The System for Cross-domain Identity Management (SCIM) is a protocol for identity exchange, especially across SaaS products. SCIM connectors enable Identity Governance to integrate with applications seamlessly and support multiple authentication methods.
Identity Governance provides the following templates for SCIM:
SCIM Identity
SCIM Account
SCIM Permission
SCIM Fulfillment
For additional information about configuring SCIM templates, see the following sections:
SCIM connectors require a particularly complex configuration template that supports three different authentication types, each of which has different credential parameters that are required to properly configure the collectors and fulfillers. The choice of authentication type and grant type will depend on the use case and what the authentication token endpoint supports.
When using the bearer token authentication method, you can select Password Flow (when user involvement is required) or Client Credential Flow (for machine-to-machine communication) as the authentication grant type. When using the Password Flow, you must specify a username and password, as well as the OAuth2 client ID and secret for API access to the SCIM-compatible application. When using the Client Credential Flow, you must specify whether the credentials should be included in the request header or the request body, along with the client ID and secret. The process for configuring the application and generating the client ID and secret varies depending on your data source. For additional information about obtaining the client ID and secret, contact the application owner.
The following table lists the available authentication types and related credentials.
Authentication Type | Credential Set
---|---
Basic Auth | Username and password
Access Token | Access token (supplied by the user)
Bearer Token (Password Flow) | Username, password, OAuth2 client ID, and client secret
Bearer Token (Client Credential Flow) | OAuth2 client ID and client secret, sent in the request header or the request body
IMPORTANT: For the access token, the user provides the token to connect to the SCIM-compatible application, whereas, for the bearer token, the connector generates the token. When the access token expires, replace it with a new access token.
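To make the difference between the two bearer-token grant types concrete, the following is an added example (not code from Identity Governance or its SCIM connector) that builds the OAuth2 token request for each grant type, reads the token response, and derives the Authorization header that the subsequent SCIM calls carry. It runs under Node.js; the token URL and credential values are constructed placeholders, and the field names of the `cfg` object are assumptions of this example, not connector parameters.

```javascript
// Added example: OAuth2 token requests for the Password Flow and the
// Client Credential Flow, and the bearer header used on SCIM calls afterwards.
// Not the product's code; cfg field names and all values are assumed.

function formBody(params) {
  // application/x-www-form-urlencoded body, as RFC 6749 requires
  return new URLSearchParams(params).toString();
}

function buildPasswordGrantRequest(tokenUrl, cfg) {
  // Password Flow (RFC 6749 section 4.3): the user's credentials and the
  // client's credentials all travel in the form body.
  return {
    method: "POST",
    url: tokenUrl,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: formBody({
      grant_type: "password",
      username: cfg.username,
      password: cfg.password,
      client_id: cfg.clientId,
      client_secret: cfg.clientSecret,
    }),
  };
}

function buildClientCredentialsRequest(tokenUrl, cfg, credentialsIn) {
  // Client Credential Flow (RFC 6749 section 4.4). The connector lets you
  // choose whether the client ID and secret go in the header or the body.
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  const params = { grant_type: "client_credentials" };
  if (credentialsIn === "header") {
    // HTTP Basic client authentication (RFC 6749 section 2.3.1):
    // base64(urlencode(client_id) ":" urlencode(client_secret))
    const pair = `${encodeURIComponent(cfg.clientId)}:${encodeURIComponent(cfg.clientSecret)}`;
    headers.Authorization = "Basic " + Buffer.from(pair, "utf8").toString("base64");
  } else if (credentialsIn === "body") {
    params.client_id = cfg.clientId;
    params.client_secret = cfg.clientSecret;
  } else {
    throw new Error(`credentials must be placed in "header" or "body", got ${credentialsIn}`);
  }
  return { method: "POST", url: tokenUrl, headers, body: formBody(params) };
}

function parseTokenResponse(json, nowSeconds) {
  // Only a token_type of Bearer is usable here; expires_in lets the connector
  // renew the token itself instead of relying on a manually replaced one.
  const r = JSON.parse(json);
  if (typeof r.access_token !== "string" || String(r.token_type).toLowerCase() !== "bearer") {
    throw new Error("token endpoint did not return a bearer token");
  }
  const lifetime = Number.isFinite(r.expires_in) ? r.expires_in : 0;
  return { token: r.access_token, expiresAt: nowSeconds + lifetime };
}

function needsRefresh(tokenInfo, nowSeconds, skewSeconds = 60) {
  // Renew a little before expiry so an in-flight collection batch does not fail midway
  return nowSeconds + skewSeconds >= tokenInfo.expiresAt;
}

function scimRequestHeaders(token) {
  // Header carried by every subsequent SCIM call (RFC 6750 bearer usage)
  return { Authorization: `Bearer ${token}`, Accept: "application/scim+json" };
}

// Constructed usage: placeholder endpoint and credentials
const tokenUrl = "https://idp.example.invalid/oauth2/token";
const passwordReq = buildPasswordGrantRequest(tokenUrl, {
  username: "svc-collector", password: "PLACEHOLDER", clientId: "cid", clientSecret: "PLACEHOLDER",
});
const clientReq = buildClientCredentialsRequest(tokenUrl, { clientId: "cid", clientSecret: "PLACEHOLDER" }, "header");
const tokenInfo = parseTokenResponse('{"access_token":"abc","token_type":"Bearer","expires_in":3600}', 1000);
console.log(passwordReq.body, clientReq.headers.Authorization, scimRequestHeaders(tokenInfo.token));
```

The Password Flow requires the connector to hold a user's password in its configuration, while the Client Credential Flow needs only the client ID and secret, which is one reason the text reserves the Password Flow for cases where user involvement is required. The `expiresAt` value returned by `parseTokenResponse` is what lets the connector regenerate a bearer token before it expires, in contrast to the user-supplied access token that must be replaced by hand.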
The SCIM account and permission collectors use unique authentication methods. In addition to specifying the authentication method, you might need to change the attribute mapping when configuring the template. SCIM supports singular, complex singular, and complex multi-valued attributes, as well as extensions. If your application supports attributes or extensions beyond those defined in the SCIM protocol, you can change the attribute mapping in the template by using delimiters. Use ‘:’ (colon) to address attributes, for example, emails:work:value, and ‘+’ (plus) to address extensions, for example, urn:ietf:params:scim:schemas:extension:enterprise:2.0:User+department.
To successfully map SCIM accounts and permissions to identities, you must use email as the mapping attribute during identity, accounts, and permissions collection. SCIM collects records in batches of up to 999 records, and the default batch collection session timeout value is set to 60 seconds.
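The following is an added example, not code from Identity Governance, showing one way the delimiter-based mapping expressions described above can be resolved against a SCIM User resource, with email used as the mapping attribute. The interpretation is an assumption of this example: ‘:’ walks into complex attributes, and on a multi-valued attribute the segment selects the entry whose type matches it (or the primary entry when the segment is primary); ‘+’ splits the extension schema URN from the attribute inside it. The sample user is constructed, modelled on the example User in the SCIM schema specification.

```javascript
// Added example: resolve mapping expressions such as "emails:work:value" and
// "urn:...:extension:enterprise:2.0:User+department" against a SCIM User.
// The delimiter semantics below are this example's assumption, not the product's documented rules.

// Constructed sample resource
const constructedUser = {
  schemas: [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
  ],
  id: "2819c223",
  userName: "bjensen",
  name: { givenName: "Barbara", familyName: "Jensen" },
  emails: [
    { value: "bjensen@example.com", type: "work", primary: true },
    { value: "babs@example.com", type: "home" },
  ],
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    department: "Tour Operations",
    manager: { value: "26118915", displayName: "John Smith" },
  },
};

function resolveMapping(resource, expression) {
  let node = resource;
  let path = expression;
  const plus = expression.indexOf("+");
  if (plus !== -1) {
    // Extension: everything before '+' is the schema URN (which itself contains
    // colons, hence the separate delimiter); everything after it is the attribute path.
    const schema = expression.slice(0, plus);
    path = expression.slice(plus + 1);
    node = resource[schema];
    if (node === undefined) return undefined; // extension not present on this resource
  }
  for (const segment of path.split(":")) {
    if (node === undefined || node === null) return undefined;
    if (Array.isArray(node)) {
      // Complex multi-valued attribute: pick the entry by type, or the primary one
      node = segment === "primary"
        ? node.find((e) => e && e.primary === true)
        : node.find((e) => e && e.type === segment);
    } else if (typeof node === "object") {
      node = node[segment]; // singular or complex singular attribute
    } else {
      return undefined; // tried to descend into a scalar
    }
  }
  return node;
}

function mapResource(resource, mapping) {
  // Apply a whole attribute mapping and insist on the email join attribute,
  // since the text requires email to match accounts and permissions to identities.
  const out = {};
  for (const [target, expression] of Object.entries(mapping)) {
    out[target] = resolveMapping(resource, expression);
  }
  if (typeof out.email !== "string" || out.email.length === 0) {
    throw new Error(`resource ${resource.id} has no value for the email mapping attribute`);
  }
  return out;
}

// Constructed usage
const mapped = mapResource(constructedUser, {
  email: "emails:work:value",
  firstName: "name:givenName",
  department: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User+department",
  manager: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User+manager:displayName",
});
console.log(mapped);
```

Because `mapResource` refuses a record whose email expression resolves to nothing, a mapping that points at the wrong sub-attribute (for example, a home address where the application only populates work addresses) fails loudly during collection rather than silently producing accounts that never join to an identity.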
By default, the generic SCIM permission collector collects groups as permissions for the resource type. However, you can configure the collector to collect other permissions by setting the Resource Type and mapping the attributes of that resource type. For example, if you want to add printers as permissions, you can specify the endpoint of that resource type and map the required attributes to perform the collection.
Identity Governance uses the System for Cross-domain Identity Management (SCIM) fulfillment template for managing identities, and fulfilling change requests for permissions and accounts, especially across SaaS products. Based on the SCIM protocol, the SCIM fulfiller has default attribute mapping that helps you fulfill requests. However, you can change these mappings to match the requirements of your application.
The SCIM fulfiller template allows you to edit the transform script to build the required payload for the change requests for generic fulfillment, user profiles, permissions, and accounts. The ECMAScript includes comments that guide you through the payload generation process. After you generate the payload, Identity Governance sends the payload for fulfillment. The SCIM fulfiller generates the payload for the following change requests:
ADD_APPLICATION_TO_USER
ADD_PERMISSION_TO_USER
REMOVE_ACCOUNT_PERMISSION
REMOVE_PERMISSION_ASSIGNMENT
REMOVE_ACCOUNT
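As an added illustration of what a transform script has to produce for these change request types, the following ECMAScript is an example written for this page, not the product's own transform script or its default mapping. The shape of the change request object (`type`, `identity`, `account`, `permission`) is an assumption of this example; the real script context is not described here. Group membership is used as the permission model, matching the default permission collector described earlier, and the PATCH bodies follow the SCIM protocol's PatchOp message (RFC 7644 section 3.5.2). The two REMOVE permission types are treated identically here, which is also an assumption.

```javascript
// Added example: build the SCIM call (method, path, JSON body) that fulfils
// each change request type. Not the product's transform script; the change
// request shape and the group-based permission model are assumed.

const PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp";
const USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User";

function requireFields(cr, names) {
  for (const n of names) {
    if (cr[n] === undefined || cr[n] === null) {
      throw new Error(`${cr.type} requires "${n}" in the change request`);
    }
  }
}

function filterLiteral(value) {
  // The account id is embedded in a SCIM filter expression; reject values that
  // could change the filter's meaning rather than attempting to escape them.
  if (typeof value !== "string" || value.length === 0 || /["\\\[\]]/.test(value)) {
    throw new Error("unsafe or empty value for SCIM filter");
  }
  return `"${value}"`;
}

function groupMembershipPatch(groupId, operation) {
  return {
    method: "PATCH",
    path: `/Groups/${encodeURIComponent(groupId)}`,
    body: { schemas: [PATCH_SCHEMA], Operations: [operation] },
  };
}

function buildPayload(cr) {
  switch (cr.type) {
    case "ADD_APPLICATION_TO_USER":
      // Provision an account: POST a new User resource built from the identity
      requireFields(cr, ["identity"]);
      return {
        method: "POST",
        path: "/Users",
        body: {
          schemas: [USER_SCHEMA],
          userName: cr.identity.email,
          name: { givenName: cr.identity.givenName, familyName: cr.identity.familyName },
          emails: [{ value: cr.identity.email, type: "work", primary: true }],
          active: true,
        },
      };
    case "ADD_PERMISSION_TO_USER":
      // Grant: add the account to the group's members
      requireFields(cr, ["account", "permission"]);
      return groupMembershipPatch(cr.permission.id, {
        op: "add",
        path: "members",
        value: [{ value: cr.account.id }],
      });
    case "REMOVE_ACCOUNT_PERMISSION":
    case "REMOVE_PERMISSION_ASSIGNMENT":
      // Revoke: remove the member whose value equals the account id
      requireFields(cr, ["account", "permission"]);
      return groupMembershipPatch(cr.permission.id, {
        op: "remove",
        path: `members[value eq ${filterLiteral(cr.account.id)}]`,
      });
    case "REMOVE_ACCOUNT":
      // Deprovision: DELETE the User resource
      requireFields(cr, ["account"]);
      return { method: "DELETE", path: `/Users/${encodeURIComponent(cr.account.id)}`, body: null };
    default:
      throw new Error(`unsupported change request type: ${cr.type}`);
  }
}

// Constructed usage: a grant followed by a revoke for the same account
const grant = buildPayload({ type: "ADD_PERMISSION_TO_USER", account: { id: "u-1" }, permission: { id: "g-9" } });
const revoke = buildPayload({ type: "REMOVE_PERMISSION_ASSIGNMENT", account: { id: "u-1" }, permission: { id: "g-9" } });
console.log(JSON.stringify(grant.body), JSON.stringify(revoke.body));
```

`filterLiteral` is the check worth keeping when adapting a real transform script: the revoke path interpolates an identifier into a SCIM filter, so an identifier containing a quote or bracket would produce a filter that removes nothing or removes the wrong member, and the payload should be rejected before it is sent.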