This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, go to https://wso2.com/documentation/.

Outbound Provisioning with SCIM

Configuring an identity provider

To start off, you must configure a trusted identity provider that has the ability to accept the provisioning request from Identity Server.

Tip: When configuring the identity provider to provision users using SCIM, you must ensure that the trusted identity provider can accept SCIM requests. For the purposes of this example scenario, you can use another Identity Server as your identity provider. The configurations in this topic are done to reflect this.

The following steps provide instructions on how to create a new trusted identity provider in the Identity Server.

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers.
  3. Fill in the details in the Basic Information section. 

    Note the following when filling the above form.
    • The Identity Provider Name should be unique.
    • The Home Realm Identifier is a value that the identity provider sends with its messages; the Identity Server uses it to recognise which identity provider a message belongs to.
    • The Alias is the identifier under which this Identity Server is registered on the trusted identity provider side, so that both sides refer to the same entity.
  4. Expand the Outbound Provisioning Connectors section followed by the SCIM Provisioning Configuration section.
  5. Fill out the details in the form.

    Configure the following fields.

    Field                          Description
    Enable Connector               Select this to enable identity provisioning through SCIM.
    Username                       The username of the SCIM account on the trusted identity provider. In this example you can use the Identity Server username, as another Identity Server is the trusted identity provider. The connector sends this and the password as HTTP Basic credentials, so the endpoints below must be https URLs.
    Password                       The password of the SCIM account on the trusted identity provider. In this example you can use the Identity Server password.
    User Endpoint                  SCIM exposes both users and groups. This is the URL of the Users resource on the Identity Server that acts as the trusted identity provider (for another Identity Server, https://<host>:<port>/wso2/scim/Users).
    Group Endpoint                 The URL of the Groups resource. It is left empty in this example, as the focus is on provisioning users rather than groups.
    User Store Domain              The user store in which provisioned users are created. You can specify any user store connected to the trusted identity provider.
    Enable Password Provisioning   Select this to send the user's own password in the provisioning request.
    Default Password               Used as the password of every provisioned user when Enable Password Provisioning is not selected. Because all such users then share this value on the target system, treat it as a shared secret and require the users to change it after first sign-in.
  6. Click Register to save your changes.
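As an added illustration (not code from the WSO2 product), the following Python script shows what the connector configured above does on the wire: it builds the SCIM 1.1 User resource, applies the Enable Password Provisioning / Default Password rule from the table, and POSTs it to the User Endpoint with HTTP Basic credentials. A small mock of the trusted identity provider's /Users endpoint is constructed inline so the exchange runs offline; the dictionary key names, the mock server, the sample users and their passwords are all assumptions made for the example, and plain http is used only because the mock has no TLS.

```python
import base64
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

SCIM_CORE_SCHEMA = "urn:scim:schemas:core:1.0"  # SCIM 1.1 core schema URI


def scim_user_payload(connector, username, password):
    """Build the SCIM 1.1 User resource to POST, applying the password rule from the table.

    `connector` holds the form fields under hypothetical key names:
    enable_password_provisioning (bool) and default_password (str or None).
    """
    user = {"schemas": [SCIM_CORE_SCHEMA], "userName": username}
    if connector["enable_password_provisioning"]:
        user["password"] = password                        # the user's own password is sent
    elif connector.get("default_password"):
        user["password"] = connector["default_password"]   # every user gets the shared default
    else:
        raise ValueError("Enable Password Provisioning is off and no Default Password is set")
    return user


def provision_user(connector, username, password, timeout=5):
    """POST the user to the User Endpoint with HTTP Basic auth and wait for the reply.

    Returns (HTTP status, parsed JSON body); a 4xx/5xx reply is returned rather than
    raised so the caller can see how the trusted identity provider rejected the request.
    """
    body = json.dumps(scim_user_payload(connector, username, password)).encode()
    creds = base64.b64encode(f"{connector['username']}:{connector['password']}".encode()).decode()
    req = request.Request(
        connector["user_endpoint"], data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": "Basic " + creds})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


class MockScimUsersHandler(BaseHTTPRequestHandler):
    """Stand-in for the trusted Identity Server's /Users endpoint (constructed for this example)."""
    expected_auth = "Basic " + base64.b64encode(b"admin:admin").decode()
    created = []  # users the mock accepted, including the password each arrived with

    def do_POST(self):
        if self.headers.get("Authorization") != self.expected_auth:
            self._reply(401, {"Errors": [{"description": "unauthorized", "code": "401"}]})
            return
        user = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        if not self.path.endswith("/Users") or SCIM_CORE_SCHEMA not in user.get("schemas", []):
            self._reply(400, {"Errors": [{"description": "bad request", "code": "400"}]})
            return
        user["id"] = f"id-{len(self.created) + 1}"
        self.created.append(user)
        # a SCIM server never echoes the password back; neither does the mock
        self._reply(201, {k: v for k, v in user.items() if k != "password"})

    def _reply(self, status, obj):
        data = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def demo():
    """Run three provisioning attempts against the mock endpoint and report what reached it."""
    MockScimUsersHandler.created.clear()
    server = HTTPServer(("127.0.0.1", 0), MockScimUsersHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    # plain http only because the mock has no TLS; a real User Endpoint must be https
    base = {"username": "admin", "password": "admin",
            "user_endpoint": f"http://127.0.0.1:{server.server_port}/wso2/scim/Users"}
    try:
        # 1. password provisioning on: alice's own password travels in the request
        s1, _ = provision_user({**base, "enable_password_provisioning": True}, "alice", "Al1ce-Pass")
        # 2. password provisioning off: bob is created with the connector's Default Password
        s2, _ = provision_user({**base, "enable_password_provisioning": False,
                                "default_password": "ChangeMe!2024"}, "bob", "B0b-Pass")
        # 3. wrong SCIM credentials: the trusted identity provider rejects the request
        s3, err = provision_user({**base, "password": "wrong", "enable_password_provisioning": True},
                                 "carol", "C4rol-Pass")
    finally:
        server.shutdown()
        server.server_close()
    stored = {u["userName"]: u["password"] for u in MockScimUsersHandler.created}
    return {"alice": s1, "bob": s2, "carol": s3, "stored": stored, "error": err}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script shows the point of the Default Password caveat directly: with password provisioning disabled, the password stored for bob on the target is the connector's shared default, not the one bob chose, while the request made with the wrong SCIM credentials never creates a user at all.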

Configuring outbound provisioning

There are two options available to configure outbound provisioning in the Identity Server.

Configuring a resident service provider

User management operations performed through the management console, the SOAP admin services or the SCIM API are not tied to any particular service provider. To provision the users created by those operations, you must configure the outbound provisioning identity providers against the resident service provider. With that configuration in place, users added from the management console are also provisioned to external systems such as Salesforce and Google Apps.

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. In the Main menu under the Identity section, click List under Service Providers. The list of service providers you added appears.
  3. Click the Resident Service Provider link.
  4. In the resulting screen, expand the Outbound Provisioning Configuration section.

    In the Outbound Provisioning Configuration section, do the following.
    1. Select the identity provider you added from the dropdown menu and click the add button beside it. If you have not added an identity provider yet, this step is not possible.
    2. Once added, the identity provider is displayed as an entry in a list. Select scim from the dropdown to ensure that the SCIM connector is used for provisioning.
    3. There is another option called Blocking. If enabled, the user management operation waits until the outbound provisioning response is received, so a failure at the trusted identity provider is reported back to the caller. By default, requests are non-blocking.
  5. Click Update to save your configurations.

Configuring a service provider

If your application supports OAuth, you can register it as a service provider and configure outbound provisioning against that service provider instead of the resident service provider. The outbound provisioning configuration then applies to the user operations performed through that application.

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
  3. Fill in the Service Provider Name and provide a brief Description of the service provider. Only Service Provider Name is a required field.
  4. In the screen that appears, expand the Outbound Provisioning Configuration section.
    In the Outbound Provisioning Configuration section, do the following.
    1. Select the identity provider you added from the dropdown menu and click the add button beside it. If you have not added an identity provider yet, this step is not possible.
    2. Once added, the identity provider is displayed as an entry in a list. Select scim from the dropdown to ensure that the SCIM connector is used for provisioning.
    3. There is another option called Blocking. If enabled, the user management operation waits until the outbound provisioning response is received, so a failure at the trusted identity provider is reported back to the caller. By default, requests are non-blocking.
    4. You can also select the Enable JIT checkbox. With this enabled, a user who is just-in-time provisioned into the Identity Server after authenticating through a federated authenticator is also provisioned outbound to this identity provider.
  5. Click Update to save your configurations.