Configuring access to user and group information (SCIM)

 Traditional: 
User Management Service (UMS) version 1.0.1 and later support the IBM® WebSphere® Application Server Liberty scim-1.0 feature. This feature allows a user who is in the administrator role of the User Management Service to invoke System for Cross-domain Identity Management (SCIM) operations in Liberty. For example, you can use SCIM REST APIs to search for users and groups and to retrieve user details.
For more information, see SCIM operations in Liberty.

If you created your server configuration by using the ibmUserManagement:ibmUserManagement template, the administrator role is already defined and the user specified in the wlp/usr/servers/server_name/configDropins/overrides/umsVariables.xml file is assigned to that role. If you are upgrading from an earlier version of the User Management Service, you must add the administrator role to your User Management Service server configuration as described in Creating a User Management Service server instance. In both cases, you can create and add users to the administrator role, for example, if you want fine-grained authorization control for the OAuth 2.0, OpenID Connect, and SCIM features.

User Management Service clients retrieve user details through the SCIM REST APIs. The returned details include the user ID, user name, and formatted full name. Depending on your LDAP schema, the value of the user full name might be unexpected. It is strongly recommended that you test your configuration to ensure that the returned details are as you expect. To test the API calls, connect your LDAP server to the User Management Service, and invoke the following request:
https://umshost:port/ibm/api/scim/Users/{id}
where {id} is the fully distinguished name of an LDAP user: uid=someUser,ou=someOrg,o=someCompany. The request returns all the configured user attributes. Check that the “name” attribute in the response looks similar to the following example:
"name": {
        "formatted": "John Doe",
        "givenName": "John",
        "familyName": "Doe"
}
Because the Liberty federatedRegistry-1.0 and scim-1.0 features use the field “cn” as the first name by default, you might see a name object similar to the following example returned by the request:
"name": {
        "formatted": "John Doe Doe",
        "givenName": "John Doe",
        "familyName": "Doe"
}
If you encounter this issue, map an LDAP attribute containing the first name to the federatedRegistry cn property. For example, add the following attribute configuration to your ldapRegistry XML configuration file in the wlp/usr/servers/server_name/configDropins/overrides directory:
<attributeConfiguration>
    <attribute name="givenName" propertyName="cn" syntax="String" entityType="PersonAccount" />
</attributeConfiguration>
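To make the recommended test repeatable, the following added Python helper (not part of the IBM documentation or the UMS product) inspects the "name" object of a saved Users/{id} response body and reports the symptoms of cn being used as the first name. The two sample responses and the DN in them are constructed for the example.

```python
import json

# Constructed sample SCIM Users/{id} responses, modelled on the two "name"
# objects shown above (only the fields this check needs are included).
EXPECTED_RESPONSE = json.dumps({
    "id": "uid=jdoe,ou=people,o=example",  # placeholder DN, not a real user
    "userName": "jdoe",
    "name": {"formatted": "John Doe", "givenName": "John", "familyName": "Doe"},
})
CN_AS_FIRST_NAME_RESPONSE = json.dumps({
    "id": "uid=jdoe,ou=people,o=example",
    "userName": "jdoe",
    "name": {"formatted": "John Doe Doe", "givenName": "John Doe", "familyName": "Doe"},
})


def check_scim_name(body: str) -> list:
    """Inspect the "name" object of a SCIM user response body.

    Returns a list of findings to review; an empty list means the name
    object looks like the expected example in the documentation.
    """
    findings = []
    name = json.loads(body).get("name") or {}
    given = name.get("givenName", "").strip()
    family = name.get("familyName", "").strip()
    formatted = name.get("formatted", "").strip()
    if not given or not family:
        return ["name.givenName or name.familyName is missing or empty"]
    given_parts = given.split()
    # Symptom of cn being mapped as the first name: givenName already carries
    # the surname, so the formatted full name ends up with the surname twice.
    if len(given_parts) > 1 and given_parts[-1] == family:
        findings.append(f'givenName "{given}" ends with familyName "{family}": '
                        'cn is probably being used as the first name')
    if formatted.split().count(family) > 1:
        findings.append(f'formatted name "{formatted}" repeats the surname')
    # Anything else unexpected (e.g. a middle name) is flagged for review.
    if formatted and formatted != f"{given} {family}":
        findings.append(f'formatted "{formatted}" is not givenName + familyName')
    return findings


if __name__ == "__main__":
    for label, body in (("expected", EXPECTED_RESPONSE),
                        ("cn-as-first-name", CN_AS_FIRST_NAME_RESPONSE)):
        print(label, check_scim_name(body) or ["ok"])
```

Save the JSON returned by the Users/{id} request to a file and pass its contents to check_scim_name; a non-empty result means the attributeConfiguration mapping above (or your LDAP schema) needs attention.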