Configuring SCIM for user and group member management

Stabilized feature: The scim-1.0 feature is stabilized. There is no strategic alternative. You can continue to use the scim-1.0 feature.

You can configure the scim-1.0 feature in the server.xml file to enable user and group member management. System for Cross-domain Identity Management (SCIM) defines REST APIs to create, retrieve, update, and delete (CRUD) users and groups. Calls are made through a systems management REST web application bundle (WAB). Local calls go over HTTP on localhost through the web API only; there are no Java APIs for local calls.

Procedure

Adding the scim-1.0 feature to the server.xml file enables the SCIM functions, but to complete the configuration you must also perform the following steps:
  • SSL configuration: The REST services are protected and can be accessed only on the HTTPS port. For more information about how to complete the SSL configuration, see Enabling SSL communication in Liberty.
  • Configuration of the federation registry: The SCIM functions are supported only by the Federation Registry (the federatedRepository element). To quickly set up a federation registry by using LDAP, see Configuring LDAP user registries in Liberty.
  • Configuration of administrative roles: The SCIM REST services are accessible only to users who are mapped to the administrator or reader role. Users in the administrator role are authorized to perform all POST, PUT, DELETE, and GET operations.

    Users in the reader role are authorized to perform read-only GET operations. See the information about mapping the administrator role in Liberty.

    Note: For configuration of the administrator role for SCIM, you cannot use the Quick Start Registry.
  • Configuration of the HTTPS port (optional): The HTTP endpoint must be configured with an HTTPS port, because the SCIM REST services are reachable only over HTTPS. For more information about the httpEndpoint element configuration, see the httpEndpoint section in Admin Center.
After the configuration steps are completed, the scim-1.0 feature is ready to be used. A sample configuration in the server.xml file is shown in the following example. The LDAP bind password and keystore password in the sample are placeholders; in a real server, store values that were encoded with the securityUtility encode command rather than clear text, and restrict read access to server.xml.

<server description="server1">
    <!-- Enable features -->
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>servlet-3.0</feature>
        <feature>ldapRegistry-3.0</feature>
        <feature>scim-1.0</feature>
        <feature>transportSecurity-1.0</feature>
    </featureManager>

    <!-- The SCIM REST services are served only on httpsPort -->
    <httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9090">
        <tcpOptions soReuseAddr="true" />
    </httpEndpoint>

    <ldapRegistry id="LDAP1" realm="SampleLdapIDSRealm" host="9.127.1.90" port="1389" ignoreCase="true"
        baseDN="o=ibm,c=us" ldapType="IBM Tivoli Directory Server" searchTimeout="8m" recursiveSearch="true"
        bindDN="cn=xxxx" bindPassword="xxxxxx">
        <ldapEntityType name="PersonAccount">
            <rdnProperty name="uid" objectClass="inetOrgPerson"/>
            <objectClass>inetOrgPerson</objectClass>
        </ldapEntityType>
        <ldapEntityType name="Group">
            <objectClass>groupofnames</objectClass>
            <objectClass>ibm-nestedGroup</objectClass>
            <rdnProperty name="cn" objectClass="groupofnames"/>
        </ldapEntityType>
        <!-- Map LDAP attributes (name) to PersonAccount properties (propertyName) -->
        <attributeConfiguration>
            <attribute name="title" propertyName="honorificPrefix" syntax="String" entityType="PersonAccount"/>
            <attribute name="initials" propertyName="middleName" syntax="String" entityType="PersonAccount"/>
            <attribute name="st" propertyName="honorificSuffix" syntax="String" entityType="PersonAccount"/>
            <attribute name="l" propertyName="homeStateOrProvinceName" syntax="String" entityType="PersonAccount"/>
            <attribute name="street" propertyName="homeStreet" syntax="String" entityType="PersonAccount"/>
            <attribute name="postalAddress" propertyName="homeCity" syntax="String" entityType="PersonAccount"/>
            <attribute name="postalCode" propertyName="homePostalCode" syntax="String" entityType="PersonAccount"/>
            <attribute name="postOfficeBox" propertyName="homeCountryName" syntax="String" entityType="PersonAccount"/>
            <attribute name="departmentNumber" propertyName="photoURLThumbnail" syntax="String" entityType="PersonAccount"/>
            <attribute name="description" propertyName="photoURL" syntax="String" entityType="PersonAccount"/>
        </attributeConfiguration>
        <!-- Direct membership for static and nested groups -->
        <groupProperties>
            <memberAttribute name="member" dummyMember="uid=dummy" objectClass="groupOfNames" scope="direct"/>
            <memberAttribute name="ibm-memberGroup" objectClass="ibm-nestedGroup" scope="direct"/>
        </groupProperties>
    </ldapRegistry>

    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" />
    <keyStore id="defaultKeyStore" password="Liberty"/>

    <!-- Full CRUD access to the SCIM REST services -->
    <administrator-role>
        <user>admin</user>
    </administrator-role>

    <!-- Read-only (GET) access to the SCIM REST services -->
    <reader-role>
        <user>reader</user>
    </reader-role>

    <federatedRepository>
        <primaryRealm name="WIMRegistry">
            <participatingBaseEntry name="o=ibm,c=us"/>
        </primaryRealm>
    </federatedRepository>
</server>
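The following script, added here as an example and not part of the original page or the Liberty product, exercises the configuration above from a client: it builds a SCIM core-schema User resource whose name parts and home address correspond to the PersonAccount properties mapped in attributeConfiguration, sends it over HTTPS with Basic authentication as the admin user, reads it back, and then repeats the write as the reader user to confirm that the reader role is limited to GET. It assumes, because the page does not state them, that the SCIM resources live under https://<host>:<httpsPort>/ibm/api/scim (/Users and /Groups), that the Liberty server certificate has been exported to a PEM file (liberty-server.pem) so TLS verification stays on, and that the host name, port and passwords are placeholders to be replaced.

```python
"""Added example (not from the page): drive the Liberty scim-1.0 REST API
with the admin and reader users mapped in the sample server.xml.

Assumptions the page does not state: SCIM resources are under
https://<host>:<httpsPort>/ibm/api/scim (/Users, /Groups); the server
certificate is exported to a PEM file so TLS verification stays enabled;
host names and credentials below are placeholders.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request

# Core schema URN carried by every SCIM 1.x User or Group resource.
SCIM_CORE_SCHEMA = "urn:scim:schemas:core:1.0"


def user_payload(user_name, given, family, *, honorific_prefix=None,
                 middle=None, honorific_suffix=None, home_address=None,
                 email=None):
    """Build a SCIM core-schema User.

    The optional name parts and the home address are the SCIM counterparts of
    the PersonAccount properties the sample attributeConfiguration maps onto
    LDAP attributes (title, initials, st, street, postalCode, ...).
    """
    name = {"givenName": given, "familyName": family}
    if honorific_prefix:
        name["honorificPrefix"] = honorific_prefix
    if middle:
        name["middleName"] = middle
    if honorific_suffix:
        name["honorificSuffix"] = honorific_suffix
    body = {"schemas": [SCIM_CORE_SCHEMA], "userName": user_name, "name": name}
    if home_address:
        body["addresses"] = [dict(type="home", **home_address)]
    if email:
        body["emails"] = [{"value": email, "type": "work", "primary": True}]
    return body


class ScimClient:
    """Minimal HTTPS client that authenticates as one Liberty role-mapped user."""

    def __init__(self, base_url, user, password, cafile=None):
        self.base_url = base_url.rstrip("/")
        creds = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.auth_header = "Basic " + creds
        # cafile: the exported Liberty server certificate; None falls back to
        # the system trust store. Certificate verification is never disabled.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def build_request(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", self.auth_header)
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        return req

    def call(self, method, path, body=None):
        """Return (HTTP status, parsed JSON or None); 4xx/5xx become a status."""
        req = self.build_request(method, path, body)
        try:
            with urllib.request.urlopen(req, context=self.ctx) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:
            return err.code, None


def main():
    # Placeholder host, port and credentials matching the sample server.xml.
    base = "https://localhost:9090/ibm/api/scim"
    admin = ScimClient(base, "admin", "adminPassword", cafile="liberty-server.pem")
    reader = ScimClient(base, "reader", "readerPassword", cafile="liberty-server.pem")

    new_user = user_payload(
        "bjensen", "Barbara", "Jensen", honorific_prefix="Ms.", middle="J",
        home_address={"streetAddress": "100 Main St", "locality": "Austin",
                      "region": "TX", "postalCode": "78701", "country": "US"},
        email="bjensen@example.com")

    status, created = admin.call("POST", "/Users", new_user)
    print("admin POST /Users ->", status)
    if status == 201 and created:
        status, fetched = admin.call("GET", f"/Users/{created['id']}")
        print("admin GET /Users/{id} ->", status, fetched and fetched.get("userName"))

    # reader-role is read-only: GET is allowed, the POST should be rejected
    # (403 Forbidden is the expected status).
    print("reader GET /Users ->", reader.call("GET", "/Users")[0])
    print("reader POST /Users ->", reader.call("POST", "/Users", new_user)[0])


if __name__ == "__main__":
    main()
```

Run it after exporting the server certificate from the defaultKeyStore into liberty-server.pem; the two reader calls are the check that the role mapping in server.xml is actually enforced by the endpoint, and a 201 on the reader's POST would mean the reader user has been mapped to the administrator role as well.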