Using realmName as a query filter
You can use the realmName parameter in SCIM APIs to filter user and group queries.
When you use the /identity/v3/idsource API, the realmName parameter shows the IdP connection name. See the following example:
"urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User": {
"realmName": "openLDAP"
}
You can filter user and group queries based on the realmName.
Get the RealmName for IdP
Use the following API to get the realmName.
See these API parameters:
- The protocol values can be ldap for LDAP servers, oauth for OpenShift, and saml for SAML and OIDC.
- If you have multiple LDAP servers, replace [0] with the LDAP server sequence number. Use 0 for the first LDAP server, 1 for the second LDAP server, and so on.
curl -k -H "Authorization: Bearer $ACCESS_TOKEN" "https://<cp-console>/idprovider/v3/auth/idsource?protocol=ldap" | jq -r .idp | jq -r '.[0].idp_config.name'
The following output is an example:
Output: openLDAP
Use the realmName to query users and groups
Use the realmName that you get from the https://<cp-console>/idprovider/v3/auth/idsource?protocol=<protocol-value> API to run a filter on user and group queries.
- For SCIM users query, the filter name must be equal to urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User:realmName or realmName. See the following example:
https://<cp-console>/idmgmt/identity/api/v1/scim/users/?filter=urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User:realmName eq "openLDAP"
Or
https://<cp-console>/idmgmt/identity/api/v1/scim/users/?filter=realmName eq "openLDAP"
- For SCIM groups query, the filter name must be equal to urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group:realmName or realmName. See the following example:
https://<cp-console>/idmgmt/identity/api/v1/scim/groups/?filter=urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group:realmName eq "openLDAP"
Or
https://<cp-console>/idmgmt/identity/api/v1/scim/groups/?filter=realmName eq "openLDAP"
Note: The only supported operator for realmName is equal or eq. You can combine any other filter with the realmName filter by using the and or or operator.
See the following example:
https://<cp-console>/idmgmt/identity/api/v1/scim/users/?filter=urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User:realmName eq "openLDAP" and displayName eq "icpuser1"
https://<cp-console>/idmgmt/identity/api/v1/scim/users/?filter=urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User:realmName eq "openLDAP" or displayName eq "icpuser1"
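The procedure above carried through end to end, as an added example that is not part of the product documentation: it reads the idsource response the way the jq pipeline does, builds the realmName filter with an optional and/or clause, and percent-encodes the query so the spaces and quotes in the filter are valid in a URL. The sample idsource JSON, the console host name, and the function names are constructed for this example.

```python
"""Build SCIM realmName filter queries for the identity APIs described above.

The idsource response shape ({"idp": [{"idp_config": {"name": ...}}]}) is the
one the page's jq pipeline reads; the sample below is constructed, not real.
"""
import json
from urllib.parse import quote

USER_REALM_ATTR = "urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User:realmName"
GROUP_REALM_ATTR = "urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group:realmName"

# Constructed stand-in for GET /idprovider/v3/auth/idsource?protocol=ldap
SAMPLE_IDSOURCE = json.dumps({"idp": [
    {"idp_config": {"name": "openLDAP"}},   # [0]: first LDAP server
    {"idp_config": {"name": "corpLDAP"}},   # [1]: second LDAP server
]})


def realm_name(idsource_json, index=0):
    """Same as `jq -r .idp | jq -r '.[index].idp_config.name'`, with a bounds check."""
    idps = json.loads(idsource_json)["idp"]
    if not 0 <= index < len(idps):
        raise IndexError(f"no IdP at position {index}; {len(idps)} configured")
    return idps[index]["idp_config"]["name"]


def scim_value(value):
    """Quote a SCIM string literal. Backslashes and quotes inside the value are
    escaped so a user-supplied value cannot close the literal and append its
    own filter clauses (SCIM filter values follow JSON string escaping)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def realm_filter(resource, realm, extra="", join="and"):
    """Only `eq` is supported on realmName; any further clause is attached
    with `and` or `or`, as the documentation states."""
    attr = {"users": USER_REALM_ATTR, "groups": GROUP_REALM_ATTR}[resource]
    if join not in ("and", "or"):
        raise ValueError("join must be 'and' or 'or'")
    clause = f"{attr} eq {scim_value(realm)}"
    return f"{clause} {join} {extra}" if extra else clause


def scim_url(console, resource, flt):
    """Percent-encode the filter; colons in the URN are left readable."""
    return (f"https://{console}/idmgmt/identity/api/v1/scim/{resource}/"
            f"?filter={quote(flt, safe=':')}")


if __name__ == "__main__":
    realm = realm_name(SAMPLE_IDSOURCE, 0)
    flt = realm_filter("users", realm, 'displayName eq "icpuser1"')
    print(scim_url("cp-console.example.com", "users", flt))
```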
Limitations
The use of a realmName filter has the following limitations:
- The SCIM query returns all users for an identity provider. You must set the pagination to query identity providers with many users.
- For OpenShift, the groups are not returned when you run a query by using SCIM.
- You cannot run a query on OIDC users by using SCIM.
- For SAML with LDAP dependency, the SCIM query returns the LDAP connection name as realmName.