Custom Schema Extensions

The SCIM service provides an API that can consolidate the management of user data from various sources.

However, the core schemas and built-in schema extensions provided out of the box have strict payload structure and fixed attribute names.

Custom Schema Extensions can be used to add custom attributes to the User Resource with administrator-defined schema extensions. The custom attributes can be mapped to LDAP attributes, session attributes, or fixed values.

Configuration can be performed on the Custom Schema Extensions tab of the SCIM Configuration page. See Custom Schema Extensions. Configuration can also be performed by using the Schema Extensions API.

Schema Extension

A schema extension consists of the following parameters:
  • The ID, which is typically a URN
  • A human-readable name
  • An optional description
  • A list of custom attributes
For example:
{
    "id": "urn:UserAttributes",
    "name": "Custom User Attributes",
    "description": "",
    "attributes": [
        ...
    ]
}

Custom schemas can be created, modified or removed on the Custom Schema Extensions page.

The schema extension ID is used as the JSON container (the object key) when inserting the custom attributes into the User Resource payload, and it is also listed in the resource's schemas array. This distinguishes attributes belonging to the extension namespace from base schema attributes. For example:
{
    "meta": {
        "location": "https://localhost/scim/Users/dGVzdHVzZXI",
        "resourceType": "User"
    },
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:isam:1.0:User",
        "urn:UserAttributes"
    ],
    "id": "dGVzdHVzZXI",
    "userName": "testuser",
    ...
    "urn:ietf:params:scim:schemas:extension:isam:1.0:User": {
        "passwordValid": true,
        "identity": "testuser",
        "accountValid": true
    },
    "urn:UserAttributes": {
        "pwdAccountLocked": true
    }
}

Custom Attributes

The configuration of an attribute in a custom schema extension follows a similar format to the attribute definitions in RFC 7643. The key differences are the addition of the mapping parameter and the omission of the caseExact and uniqueness parameters.

For example, an attribute in a custom schema extension may be defined as follows:
{
    "name": "pwdAccountLocked",
    "description": "Whether this account is locked.",
    "type": "boolean",
    "multiValued": false,
    "required": true,
    "mutability": "adminWrite",
    "returned": "default",
    "mapping": {
        "sourceAttribute": "ibm-pwdAccountLocked",
        "sourceType": "ldap"
    }
}

Similar to the User Profile Attribute Mapping, the mapping parameter controls where the attribute value is sourced from (that is, what it is mapped from). The sourceType can be set to one of: ldap, session, fixed. The sourceAttribute field is required in every case; its meaning depends on the sourceType.

If sourceType is set to ldap, the sourceAttribute field must contain the name of the LDAP attribute that is to be mapped. The LDAP attribute is retrieved using the server connection, suffix, DN, ID, and object class configuration defined for the User Profile.

If sourceType is set to session, the sourceAttribute field must contain the name of the session attribute that is to be mapped.

If sourceType is set to fixed, the literal contents of the sourceAttribute field are used as the attribute value.

The following attribute types are supported (written in camelCase in the attribute definition, as in the example above):
  • string
  • boolean
  • decimal
  • integer
  • dateTime
  • binary
  • reference
  • complex (an object)
The following attribute mutability options are supported (also written in camelCase, for example "adminWrite"):
  • readOnly
  • readWrite
  • adminWrite
  • userWrite
  • writeOnly
  • immutable
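The following is an added example, not code from the IBM SCIM service or its documentation. It models the rules described in the previous sections: a custom attribute's mapping selects an ldap, session or fixed source, the resolved values are placed under a container keyed by the extension ID, and that ID is added to the resource's schemas array. It also rejects definitions that use a type, mutability or sourceType outside the lists above. The LDAP entry, the session attribute name AUTHENTICATION_LEVEL, the attributes authLevel and tenant, and the rules for coercing LDAP string values to SCIM types are all assumptions made for illustration.

```python
"""Resolve custom schema extension attributes into a SCIM User resource payload.
Added example, not IBM's SCIM service code: it models the mapping rules and the
extension-ID container described on this page. The LDAP entry, session attributes
and type-coercion rules are assumptions for illustration."""
import json
from datetime import datetime, timezone

# Values the page lists as supported, in the camelCase form the attribute example uses.
SUPPORTED_TYPES = {"string", "boolean", "decimal", "integer", "dateTime",
                   "binary", "reference", "complex"}
SUPPORTED_MUTABILITY = {"readOnly", "readWrite", "adminWrite", "userWrite",
                        "writeOnly", "immutable"}
SUPPORTED_SOURCE_TYPES = {"ldap", "session", "fixed"}


def validate_attribute(attr):
    """Reject a definition whose type, mutability or mapping the page does not allow."""
    name = attr.get("name", "<unnamed>")
    mapping = attr.get("mapping") or {}
    if attr.get("type") not in SUPPORTED_TYPES:
        raise ValueError(f"{name}: unsupported type {attr.get('type')!r}")
    if attr.get("mutability") not in SUPPORTED_MUTABILITY:
        raise ValueError(f"{name}: unsupported mutability {attr.get('mutability')!r}")
    if mapping.get("sourceType") not in SUPPORTED_SOURCE_TYPES:
        raise ValueError(f"{name}: sourceType must be ldap, session or fixed")
    if not mapping.get("sourceAttribute"):
        raise ValueError(f"{name}: mapping.sourceAttribute is required")
    return True


def coerce(value, scim_type):
    """LDAP returns strings, so convert to the declared SCIM type. Assumes LDAP
    booleans are 'TRUE'/'FALSE' and timestamps are GeneralizedTime ('20240131120000Z')."""
    if scim_type == "boolean":
        return value if isinstance(value, bool) else str(value).strip().upper() == "TRUE"
    if scim_type == "integer":
        return int(value)
    if scim_type == "decimal":
        return float(value)
    if scim_type == "dateTime":
        dt = datetime.strptime(str(value), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        return dt.strftime("%Y-%m-%dT%H:%M:%SZ")  # SCIM xsd:dateTime form
    return value  # string, binary (already base64), reference, complex pass through


def resolve_value(attr, ldap_entry, session):
    """Fetch the value from the source the mapping names; None when it is absent."""
    mapping = attr["mapping"]
    src = mapping["sourceAttribute"]
    if mapping["sourceType"] == "ldap":
        raw = ldap_entry.get(src)  # LDAP attributes arrive as lists of values
    elif mapping["sourceType"] == "session":
        raw = session.get(src)
    else:
        raw = src  # fixed: the sourceAttribute field itself is the value
    if raw is None:
        return None
    values = [coerce(v, attr["type"]) for v in (raw if isinstance(raw, list) else [raw])]
    return values if attr.get("multiValued") else values[0]


def build_user_resource(base, extension, ldap_entry, session):
    """Copy `base`, add the extension ID to "schemas" and place the resolved
    attributes under a container keyed by that ID. Raises if a required
    attribute has no value in its source."""
    resource = json.loads(json.dumps(base))  # deep copy; never mutate the input
    container = {}
    for attr in extension["attributes"]:
        validate_attribute(attr)
        value = resolve_value(attr, ldap_entry, session)
        if value is None:
            if attr.get("required"):
                raise LookupError(f"required attribute {attr['name']} has no source value")
            continue
        container[attr["name"]] = value
    if extension["id"] not in resource["schemas"]:
        resource["schemas"].append(extension["id"])
    resource[extension["id"]] = container
    return resource


# Constructed sample data: the page's pwdAccountLocked attribute plus two assumed ones
# (authLevel from an assumed session attribute, tenant as a fixed value), and an
# assumed LDAP entry and session for "testuser".
EXTENSION = {"id": "urn:UserAttributes", "name": "Custom User Attributes", "attributes": [
    {"name": "pwdAccountLocked", "type": "boolean", "multiValued": False, "required": True,
     "mutability": "adminWrite", "returned": "default",
     "mapping": {"sourceAttribute": "ibm-pwdAccountLocked", "sourceType": "ldap"}},
    {"name": "authLevel", "type": "integer", "multiValued": False, "required": False,
     "mutability": "readOnly", "returned": "default",
     "mapping": {"sourceAttribute": "AUTHENTICATION_LEVEL", "sourceType": "session"}},
    {"name": "tenant", "type": "string", "multiValued": False, "required": False,
     "mutability": "readOnly", "returned": "default",
     "mapping": {"sourceAttribute": "acme", "sourceType": "fixed"}},
]}
BASE_USER = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
             "id": "dGVzdHVzZXI", "userName": "testuser"}
LDAP_ENTRY = {"uid": ["testuser"], "ibm-pwdAccountLocked": ["TRUE"]}
SESSION = {"AUTHENTICATION_LEVEL": "2"}

if __name__ == "__main__":
    print(json.dumps(build_user_resource(BASE_USER, EXTENSION, LDAP_ENTRY, SESSION), indent=2))
```

Running the block prints the user resource with "urn:UserAttributes" appended to schemas and a container holding pwdAccountLocked, authLevel and tenant. The two points worth carrying over to a real deployment are the coercion step (an LDAP boolean arrives as the string "TRUE" and must become JSON true to match the declared type) and the treatment of a required attribute whose source has no value, which is surfaced as an error rather than silently omitted from the payload.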

Limitations

  • Custom Schema Extensions are only applied to User resource requests, not Group resource requests.
  • The Custom Schema Extensions functionality cannot be used to modify the "User" Resource Schema, the Enterprise User Schema Extension, or any built-in extension schema (for example, the MMFA transactions or FIDO2 authenticators extensions).
  • The schema attributes "caseExact" and "uniqueness" are not configurable, and default to false and "none" respectively.