SCIM: System for Cross-domain Identity Management
SCIM is a system for cross-domain identity management that uses a REST API to exchange user identity information between identity domains, for example to provision or de-provision user accounts in an external system, reset passwords for the accounts, or modify group memberships.
Connector name |
|
Connector type | Executable |
Type (UI field value) | SCIM: System for Cross-domain Identity Management |
Target system versions supported / tested | The SCIM connector supports the v1.0 and v2.0 standards. It may be used to integrate with servers that expose a SCIM inbound API. The SCIM 2.0 specification is used for integration with the SCIM endpoints. Examples of use include integrating with the SCIM endpoints used by Zoom and Dropbox. |
Connector status / support | Bravura Security-Verified: This connector has been tested and is fully supported by Bravura Security. |
The following Bravura Security Fabric operations are supported by this connector:
get server information
user change password
administrator reset password
create account
delete account
update attributes
list account attributes
add user to group
delete user from group
List:
accounts
attributes
groups
members
The following platform specific SCIM connectors are also available:
Oracle ERP Services (agtoraerp)
Salesforce (agtsalesforcescim)
Amazon Web Services (agtscimaws)
Setting the administrator credentials
A SCIM target may require one or two sets of administrative credentials depending on the specifications of the target. The basic authentication method will normally only require one set of administrator credentials, while OAuth usually requires two, one of which must use a system password.
For the first administrator, set the Administrator ID and Password to the login ID of an administrative user of the SCIM application server.
For the second administrator, set the Administrator ID and Password to administrative system credentials on the OAuth server. This must match client_id and client_secret on the OAuth server. Ensure that the System password checkbox is checked.
Creating a template account
Bravura Security Fabric uses template accounts as models or "blueprints" for creating new accounts on the SCIM server.
Ensure that a user exists on the SCIM server that may be used as the template account.
Targeting SCIM: System for Cross-domain Identity Management
To target SCIM, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems):
Type is SCIM: System for Cross-domain Identity Management.
Address uses options described in the table below.
Administrator credentials require administrative and system credentials as described in Setting the administrator credentials.
The full list of target parameters is explained in Target System Options.
Troubleshooting
The following are possible error messages that may be encountered during the configuration of the SCIM target. For each error message, a suggested solution is provided.
Error: Failed to read response from put [18] [unable to read result]:
Ensure that the value for Server (the IP address/domain name of the SCIM server) is set correctly.
Check the settings and values for Connection over SSL and Port and if SSL is being used for the SCIM target.
Ensure that Service Path is set to the correct service path for the SCIM server.
Invalid OAuth data. Could not connect to address <targetaddress>:
Ensure that the value for OAuth server (the IP address/domain name of the OAuth server) is set correctly.
Ensure that the value for OAuth port (the port number for the OAuth server) is set correctly.
Ensure that OAuth service path is set to the correct service path for the OAuth server.
Check that both the administrative and OAuth system credentials for the target administrator credentials are set correctly.
Invalid System credentials provided. Could not connect to address <targetaddress>:
Ensure that the OAuth system credentials have been added for the target administrator credentials.
Ensure that System password is checked for the OAuth system credentials for the target administrator credentials.
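A preflight sketch for the checks above, added here as an example and not Bravura Security's own code: it assembles the SCIM and OAuth connections from the target address settings without sending anything, so each value can be inspected on its own. It assumes a SCIM 2.0 target and an OAuth server that accepts a client-credentials grant with HTTP Basic client authentication; the function names, hosts and paths are hypothetical.

```python
import base64
import urllib.parse
import urllib.request

def build_url(server, port, use_ssl, service_path):
    """Combine Server, Port, Connection over SSL and Service Path into one URL."""
    if not server or "://" in server or "/" in server:
        raise ValueError("Server must be a bare host name or IP address")
    if not 1 <= int(port) <= 65535:
        raise ValueError("Port must be between 1 and 65535")
    scheme = "https" if use_ssl else "http"
    return f"{scheme}://{server}:{int(port)}/{service_path.strip('/')}"

def lint(port, use_ssl):
    """Flag the SSL/port mismatch that the troubleshooting list asks you to check."""
    if use_ssl and int(port) == 80:
        return ["SSL enabled but port 80 is normally plain HTTP"]
    if not use_ssl and int(port) == 443:
        return ["SSL disabled but port 443 normally expects TLS"]
    return []

def token_request(oauth_url, client_id, client_secret):
    """Client-credentials token request (RFC 6749 section 4.4); assumed grant type."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(oauth_url, data=body, method="POST")
    req.add_header("Authorization", f"Basic {basic}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req

def scim_probe(scim_url, access_token):
    """SCIM 2.0 ServiceProviderConfig read (RFC 7644 section 4) with a bearer token."""
    req = urllib.request.Request(f"{scim_url}/ServiceProviderConfig", method="GET")
    req.add_header("Authorization", f"Bearer {access_token}")
    req.add_header("Accept", "application/scim+json")
    return req

if __name__ == "__main__":
    # Constructed sample values, not taken from any real target.
    scim = build_url("scim.example.test", 443, True, "/scim/v2/")
    oauth = build_url("auth.example.test", 443, True, "oauth/token")
    print(lint(443, True), token_request(oauth, "client-id", "placeholder").full_url)
    print(scim_probe(scim, "TOKEN-PLACEHOLDER").full_url)
```

Passing either request to `urllib.request.urlopen(req, timeout=10)` from the Bravura Security Fabric server shows whether a failure comes from the OAuth side or the SCIM side.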
