Adding custom SCIM attributes

You can add custom SCIM user and group attributes.

The new attributes must be defined in the extended SCIM user schema (urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User). They must follow the SCIM specification of attribute properties, including name, type, multiValued, description, required, caseExact, mutability, returned, and uniqueness. For more information, see Resource Schema Representation.

The following table provides the payload of the attributes.

Table 1. Custom attribute payload

| Subattribute field name | Mandatory or not | Default value | Allowed value |
| --- | --- | --- | --- |
| schemaId | Yes | NA | urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User or urn:ietf:params:scim:schemasibmcp:2.0:User; urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group or urn:ietf:params:scim:schemasibmcp:2.0:Group |
| screenName | Yes | NA | Any alphanumeric characters between 2 and 30 characters in length; may contain space |
| name | Yes | NA | Any alphanumeric characters between 2 and 30 characters in length |
| description | No | NA | NA |
| isSensitive | No | false | false |
| type | Yes | string | string, complex |
| multiValued | No | false | true, false |
| required | No | false | true, false |
| caseExact | No | false | false |
| mutability | No | readWrite | readWrite |
| returned | No | default | default |
| uniqueness | No | none | none |

Important: The SchemaIds urn:ietf:params:scim:schemasibmcp:2.0:User and urn:ietf:params:scim:schemasibmcp:2.0:Group might be deprecated in a future release. Hence, use the SchemaId urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User or urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group when you create any custom SCIM attributes.

See these notes:

  • For each attribute, you must provide the mandatory subattributes as described in Table 1. Otherwise, the POST API operation returns an error.
  • schemaId is a mandatory field and its value must be urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User or urn:ietf:params:scim:schemasibmcp:2.0:User for user, and urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group or urn:ietf:params:scim:schemasibmcp:2.0:Group for group.
  • For each attribute, it is ideal to add the nonmandatory subattribute fields with values in the payload. Otherwise, the default values are added as described in Table 1.
  • Attribute key and name must have the same value.
  • IM supports only default values for these subattributes: isSensitive, caseExact, mutability, returned, and uniqueness. If you provide custom values, then IM changes the values of these subattributes to their default values and then creates the custom SCIM attribute.
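
The rules in Table 1 and the notes above can be checked locally before a payload is sent. The following pre-flight check is an added example, not IBM code: it reports payloads that the POST operation would reject and subattribute values that IM would reset to their defaults. The function name check_payload, the sample attribute costCenter, and the regular expressions (one reading of "alphanumeric, 2 to 30 characters") are assumptions.

```python
import re

# Rules transcribed from Table 1 and the notes on this page (added example).
USER_IDS = {"urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User",
            "urn:ietf:params:scim:schemasibmcp:2.0:User"}
GROUP_IDS = {"urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group",
             "urn:ietf:params:scim:schemasibmcp:2.0:Group"}
MANDATORY = ("schemaId", "screenName", "name", "type")
# Subattributes for which IM keeps only the default value.
FORCED_DEFAULTS = {"isSensitive": False, "caseExact": False,
                   "mutability": "readWrite", "returned": "default",
                   "uniqueness": "none"}
NAME_RE = re.compile(r"[A-Za-z0-9]{2,30}")         # assumed reading of Table 1
SCREEN_RE = re.compile(r"[A-Za-z0-9 ]{2,30}")      # same, spaces allowed


def check_payload(payload):
    """Return (errors, warnings) for a POST body shaped like the page's examples."""
    errors, warnings = [], []
    for section, allowed in (("user", USER_IDS), ("group", GROUP_IDS)):
        for key, attr in payload.get(section, {}).items():
            where = f"{section}.{key}"
            missing = [f for f in MANDATORY if f not in attr]
            if missing:
                errors.append(f"{where}: missing mandatory {missing}")
                continue
            if attr["schemaId"] not in allowed:
                errors.append(f"{where}: schemaId not valid for {section}")
            elif ":extension:" not in attr["schemaId"]:
                warnings.append(f"{where}: schemaId might be deprecated")
            if attr["name"] != key:
                errors.append(f"{where}: key and name differ")
            if not NAME_RE.fullmatch(str(attr["name"])):
                errors.append(f"{where}: name must be 2-30 alphanumerics")
            if not SCREEN_RE.fullmatch(str(attr["screenName"])):
                errors.append(f"{where}: screenName must be 2-30 characters")
            if attr["type"] not in ("string", "complex"):
                errors.append(f"{where}: type must be string or complex")
            for field, default in FORCED_DEFAULTS.items():
                if field in attr and attr[field] != default:
                    warnings.append(f"{where}: {field} resets to {default!r}")
    return errors, warnings


# Constructed sample: legacy schemaId, key/name mismatch, non-default uniqueness.
SAMPLE = {"user": {"costCenter": {
    "schemaId": "urn:ietf:params:scim:schemasibmcp:2.0:User",
    "screenName": "Cost Center", "name": "costcenter", "type": "string",
    "uniqueness": "server"}}}
print(check_payload(SAMPLE))
```

The warnings matter for review: a definition that requests a non-default uniqueness or mutability is still created, but with the default value, so the stored schema should be read back with GET rather than assumed from the request.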

Add custom SCIM attributes

Use the POST operation with the idmgmt/identity/api/v2/scim/attributes API to add one or more custom SCIM attributes in the users and groups section.

Before you use the API, create these environment variables to use with the APIs.

  • Console route. For more information about how to get the console route, see Getting the console URL.

    export CP_CONSOLE_URL=$CP_CONSOLE_URL_ROUTE
    
  • Access token. For more information, see Preparing to run component or management API commands.

    1. Run the following command to get all authentication tokens. Then, copy the access token from the output.
      curl -k -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "grant_type=password&username=admin&password=admin&scope=openid" https://$CP_CONSOLE_URL/idprovider/v1/auth/identitytoken
      
    2. Create an environment variable for the access token.
      export ACCESS_TOKEN=<Access-token>
      

Add custom SCIM attribute for users

Run the following curl command to add a custom attribute only for users:

curl -k -X POST \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "content-type: application/json" \
  "https://$CP_CONSOLE_URL/idmgmt/identity/api/v2/scim/attributes" \
  -d '{
      "user": {
        "userAttribute1": {
            "schemaId": "urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User",
            "screenName": "userAttribute1",
            "isSensitive": false,
            "name" : "userAttribute1",
            "type" : "string",
            "multiValued" : false,
            "description" : "Custom User Attribute 1",
            "required" : true,
            "caseExact" : false,
            "mutability" : "readWrite",
            "returned" : "default",
            "uniqueness" : "none"
           }
      }
   }'

Add custom SCIM attribute for groups

Run the following curl command to add a custom attribute only for groups:

curl -k -X POST \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "content-type: application/json" \
  "https://$CP_CONSOLE_URL/idmgmt/identity/api/v2/scim/attributes" \
  -d '{
        "group": {
            "groupAttribute1": {
              "schemaId": "urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group",
              "screenName": "groupAttribute1",
              "isSensitive": false,
              "name" : "groupAttribute1",
              "type" : "string",
              "multiValued" : false,
              "description" : "Custom Group Attribute 1",
              "required" : true,
              "caseExact" : false,
              "mutability" : "readWrite",
              "returned" : "default",
              "uniqueness" : "none"
            }
        }
      }'

Add custom SCIM attribute for users and groups

Run the following curl command to add a custom attribute for both users and groups:

curl -k -X POST \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "content-type: application/json" \
  "https://$CP_CONSOLE_URL/idmgmt/identity/api/v2/scim/attributes" \
  -d '{
      "user": {
        "userAttribute1": {
          "schemaId": "urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User",
          "screenName": "userAttribute1",
          "isSensitive": false,
          "name" : "userAttribute1",
          "type" : "string",
          "multiValued" : false,
          "description" : "Custom User Attribute 1",
          "required" : true,
          "caseExact" : false,
          "mutability" : "readWrite",
          "returned" : "default",
          "uniqueness" : "none"
           }
        },
        "group": {
            "groupAttribute1": {
              "schemaId": "urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group",
              "screenName": "groupAttribute1",
              "isSensitive": false,
              "name" : "groupAttribute1",
              "type" : "string",
              "multiValued" : false,
              "description" : "Custom Group Attribute 1",
              "required" : true,
              "caseExact" : false,
              "mutability" : "readWrite",
              "returned" : "default",
              "uniqueness" : "none"
            }
        }
      }'

Updating a custom SCIM attribute

Use the PUT operation with the idmgmt/identity/api/v2/scim/attributes/<resourceType>/<attributekey> API to modify a custom SCIM attribute in the users and groups section.

Update user attribute

To modify a user attribute, use the idmgmt/identity/api/v2/scim/attributes/users/<attributekey> API.

  • To get the user attributekey value, use the following command:
    curl -sk -X GET --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" "https://$CP_CONSOLE_URL:443/idmgmt/identity/api/v2/scim/attributes/users"
    
  • To modify the user attribute, use the following curl command:
    curl -k -X PUT \
      -H "Authorization: Bearer $ACCESS_TOKEN" \
      -H "content-type: application/json" \
      "https://$CP_CONSOLE_URL/idmgmt/identity/api/v2/scim/attributes/user/<attributekey>" \
      -d '{
              "schemaId": "urn:ietf:params:scim:schemasibmcp:2.0:User",
              "screenName": "userAttribute1",
              "isSensitive": false,
              "name" : "userAttribute1",
              "type" : "string",
              "multiValued" : false,
              "description" : "Custom User Attribute 1",
              "required" : true,
              "caseExact" : false,
              "mutability" : "readWrite",
              "returned" : "default",
              "uniqueness" : "none"
          }'
    

Update group attribute

To modify a group attribute, use the idmgmt/identity/api/v2/scim/attributes/group/<attributekey> API.

  • To get the group attributekey value, use the following command:
    curl -sk -X GET --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" "https://$CP_CONSOLE_URL:443/idmgmt/identity/api/v2/scim/attributes/group"
    
  • To modify the group attribute, use the following curl command:
    curl -k -X PUT \
      -H "Authorization: Bearer $ACCESS_TOKEN" \
      -H "content-type: application/json" \
      "https://$CP_CONSOLE_URL/idmgmt/identity/api/v2/scim/attributes/group/<attributekey>" \
      -d '{
              "schemaId": "urn:ietf:params:scim:schemasibmcp:2.0:Group",
              "screenName": "groupAttribute1",
              "isSensitive": false,
              "name" : "groupAttribute1",
              "type" : "string",
              "multiValued" : false,
              "description" : "Custom Group Attribute 1",
              "required" : true,
              "caseExact" : false,
              "mutability" : "readWrite",
              "returned" : "default",
              "uniqueness" : "none"
    
          }'
    

Deleting a custom SCIM attribute

Use the DELETE operation with the idmgmt/identity/api/v2/scim/attributes/<resourceType>/<attributekey> API to delete a custom SCIM attribute in the users and groups section.

Delete a user attribute

Use the idmgmt/identity/api/v2/scim/attributes/users/<attributekey> API.

Use the following curl command:

curl -k -X DELETE \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "content-type: application/json" \
  "https://$CP_CONSOLE_URL/idmgmt/identity/api/v2/scim/attributes/user/<attributekey>"

Delete a group attribute

Use the idmgmt/identity/api/v2/scim/attributes/group/<attributekey> API.

Use the following curl command:

curl -k -X DELETE \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "content-type: application/json" \
  "https://$CP_CONSOLE_URL/idmgmt/identity/api/v2/scim/attributes/group/<attributekey>"