This topic provides instructions on how to provision users to a trusted identity provider from the WSO2 Identity Server. A trusted identity provider is an identity provider that supports inbound provisioning. It can be Google, Salesforce, another Identity Server, etc.

Outbound provisioning is supported via the SCIM and SPML standards. Outbound provisioning connectors for Google and Salesforce are available by default in the Identity Server. If you need to plug in any other custom connector, you can do so by writing an extension for it as described here. Outbound provisioning configurations can be found under the identity provider configuration user interface of the Identity Server.

Configuring an identity provider

First, you must configure a trusted identity provider that has the ability to accept provisioning requests from the Identity Server.

Tip: When configuring the identity provider to provision users using SCIM, you must ensure that the trusted identity provider can accept SCIM requests. For the purpose of this example scenario, you can use another Identity Server as your identity provider. The configurations in this topic are done to reflect this.

The following steps provide instructions on how to create a new trusted identity provider in the Identity Server.

  1. Log on to the Management Console using your username and password.
  2. Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers.
  3. Fill in the details in the Basic Information section. 

    Note the following when filling the above form.
    • The Identity Provider Name should be unique.
    • The Home Realm Identifier is a standard value that comes with the communication from the identity provider. This is used as an identifier.
    • The Alias is the equivalent location specified in the identity provider.
  4. Expand the Outbound Provisioning Connectors section followed by the SCIM Provisioning Configuration section.
  5. Fill out the details in the form.

    Do the configurations as described in Configuring SCIM provisioning. The following are the configurations in brief.

    • Select Enable Connector to enable identity provisioning.

    • Enter the Username and Password used in the SCIM application.

    • Select the User Endpoint and Group Endpoint, which are SCIM endpoints.

    • User Store Domain is the user store that you need to provision users to.

    • Enable Password Provisioning lets you send a default password with the SCIM request and Default Password lets you specify the password.

  6. Click Register to save your changes.
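As an added illustration (not code from the WSO2 documentation or product), the following Python sketches what the SCIM connector settings above turn into on the wire: a SCIM user-create request to the User Endpoint carrying HTTP Basic credentials and, when password provisioning is enabled, the Default Password in the body. The endpoint URLs, credentials, SCIM 1.1 schema URN and domain-qualified username format are assumptions.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed sample values mirroring the SCIM Provisioning Configuration form
CONNECTOR_CONFIG = {
    "enabled": True,
    "username": "admin",                # constructed sample credentials
    "password": "admin-secret",
    "user_endpoint": "https://idp.example.com:9443/wso2/scim/Users",
    "group_endpoint": "https://idp.example.com:9443/wso2/scim/Groups",
    "user_store_domain": "PRIMARY",
    "enable_password_provisioning": True,
    "default_password": "Temp#Pass1",
}

SCIM_CORE_SCHEMA = "urn:scim:schemas:core:1.0"  # assumed SCIM 1.1 schema URN


def validate_connector_config(cfg):
    """Return a list of configuration problems (empty list means the config is usable)."""
    problems = []
    for key in ("user_endpoint", "group_endpoint"):
        if urlsplit(cfg[key]).scheme != "https":
            # Basic credentials (and any default password) would otherwise travel in clear text
            problems.append(f"{key} must use https")
    if cfg["enable_password_provisioning"] and not cfg["default_password"]:
        problems.append("default_password is required when password provisioning is enabled")
    return problems


def build_user_provisioning_request(cfg, username, emails):
    """Build (url, headers, body) for the SCIM user-create request the connector would send."""
    problems = validate_connector_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    token = base64.b64encode(f"{cfg['username']}:{cfg['password']}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
    body = {
        "schemas": [SCIM_CORE_SCHEMA],
        # Assumed domain-qualified form DOMAIN/username for the target user store
        "userName": f"{cfg['user_store_domain']}/{username}",
        "emails": [{"value": e} for e in emails],
    }
    if cfg["enable_password_provisioning"]:
        body["password"] = cfg["default_password"]  # only sent when the option is enabled
    return cfg["user_endpoint"], headers, json.dumps(body)
```

The validation step is the check to add before enabling the connector: a plain-http endpoint exposes the provisioning credentials and every default password sent with them.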


To apply outbound provisioning to any user management operation done via the Management Console, the SOAP API or the SCIM API, you must configure the outbound provisioning identity providers against the resident service provider. Based on that outbound configuration, users added from the Management Console can then also be provisioned to external systems such as Salesforce and Google Apps.

  1. Log on to the Management Console using your username and password.
  2. In the Main menu under the Identity section, click Resident under Service Providers.
  3. In the resulting screen, expand the Outbound Provisioning Configuration section.
  4. In the Outbound Provisioning Configuration section, do the following.
    1. Select the identity provider you added from the drop-down menu and click the add icon beside it. If you have not added an identity provider yet, this step is not possible.
    2. Once added, the identity provider is displayed as an entry in a list. Select scim from the drop-down to ensure that the SCIM operation is used for provisioning.
    3. The Blocking option, if enabled, means that the outbound provisioning request is blocked until the response is received. By default, the request is non-blocking.
    4. The Enable Rules option, if enabled, means that the outbound provisioning request is executed along with the enabled XACML rules.

  5. Click Update to save your configurations.
