Using realmName as a query filter

You can use the realmName parameter in SCIM APIs to filter user and group queries.

When you use the /identity/v3/idsource API, the realmName parameter shows the IdP connection name. See the following example:

"urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User": {
  "realmName": "openLDAP"
}

You can filter user and group queries based on the realmName.

Get the realmName for the IdP

Use the following API to get the realmName. The Authorization header carries the bearer token, and jq extracts the connection name from the response:

curl -k -H "Authorization: Bearer $ACCESS_TOKEN" "https://<cp-console>/idprovider/v3/auth/idsource?protocol=ldap" | jq -r '.idp[0].idp_config.name'

See these API parameters:

  • The protocol value can be ldap for LDAP servers, oauth for OpenShift, and saml for SAML and OIDC.
  • If you have multiple LDAP servers, replace [0] with the LDAP server sequence number. Use 0 for the first LDAP server, 1 for the second LDAP server, and so on.

The following output is an example:

openLDAP

Use the realmName to query users and groups

Use the realmName that you get from the https://<cp-console>/idprovider/v3/auth/idsource?protocol=<protocol-value> API as a filter in user and group queries.

  • For a SCIM users query, the filter name must be urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User:realmName or realmName. See the following example:

    https://<cp-console>/idmgmt/identity/api/v1/scim/users/?filter=urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User:realmName eq "openLDAP"

    Or

    https://<cp-console>/idmgmt/identity/api/v1/scim/users/?filter=realmName eq "openLDAP"

  • For a SCIM groups query, the filter name must be urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group:realmName or realmName. See the following example:

    https://<cp-console>/idmgmt/identity/api/v1/scim/groups/?filter=urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group:realmName eq "openLDAP"

    Or

    https://<cp-console>/idmgmt/identity/api/v1/scim/groups/?filter=realmName eq "openLDAP"

Note: The only operator supported for realmName is equality (eq). You can combine the realmName filter with any other filter by using the and or or operator.

See the following example:

https://<cp-console>/idmgmt/identity/api/v1/scim/users/?filter=urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User:realmName eq "openLDAP" and displayName eq "icpuser1"
https://<cp-console>/idmgmt/identity/api/v1/scim/users/?filter=urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User:realmName eq "openLDAP" or displayName eq "icpuser1"
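The procedure above (read the connection name from the idsource response, build a realmName filter that uses only eq, percent-encode it into the SCIM URL, and page through large result sets) is shown end to end in the following script. It is an added example, not code from the product documentation. It assumes the idsource response has the shape the jq pipeline above implies (.idp[0].idp_config.name), that the SCIM endpoint honours the standard startIndex and count pagination parameters of RFC 7644, and that CP_CONSOLE and ACCESS_TOKEN are placeholders that you replace; the idsource and user records in the block are constructed samples.

```python
"""realmName-filtered SCIM queries against <cp-console> (added example).

Assumptions: idsource JSON has the shape .idp[i].idp_config.name; the SCIM
endpoint accepts RFC 7644 startIndex/count; CP_CONSOLE and ACCESS_TOKEN are
placeholders supplied by the caller.
"""
import json
import ssl
import urllib.parse
import urllib.request

USER_EXT = "urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User"
GROUP_EXT = "urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group"
EXT_BY_RESOURCE = {"users": USER_EXT, "groups": GROUP_EXT}

# Constructed sample of the idsource response (shape assumed from the jq call).
SAMPLE_IDSOURCE = {"idp": [{"idp_config": {"name": "openLDAP"}}]}
# Constructed sample of a SCIM user carrying the ibmcp extension.
SAMPLE_USER = {"userName": "icpuser1", USER_EXT: {"realmName": "openLDAP"}}


def realm_name_from_idsource(idsource_json, index=0):
    """Same selection as jq '.idp[index].idp_config.name'; index is the LDAP
    server sequence number (0 for the first server)."""
    return idsource_json["idp"][index]["idp_config"]["name"]


def realm_name_from_scim_user(user):
    """Read realmName from the ibmcp User extension of a SCIM user record."""
    return user[USER_EXT]["realmName"]


def _quote(value):
    # SCIM string literals are JSON strings: escape backslash and double quote.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_realm_filter(realm, resource="users", extra=None, conjunction="and",
                       qualified=True):
    """Return a SCIM filter string. realmName supports only eq, so the realm
    clause is always 'realmName eq "<realm>"'; an optional extra clause such as
    ("displayName", "eq", "icpuser1") is joined with 'and' or 'or'."""
    if resource not in EXT_BY_RESOURCE:
        raise ValueError("resource must be 'users' or 'groups'")
    if conjunction not in ("and", "or"):
        raise ValueError("conjunction must be 'and' or 'or'")
    attr = f"{EXT_BY_RESOURCE[resource]}:realmName" if qualified else "realmName"
    clause = f"{attr} eq {_quote(realm)}"
    if extra is not None:
        name, op, value = extra
        clause = f"{clause} {conjunction} {name} {op} {_quote(value)}"
    return clause


def scim_query_url(console, resource, scim_filter, start_index=None, count=None):
    """Assemble https://<console>/idmgmt/identity/api/v1/scim/<resource>/?filter=...
    with the filter percent-encoded (spaces, quotes and colons are not URL-safe)."""
    params = {"filter": scim_filter}
    if start_index is not None:
        params["startIndex"] = str(start_index)
    if count is not None:
        params["count"] = str(count)
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return f"https://{console}/idmgmt/identity/api/v1/scim/{resource}/?{query}"


def fetch_all(console, token, resource, scim_filter, page_size=100, verify_tls=True):
    """Walk the result set page by page, because an IdP with many users needs
    pagination. verify_tls=False mirrors 'curl -k'. Network call, not run here."""
    ctx = None if verify_tls else ssl._create_unverified_context()
    start, results = 1, []
    while True:
        url = scim_query_url(console, resource, scim_filter, start, page_size)
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            body = json.load(resp)
        batch = body.get("Resources", [])
        results.extend(batch)
        if not batch or len(results) >= body.get("totalResults", 0):
            return results
        start += len(batch)


if __name__ == "__main__":
    realm = realm_name_from_idsource(SAMPLE_IDSOURCE)
    flt = build_realm_filter(realm, extra=("displayName", "eq", "icpuser1"))
    print(scim_query_url("CP_CONSOLE", "users", flt, start_index=1, count=50))
    # To run for real: fetch_all("CP_CONSOLE", "ACCESS_TOKEN", "users", flt)
```

The filter is passed through urllib.parse.quote rather than pasted into the URL verbatim, so the spaces and double quotes in the examples above are encoded and the request cannot be broken or reinterpreted by an unusual realm name; build_realm_filter also refuses any conjunction other than and or or, matching the note above.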

Limitations

The use of a realmName filter has the following limitations:

  • The SCIM query returns all users for an identity provider. You must set the pagination to query identity providers with many users.
  • For OpenShift, the groups are not returned when you run a query by using SCIM.
  • You cannot run a query on OIDC users by using SCIM.
  • For SAML with LDAP dependency, the SCIM query returns the LDAP connection name as realmName.