This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Configuring Secondary Userstores for Inbound Provisioning
WSO2 Identity Server can be configured to behave as a SCIM service provider for the primary user store. See the topic on Identity Server as a SCIM Provider for more information on how this can be achieved. This topic provides instructions on how the Identity Server can be configured as a SCIM Service Provider for a secondary user store.
When a user or a group is created with SCIM, there is a set of specific values that must be saved along with the user or group. Some of these values are as follows.
urn:scim:schemas:core:1.0:userName
urn:scim:schemas:core:1.0:meta.location
urn:scim:schemas:core:1.0:meta.created
urn:scim:schemas:core:1.0:meta.lastModified
urn:scim:schemas:core:1.0:id
Unless your user store is a JDBC user store or the embedded LDAP that ships with the Identity Server, you need to map how these values are stored in your user store. This mapping is done in the claim mapping setup of the Identity Server and can be done for any primary user store. This process is explained here.
Now let's assume you have an Active Directory (AD) user store as the primary user store and have done the claim mappings for the SCIM attributes. You then add a secondary user store, which is an OpenLDAP. In this scenario, the claim mappings done for AD may not suit the OpenLDAP attributes, so it must be possible to map claim attributes for the secondary user store as well. To do this, change the "Mapped Attribute" value as indicated below.
- Log into the WSO2 Identity Server and access the management console.
- In the Main menu of the management console, click List under Claims. See here for more information on claim management.
- Click one of the available claims. You can alternatively Add a New Claim Dialect if the claim you wish to modify is not available.
- Click Edit and, in the resulting page, set the Mapped Attribute field using the following format:
{primary-attribute};{secondary user store domain}/{secondary-attribute}
Now you can perform SCIM operations on the secondary user store as shown below. The user store domain is given as a prefix on the userName or displayName value.
User Creation
curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"kahawala","givenName":"venura"},"userName":"demo.com/venura","password":"testPwd123"}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users
Update User
curl -v -k --user admin:admin -X PUT -d '{"schemas":[],"name":{"familyName":"kahawala","givenName":"venura"},"userName":"demo.com/venura","emails":[{"value":"venura@wso2.com","type":"work"},{"value":"vkahawala@gmail.com","type":"home"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users/334d988a-5e68-4594-8b96-356adeec29f1
Filter User
curl -v -k --user admin:admin https://localhost:9443/wso2/scim/Users?filter=userName+Eq+%22demo.com/adam%22
Create Group
curl -v -k --user admin:admin --data '{"displayName": "demo.com/Engineer","members": [{"value":"334d988a-5e68-4594-8b96-356adeec29f1","display": "venura"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups
Update Group
curl -v -k --user admin:admin -X PUT -d '{"displayName": "demo.com/Engineer","members": [{"value":"334d988a-5e68-4594-8b96-356adeec29f1","display": "venura"}, {"value":"p09okhyt-5e68-4594-8mkj-356ade12we34","display": "testUser"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups/c4f6c973-bae6-4a03-b09f-2ad8629f406c
Filter Group
curl -v -k --user admin:admin "https://localhost:9443/wso2/scim/Groups?filter=displayName+Eq+%22demo.com/Engineer%22"
If the attribute mapped for the primary user store already matches the attribute name in the secondary user store, you do not need to repeat the attribute value in the claim mapping for the secondary domain.
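The following is an added example, not WSO2 code, illustrating both the "Mapped Attribute" format above and the fallback rule just stated: it parses a mapped attribute value of the form {primary-attribute};{secondary user store domain}/{secondary-attribute} (generalised to any number of domain entries), and resolves which attribute applies to a user by the domain prefix on the userName. The claim URIs are the page's; the domain names and the AD/LDAP attribute names are constructed sample values, and treating domain names as case-insensitive is an assumption made here.

```python
"""Resolve a WSO2 claim "Mapped Attribute" value for a given user store domain.

Added example, not WSO2 code. It models the format given on this page,
{primary-attribute};{secondary user store domain}/{secondary-attribute},
generalised to any number of ';'-separated domain entries, and applies the
rule that a domain without an entry of its own falls back to the primary
attribute. Domain names and AD/LDAP attribute names below are constructed
sample values; case-insensitive domain comparison is an assumption.
"""

PRIMARY = ""  # key used for the primary (un-prefixed) user store


def parse_mapped_attribute(value):
    """'sAMAccountName;demo.com/uid' -> {'': 'sAMAccountName', 'DEMO.COM': 'uid'}.
    Raises ValueError for an empty, incomplete or duplicated entry, or when
    no primary attribute is present."""
    mapping = {}
    for entry in value.split(";"):
        entry = entry.strip()
        domain, sep, attr = entry.partition("/")
        if not sep:                      # no '/': this is the primary attribute
            domain, attr = PRIMARY, entry
        domain = domain.upper()          # assumption: domains compare case-insensitively
        if not attr or (sep and not domain):
            raise ValueError(f"malformed entry {entry!r} in {value!r}")
        if domain in mapping:
            raise ValueError(f"domain {domain or 'PRIMARY'} mapped twice in {value!r}")
        mapping[domain] = attr
    if PRIMARY not in mapping:
        raise ValueError(f"no primary attribute in {value!r}")
    return mapping


def resolve_attribute(mapping, domain=PRIMARY):
    """Attribute to read or write for the given domain. A secondary store with
    no entry of its own uses the primary attribute, which is why a value that
    already matches need not be repeated in the claim mapping."""
    return mapping.get(domain.upper(), mapping[PRIMARY])


def split_domain(qualified_name):
    """'demo.com/venura' -> ('demo.com', 'venura'); 'venura' -> ('', 'venura')."""
    domain, sep, name = qualified_name.partition("/")
    return (domain, name) if sep else (PRIMARY, qualified_name)


def store_attributes(claim_mappings, qualified_user_name, claim_values):
    """Translate SCIM claim values for one user into the attribute names of
    the store that user lives in, chosen by the domain prefix of userName.
    claim_mappings: {claim_uri: mapped_attribute_string}."""
    domain, _ = split_domain(qualified_user_name)
    return {
        resolve_attribute(parse_mapped_attribute(mapped), domain): claim_values[uri]
        for uri, mapped in claim_mappings.items()
        if uri in claim_values
    }


if __name__ == "__main__":
    # Constructed sample: AD primary store, OpenLDAP secondary store "demo.com".
    mappings = {
        "urn:scim:schemas:core:1.0:userName": "sAMAccountName;demo.com/uid",
        "urn:scim:schemas:core:1.0:id": "objectGUID;demo.com/entryUUID",
        # no secondary entry: the primary attribute is used for every domain
        "urn:scim:schemas:core:1.0:meta.created": "whenCreated",
    }
    values = {
        "urn:scim:schemas:core:1.0:userName": "venura",
        "urn:scim:schemas:core:1.0:id": "334d988a-5e68-4594-8b96-356adeec29f1",
        "urn:scim:schemas:core:1.0:meta.created": "2015-01-01T00:00:00Z",
    }
    print(store_attributes(mappings, "demo.com/venura", values))  # secondary store names
    print(store_attributes(mappings, "venura", values))           # primary store names
```

Malformed values (a domain entry with no attribute, a duplicated domain, or no primary entry at all) are rejected rather than silently falling back, so a mistyped mapping surfaces at configuration time instead of as a user written to the wrong attribute.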
Add new member to a group
curl -v -k --user admin:admin -X PATCH -d '{"displayName": "US2/secEngineer","members": [{"value":"4a0fcb2b-efff-4dc2-ad2d-a25f0a814bd3","display": "US2/secUser1"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups/81d9bab2-d798-433d-af9e-b9d960cf358c
Delete a user from a group
curl -v -k --user admin:admin -X PATCH -d '{"displayName": "US2/secEngineer","members": [{"value":"4a0fcb2b-efff-4dc2-ad2d-a25f0a814bd3","display": "US2/secuser1","operation":"delete"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups/81d9bab2-d798-433d-af9e-b9d960cf358c
Add a new member and delete a member at the same time
curl -v -k --user admin:admin -X PATCH -d '{"displayName": "US2/secEngineer","members": [{"value":"4a0fcb2b-efff-4dc2-ad2d-a25f0a814bd3","display": "US2/secuser1"},{"value":"b2f5182d-ebfc-4b74-b0db-537e8dba38c3","display": "US2/secuser5","operation":"delete"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups/81d9bab2-d798-433d-af9e-b9d960cf358c
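The requests above are easy to get wrong by hand, because the domain-qualified userName and displayName values and the "operation":"delete" member entries are all carried inside a JSON body that is itself inside a shell-quoted argument. The following added example, which is not WSO2 code, builds those bodies and filter URLs programmatically and renders the equivalent curl line with correct quoting; it makes no network call, so it runs offline. SCIM_BASE, the "demo.com" and "US2" domains and the member ids are sample values taken from or modelled on this page.

```python
"""Build SCIM 1.1 request bodies and filter URLs for users and groups in a
secondary user store.

Added example, not WSO2 code. It constructs the JSON payloads and URLs that
the curl commands on this page send, and nothing more: no network call is
made. SCIM_BASE, the "demo.com" / "US2" domains and the member ids are
sample values taken from or modelled on the page's examples.
"""
import json
import shlex
from urllib.parse import urlencode

SCIM_BASE = "https://localhost:9443/wso2/scim"  # assumed local Identity Server


def qualify(domain, name):
    """Prefix a user or group name with its user store domain. An empty
    domain means the primary store, which takes no prefix."""
    return f"{domain}/{name}" if domain else name


def user_payload(domain, user_name, given, family, password=None, emails=()):
    """Body for POST /Users (with password) or PUT /Users/{id} (with emails).
    emails is a sequence of (address, type) pairs."""
    body = {
        "schemas": [],
        "name": {"familyName": family, "givenName": given},
        "userName": qualify(domain, user_name),
    }
    if password is not None:
        body["password"] = password
    if emails:
        body["emails"] = [{"value": addr, "type": kind} for addr, kind in emails]
    return body


def group_patch(domain, group_name, add=(), delete=()):
    """Body for PATCH /Groups/{id}. add and delete are sequences of
    (member_id, display_name) pairs; removed members carry
    "operation": "delete", added members carry no operation key."""
    members = [{"value": mid, "display": qualify(domain, name)} for mid, name in add]
    members += [{"value": mid, "display": qualify(domain, name), "operation": "delete"}
                for mid, name in delete]
    return {"displayName": qualify(domain, group_name), "members": members}


def filter_url(resource, attribute, domain, value):
    """URL such as .../Users?filter=userName+Eq+%22demo.com/adam%22. The whole
    filter expression is URL-encoded; '/' is kept literal, as on this page."""
    expr = f'{attribute} Eq "{qualify(domain, value)}"'
    return f"{SCIM_BASE}/{resource}?" + urlencode({"filter": expr}, safe="/")


def curl_command(method, url, body=None):
    """Render the equivalent curl line. shlex.quote wraps the JSON in a
    single-quoted shell word and escapes any embedded quote, so the body
    reaches the server exactly as json.dumps produced it."""
    parts = ["curl", "-k", "--user", "admin:admin", "-X", method]
    if body is not None:
        parts += ["--header", "Content-Type:application/json",
                  "-d", shlex.quote(json.dumps(body, separators=(",", ":")))]
    parts.append(shlex.quote(url))
    return " ".join(parts)


if __name__ == "__main__":
    print(curl_command("POST", f"{SCIM_BASE}/Users",
                       user_payload("demo.com", "venura", "venura", "kahawala",
                                    password="testPwd123")))
    print(curl_command("PATCH", f"{SCIM_BASE}/Groups/81d9bab2-d798-433d-af9e-b9d960cf358c",
                       group_patch("US2", "secEngineer",
                                   add=[("4a0fcb2b-efff-4dc2-ad2d-a25f0a814bd3", "secuser1")],
                                   delete=[("b2f5182d-ebfc-4b74-b0db-537e8dba38c3", "secuser5")])))
    print(curl_command("GET", filter_url("Users", "userName", "demo.com", "adam")))
```

Because the bodies are built as dicts and serialised with json.dumps, a name containing a quote or a slash cannot break the JSON or escape the shell word, and the same functions can be reused against any domain simply by changing the domain argument.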