Configuring OIDC with LDAP SCIM connection

You can configure OIDC clients to use the LDAP SCIM connection so that OIDC users and groups are added through SCIM. This works only when OIDC and LDAP are backed by the same user registry.

Prerequisites

  1. To configure OIDC with the LDAP SCIM connection, the OIDC identity provider and the LDAP connection must use the same user registry.

  2. Configure the LDAP connection in your cluster. For more information, see Configuring LDAP connection.

  3. Configure the OIDC in your cluster. For more information, see Configuring single sign-on using OpenID Connect.

Procedure

You can configure OIDC with the LDAP SCIM connection by using one of the following methods:

Configuring OIDC with LDAP SCIM connection using your product UI

To configure OIDC with LDAP SCIM connection, complete the following steps:

  1. Log in to the console by using its URL, your username, and your password.

    Note: The console can be Platform UI or Common UI.

  2. From the navigation menu, click Identity and access > Identity providers.

  3. The Identity providers page lists the existing SCIM configurations.

  4. Select the name of the SCIM configuration that you want to edit and click Edit connection. The Edit your LDAP connection dialog box is displayed.

  5. In the Edit your LDAP connection dialog box, click Edit. The LDAP connection page that contains the SCIM configuration is displayed.

  6. Delete the existing SCIM attributes. For each attribute, select its Delete option in the UI.

  7. Select New attribute and add the following SCIM attributes:

       {
        "default": {
            "idp_id": "bluepages",
            "idp_type": "ldap",
            "user": {
                "id": "dn",
                "userName": "uid",
                "principalName": "uid",
                "displayName": "cn",
                "givenName": "cn",
                "familyName": "sn",
                "fullName": "cn",
                "externalId": "dn",
                "emails": "mail",
                "created": "createTimestamp",
                "lastModified": "modifyTimestamp",
                "phoneNumbers": [{
                        "value": "mobile",
                        "type": "mobile"
                    },
                    {
                        "value": "telephoneNumber",
                        "type": "work"
                    }],
                "objectClass": "person",
                "groups": "memberOf"
            },
            "group": {
                "id": "dn",
                "name": "cn",
                "principalName": "cn",
                "displayName": "cn",
                "externalId": "dn",
                "created": "createTimestamp",
                "lastModified": "modifyTimestamp",
                "objectClass": "groupOfUniqueNames",
                "members": "uniqueMember"
            }
        }
    }
    
  8. Click Save.


Configuring OIDC with LDAP SCIM connection using CLI

Complete the following steps to configure OIDC with the LDAP SCIM connection by using the SCIM attributemappings API. The example calls use curl with -k, which disables TLS certificate verification; outside a test cluster, pass the cluster CA certificate with --cacert instead so that the bearer token in $ACCESS_TOKEN is not sent to an unverified endpoint.

  1. Check the existing attribute mappings with the following API call:

     curl -sk -X GET --header "Authorization: Bearer $ACCESS_TOKEN" \
     --header "Content-Type: application/json" \
     "https://cp-console-ibm-common-services.apps.clustername.cp.fyre.ibm.com/idmgmt/identity/api/v1/scim/attributemappings"
    

    The following output is displayed (formatted here for readability; the API returns it on one line):

     [
       {
         "idp_id": "bluepages",
         "idp_type": "ldap",
         "user": {
           "id": "dn",
           "userName": "emailAddress",
           "displayName": "cn",
           "principalName": "emailAddress"
         },
         "group": {
           "id": "cn",
           "name": "cn",
           "displayName": "cn"
         }
       },
       {
         "idp_id": "default",
         "idp_type": "ldap",
         "user": {
           "id": "dn",
           "name": {
             "fullName": "cn",
             "givenName": "cn",
             "familyName": "sn"
           },
           "emails": "mail",
           "groups": "memberOf",
           "created": "createTimestamp",
           "userName": "uid",
           "externalId": "dn",
           "displayName": "cn",
           "objectClass": "person",
           "lastModified": "modifyTimestamp",
           "phoneNumbers": [
             {"type": "mobile", "value": "mobile"},
             {"type": "work", "value": "telephoneNumber"}
           ],
           "principalName": "uid"
         },
         "group": {
           "id": "dn",
           "name": "cn",
           "created": "createTimestamp",
           "members": "uniqueMember",
           "externalId": "dn",
           "displayName": "cn",
           "objectClass": "groupOfUniqueNames",
           "lastModified": "modifyTimestamp",
           "principalName": "cn"
         }
       }
     ]
    
  2. Prepare the mapping data that replaces the existing attribute mappings. In this example, the data is exported as a shell variable for use in the update call:

    export DATA='{"idp_id": "bluepages","idp_type": "ldap","user": {"id": "dn","userName": "emailAddress","displayName": "cn","principalName": "emailAddress"},"group": {"id": "cn","name": "cn","displayName": "cn"}}'
    
  3. Delete the existing attribute mappings with the following API call:

     curl -sk -X DELETE --header "Authorization: Bearer $ACCESS_TOKEN" \
     --header "Content-Type: application/json" \
     "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings/$IDP_ID"
    

    The response resembles the following code:

     {"count":1}
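
Before you delete the current mapping and replace it, it is worth checking that every LDAP attribute the new mapping references actually exists on your user and group entries; the bluepages mapping above, for example, reads userName and principalName from emailAddress rather than from uid or mail. The following is an added example and is not part of the product documentation or the product's own code. It copies the two mappings shown on this page (the "default" entry from step 1 of the CLI procedure and the $DATA payload from step 2; the UI payload has the same user and group sections), applies them to constructed LDAP entries, and reports which attributes are missing. It assumes that the product applies the mapped attribute names literally, without aliasing, and represents an LDAP entry as a dict of attribute name to list of values.

```python
"""Dry-run a SCIM attribute mapping against sample LDAP entries (added example).

Mappings are copied from this page; the LDAP entries are constructed here.
Assumption: mapped LDAP attribute names are applied literally by the product.
"""
import json

DEFAULT_MAPPING = {
    "idp_id": "default", "idp_type": "ldap",
    "user": {
        "id": "dn", "userName": "uid", "principalName": "uid", "displayName": "cn",
        "name": {"fullName": "cn", "givenName": "cn", "familyName": "sn"},
        "externalId": "dn", "emails": "mail", "groups": "memberOf",
        "created": "createTimestamp", "lastModified": "modifyTimestamp",
        "phoneNumbers": [{"type": "mobile", "value": "mobile"},
                         {"type": "work", "value": "telephoneNumber"}],
        "objectClass": "person",
    },
    "group": {
        "id": "dn", "name": "cn", "principalName": "cn", "displayName": "cn",
        "externalId": "dn", "created": "createTimestamp",
        "lastModified": "modifyTimestamp", "objectClass": "groupOfUniqueNames",
        "members": "uniqueMember",
    },
}

# The $DATA payload from step 2, parsed as-is.
BLUEPAGES_MAPPING = json.loads(
    '{"idp_id": "bluepages","idp_type": "ldap",'
    '"user": {"id": "dn","userName": "emailAddress","displayName": "cn","principalName": "emailAddress"},'
    '"group": {"id": "cn","name": "cn","displayName": "cn"}}'
)

# Constructed sample entries (not from the page). The user carries "mail" but
# no "emailAddress", which is what the bluepages mapping expects.
SAMPLE_USER = {
    "dn": ["uid=jdoe,ou=people,dc=example,dc=com"],
    "uid": ["jdoe"], "cn": ["Jane Doe"], "sn": ["Doe"], "mail": ["jdoe@example.com"],
    "mobile": ["+1 555 0100"], "telephoneNumber": ["+1 555 0200"],
    "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"],
    "objectClass": ["top", "person", "inetOrgPerson"],
    "createTimestamp": ["20240101000000Z"], "modifyTimestamp": ["20240601000000Z"],
}
SAMPLE_GROUP = {
    "dn": ["cn=admins,ou=groups,dc=example,dc=com"], "cn": ["admins"],
    "uniqueMember": ["uid=jdoe,ou=people,dc=example,dc=com"],
    "objectClass": ["top", "groupOfUniqueNames"],
    "createTimestamp": ["20240101000000Z"], "modifyTimestamp": ["20240601000000Z"],
}

# SCIM attributes that carry every LDAP value rather than only the first.
MULTI_VALUED = {"emails", "groups", "members"}


def render(section, entry):
    """Apply one mapping section ("user" or "group") to an LDAP entry.

    Returns (resource, missing): the rendered SCIM resource and the sorted list
    of LDAP attributes the mapping references but the entry does not carry.
    """
    resource, missing = {}, set()

    def lookup(attr, multi=False):
        values = entry.get(attr)
        if not values:
            missing.add(attr)
            return [] if multi else None
        return list(values) if multi else values[0]

    for scim_attr, ldap_attr in section.items():
        if scim_attr == "objectClass":
            # objectClass selects which entries the mapping applies to; verify it.
            if ldap_attr not in entry.get("objectClass", []):
                missing.add(f"objectClass={ldap_attr}")
        elif isinstance(ldap_attr, dict):      # nested sub-attributes, e.g. "name"
            sub, sub_missing = render(ldap_attr, entry)
            resource[scim_attr] = sub
            missing.update(sub_missing)
        elif isinstance(ldap_attr, list):      # typed list, e.g. "phoneNumbers"
            resource[scim_attr] = [
                {"type": item["type"], "value": v}
                for item in ldap_attr for v in lookup(item["value"], multi=True)
            ]
        else:
            resource[scim_attr] = lookup(ldap_attr, scim_attr in MULTI_VALUED)
    return resource, sorted(missing)


def check_mapping(mapping, user_entry, group_entry):
    """LDAP attributes each section needs but the sample entries lack.

    Two empty lists mean the mapping renders fully for entries shaped like the
    samples, so deleting the current mapping and posting this one is safe."""
    return {"user": render(mapping["user"], user_entry)[1],
            "group": render(mapping["group"], group_entry)[1]}


if __name__ == "__main__":
    for mapping in (DEFAULT_MAPPING, BLUEPAGES_MAPPING):
        print(mapping["idp_id"], json.dumps(check_mapping(mapping, SAMPLE_USER, SAMPLE_GROUP)))
```

Run it with an export of a real user and group entry from your directory (for example, the attribute lists from an ldapsearch of one person and one group) in place of the constructed samples. A non-empty list for either section means that users or groups would be created with empty SCIM attributes, and for userName or principalName that means the OIDC login would not resolve to an identity at all.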
    

Note: By default, the SCIM APIs derive the following SCIM attributes from the LDAP connection attributes.

Table 1. LDAP connection attributes

LDAP connection attribute   SCIM object   SCIM attribute
LDAP_USERIDMAP              user          userName
LDAP_USERFILTER             user          objectClass
LDAP_GROUPIDMAP             group         name
LDAP_GROUPFILTER            group         objectClass
LDAP_GROUPMEMBERIDMAP       group         members

Note: If an LDAP connection attribute contains multiple expressions, only the first expression is considered.
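The following added example (not from this page or the product) shows what the default derivation in Table 1 and the first-expression rule amount to for a given LDAP connection configuration. The value formats it parses are assumptions made for illustration: ID maps as objectClass:attribute with * as a wildcard class, filters as LDAP filter strings containing an objectclass=... clause, and multiple expressions separated by a semicolon. Confirm them against the LDAP connection configuration of your own cluster before relying on the result.

```python
"""Derive the default SCIM attribute mapping from LDAP connection attributes.

Added example, not product code. Table 1 is copied from the page; the value
formats of the connection attributes are assumptions for illustration.
"""
import re

# Constructed LDAP connection attributes (not from the page). Two of them carry
# a second expression to show that only the first one is used.
LDAP_CONNECTION = {
    "LDAP_USERIDMAP": "*:uid;*:mail",
    "LDAP_USERFILTER": "(&(uid=%v)(objectclass=person))",
    "LDAP_GROUPIDMAP": "*:cn",
    "LDAP_GROUPFILTER": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
    "LDAP_GROUPMEMBERIDMAP": "groupOfUniqueNames:uniqueMember;groupOfNames:member",
}

# Table 1: LDAP connection attribute -> (SCIM object, SCIM attribute).
TABLE_1 = {
    "LDAP_USERIDMAP": ("user", "userName"),
    "LDAP_USERFILTER": ("user", "objectClass"),
    "LDAP_GROUPIDMAP": ("group", "name"),
    "LDAP_GROUPFILTER": ("group", "objectClass"),
    "LDAP_GROUPMEMBERIDMAP": ("group", "members"),
}

OBJECTCLASS_RE = re.compile(r"\(objectclass=([^)]+)\)", re.IGNORECASE)


def first_expression(value):
    """Only the first of several ';'-separated expressions is considered."""
    return value.split(";")[0].strip()


def ldap_attribute_from(conn_attr, value):
    """Extract the LDAP attribute (or object class) a connection attribute names."""
    expr = first_expression(value)
    if conn_attr.endswith("FILTER"):
        # Assumed filter format: the object class is the objectclass=... clause.
        match = OBJECTCLASS_RE.search(expr)
        if not match:
            raise ValueError(f"{conn_attr} has no objectclass clause: {expr!r}")
        return match.group(1)
    # Assumed ID-map format "objectClass:attribute"; a bare attribute name is
    # accepted as-is.
    cls, sep, attr = expr.partition(":")
    return attr if sep else cls


def default_scim_mapping(conn):
    """Build the {"user": {...}, "group": {...}} mapping the SCIM APIs assume."""
    mapping = {"user": {}, "group": {}}
    for conn_attr, (scim_object, scim_attr) in TABLE_1.items():
        if conn_attr in conn:
            mapping[scim_object][scim_attr] = ldap_attribute_from(conn_attr, conn[conn_attr])
    return mapping


if __name__ == "__main__":
    import json
    print(json.dumps(default_scim_mapping(LDAP_CONNECTION), indent=2))
```

Comparing this derived default with the mapping returned by the GET call in the CLI procedure tells you whether a custom attribute mapping is already in place for an identity provider or whether it is still running on the connection-attribute defaults.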