This documentation is for WSO2 Identity Server 5.1.0.

WSO2 Identity Server can be configured to act as a SCIM service provider for the primary user store; see the topic Identity Server as a SCIM Provider for how that is set up. This topic explains how to configure the Identity Server as a SCIM service provider for a secondary user store.

When a user or a group is created through SCIM, a set of SCIM-specific values has to be stored along with the user or group. Some of these values are:

  • urn:scim:schemas:core:1.0:userName
  • urn:scim:schemas:core:1.0:meta.location
  • urn:scim:schemas:core:1.0:meta.created
  • urn:scim:schemas:core:1.0:meta.lastModified
  • urn:scim:schemas:core:1.0:id

Unless your user store is a JDBC user store or the embedded LDAP that ships with the Identity Server, you need to map how these values are stored in your user store. This mapping is done in the Identity Server's claim management setup and can be done for any primary user store. The process is explained here.

Now assume you have an Active Directory (AD) user store as the primary user store and have done the claim mappings for the SCIM attributes. You then add an OpenLDAP user store as a secondary user store. The claim mappings done for AD may not suit the OpenLDAP attributes, so it must be possible to map the same claims to the secondary user store's attributes as well. To do this, change the Mapped Attribute value of each affected claim as indicated below.

  1. Log into the WSO2 Identity Server and access the management console.
  2. In the Configure menu of the management console, click Claim Management. See here for more information on claim management.
  3. Click one of the available claims, or click Add New Claim Dialect if the claim you wish to modify is not available.
  4. Modify the Mapped Attribute field on the resulting page, using the format below, where the domain is the name you gave the secondary user store:
    {primary-attribute};{secondary user store domain}/{secondary-attribute}
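The following is an added example, not WSO2 code: it parses a Mapped Attribute value in the format above and resolves which user store attribute a claim should use for a given domain, falling back to the primary attribute for a domain that has no entry of its own. It assumes that more than one {domain}/{attribute} entry may follow the primary attribute, each separated by a semicolon, and that domain names compare case-insensitively; the attribute names in SCIM_CLAIM_MAPPINGS are constructed for illustration, not a tested AD/OpenLDAP configuration.

```python
"""Resolve which user store attribute a claim maps to for a given domain.

Added example, not WSO2 code.  Implements the Mapped Attribute format
    {primary-attribute};{secondary user store domain}/{secondary-attribute}
Assumptions: several 'DOMAIN/attribute' entries may follow, ';'-separated, and
domain names compare case-insensitively.  The sample mappings are constructed.
"""
PRIMARY_DOMAIN = "PRIMARY"  # name WSO2 uses for the primary user store domain


def parse_mapped_attribute(mapped):
    """'cn;demo.com/uid' -> ('cn', {'DEMO.COM': 'uid'}).

    Rejects an empty value, a domain-qualified primary entry, a malformed
    secondary entry and a domain mapped twice, so a bad claim configuration
    fails loudly instead of silently falling back to the primary attribute.
    """
    parts = [p.strip() for p in mapped.split(";")]
    if not parts[0]:
        raise ValueError("mapped attribute must start with the primary attribute")
    primary = parts[0]
    if "/" in primary:
        raise ValueError("primary attribute must not carry a domain prefix")
    secondary = {}
    for entry in parts[1:]:
        if not entry:
            continue  # tolerate a trailing ';'
        domain, sep, attr = entry.partition("/")
        if not sep or not domain or not attr or "/" in attr:
            raise ValueError(f"malformed secondary mapping: {entry!r}")
        key = domain.upper()
        if key in secondary:
            raise ValueError(f"domain {domain!r} is mapped more than once")
        secondary[key] = attr
    return primary, secondary


def resolve_attribute(mapped, domain=None):
    """Attribute to read/write in user store `domain` (None or PRIMARY = primary).

    A domain with no entry of its own gets the primary attribute: the case where
    both stores use the same attribute name and no repeat mapping is needed.
    """
    primary, secondary = parse_mapped_attribute(mapped)
    if domain is None or domain.upper() == PRIMARY_DOMAIN:
        return primary
    return secondary.get(domain.upper(), primary)


def split_domain(name):
    """'demo.com/venura' -> ('DEMO.COM', 'venura'); 'venura' -> (None, 'venura')."""
    domain, sep, local = name.partition("/")
    if not sep:
        return None, name
    if not domain or not local or "/" in local:
        raise ValueError(f"malformed domain-qualified name: {name!r}")
    return domain.upper(), local


# Constructed sample: AD primary store, OpenLDAP secondary store named demo.com.
SCIM_CLAIM_MAPPINGS = {
    "urn:scim:schemas:core:1.0:userName": "cn;demo.com/uid",
    "urn:scim:schemas:core:1.0:id": "scimId",  # same attribute name in both stores
    "urn:scim:schemas:core:1.0:meta.lastModified": "scimModified;demo.com/modifyTs",
}


def attribute_for(claim, qualified_name, mappings=SCIM_CLAIM_MAPPINGS):
    """Attribute to use for `claim` when handling the user or group `qualified_name`."""
    domain, _ = split_domain(qualified_name)
    return resolve_attribute(mappings[claim], domain)
```

Calling attribute_for with a userName of demo.com/venura yields the OpenLDAP attribute, while a bare venura resolves against the primary store; the strict parser is deliberate, since a mapping that silently falls back to the primary attribute can write SCIM metadata to the wrong attribute in the secondary store.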

Now you can perform SCIM operations against the secondary user store as shown below. The userName and displayName values carry the secondary user store domain as a prefix (demo.com/ in these examples); that prefix is what routes the request to the secondary store, and a name without it is resolved against the primary store. The id in the Update URLs is the SCIM id returned when the user or group was created. The examples use -k, which disables TLS certificate verification, and pass the admin credentials on the command line, where they end up in shell history and process listings; on anything other than a throwaway development instance, trust the server certificate instead of using -k, and supply the password via --user admin (curl prompts for it) or a .netrc file.

User Creation

curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"kahawala","givenName":"venura"},"userName":"demo.com/venura","password":"testPwd123"}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

Update User

curl -v -k --user admin:admin -X PUT -d '{"schemas":[],"name":{"familyName":"kahawala","givenName":"venura"},"userName":"demo.com/venura","emails":[{"value":"[email protected]","type":"work"},{"value":"[email protected]","type":"home"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users/334d988a-5e68-4594-8b96-356adeec29f1

Filter User

curl -v -k --user admin:admin 'https://localhost:9443/wso2/scim/Users?filter=userNameEqdemo.com/venura'

Create Group

curl -v -k --user admin:admin --data '{"displayName":"demo.com/Engineer","members":[{"value":"334d988a-5e68-4594-8b96-356adeec29f1","display":"venura"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups

Update Group

curl -v -k --user admin:admin -X PUT -d '{"displayName":"demo.com/Engineer","members":[{"value":"334d988a-5e68-4594-8b96-356adeec29f1","display":"venura"},{"value":"p09okhyt-5e68-4594-8mkj-356ade12we34","display":"testUser"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups/c4f6c973-bae6-4a03-b09f-2ad8629f406c

Filter Group

curl -v -k --user admin:admin 'https://localhost:9443/wso2/scim/Groups?filter=displayNameEqdemo.com/Engineer'
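The same sequence of operations as an added Python example (not WSO2 code, and not part of the original page): it builds the SCIM 1.1 bodies the curl commands above send, domain-qualifies the userName and displayName, reuses the id returned by the create call as the group member id, and percent-escapes the filter value. The endpoints and filter form are the ones shown above; the FakeServer transport, the canned ids it returns, and the user details are constructed so the flow runs offline, and the default HTTPS transport is used when no transport is passed.

```python
"""Drive the page's SCIM operations from Python instead of hand-quoted curl.

Added example, not WSO2 code.  It uses the endpoints and SCIM 1.1 bodies the
page shows (/wso2/scim/Users, /wso2/scim/Groups, userNameEq filter).  The
transport is injectable, so the flow runs offline against the constructed
FakeServer below; drop the transport argument to talk to a real server.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import quote


class ScimClient:
    def __init__(self, base_url, user, password, transport=None, verify_tls=True):
        self.base = base_url.rstrip("/") + "/wso2/scim"
        self.auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        self.verify_tls = verify_tls
        # transport(method, url, body_bytes_or_None) -> (status, body_bytes)
        self.transport = transport or self._https

    def _https(self, method, url, body):
        ctx = ssl.create_default_context()
        if not self.verify_tls:  # the equivalent of curl -k: throwaway dev instances only
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        req = urllib.request.Request(url, data=body, method=method)
        req.add_header("Authorization", self.auth)
        if body is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    def _call(self, method, path, payload=None):
        body = None if payload is None else json.dumps(payload).encode()
        status, raw = self.transport(method, self.base + path, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path}: HTTP {status} {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    @staticmethod
    def qualify(domain, name):
        """'demo.com', 'venura' -> 'demo.com/venura'.  The prefix routes the
        request to the secondary store; without it the primary store is used."""
        if "/" in name:
            raise ValueError("name already carries a domain prefix")
        return f"{domain}/{name}"

    def create_user(self, domain, username, password, given, family):
        return self._call("POST", "/Users", {
            "schemas": [], "name": {"familyName": family, "givenName": given},
            "userName": self.qualify(domain, username), "password": password})

    def update_user(self, user_id, domain, username, given, family, emails):
        return self._call("PUT", f"/Users/{quote(user_id, safe='')}", {
            "schemas": [], "name": {"familyName": family, "givenName": given},
            "userName": self.qualify(domain, username),
            "emails": [{"value": addr, "type": kind} for addr, kind in emails]})

    def find_user(self, domain, username):
        # '/' is legal unencoded in a query string; anything else is percent-escaped
        return self._call("GET", "/Users?filter=userNameEq"
                          + quote(self.qualify(domain, username), safe="/"))

    def create_group(self, domain, name, members):
        return self._call("POST", "/Groups", {
            "displayName": self.qualify(domain, name),
            "members": [{"value": uid, "display": label} for uid, label in members]})


def provision(client, domain="demo.com"):
    """Create the user, then a group holding it under the id the server returned,
    then look the user up again; returns (user_id, group_id, lookup result)."""
    user = client.create_user(domain, "venura", "testPwd123", "venura", "kahawala")
    group = client.create_group(domain, "Engineer", [(user["id"], "venura")])
    return user["id"], group["id"], client.find_user(domain, "venura")


class FakeServer:
    """Constructed stand-in for the Identity Server: records every request and
    answers a POST by echoing the body back with an id attached."""
    def __init__(self):
        self.calls = []
        self._ids = iter(["334d988a-5e68-4594-8b96-356adeec29f1",
                          "c4f6c973-bae6-4a03-b09f-2ad8629f406c"])

    def __call__(self, method, url, body):
        data = None if body is None else json.loads(body)
        self.calls.append((method, url, data))
        if method == "POST":
            data["id"] = next(self._ids)
            return 201, json.dumps(data).encode()
        return 200, b'{"totalResults": 1, "Resources": []}'
```

To run it against a real instance, construct ScimClient("https://localhost:9443", "admin", password) with no transport argument and call provision; leave verify_tls at its default so the server certificate is checked, and read the password from the environment or a prompt rather than hard-coding it.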

If the attribute name already mapped for the primary user store is the same in the secondary user store, you do not need to repeat it with the secondary domain prefix in the claim mapping; the primary mapping is used for that domain.
