WSO2 Identity Server can act as a SCIM provider and, at the same time, as a SCIM consumer. You can test the WSO2 Identity Server's SCIM provider API as described here. The WSO2 Identity Server build includes the embedded ApacheDS LDAP server, whose schema is customized to contain the mandatory SCIM attributes, so the SCIM implementation works out of the box with the WSO2 Identity Server.
However, when the WSO2 Identity Server is connected to an external LDAP or Active Directory instance, that directory might not have the mandatory SCIM attributes in its schema. The solution is to map the SCIM claims to existing attributes of the Active Directory.
Add a user with the username "john" and password "[email protected]". To do so, the userName SCIM attribute (urn:scim:schemas:core:1.0:userName) has to be mapped to an existing attribute in the Active Directory (e.g. cn). Furthermore, when a user is added through SCIM, four more SCIM attributes are added behind the scenes: location (urn:scim:schemas:core:1.0:meta.location), created (urn:scim:schemas:core:1.0:meta.created), lastModified (urn:scim:schemas:core:1.0:meta.lastModified) and finally id (urn:scim:schemas:core:1.0:id). These also need to be mapped to existing Active Directory user attributes.
When mapping claims to attributes, there are a few things to consider. The claims in the SCIM dialect (for example urn:scim:schemas:core:1.0:id) hold their values as String type, so when mapping any SCIM claim to an attribute in the Active Directory, make sure to use attributes of String type. You can find all Active Directory attributes here. A plausible example of a claim mapping is given below:
SCIM CLAIM URI | WSO2 CLAIM URI | MAPPED ATTRIBUTE |
---|---|---|
urn:scim:schemas:core:1.0:userName | http://wso2.org/claims/username | cn |
urn:scim:schemas:core:1.0:meta.location | http://wso2.org/claims/location | streetAddress |
urn:scim:schemas:core:1.0:meta.lastModified | http://wso2.org/claims/modified | pager |
urn:scim:schemas:core:1.0:id | http://wso2.org/claims/userid | homePostalAddress |
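As an added example (not part of the WSO2 documentation), the following Python script checks a proposed claim mapping against the two rules above before it is entered in the claim management UI: every claim written during SCIM user creation must be mapped, and every target attribute must be String-typed. AD_ATTRIBUTE_SYNTAX is a small constructed subset of the Active Directory schema, and using description as the target for meta.created is an assumed choice, not something the documentation prescribes.

```python
# Added example (not WSO2 code): sanity-check a SCIM-to-Active-Directory claim
# mapping before entering it in the Identity Server claim management UI.
# AD_ATTRIBUTE_SYNTAX is a constructed subset of the AD schema.

# userName plus the four attributes the server writes behind the scenes on
# every SCIM user creation; all of them need a mapped AD attribute.
REQUIRED_SCIM_CLAIMS = (
    "urn:scim:schemas:core:1.0:userName",
    "urn:scim:schemas:core:1.0:id",
    "urn:scim:schemas:core:1.0:meta.created",
    "urn:scim:schemas:core:1.0:meta.lastModified",
    "urn:scim:schemas:core:1.0:meta.location",
)

# Attribute name -> attribute syntax (constructed subset of the AD schema).
# SCIM claim values are strings, so only String syntaxes are valid targets.
AD_ATTRIBUTE_SYNTAX = {
    "cn": "String(Unicode)",
    "streetAddress": "String(Unicode)",
    "pager": "String(Unicode)",
    "homePostalAddress": "String(Unicode)",
    "description": "String(Unicode)",
    "whenCreated": "GeneralizedTime",
    "objectGUID": "OctetString",
    "userAccountControl": "Integer",
}


def validate_mapping(mapping):
    """Return a list of problems with a {scim_claim_uri: ad_attribute} mapping.

    An empty list means every mandatory claim is mapped, every target attribute
    is known and String-typed, and no two claims share one attribute.
    """
    problems = []
    for claim in REQUIRED_SCIM_CLAIMS:
        if claim not in mapping:
            problems.append(f"unmapped mandatory claim: {claim}")
    used_by = {}  # attribute -> first claim that took it
    for claim, attr in mapping.items():
        syntax = AD_ATTRIBUTE_SYNTAX.get(attr)
        if syntax is None:
            problems.append(f"{claim}: unknown AD attribute {attr!r}")
        elif not syntax.startswith("String"):
            problems.append(f"{claim}: {attr} has syntax {syntax}, not String")
        if attr in used_by:
            problems.append(f"{claim}: {attr} already used by {used_by[attr]}")
        used_by.setdefault(attr, claim)
    return problems


# The mapping from the table above: four rows, meta.created not yet mapped.
PAGE_MAPPING = {
    "urn:scim:schemas:core:1.0:userName": "cn",
    "urn:scim:schemas:core:1.0:meta.location": "streetAddress",
    "urn:scim:schemas:core:1.0:meta.lastModified": "pager",
    "urn:scim:schemas:core:1.0:id": "homePostalAddress",
}

# A tempting but wrong mapping: the AD attributes that sound right for
# created and id are not String-typed.
WRONG_TYPE_MAPPING = {
    **PAGE_MAPPING,
    "urn:scim:schemas:core:1.0:meta.created": "whenCreated",
    "urn:scim:schemas:core:1.0:id": "objectGUID",
}

# Completed mapping; "description" is an assumed choice, any unused
# String-typed attribute would do.
COMPLETE_MAPPING = {
    **PAGE_MAPPING,
    "urn:scim:schemas:core:1.0:meta.created": "description",
}

if __name__ == "__main__":
    for name, m in [("page table", PAGE_MAPPING),
                    ("wrong types", WRONG_TYPE_MAPPING),
                    ("completed", COMPLETE_MAPPING)]:
        print(name, "->", validate_mapping(m) or "OK")
```

Run against the table above, the check reports that meta.created still has no mapping; the WRONG_TYPE_MAPPING case shows why the type rule matters, since whenCreated and objectGUID look like natural homes for created and id but are not String attributes.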
This claim mapping can be done through the WSO2 Identity Server Claim Management Feature.
- Log in to WSO2 Identity Server using your credentials.
- Go to the Main menu in the Management Console and click List under Claims.
- Select urn:scim:schemas:core:1.0 from the Available Claim Dialect list.
- Search for userName in the list of claims and note down its Mapped Local Claim.
- Select http://wso2.org/claims from the Available Claim Dialect list.
- Search for username in the list of claims and click Edit.
- Change the Mapped Attribute value to cn and click Update.
- Edit the other four claims in the same way.
Now the basic claim mapping is done. You can add a user using the following curl commands.

```shell
curl -v -k --user admin:admin --data '{"schemas":[],"userName":"john","password":"[email protected]"}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users
curl -v -k --user admin:admin --data '{"schemas":[],"userName":"wso2.com/uresh67","password":"[email protected]"}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users
```

Note that in the second command the user name is preceded by the domain, as in "wso2.com/uresh67". Also note that "wso2.com" here is a reference to a domain name.
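The same user creation, as an added Python example rather than the documentation's own code: it builds the request body with json.dumps so the quoting pitfalls of embedding JSON in a shell command line do not arise, sends it with the admin:admin Basic credentials from the curl command, and then checks the returned user for exactly the attributes the claim mapping has to cover. SAMPLE_RESPONSE is a constructed SCIM 1.1 response with placeholder values; create_user needs a running server and is not exercised by the inline demo.

```python
# Added example (not WSO2 code): create a user through the SCIM 1.1 /Users
# endpoint with a well-formed JSON body and Basic auth, then check that the
# server-populated attributes covered by the claim mapping came back.
import base64
import json
import ssl
import urllib.request

SCIM_USERS_URL = "https://localhost:9443/wso2/scim/Users"  # endpoint from the page


def build_user_payload(username, password, domain=None):
    """Body for POST /Users.  A user store domain, when given, is prefixed as
    DOMAIN/username, the form shown above as wso2.com/uresh67.  json.dumps
    emits proper double-quoted JSON, so no shell quoting tricks are needed."""
    if domain:
        username = f"{domain}/{username}"
    return json.dumps({"schemas": [], "userName": username, "password": password})


def user_attributes(response_body):
    """Pull userName, id and the three meta attributes out of a SCIM user
    representation; a value is None when the server did not return it."""
    user = json.loads(response_body)
    meta = user.get("meta") or {}
    return {
        "userName": user.get("userName"),
        "id": user.get("id"),
        "meta.created": meta.get("created"),
        "meta.lastModified": meta.get("lastModified"),
        "meta.location": meta.get("location"),
    }


def unmapped_attributes(response_body):
    """Attributes missing from the response: each one points at a SCIM claim
    whose Active Directory mapping is absent or unreadable."""
    return [k for k, v in user_attributes(response_body).items() if v is None]


def create_user(username, password, domain=None, admin=("admin", "admin"),
                url=SCIM_USERS_URL, verify_tls=True):
    """POST the user and return the raw response body (network call)."""
    token = base64.b64encode(f"{admin[0]}:{admin[1]}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=build_user_payload(username, password, domain).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": "Basic " + token},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # same effect as curl -k; only for the self-signed dev certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


# Constructed response in SCIM 1.1 shape; id and timestamps are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "schemas": ["urn:scim:schemas:core:1.0"],
    "id": "PLACEHOLDER-USER-ID",
    "userName": "john",
    "meta": {
        "created": "2013-01-01T00:00:00",
        "lastModified": "2013-01-01T00:00:00",
        "location": SCIM_USERS_URL + "/PLACEHOLDER-USER-ID",
    },
})

if __name__ == "__main__":
    print(build_user_payload("uresh67", "PLACEHOLDER-PASSWORD", domain="wso2.com"))
    print("missing:", unmapped_attributes(SAMPLE_RESPONSE) or "none")
    # Against a live server (self-signed certificate, hence verify_tls=False):
    # body = create_user("john", "PLACEHOLDER-PASSWORD", verify_tls=False)
    # print("missing:", unmapped_attributes(body) or "none")
```

If unmapped_attributes reports, say, meta.created after a real create call, the corresponding claim in the urn:scim:schemas:core:1.0 dialect is the one whose Mapped Attribute still needs to be set in the claim management UI.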
In RestClient, the following header parameters must be added, and the double quotation marks must be removed from the message body.

Content-Type: application/json
Accept: */*

Message body:

{schemas:[],userName:'wso2.com/uresh67',password:[email protected]}

You need to do the claim mapping for every SCIM claim you are using with user operations.
To find out how to enable extensions for extended attributes in SCIM, see Extensible SCIM User Schemas with WSO2 Identity Server.