Configuring SCIM Directory Server

You can configure a SCIM Directory to be the directory service for Content Cortex.

For the current list of SCIM Servers qualified with Content Platform Engine, see IBM® Software Product Compatibility Report.

The SCIM Server supports queries for users, groups, and nested parent groups using the SCIM protocol and the SCIM schema. For more information, see SCIM protocol and SCIM schema.

The user queries for SCIM return user information, including the groups of which the user is a member, in one of the following ways:
  • By using a direct retrieval with the SCIM id. For example,
    GET https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646
  • By using a filter attribute. For example,
    GET https://example.com/v2/Users?filter=userName eq "johnsmith"
The group queries for SCIM return group members as well as nested parent groups for the group. For example, to retrieve parent groups with a SCIM query:
GET https://example.com/v2/Groups?filter=members.value eq "groupName"
If the query does not retrieve parent groups, but the SCIM server returns nested parent groups on its own, set the GroupMembershipSearchFilter property in the Content Platform Engine SCIM Directory configuration. Set the property to one of the following values, depending on whether nested parent groups are returned for user queries, group queries, or both:
  • nestedGroupsReturned=users
  • nestedGroupsReturned=groups
  • nestedGroupsReturned=users,groups
For more information, see Directory Configuration Properties (SCIM Directory).

If your SCIM server does not contain any nested groups, you can set GroupMembershipSearchFilter to nestedGroupsReturned=users,groups. This tells the CPE server that the SCIM server is responsible for returning nested groups, so CPE does not perform its own nested group query using the members.value filter. Because there are no nested groups in the SCIM directory, the correct set of groups is returned regardless of whether the SCIM server supports the members.value group filter.
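
A simplified model of the two lookup modes described above, added here as an illustration and not taken from IBM's code: it builds the percent-encoded filter URL and walks parent groups with the members.value filter unless nestedGroupsReturned covers that query type. The function names and the sample directory are constructed assumptions; a real deployment would send the query to the SCIM server over HTTPS.

```python
import json
from urllib.parse import quote

BASE = "https://example.com/v2"  # base URL from the examples above

def filter_url(resource, attr, value):
    # RFC 7644 filter values are JSON strings: json.dumps escapes embedded
    # quotes, then the whole expression is percent-encoded for the URL.
    return f"{BASE}/{resource}?filter=" + quote(f"{attr} eq {json.dumps(value)}", safe="")

# Constructed sample data: member -> groups that list it directly in "members".
SAMPLE_PARENTS = {
    "admins": ["staff"],
    "staff": ["everyone"],
    "loop-a": ["loop-b"],   # two groups nested in each other
    "loop-b": ["loop-a"],
}

def sample_parent_query(member):
    # Stand-in (assumption) for: GET filter_url("Groups", "members.value", member)
    return SAMPLE_PARENTS.get(member, [])

def resolve_groups(direct, kind, nested_groups_returned="", parent_query=sample_parent_query):
    """Effective groups for one user or group query result.

    direct: groups the SCIM response listed; kind: "users" or "groups";
    nested_groups_returned: value configured after "nestedGroupsReturned=".
    """
    if kind in nested_groups_returned.split(","):
        return set(direct)          # trust the server's list, no extra queries
    seen, todo = set(), list(direct)
    while todo:                     # walk parents transitively
        group = todo.pop()
        if group not in seen:       # guards against nesting cycles
            seen.add(group)
            todo.extend(parent_query(group))
    return seen

if __name__ == "__main__":
    print(filter_url("Users", "userName", "johnsmith"))
    print(sorted(resolve_groups(["admins"], "users")))           # walk performed
    print(sorted(resolve_groups(["admins"], "users", "users")))  # walk skipped
```

In this model, the last call returns only the direct group: if the setting says the server returns nested groups for a query type but the server lists only direct groups, inherited memberships are missing from the result. Check the server's actual responses before choosing the value.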