Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This section provides instructions on how to configure the SCIM 2.0 connector with WSO2 Identity Server for identity provisioning. 

...

Tip

Note: SCIM 2.0 is supported by default in WSO2 Identity Server version 5.54.0. If you are using WSO2 Identity Server 5.54.0 or a later version, see SCIM 2.0 REST APIs for instructions on how to use SCIM 2.0 OOTB.

...

  1. Download the latest version of WSO2 Identity Server (IS) from here and extract it to a folder. Extracted folder will hereafter be referred to as <IS_HOME>.
  2. Download the SCIM 2.0 connector artifacts for WSO2 Identity Server from here

    Expand
    titleExpand to see what the SCIM 2.0 connector artifacts pack includes
    • charon-config.xml

    • claim-config-diff.txt

    • org.wso2.carbon.identity.scim2.common-1.1.1.jar

    • org.wso2.charon3.core-3.0.7.jar

    • README

    • scim2-schema-extension.config

    • scim2.war

  3. From the downloaded artifacts, place the org.wso2.charon.core-3.0.7.jar file in the <IS_HOME>/repository/components/lib folder.
  4. Place the org.wso2.carbon.identity.scim2.common-1.1.1.jar file in the <IS_HOME>/repository/components/dropins folder.
  5. Place the scim2.war in the <IS_HOME>/repository/deployment/server/webapps folder.
  6. Place the charon-config.xml in the <IS_HOME>/repository/conf/identity folder.
  7. Place the scim2-schema-extension.config file in the <IS_HOME>/repository/conf folder.
  8. Append the following entries to the <ResourceAccessControl></ResourceAccessControl> element of the identity.xml file found in the <IS_HOME>/repository/conf/identity folder.

    Code Block
    <Resource context="(.*)/scim2/Users" secured="true" http-method="POST">
        <Permissions>/permission/admin/manage/identity/usermgt/create</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Users" secured="true" http-method="GET">
        <Permissions>/permission/admin/manage/identity/usermgt/list</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Groups" secured="true" http-method="POST">
        <Permissions>/permission/admin/manage/identity/rolemgt/create</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Groups" secured="true" http-method="GET">
        <Permissions>/permission/admin/manage/identity/rolemgt/view</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="GET">
        <Permissions>/permission/admin/manage/identity/usermgt/view</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="PUT">
        <Permissions>/permission/admin/manage/identity/usermgt/update</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="PATCH">
        <Permissions>/permission/admin/manage/identity/usermgt/update</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Users/(.*)" secured="true" http-method="DELETE">
        <Permissions>/permission/admin/manage/identity/usermgt/delete</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="GET">
        <Permissions>/permission/admin/manage/identity/rolemgt/view</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="PUT">
        <Permissions>/permission/admin/manage/identity/rolemgt/update</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="PATCH">
        <Permissions>/permission/admin/manage/identity/rolemgt/update</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Groups/(.*)" secured="true" http-method="DELETE">
        <Permissions>/permission/admin/manage/identity/rolemgt/delete</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Me" secured="true" http-method="GET">
        <Permissions>/permission/admin/login</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Me" secured="true" http-method="DELETE">
        <Permissions>/permission/admin/manage/identity/usermgt/delete</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Me" secured="true" http-method="PUT">
        <Permissions>/permission/admin/login</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Me" secured="true" http-method="PATCH">
        <Permissions>/permission/admin/login</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Me" secured="true" http-method="POST">
        <Permissions>/permission/admin/manage/identity/usermgt/create</Permissions>
    </Resource>
    <Resource context="/scim2/ServiceProviderConfig" secured="false" http-method="all">
        <Permissions></Permissions>
    </Resource>
    <Resource context="/scim2/ResourceType" secured="false" http-method="all">
        <Permissions></Permissions>
    </Resource>
    <Resource context="/scim2/Bulk" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/usermgt</Permissions>
    </Resource>
    <Resource context="(.*)/api/identity/oauth2/dcr/(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt</Permissions>
    </Resource>
  9. Disable the SCIM listener with the orderId=90 parameter by setting the enable parameter to false in the identity.xml file found in the <IS_HOME>/repository/conf/identity folder. 
    Then, add the SCIM2 listener with the orderid=93 parameter to the identity.xml file and ensure that the enable parameter is set to true.

    Code Block
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.scim.common.listener.SCIMUserOperationListener" orderId="90" enable="false" />
    
    <!-- Enable the following SCIM2 event listener and disable the above SCIM event listener if SCIM2 is used. -->
    
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.scim2.common.listener.SCIMUserOperationListener" orderId="93" enable="true" />
  10. If you will be using the tenant endpoint, add the following property within the <TenantContextsToRewrite> <WebApp> tag of the identity.xml file found in the <IS_HOME>/repository/conf/identity folder.

    Code Block
    <Context>/scim2</Context>
  11. Ensure that the following property is set to true to enable SCIM for the relevant userstore in the user-mgt.xml file found in the  <IS_HOME>/repository/conf/ folder.

    Code Block
    <Property name="SCIMEnabled">true</Property>

...