Configuring OIDC with LDAP SCIM connection
You can configure OIDC clients with the LDAP SCIM connection to add OIDC users and groups when OIDC and LDAP use the same user registry.
Prerequisites
- To configure OIDC with the LDAP SCIM connection, the user registry for OIDC must be the same as the LDAP registry.
- Configure the LDAP connection in your cluster. For more information, see Configuring LDAP connection.
- Configure OIDC in your cluster. For more information, see Configuring single sign-on using OpenID Connect.
Procedure
You can configure OIDC with LDAP SCIM connection with one of the following methods:
- Configuring OIDC with LDAP SCIM connection using your product UI
- Configuring OIDC with LDAP SCIM connection using CLI
Configuring OIDC with LDAP SCIM connection using your product UI
To configure OIDC with LDAP SCIM connection, complete the following steps:
- Log in to the console with the URL and enter the username and password.
  Note: The console can be Platform UI or Common UI.
- From the navigation menu, click Identity and access > Identity providers.
- In the Identity Providers page, a list of SCIM configurations is displayed.
- Select the name of the SCIM configuration to edit and click Edit connection. The Edit your LDAP connection dialog box is displayed.
- In the Edit your LDAP connection dialog box, click Edit. The LDAP connection page that contains the SCIM configuration is displayed.
- Delete the existing SCIM attributes. For each attribute, select the Delete option in the UI.
- Select New attribute and enter the following SCIM attributes:
  {
    "default": {
      "idp_id": "bluepages",
      "idp_type": "ldap",
      "user": {
        "id": "dn",
        "userName": "uid",
        "principalName": "uid",
        "displayName": "cn",
        "givenName": "cn",
        "familyName": "sn",
        "fullName": "cn",
        "externalId": "dn",
        "emails": "mail",
        "created": "createTimestamp",
        "lastModified": "modifyTimestamp",
        "phoneNumbers": [
          { "value": "mobile", "type": "mobile" },
          { "value": "telephoneNumber", "type": "work" }
        ],
        "objectClass": "person",
        "groups": "memberOf"
      },
      "group": {
        "id": "dn",
        "name": "cn",
        "principalName": "cn",
        "displayName": "cn",
        "externalId": "dn",
        "created": "createTimestamp",
        "lastModified": "modifyTimestamp",
        "objectClass": "groupOfUniqueNames",
        "members": "uniqueMember"
      }
    }
  }
- Click Save.
See the following notes:
- The Group filter and Group member ID map filters do not consider the custom SCIM attribute values. Use LDAP filter values for the Group filter and Group member ID map attributes to map the data. For more information about LDAP filters, see LDAP filters.
- The SCIM users and groups API for LDAP depends on the attribute-mapping list. You must provide a proper attribute mapping for all the SCIM user and group attributes. If the SCIM attribute mapping is not correct, the SCIM API might not be able to fetch user or group details, or some attributes might be missing from the SCIM users or groups response.
Configuring OIDC with LDAP SCIM connection using CLI
Complete the following steps to configure OIDC with LDAP SCIM connection using the attributemapping API.
- Check the existing attribute mappings with the following API call:
  curl -sk -X GET --header "Authorization: Bearer $ACCESS_TOKEN" \
    --header "Content-Type: application/json" \
    "https://cp-console-ibm-common-services.apps.clustername.cp.fyre.ibm.com/idmgmt/identity/api/v1/scim/attributemappings"
  The following output is displayed:
  [{"idp_id":"bluepages","idp_type":"ldap","user":{"id":"dn","userName":"emailAddress","displayName":"cn","principalName":"emailAddress"},"group":{"id":"cn","name":"cn","displayName":"cn"}},{"idp_id":"default","idp_type":"ldap","user":{"id":"dn","name":{"fullName":"cn","givenName":"cn","familyName":"sn"},"emails":"mail","groups":"memberOf","created":"createTimestamp","userName":"uid","externalId":"dn","displayName":"cn","objectClass":"person","lastModified":"modifyTimestamp","phoneNumbers":[{"type":"mobile","value":"mobile"},{"type":"work","value":"telephoneNumber"}],"principalName":"uid"},"group":{"id":"dn","name":"cn","created":"createTimestamp","members":"uniqueMember","externalId":"dn","displayName":"cn","objectClass":"groupOfUniqueNames","lastModified":"modifyTimestamp","principalName":"cn"}}]
- Update the existing attribute mappings with your mapping data with the following API call:
  export DATA='{"idp_id": "bluepages","idp_type": "ldap","user": {"id": "dn","userName": "emailAddress","displayName": "cn","principalName": "emailAddress"},"group": {"id": "cn","name": "cn","displayName": "cn"}}'
- Delete the existing attribute mappings with the following API call:
  curl -sk -X DELETE --header "Authorization: Bearer $ACCESS_TOKEN" \
    --header "Content-Type: application/json" \
    "https://$BCS_URL:443/idmgmt/identity/api/v1/scim/attributemappings/$IDP_ID"
  The response resembles the following code:
  {"count":1}
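The notes in the UI section state that the SCIM API depends on a complete attribute mapping, and the DATA variable in the update step carries only a partial bluepages mapping. The following Python check is added here as an example and is not part of the product documentation: it compares a mapping, in the form DATA holds, against the attribute names in this page's default mapping and reports what is missing before you apply it. EXPECTED_USER_ATTRS and EXPECTED_GROUP_ATTRS are taken from the page's default mapping; the function names are my own.

```python
import json

# Attribute names taken from the "default" LDAP mapping shown on this page. A mapping
# missing any of them can make the SCIM users/groups API fail or return partial records.
EXPECTED_USER_ATTRS = (
    "id", "userName", "principalName", "displayName", "givenName", "familyName",
    "fullName", "externalId", "emails", "created", "lastModified", "phoneNumbers",
    "objectClass", "groups",
)
EXPECTED_GROUP_ATTRS = (
    "id", "name", "principalName", "displayName", "externalId", "created",
    "lastModified", "objectClass", "members",
)

def missing_attributes(mapping):
    """Return {"user": [...], "group": [...]}: expected SCIM attributes that are absent
    from one attribute-mapping object (one element of the GET response)."""
    missing = {}
    for section, expected in (("user", EXPECTED_USER_ATTRS), ("group", EXPECTED_GROUP_ATTRS)):
        present = mapping.get(section, {})
        # The GET output nests givenName/familyName/fullName under a "name" object.
        name = present.get("name")
        nested = name if isinstance(name, dict) else {}
        missing[section] = [a for a in expected if a not in present and a not in nested]
    return missing

def phone_numbers_ok(mapping):
    """phoneNumbers must be a list of {"value": <ldap attr>, "type": <label>} entries."""
    entries = mapping.get("user", {}).get("phoneNumbers")
    return isinstance(entries, list) and all(
        isinstance(e, dict) and "value" in e and "type" in e for e in entries)

def validate(raw_json):
    """Validate a JSON string in the form the DATA variable holds.
    Returns (is_complete, missing_attributes)."""
    mapping = json.loads(raw_json)
    if mapping.get("idp_type") != "ldap":
        raise ValueError("idp_type must be 'ldap' for an LDAP SCIM mapping")
    missing = missing_attributes(mapping)
    complete = not missing["user"] and not missing["group"] and phone_numbers_ok(mapping)
    return complete, missing

# Sample input: the partial "bluepages" mapping from this page's DATA variable.
PARTIAL = ('{"idp_id": "bluepages","idp_type": "ldap",'
           '"user": {"id": "dn","userName": "emailAddress","displayName": "cn","principalName": "emailAddress"},'
           '"group": {"id": "cn","name": "cn","displayName": "cn"}}')
if __name__ == "__main__":
    complete, missing = validate(PARTIAL)
    print("complete" if complete else "incomplete, missing: " + json.dumps(missing))
```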
Note: By default, the LDAP connection configuration considers the following mapping values for SCIM APIs.
LDAP connection attributes | SCIM object | SCIM attributes
---|---|---
LDAP_USERIDMAP | user | userName
LDAP_USERFILTER | user | objectClass
LDAP_GROUPIDMAP | group | name
LDAP_GROUPFILTER | group | objectClass
LDAP_GROUPMEMBERIDMAP | group | members
Note: If you have multiple expressions in the LDAP connection attributes configuration, the first configuration value is considered.