom field name | Field type |
---|---|
AUTH_TYPE | Combo box |
TOKEN | Text field |
SCIM_VERSION | Combo box |
TOKEN_TYPE | Combo box |
Define the Managed System Configuration
After the connector has been registered, define a managed system configuration. The managed system configuration:
- Tells the connector how to connect to the end application over SCIM
- Determines which attributes OpenIAM manages during provisioning and de-provisioning
To configure a managed system, do the following:
- Go to Webconsole -> Provisioning -> Managed System
- Click on Create Managed System
Complete the form as described below.
Field name | Description | Value |
---|---|---|
Connector | The name of the connector as registered above | SCIM Connector |
Managed system name | Descriptive name to represent this configuration | [ User defined ] |
Active | Checkbox indicating whether this configuration is active. If unchecked, the connector will not communicate with the end application | |
Host URL | URL of the SCIM interface on the end application, e.g. https://api.atlassian.com/scim/directory/[ tenant id]. Use an https URL: with Token authentication the token is sent in the Authorization header of every request, so a plain http URL would expose it on the wire | |
Login ID | Not needed when the Authentication type is Token, since the token replaces it | 0001 |
Password | Not needed when the Authentication type is Token, since the token replaces it | |
Authentication type | Indicates the type of authentication | Token |
Token | Value of the authentication token issued by the target application. Treat it as a secret: it grants the same access as the connector itself | [ token value ] |
SCIM version | Version of the SCIM interface exposed by the target application | 1.0 or 2.0 |
Token Type | Type of authentication token being used; SCIM 2.0 providers normally expect an OAuth 2.0 bearer token | Bearer |
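As an added example (not OpenIAM's connector code), the Python sketch below shows what the object rules enabled above, plus the Host URL, Token and Token Type fields, turn into on the wire for a SCIM 2.0 target: test connection is a GET on /ServiceProviderConfig, search is a filtered GET on /Users keyed on the primary key, add is a POST, suspend and resume are PATCH operations on active, delete is a DELETE. It also carries two checks a practitioner would want: the client refuses a non-https Host URL because the bearer token travels with every request, and it escapes the userName before building the filter so a value containing a quote cannot rewrite the query. The endpoint, token and user data are constructed, and the fake server stands in for the target application so the code runs offline.

```python
# Added illustration, not OpenIAM code. Assumes an RFC 7643/7644 SCIM 2.0 endpoint
# serving /ServiceProviderConfig and /Users under the Host URL. The HTTP transport
# is injectable so the example runs offline against the constructed fake below.
import json
import re
from urllib.parse import parse_qs, quote, urlparse

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimError(Exception):
    pass

class ScimClient:
    def __init__(self, host_url, token, token_type, transport):
        # transport(method, url, headers, body) -> (status, body_bytes); wrap
        # urllib.request in production. The token is a credential: no plaintext HTTP.
        if urlparse(host_url).scheme != "https":
            raise ScimError("Host URL must use https: %r" % host_url)
        self.base, self.transport = host_url.rstrip("/"), transport
        self.headers = {"Authorization": "%s %s" % (token_type, token),
                        "Content-Type": "application/scim+json", "Accept": "application/scim+json"}

    def _call(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self.transport(method, self.base + path, self.headers, body)
        if status >= 400:
            raise ScimError("%s %s -> HTTP %d" % (method, path, status))
        return json.loads(raw) if raw else None

    def test_connection(self):  # Test connection object rule
        cfg = self._call("GET", "/ServiceProviderConfig")
        return cfg.get("patch", {}).get("supported") is True

    def find_user(self, user_name):  # Search object rule, keyed on userName
        # Escape so a userName containing a quote cannot rewrite the filter.
        lit = user_name.replace("\\", "\\\\").replace('"', '\\"')
        query = quote('userName eq "%s"' % lit, safe="")
        found = self._call("GET", "/Users?filter=" + query).get("Resources", [])
        if len(found) > 1:
            raise ScimError("primary key %r is not unique" % user_name)
        return found[0] if found else None

    def add_user(self, user_name, email):  # Add object rule
        return self._call("POST", "/Users", {
            "schemas": [USER_SCHEMA], "userName": user_name, "active": True,
            "emails": [{"value": email, "primary": True}]})

    def set_active(self, scim_id, active):  # Suspend / Resume object rules
        return self._call("PATCH", "/Users/" + quote(scim_id, safe=""), {
            "schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": active}]})

    def delete_user(self, scim_id):  # Delete object rule
        self._call("DELETE", "/Users/" + quote(scim_id, safe=""))
        return True

class FakeScimServer:
    """Constructed stand-in for a SCIM 2.0 service; records the methods called."""
    def __init__(self, token):
        self.token, self.users, self.calls = token, {}, []

    def __call__(self, method, url, headers, body):
        self.calls.append(method)
        if headers.get("Authorization") != "Bearer " + self.token:
            return 401, b""
        parts = urlparse(url)
        if parts.path.endswith("/ServiceProviderConfig"):
            return 200, json.dumps({"patch": {"supported": True}}).encode()
        if parts.path.endswith("/Users"):
            if method == "POST":
                user = dict(json.loads(body), id=str(len(self.users) + 1))
                self.users[user["id"]] = user
                return 201, json.dumps(user).encode()
            m = re.fullmatch(r'userName eq "((?:[^"\\]|\\.)*)"', parse_qs(parts.query)["filter"][0])
            name = re.sub(r"\\(.)", r"\1", m.group(1)) if m else None
            hits = [u for u in self.users.values() if u["userName"] == name]
            return 200, json.dumps({"Resources": hits}).encode()
        uid = parts.path.rsplit("/", 1)[1]
        if uid not in self.users:
            return 404, b""
        if method == "DELETE":
            del self.users[uid]
            return 204, b""
        for op in json.loads(body)["Operations"]:  # PATCH replace
            self.users[uid][op["path"]] = op["value"]
        return 200, json.dumps(self.users[uid]).encode()

def lifecycle_demo():
    # Run add / search / suspend / resume / delete offline; return the verbs sent.
    server = FakeScimServer("s3cr3t")
    client = ScimClient("https://scim.example.test/scim/v2", "s3cr3t", "Bearer", server)
    assert client.test_connection()
    user = client.add_user('alice"x', "alice@example.test")
    assert client.find_user('alice"x')["id"] == user["id"]  # quote was escaped, not injected
    assert client.set_active(user["id"], False)["active"] is False
    assert client.set_active(user["id"], True)["active"] is True
    assert client.delete_user(user["id"]) and client.find_user('alice"x') is None
    return server.calls
```

`lifecycle_demo()` returns the request methods in the order they were issued. SCIM 1.x providers use different schema URNs and a different PATCH body, so this sketch covers only the 2.0 choice of the SCIM version field; the https check and filter escaping apply to both.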
Examples
The images below show how to configure the SCIM connector for two popular SaaS solutions, Slack and Atlassian. The tokens have been blurred out for security reasons.