General SCIM settings

The general SCIM settings include common configuration for the SCIM Web Service.

Before you begin

For new installations, the SCIM web service is disabled. Use the SCIM enablement level configuration property to enable SCIM at the required level. When SCIM is enabled, ensure that it is accessed only through a reverse proxy instance, and lock down the SCIM API with reverse proxy ACLs that suit the intended purpose.

Procedure

  1. From the top menu, go to AAC > Manage > SCIM Configuration.
  2. On the General page, modify the following options as needed.
    Enable Verify Identity Access Header Authentication
    Controls whether Verify Identity Access Header Authentication is enabled. Verify Identity Access Header Authentication is used to add the Verify Identity Access credential attributes to the session so they can be used by SCIM.
    Enable Authorization Filter
    The authorization filter is responsible for authorizing the request. It has some pre-defined rules for each of the supported SCIM end-points. These rules are:
    For the user profile functionality
    • Only authenticated users with administrator authority are allowed to do a search of users (GET /Users).
    • Unauthenticated access is allowed for creating a new user (POST /Users).
    • Only authenticated users with administrator authority or authenticated users who are accessing their own data are allowed to perform create, retrieve, update, and delete operations on a specific user's data (GET/PUT/DELETE/PATCH /Me or /Users/<id>).
    For other functionalities
    Any authenticated user is allowed to retrieve information about the SCIM service (GET /ServiceProviderConfig, /ResourceTypes, or /Schemas).

    If more advanced or different authorization is required, disable this filter and use a Web Reverse Proxy or the Advanced Access Control component in front of the SCIM application to handle the authorization.

    Administration Group
    This group is used by the authorization filter for authorization checks where the user must be a member of the administration group.
    Max User Responses
    Sets the maximum number of users that can be returned from a web service query to list users.
    Attribute Mode
    Each SCIM attribute has an associated mutability mode. The value can be ReadOnly, ReadWrite, AdminWrite, UserWrite, WriteOnly, or Immutable.

    The Default column shows whether the mode is the default (true) or user-defined (false). A mode can be reset to its default by setting it to an empty string.

    You can expand an attribute to see its subattributes.

    Enablement Level
    Controls the level of enablement for the SCIM web service API. The following options are available:
    • All (Full Access): This enables the full SCIM API with no additional restrictions.
    • None (Disabled): This disables the SCIM API. This is the default setting for new installations.
    • Admin Only: This allows SCIM API operations by admin users only. Admin users are the members of the Administration Group.
    • Self-service Only: This allows SCIM API operations by users that are operating on their own data.
    • MMFA Only: This allows only the SCIM API operations that are required for MMFA scenarios. These operations are GET and PATCH on a user's own data and are limited to one or more of the following SCIM schemas:
      • urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Transaction
      • urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator
      • urn:ietf:params:scim:schemas:extension:isam:1.0:U2F
  3. Click Save to save the changes.
    Note: Due to the caching of configuration data within the runtime, it might take up to 30 seconds before any deployed configuration changes become active.
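The authorization filter rules and the enablement levels described in step 2 combine into a single access decision per request. The following model of that decision is an added example, not code from Verify Identity Access or its SCIM web service: the Request type, the function names, the admin group name "adminGroup", the assumption that paths are given relative to the SCIM base, and the assumption that the schemas a request touches are known up front are all constructed for illustration. It shows the point a practitioner should notice when reading the rules: with the filter alone, POST /Users is reachable without authentication at the All level, which is why the page requires a reverse proxy with ACLs in front of the service.

```python
"""Model of the SCIM authorization filter rules and enablement levels
documented on this page. Added illustration only; not the product's code.
Assumed: paths are relative to the SCIM base, the admin group is named
"adminGroup", and req.schemas lists the schemas a GET/PATCH touches."""
from dataclasses import dataclass, field
from typing import Optional, Set
import re

# Schemas permitted under the "MMFA Only" enablement level (from the page).
MMFA_SCHEMAS = {
    "urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Transaction",
    "urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator",
    "urn:ietf:params:scim:schemas:extension:isam:1.0:U2F",
}

_USER_PATH = re.compile(r"^/Users/([^/]+)$")


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str]                 # None means unauthenticated
    groups: Set[str] = field(default_factory=set)
    schemas: Set[str] = field(default_factory=set)  # assumed: schemas touched


def target_user(path: str) -> Optional[str]:
    """Return the <id> from /Users/<id>, or None for any other path."""
    m = _USER_PATH.match(path)
    return m.group(1) if m else None


def is_admin(req: Request, admin_group: str) -> bool:
    return req.user is not None and admin_group in req.groups


def is_self(req: Request) -> bool:
    """Authenticated and operating on own data (/Me or /Users/<own id>)."""
    if req.user is None:
        return False
    return req.path == "/Me" or target_user(req.path) == req.user


def authorization_filter(req: Request, admin_group: str = "adminGroup") -> bool:
    """The pre-defined rules of the authorization filter, as documented."""
    if req.method == "GET" and req.path == "/Users":
        return is_admin(req, admin_group)          # search: administrators only
    if req.method == "POST" and req.path == "/Users":
        return True                                # creation: no authentication needed
    if req.path == "/Me" or target_user(req.path) is not None:
        if req.method in {"GET", "PUT", "DELETE", "PATCH"}:
            return is_admin(req, admin_group) or is_self(req)
        return False
    if req.method == "GET" and req.path in {"/ServiceProviderConfig",
                                            "/ResourceTypes", "/Schemas"}:
        return req.user is not None                # any authenticated user
    return False                                   # nothing else is allowed


def enablement_allows(level: str, req: Request,
                      admin_group: str = "adminGroup") -> bool:
    """Gate a request on the configured enablement level."""
    if level == "All":
        return True
    if level == "None":
        return False
    if level == "Admin Only":
        return is_admin(req, admin_group)
    if level == "Self-service Only":
        return is_self(req)
    if level == "MMFA Only":
        return (req.method in {"GET", "PATCH"} and is_self(req)
                and bool(req.schemas) and req.schemas <= MMFA_SCHEMAS)
    raise ValueError(f"unknown enablement level: {level}")


def decide(level: str, req: Request, admin_group: str = "adminGroup") -> bool:
    """Final decision: the enablement level and the filter must both allow."""
    return enablement_allows(level, req, admin_group) and \
        authorization_filter(req, admin_group)


if __name__ == "__main__":
    anon_create = Request("POST", "/Users", None)
    print("All / anonymous POST /Users:", decide("All", anon_create))
    print("Admin Only / anonymous POST /Users:", decide("Admin Only", anon_create))
```

Running the block prints True for the first line and False for the second, which is the reason the page requires reverse proxy ACLs: the filter permits anonymous user creation at the All level, and the Admin Only level or ACLs in front of the service are what actually close it.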