16.12 Understanding and Configuring SCIM Templates

The System for Cross-domain Identity Management (SCIM) is a protocol for identity exchange, especially across SaaS products. SCIM connectors enable Identity Governance to integrate with applications seamlessly and support multiple authentication methods.

Identity Governance provides the following templates for SCIM:

  • SCIM Identity

  • SCIM Account

  • SCIM Permission

  • SCIM Fulfillment

For additional information about configuring SCIM templates, see the following sections:

16.12.1 Understanding SCIM Authentication Methods and Specifying Ordinals

SCIM connectors require a particularly complex configuration template that supports three different authentication types, each of which has different credential parameters that are required to properly configure the collectors and fulfillers. The choice of authentication type and grant type will depend on the use case and what the authentication token endpoint supports.

When using the bearer token authentication method, you can select Password Flow (when user involvement is required) or Client Credential Flow (for machine-to-machine communication) as the authentication grant type. When using the Client Credential Flow, you will need to specify whether the credentials should be included in the request header or request body .

When using Cloud Bridge, you must also specify a unique ordinal for each authentication method. Use the following table to understand the ordinal number that you need to specify for SCIM authentication methods.

Ordinal (Credential Position)

Authentication Type

Credential Set

3

Basic Auth

  • User Name

  • Password

4

Access Token

NOTE:When the access token expires, replace it with a new access token.

  • Access Token Header

  • Access Token

5

Bearer Token

  • User Name

  • Password

6

Bearer Token

  • Client ID

  • Client Secret

IMPORTANT:For the access token, the user provides the token to connect to the SCIM-compatible application, whereas, for the bearer token, the connector generates the token. When the access token expires, replace it with a new access token.

16.12.2 About SCIM Collectors

The SCIM account and permission collectors use unique authentication methods. In addition to specifying the authentication method, you might need to change attribute mapping when configuring the template. SCIM supports singular, complex singular, complex multi-valued attributes, and extensions. However, if your application supports any other attributes or extensions different from those mentioned in the SCIM protocol, you can change the attribute mapping in the template by using delimiters. You can use ‘:’ (colon) for attributes, for example, emails:work:value, and ‘+’ (plus) for extensions, for example, urn:ietf:params:scim:schemas:extension:enterprise:2.0:User+department.

To successfully map SCIM accounts and permissions to identities, you must use email as the mapping attribute during identity, accounts, and permissions collection. SCIM collects records in batches of up to 999 records, and the default batch collection session timeout value is set to 60 seconds.

By default, the generic SCIM permission collector collects groups as permission for the resource type. However, you can configure the collector to collect other permissions by setting the Resource Type and mapping the attributes of that resource type. For example, if you want to add printers as permission you can give the endpoint of that resource type and map the required attributes to perform the collection.

16.12.3 About SCIM Fulfillment

Identity Governance uses the System for Cross-domain Identity Management (SCIM) fulfillment template for managing identities, and fulfilling change requests for permissions and accounts, especially across SaaS products. Based on the SCIM protocol, the SCIM fulfiller has default attribute mapping that helps you fulfill requests. However, you can change these mappings to match the requirements of your application.

The SCIM fulfiller template allows you to edit the transform script to build the required payload for the change requests for generic fulfillment, user profiles, permissions, and accounts. The ECMA script includes comments that guide you through the payload generation process. After you generate the payload, Identity Governance sends the payload for fulfillment. The SCIM fulfiller generates the payload for the following change requests:

  • ADD_APPLICATION_TO_USER

  • ADD_PERMISSION_TO_USER

  • REMOVE_ACCOUNT_PERMISSION

  • REMOVE_PERMISSION_ASSIGNMENT

  • REMOVE_ACCOUNT