Adding custom SCIM attributes
You can add custom SCIM user and group attributes.
The new attributes must be defined in the extended SCIM user schema (urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User). They must follow the SCIM specification of attribute properties, including name, type, multiValued, description, required, caseExact, mutability, returned, and uniqueness. For more information, see Resource Schema Representation.
The following table provides the payload of the attributes.
Subattribute field name | Mandatory or not | Default value | Allowed value |
---|---|---|---|
schemaId | Yes | NA | urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User or urn:ietf:params:scim:schemasibmcp:2.0:User; urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group or urn:ietf:params:scim:schemasibmcp:2.0:Group |
screenName | Yes | NA | Any alphanumeric characters between 2 and 30 characters in length; may contain space |
name | Yes | NA | Any alphanumeric characters between 2 and 30 characters in length |
description | No | NA | NA |
isSensitive | No | false | false |
type | Yes | string | string, complex |
multiValued | No | false | true, false |
required | No | false | true, false |
caseExact | No | false | false |
mutability | No | readWrite | readWrite |
returned | No | default | default |
uniqueness | No | none | none |
Important: The SchemaIds urn:ietf:params:scim:schemasibmcp:2.0:User and urn:ietf:params:scim:schemasibmcp:2.0:Group might be deprecated in a future release. Hence, use the SchemaId urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User or urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group when you create any custom SCIM attributes.
See these notes:
- For each attribute, you must provide the mandatory subattributes as described in Table 1. Otherwise, the POST API operation returns an error. schemaId is a mandatory field and its value must be urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User or urn:ietf:params:scim:schemasibmcp:2.0:User for user, and urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group or urn:ietf:params:scim:schemasibmcp:2.0:Group for group.
- For each attribute, it is ideal to add the nonmandatory subattribute fields with values in the payload. Otherwise, the default values are added as described in Table 1.
- Attribute key and name must have the same value.
- IM supports only default values for these subattributes: isSensitive, caseExact, mutability, returned, and uniqueness. If you provide custom values, then IM changes the values of these subattributes to their default values and then creates the custom SCIM attribute.
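The rules in Table 1 and the notes above can be checked locally before the POST is sent. The following Python check is an added example, not IBM's code; check_payload, SAMPLE and the attribute names costCenter and badge are hypothetical, and reading "alphanumeric" as ASCII letters and digits is an assumption.

```python
import re

# Allowed schemaId values per payload section (Table 1); the second of each pair might be deprecated.
SCHEMA_IDS = {
    "user": ("urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User",
             "urn:ietf:params:scim:schemasibmcp:2.0:User"),
    "group": ("urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group",
              "urn:ietf:params:scim:schemasibmcp:2.0:Group"),
}
MANDATORY = ("schemaId", "screenName", "name", "type")
# IM supports only these defaults; any other value is changed back on creation.
DEFAULT_ONLY = {"isSensitive": False, "caseExact": False, "mutability": "readWrite",
                "returned": "default", "uniqueness": "none"}
NAME_RE = re.compile(r"[A-Za-z0-9]{2,30}")     # assumption: ASCII alphanumerics
SCREEN_RE = re.compile(r"[A-Za-z0-9 ]{2,30}")  # same, may contain space

def check_payload(payload):
    """Return (problems, resets) for a POST body shaped like the examples on this page."""
    problems, resets = [], []
    for section, attrs in payload.items():
        if section not in SCHEMA_IDS:
            problems.append(f"{section}: section must be user or group")
            continue
        for key, attr in attrs.items():
            at = f"{section}.{key}"
            missing = [f for f in MANDATORY if f not in attr]
            if missing:  # the page states that the POST returns an error here
                problems.append(f"{at}: missing {', '.join(missing)}")
                continue
            if attr["schemaId"] not in SCHEMA_IDS[section]:
                problems.append(f"{at}: schemaId not allowed for {section}")
            if attr["name"] != key or not NAME_RE.fullmatch(str(attr["name"])):
                problems.append(f"{at}: name must equal the key, 2-30 alphanumerics")
            if not SCREEN_RE.fullmatch(str(attr["screenName"])):
                problems.append(f"{at}: screenName must be 2-30 alphanumerics or spaces")
            if attr["type"] not in ("string", "complex"):
                problems.append(f"{at}: type must be string or complex")
            resets += [f"{at}: {f} -> {d!r}" for f, d in DEFAULT_ONLY.items()
                       if attr.get(f, d) != d]
    return problems, resets

# Constructed sample: one clean attribute, one with a key/name mismatch and a non-default mutability.
SAMPLE = {"user": {
    "costCenter": {"schemaId": SCHEMA_IDS["user"][0], "screenName": "Cost Center",
                   "name": "costCenter", "type": "string"},
    "badge": {"schemaId": SCHEMA_IDS["user"][0], "screenName": "Badge",
              "name": "badgeId", "type": "string", "mutability": "readOnly"}}}
if __name__ == "__main__":
    print(check_payload(SAMPLE))
```

The resets list matters for access-control assumptions: an attribute submitted with mutability readOnly or isSensitive true is still created, but with the default value.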
Add custom SCIM attributes
Use the POST operation with the idmgmt/identity/api/v2/scim/attributes API to add one or more custom SCIM attributes in the users and groups section.
Before you use the API, create these environment variables to use with the APIs.
- Console route. For more information about how to get the console route, see Getting the console URL.
  export CP_CONSOLE_URL=$CP_CONSOLE_URL_ROUTE
- Access token. For more information, see Preparing to run component or management API commands.
  - Run the following command to get all authentication tokens. Then, copy the access token from the output.
    curl -k -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "grant_type=password&username=admin&password=admin&scope=openid" https://$CP_CONSOLE_URL/idprovider/v1/auth/identitytoken
  - Create an environment variable for the access token.
    export ACCESS_TOKEN="<Access-token>"
Add custom SCIM attribute for users
Run the following curl command to add custom attribute only for users:
curl -k -X POST \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "content-type: application/json" \
"https://$CP_CONSOLE_URL/idmgmt/identity/api/v2/scim/attributes" \
-d '{
"user": {
"userAttribute1": {
"schemaId": "urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User",
"screenName": "userAttribute1",
"isSensitive": false,
"name" : "userAttribute1",
"type" : "string",
"multiValued" : false,
"description" : "Custom User Attribute 1",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
}
}
}'
Add custom SCIM attribute for groups
Run the following curl command to add custom attribute only for groups:
curl -k -X POST \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "content-type: application/json" \
"https://$CP_CONSOLE_URL/idmgmt/identity/api/v2/scim/attributes" \
-d '{
"group": {
"groupAttribute1": {
"schemaId": "urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group",
"screenName": "groupAttribute1",
"isSensitive": false,
"name" : "groupAttribute1",
"type" : "string",
"multiValued" : false,
"description" : "Custom Group Attribute 1",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
}
}
}'
Add custom SCIM attribute for users and groups
Run the following curl command to add custom attribute for both users and groups:
curl -k -X POST \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "content-type: application/json" \
"https://$CP_CONSOLE_URL/idmgmt/identity/api/v2/scim/attributes" \
-d '{
"user": {
"userAttribute1": {
"schemaId": "urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User",
"screenName": "userAttribute1",
"isSensitive": false,
"name" : "userAttribute1",
"type" : "string",
"multiValued" : false,
"description" : "Custom User Attribute 1",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
}
},
"group": {
"groupAttribute1": {
"schemaId": "urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group",
"screenName": "groupAttribute1",
"isSensitive": false,
"name" : "groupAttribute1",
"type" : "string",
"multiValued" : false,
"description" : "Custom Group Attribute 1",
"required" : true,
"caseExact" : false,
"mutability" : "readWrite",
"returned" : "default",
"uniqueness" : "none"
}
}
}'
Updating a custom SCIM attribute
Use the PUT operation with the idmgmt/identity/api/v2/scim/attributes/<resourceType>/<attributekey> API to modify a custom SCIM attribute in the users and groups section.
Update user attribute
To modify a user attribute, use the idmgmt/identity/api/v2/scim/attributes/users/<attributekey> API.
- To get the user attributekey value, use the following command:
  curl -sk -X GET --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" "https://$CP_CONSOLE_URL:443/idmgmt/identity/api/v2/scim/attributes/users"
- To modify the user attribute, use the following curl command:
  curl -k -X PUT \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "content-type: application/json" \
  "https://$CP_CONSOLE_URL/idmgmt/identity/api/v2/scim/attributes/user/<attributekey>" \
  -d '{
  "schemaId": "urn:ietf:params:scim:schemasibmcp:2.0:User",
  "screenName": "userAttribute1",
  "isSensitive": false,
  "name" : "userAttribute1",
  "type" : "string",
  "multiValued" : false,
  "description" : "Custom User Attribute 1",
  "required" : true,
  "caseExact" : false,
  "mutability" : "readWrite",
  "returned" : "default",
  "uniqueness" : "none"
  }'
Update group attribute
To modify a group attribute, use the idmgmt/identity/api/v2/scim/attributes/group/<attributekey> API.
- To get the group attributekey value, use the following command:
  curl -sk -X GET --header "Authorization: Bearer $ACCESS_TOKEN" --header "Content-Type: application/json" "https://$CP_CONSOLE_URL:443/idmgmt/identity/api/v2/scim/attributes/group"
- To modify the group attribute, use the following curl command:
  curl -k -X PUT \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "content-type: application/json" \
  "https://$CP_CONSOLE_URL/idmgmt/identity/api/v2/scim/attributes/group/<attributekey>" \
  -d '{
  "schemaId": "urn:ietf:params:scim:schemasibmcp:2.0:Group",
  "screenName": "groupAttribute1",
  "isSensitive": false,
  "name" : "groupAttribute1",
  "type" : "string",
  "multiValued" : false,
  "description" : "Custom Group Attribute 1",
  "required" : true,
  "caseExact" : false,
  "mutability" : "readWrite",
  "returned" : "default",
  "uniqueness" : "none"
  }'
Deleting a custom SCIM attribute
Use the DELETE operation with the idmgmt/identity/api/v2/scim/attributes/<resourceType>/<attributekey> API to delete a custom SCIM attribute in the users and groups section.
Delete a user attribute
Use the idmgmt/identity/api/v2/scim/attributes/users/<attributekey> API.
Use the following curl command:
curl -k -X DELETE \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "content-type: application/json" \
"https://$CP_CONSOLE_URL/idmgmt/identity/api/v2/scim/attributes/user/<attributekey>"
Delete a group attribute
Use the idmgmt/identity/api/v2/scim/attributes/group/<attributekey> API.
Use the following curl command:
curl -k -X DELETE \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "content-type: application/json" \
"https://$CP_CONSOLE_URL/idmgmt/identity/api/v2/scim/attributes/group/<attributekey>"