This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Configuring Secondary Userstores for Inbound Provisioning

WSO2 Identity Server can be configured to behave as a SCIM service provider for the primary user store. See the topic on Identity Server as a SCIM Provider for more information on how this can be achieved. This topic provides instructions on how the Identity Server can be configured as a SCIM Service Provider for a secondary user store.

When a user or a group is created with SCIM, there is a set of specific values that needs to be saved along with the user or group. Some of these values are as follows.

  • urn:scim:schemas:core:1.0:userName
  • urn:scim:schemas:core:1.0:meta.location
  • urn:scim:schemas:core:1.0:meta.created
  • urn:scim:schemas:core:1.0:meta.lastModified
  • urn:scim:schemas:core:1.0:id

Unless your user store is a JDBC user store or the embedded LDAP (which comes with IS), you need to map how these values are stored in your user store. This mapping can be done in the claim mapping setup in the Identity Server. You can do the claim mapping for any primary user store. This process is explained here.

Now let's assume you have an AD user store as the primary user store and have done the claim mappings for the SCIM attributes. You then add an OpenLDAP user store as a secondary user store. The claim mappings done for AD may not suit the OpenLDAP attributes, so it must be possible to map claim attributes for the secondary user store as well. To do this, change the "Mapped Attribute" value as indicated below.

  1. Log into the WSO2 Identity Server and access the management console.
  2. In the Main menu of the management console, click List under Claims. See here for more information on claim management.
  3. Click one of the available claims. You can alternatively Add a New Claim Dialect if the claim you wish to modify is not available.
  4. Click Edit and set the Mapped Attribute field on the resulting page to the following format:
    {primary-attribute};{secondary user store domain}/{secondary-attribute}

You can now perform SCIM operations on the secondary user store as shown below. The secondary user store domain is prefixed to the userName or displayName (for example demo.com/venura), and the whole value must stay inside double quotes so that the JSON body remains valid.

User Creation

curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"kahawala","givenName":"venura"},"userName":"demo.com/venura","password":"testPwd123"}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

Update User

curl -v -k --user admin:admin -X PUT -d '{"schemas":[],"name":{"familyName":"kahawala","givenName":"venura"},"userName":"demo.com/venura","emails":[{"value":"venura@wso2.com","type":"work"},{"value":"vkahawala@gmail.com","type":"home"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users/334d988a-5e68-4594-8b96-356adeec29f1

Filter User

curl -v -k --user admin:admin "https://localhost:9443/wso2/scim/Users?filter=userName+Eq+%22demo.com/adam%22"

Create Group

curl -v -k --user admin:admin --data '{"displayName":"demo.com/Engineer","members":[{"value":"334d988a-5e68-4594-8b96-356adeec29f1","display":"venura"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups

Update Group

curl -v -k --user admin:admin -X PUT -d '{"displayName":"demo.com/Engineer","members":[{"value":"334d988a-5e68-4594-8b96-356adeec29f1","display":"venura"},{"value":"p09okhyt-5e68-4594-8mkj-356ade12we34","display":"testUser"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups/c4f6c973-bae6-4a03-b09f-2ad8629f406c

Filter Group

curl -v -k --user admin:admin "https://localhost:9443/wso2/scim/Groups?filter=displayName+Eq+%22demo.com/Engineer%22"

If the mapped attribute of the primary user store is also valid for the secondary user store, you do not need to repeat the attribute value for the secondary domain in the claim mapping; the primary attribute is used for that domain.

Add new member to a group

curl -v -k --user admin:admin -X PATCH -d '{"displayName":"US2/secEngineer","members":[{"value":"4a0fcb2b-efff-4dc2-ad2d-a25f0a814bd3","display":"US2/secUser1"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups/81d9bab2-d798-433d-af9e-b9d960cf358c

Delete a user from a group

curl -v -k --user admin:admin -X PATCH -d '{"displayName":"US2/secEngineer","members":[{"value":"4a0fcb2b-efff-4dc2-ad2d-a25f0a814bd3","display":"US2/secuser1","operation":"delete"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups/81d9bab2-d798-433d-af9e-b9d960cf358c

Add a new member and delete a member at the same time

curl -v -k --user admin:admin -X PATCH -d '{"displayName":"US2/secEngineer","members":[{"value":"4a0fcb2b-efff-4dc2-ad2d-a25f0a814bd3","display":"US2/secuser1"},{"value":"b2f5182d-ebfc-4b74-b0db-537e8dba38c3","display":"US2/secuser5","operation":"delete"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Groups/81d9bab2-d798-433d-af9e-b9d960cf358c
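As an added example (not WSO2 code), the following Python models the Mapped Attribute rule from step 4 and the fallback to the primary attribute described above, and resolves which attribute a request for a domain-qualified name such as demo.com/adam or US2/secUser1 reaches. It assumes further secondary domains can be appended with ";", that user store domain names compare case-insensitively, and that the primary store is named PRIMARY; all sample values are constructed.

```python
"""Added example, not WSO2 code: models how a Mapped Attribute value of the form
{primary-attribute};{secondary-domain}/{secondary-attribute} is resolved for a
domain-qualified SCIM name such as demo.com/venura. Assumptions: further
secondary domains may be appended with ';', user store domain names compare
case-insensitively, and the primary store is called PRIMARY. Sample values are
constructed."""
import json

PRIMARY_DOMAIN = "PRIMARY"  # assumed default name of the primary user store


def parse_mapped_attribute(mapped: str) -> tuple:
    """'uid;demo.com/cn' -> ('uid', {'DEMO.COM': 'cn'})."""
    parts = [p.strip() for p in mapped.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty Mapped Attribute value")
    primary, secondary = parts[0], {}
    for part in parts[1:]:
        if "/" not in part:
            raise ValueError(f"secondary mapping {part!r} has no domain prefix")
        domain, attr = part.split("/", 1)
        secondary[domain.strip().upper()] = attr.strip()
    return primary, secondary


def split_qualified_name(name: str) -> tuple:
    """'demo.com/venura' -> ('DEMO.COM', 'venura'); a bare name is primary."""
    if "/" in name:
        domain, local = name.split("/", 1)
        return domain.upper(), local
    return PRIMARY_DOMAIN, name


def resolve_claim(mapped: str, qualified_name: str) -> tuple:
    """Return (domain, attribute, local value) that a lookup on a SCIM
    userName or displayName touches. A secondary domain without its own
    mapping falls back to the primary attribute, as the page states."""
    primary, secondary = parse_mapped_attribute(mapped)
    domain, local = split_qualified_name(qualified_name)
    return domain, secondary.get(domain, primary), local


def user_payload(qualified_name: str, given: str, family: str, password: str) -> str:
    """Body for POST /wso2/scim/Users. json.dumps keeps userName inside
    double quotes, which a hand-written curl body must also do."""
    body = {"schemas": [], "name": {"familyName": family, "givenName": given},
            "userName": qualified_name, "password": password}
    return json.dumps(body)
```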