Overview (SCIM Directory)
The SCIM Directory Server can be used as an alternative to LDAP directories to retrieve user and group information for authorization purposes. It can be used with Identity Providers (IdPs) that support the SCIM 1.1 or 2.0 protocol.
The SCIM Directory has the same features and properties as other Content Platform Engine directory providers. However, it does not require a direct connection to an LDAP server. It relies on the IdP's integration with user repositories, such as LDAP, to provide the information about users and groups that the Content Platform Engine uses for authorization checks, that is, to verify that a user is allowed to access or modify objects.
Requests to the IdP supporting the SCIM Provider are performed over a REST API and authenticated by using either HTTP Basic Authentication or Bearer Token Authentication (BTA). The authentication method depends on what the SCIM Provider supports. Bearer token authentication is preferable because it is inherently more secure; for example, the token expires after a period of time.
SCIM Providers that utilize HTTP Basic Authentication use the username and password properties of the Content Platform Engine SCIM Directory configuration. These credentials are provided on every SCIM request and they belong to an account with full read access to the SCIM Provider to be able to retrieve all user and group information.
SCIM Providers that use BTA support a Bearer token obtained by using the OAuth client_credentials grant. This grant requires a client_id, a client_secret, and a URL to the OAuth token endpoint of the IdP. In this case, the client_id and client_secret are stored in the username and password properties of the Content Platform Engine SCIM Directory configuration. The URL is stored in the authentication URL property of the Content Platform Engine SCIM Directory configuration. This URL property is populated only when Bearer token authentication is being used, since that is how Content Platform Engine determines which authentication method to use against the SCIM provider.
The SCIM Directory has the following limitations:
- Cannot find nested parent groups. When determining the membership of a user or group, it can only find the immediate user or group members, so it cannot find groups that include the current group as a member.
- Cannot search by "ends with". It can only search by "starts with" and "contains".
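The following is an added example, not code from Content Platform Engine, that models the two points above: the authentication URL property decides between Basic and Bearer authentication, a Bearer token is fetched with the OAuth client_credentials grant (client_id and client_secret sent as HTTP Basic credentials, as RFC 6749 recommends) and cached until it expires, and SCIM user searches accept only the "starts with" (sw) and "contains" (co) filter operators. The `send` transport callable and the class name are assumptions so the flow can be exercised without a live IdP.

```python
import base64, json, time
from urllib.parse import urlencode


class ScimDirectoryClient:
    """Hypothetical SCIM consumer. `send(method, url, headers, body)` returning
    (status, body_bytes) is an injectable transport (assumption) so the flow runs offline."""

    def __init__(self, scim_base_url, username, password, send, auth_url=None):
        self.scim_base_url = scim_base_url.rstrip("/")
        # With an auth URL these two properties hold the OAuth client_id / client_secret.
        self.username, self.password, self.auth_url, self.send = username, password, auth_url, send
        self._token, self._expires_at = None, 0.0

    def uses_bearer(self):
        # A populated authentication URL selects bearer token authentication.
        return bool(self.auth_url)

    def _basic_header(self):
        return "Basic " + base64.b64encode(f"{self.username}:{self.password}".encode()).decode()

    def _bearer_header(self):
        # OAuth client_credentials grant; refresh 30 s early so an expiring token never hits a 401.
        if self._token is None or time.time() >= self._expires_at - 30:
            status, body = self.send("POST", self.auth_url,
                {"Authorization": self._basic_header(),
                 "Content-Type": "application/x-www-form-urlencoded"},
                urlencode({"grant_type": "client_credentials"}).encode())
            if status != 200:
                raise RuntimeError(f"token endpoint returned HTTP {status}")
            tok = json.loads(body)
            self._token = tok["access_token"]
            self._expires_at = time.time() + float(tok.get("expires_in", 0))
        return "Bearer " + self._token

    def search_users(self, attr, op, value):
        # Only "starts with" (sw) and "contains" (co) are supported; "ends with" (ew) is not.
        if op not in ("sw", "co"):
            raise ValueError(f"unsupported SCIM filter operator: {op}")
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')  # filter values are quoted strings
        query = urlencode({"filter": f'{attr} {op} "{escaped}"'})
        auth = self._bearer_header() if self.uses_bearer() else self._basic_header()
        status, body = self.send("GET", f"{self.scim_base_url}/Users?{query}",
                                 {"Authorization": auth, "Accept": "application/scim+json"}, None)
        if status != 200:
            raise RuntimeError(f"SCIM query returned HTTP {status}")
        return json.loads(body).get("Resources", [])
```

Pass a real HTTP transport as `send` to use it against an IdP; the account or client behind the credentials needs full read access to the SCIM Provider, as the text notes.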
An example of a SCIM 1.1 Provider is UMS (or any WebSphere based Identity Provider). An example of a SCIM 2.0 Provider is the IAM service that is used in CP4BA.