
Configuration files

Before you deploy the SCIM service, you must modify the configuration files to specify connection settings, user and group mapping, and schemas.

After you install IBM® Security Verify Directory Integrator, you can find a folder named SCIM in tdi_install_dir. When you create the solution directory, either manually or when the server is started, the SCIM folder is automatically copied to the solution directory. Alternatively, you can copy the SCIM folder to your solution directory manually.

The SCIM folder contains the following set of files, including the configuration files that you modify to configure the setup. In most cases, you need to update only the SCIM.properties file; the other files usually do not require any modification.

SCIM.properties

The SCIM.properties file contains the following server system-specific properties, including details of the backend IBM Security Directory Server.

Location
The externally accessible URL of the SCIM service. It affects only the location headers in SCIM replies.

httpPort
The port on which the SCIM Service listens. The SCIM Service always uses SSL, so this port serves HTTPS despite the property name.

LDAP.LookupLimit
The maximum number of resources that the SCIM Service can return for a lookup. The default value is 20000, which keeps memory use bounded; raising it increases the memory that a single request can consume.

LDAPServer
The URL for the IBM Security Directory Server that stores the user data.

LDAPServer.1
The URL for the first failover server. If more than one failover server is required, you can add LDAPServer.2, and so on.

userSearchBase
The Search Base for users in the IBM Security Directory Server.

groupSearchBase
The Search Base for groups in the IBM Security Directory Server.

userObjectClass
The list of object classes that are used when a user is created in the IBM Security Directory Server.

groupObjectClass
The list of object classes that are used when a group is created in the IBM Security Directory Server.

userSearchFilter
Used to find all users in the userSearchBase.

groupSearchFilter
Used to find all groups in the groupSearchBase.

dummyGroupMember
When a new group is created with no members, and dummyGroupMember has a value, that value is added as a member so that the group entry does not fail with an object class violation error (group object classes typically require at least one member).

audit.log
Set this parameter to true to create audit logs.

audit.logFile
The name of the audit log file.

audit.logFileDatePattern
The date pattern specifies how often the log file is rolled over to a backup file. It also specifies how the date is appended to the log file name for the backup files that store previous logs.

audit.syslog
Indicates whether syslogging to QRadar® is enabled. Set the value to true to enable.

audit.QRadarHost
The host where QRadar is located.

audit.QRadarPort
The port number for QRadar.

audit.facility
The facility for the audit messages.

audit.eventID
The event ID to use in audit logs.

audit.devTimeFormat
The date format to use in audit logs.

mapTenantNames
Set this property to true to change the way that SCIM authentication is done. For more information and a list of properties that you can use if this property is true, see Authentication of SCIM requests.

TenantBase
The base DN to which containers are added in the LDAP server when a new tenant is added.

alltenants
Set this property to true to enable the alltenants endpoint.

usePasswordPolicy
If this property is set to true, it enables you to set and get password policy attributes for a tenant.

AuthenticationRealm
The realm that is presented to the user when asked for authentication.

authenticationEndpoint
If this property is set to true, it enables the authentication endpoint. The default value is false.
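The properties above interact: switching on audit.syslog is useless without audit.QRadarHost and audit.QRadarPort, failover servers must be numbered consecutively, and a large LDAP.LookupLimit is a memory-exhaustion risk. The following is an added example, not part of the product, that parses a SCIM.properties text and reports such problems before deployment. The property names are the ones documented on this page; the checks themselves (ldaps:// URLs, contiguous failover indexes, dependent audit settings) are this editor's recommended pre-deployment checks, not rules the product enforces, and the two properties texts are constructed for the example.

```python
"""Pre-deployment sanity checks for SCIM.properties (added example, not IBM code)."""
import re


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def is_true(props, key):
    return props.get(key, "false").lower() == "true"


def check_scim_properties(props):
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    # The SCIM listener is always SSL; the backend LDAP connection should be too,
    # otherwise userPassword values written via SCIM cross the network in clear.
    # (Recommendation of this example, not a documented product requirement.)
    servers = [k for k in props if k == "LDAPServer" or re.fullmatch(r"LDAPServer\.\d+", k)]
    if "LDAPServer" not in props:
        findings.append("LDAPServer is not set")
    for k in servers:
        if not props[k].lower().startswith("ldaps://"):
            findings.append(f"{k} does not use ldaps://: {props[k]}")
    # Failover servers are LDAPServer.1, LDAPServer.2, ...; assume (not documented)
    # that a gap in the numbering hides every server after the gap.
    indexes = sorted(int(k.split(".")[1]) for k in servers if "." in k)
    if indexes != list(range(1, len(indexes) + 1)):
        findings.append(f"failover indexes are not contiguous: {indexes}")
    # LDAP.LookupLimit bounds memory use; the default of 20000 exists for that reason.
    limit = props.get("LDAP.LookupLimit", "20000")
    if not limit.isdigit() or int(limit) <= 0:
        findings.append(f"LDAP.LookupLimit is not a positive integer: {limit}")
    elif int(limit) > 20000:
        findings.append(f"LDAP.LookupLimit {limit} exceeds the default 20000")
    # Audit features that are switched on need their dependent properties.
    if is_true(props, "audit.log") and not props.get("audit.logFile"):
        findings.append("audit.log=true but audit.logFile is empty")
    if is_true(props, "audit.syslog"):
        for dep in ("audit.QRadarHost", "audit.QRadarPort"):
            if not props.get(dep):
                findings.append(f"audit.syslog=true but {dep} is empty")
        port = props.get("audit.QRadarPort", "")
        if port and not (port.isdigit() and 0 < int(port) < 65536):
            findings.append(f"audit.QRadarPort is not a valid port: {port}")
    for key in ("httpPort", "userSearchBase", "groupSearchBase"):
        if not props.get(key):
            findings.append(f"{key} is not set")
    return findings


# Constructed sample: a weak configuration with several problems.
WEAK = """
Location=https://scim.example.com:8443
httpPort=8443
LDAP.LookupLimit=500000
LDAPServer=ldap://ldap1.example.com:389
LDAPServer.1=ldap://ldap2.example.com:389
LDAPServer.3=ldap://ldap3.example.com:389
userSearchBase=ou=people,dc=example,dc=com
groupSearchBase=ou=groups,dc=example,dc=com
audit.log=true
audit.logFile=
audit.syslog=true
audit.QRadarHost=
audit.QRadarPort=514
"""

# Constructed sample: the same deployment with the problems corrected.
HARDENED = """
Location=https://scim.example.com:8443
httpPort=8443
LDAP.LookupLimit=20000
LDAPServer=ldaps://ldap1.example.com:636
LDAPServer.1=ldaps://ldap2.example.com:636
LDAPServer.2=ldaps://ldap3.example.com:636
userSearchBase=ou=people,dc=example,dc=com
groupSearchBase=ou=groups,dc=example,dc=com
audit.log=true
audit.logFile=scim-audit.log
audit.syslog=true
audit.QRadarHost=qradar.example.com
audit.QRadarPort=514
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, check_scim_properties(parse_properties(text)) or "OK")
```

Run against the weak sample the checker reports seven findings (three plain-ldap URLs, the missing LDAPServer.2, the oversized lookup limit, the empty audit.logFile and the empty audit.QRadarHost); the hardened sample passes clean. The parser is deliberately minimal and does not handle the ':' separator, line continuations or escapes that the full Java properties syntax allows.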

UserMapping.json and GroupMapping.json

The UserMapping.json and GroupMapping.json files specify the mapping between SCIM attributes and IBM Security Directory Server user or group attributes. Each entry in these files contains a SCIM attribute name and an LDAP attribute name. An entry can also carry the following extra attributes.

ReadOnly
Specifies that the value is mapped only from LDAP to SCIM and not the other way.

WriteOnly
Specifies that the value is mapped only from SCIM to LDAP and not the other way. Use this setting for the password attribute, so that the stored password is never returned in SCIM responses.

CreateDN
Specifies that the value is also used to create a distinguished name (DN) in the IBM Security Directory Server, by appending the userSearchBase to the value. To be able to create new resources, there must be one entry with the CreateDN attribute, which uses a SCIM attribute name that is always provided.

Type
Provides the canonical type for a multi-valued attribute.

Conversion
Specifies a conversion of the attribute value. The conversion attribute can have one of the following values:

  • DateTime converts the value from LDAP date format to SCIM date format.
  • Group converts the value from an LDAP group to a SCIM group.
  • NewLines converts the new lines in SCIM values to $ in LDAP values and vice versa.
  • IsActive computes the active status for a user based on several operational attributes.
  • Boolean converts from SCIM boolean to LDAP TRUE or FALSE.
  • InverseBoolean converts from SCIM boolean to LDAP TRUE or FALSE, but TRUE maps to FALSE and vice versa.
  • MultiValued indicates a multi-valued attribute with no canonical type.

Note:

  • There must be only one map entry for each SCIM name, unless the entries have a unique Type.
  • There must be only one entry for each LDAP name, unless the entries are ReadOnly.

UserSchema.json and GroupSchema.json

The UserSchema.json and GroupSchema.json files provide the schema definition of users or groups as per the SCIM specification. The attributes that are specified must match the attributes that are defined in the UserMapping.json and GroupMapping.json files.

ServiceProviderConfig.json
Defines the specification compliance, supported data models, authentication schemes, and so forth.

SCIM.xml
The configuration file that implements the SCIM service.

QRadarLogging.map

The QRadarLogging.map file specifies the values for attributes that are sent to the QRadar system when QRadar syslogging is enabled.

For more information, see the Readme.txt file in the SCIM folder in the sdi_solution_dir of the IBM® Security Verify Directory Integrator installation.