This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Setting Up Service Provider for Inbound Provisioning

Inbound provisioning configurations can be defined in the service provider configuration in the admin console of the Identity Server.

This can be done using either of the following two methods.

Configuring the Resident Service Provider

Configuring the resident service provider is particularly useful if your application does not support OAuth. You can send SCIM requests, secured using HTTP basic authentication, to the SCIM endpoints in the Identity Server. If you have configured multiple user stores with the Identity Server, you can specify the user store domain to which the user is provisioned.

Configuring the Identity Server for provisioning

The following steps provide instructions on how to configure this.

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. In the Main menu under the Identity section, click Resident under Service Providers.
  3. In the page that appears, expand the Inbound Provisioning Configuration section.

    When configuring Inbound Provisioning Configuration, you can enable dumb mode for inbound provisioning by selecting the check box available there. When this is enabled, users and groups are not provisioned to the user store; they are only outbound provisioned.

  4. From the dropdown available, select the user store domain you prefer.

    Tip: If you do not specify a user store domain in the configuration (that is, you leave the dropdown without a selection), the user is created in the user store domain that is contained in the request. For example, in the SCIM provisioning request, you can send the user name in the following format.

    {Domain-Name}/username

    If the Domain-Name is not specified with the username, the user is provisioned to the primary user store.

    However, if you specify the user store in the configuration, the user is created in the configured user store domain regardless of what is specified in the request.

  5. Click Update to save your configurations.

 

Testing the provisioning

To confirm that the provisioning works, do the following.

  1. Execute the following curl request (which will use SCIM to create a new user).

    curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"mervyn","givenName":"samuel"},"userName":"samuel","password":"samuel","emails":[{"primary":true,"value":"samuel@wso2.com"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

    Refer to the SCIM 1.1 APIs page for more details on SCIM.

  2. On the Management Console, click Users and Roles in the Identity menu in the Main tab.
  3. Click List, then click Users, and check if the user you added is listed in the user management user interface. If the user has been created in the configured or requested user store, the provisioning has worked successfully.

Configuring a Service Provider

It is more appropriate to configure a service provider if your application offers support for OAuth. This is also the more appropriate configuration if you do not want to create the user in the Identity Server user store. When the resident service provider configuration is used, it allows outbound provisioning while the user is created in the Identity Server and its user store. When using service provider configurations instead, you can select the preferred identity provider and connector for outbound provisioning.

Configuring the Identity Server for provisioning

The following steps provide instructions on how to configure the service provider.

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. Navigate to the Identity menu in the Main tab. Click Add under Service Providers.
  3. Fill in the Service Provider Name and provide a brief Description of the service provider. Only Service Provider Name is a required field.
  4. Expand the Inbound Provisioning Configuration section and select the user store from the dropdown.

    When configuring Inbound Provisioning Configuration, you can enable dumb mode for inbound provisioning by selecting the check box available there. When this is enabled, users and groups are not provisioned to the user store; they are only outbound provisioned.

  5. Click Update to save your configurations.

Compared with the request sent to the resident service provider, this request replaces the HTTP basic authentication header with an access token. You can use the client credentials or the resource owner grant type to obtain the access token.

Obtaining an OAuth access token

For the purposes of this example, the access token was obtained by configuring an OAuth service provider.

  1. Sign in. Enter your username and password to log on to the Management Console. 
  2. Navigate to the Identity menu in the Main tab. Click List under Service Providers.
  3. Find the service provider you just created and click Edit.
  4. In the form that appears, expand the Inbound Authentication Configuration and then the OAuth/OpenID Connect Configuration and click Configure.

     
  5. Fill in the form that appears.

    Here we use the playground sample as the Callback Url for the purposes of this example scenario.
  6. Click Add.
  7. We now have an OAuth Client Key and OAuth Client Secret. Click Show to view the OAuth Client Secret.
  8. Use a service like Base64 to encode your OAuth Client Key and OAuth Client Secret. For this example, click Encode and enter your client key and client secret separated by a colon ":". Click the > ENCODE < button to encode this.

  9. Use the encoded value to generate the access token by inserting it into the following cURL command after Basic.

    curl -v -X POST -H "Authorization: Basic N2pHaXl5NnRmcl9RSXp2NGZRSUYzcG92aDJRYTpDd09fRWVBdndLaW1vT0pOc0VGdWNHYjIzNWNh" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=password&username=admin&password=admin" https://localhost:9443/oauth2/token

    The access token can be found in the output.

     

  10. The access token is then entered in the provisioning request after Bearer.

Testing the provisioning

To confirm that the provisioning works, do the following.

  1. Execute the following curl request (which will use SCIM to create a new user).

    curl -v -k --header "Authorization: Bearer 955fded39fc6cb08525b5f2a35b3e2e"  --data '{"schemas":[],"name":{"familyName":"fernando","givenName":"yohanna"},"userName":"yohanna","password":"yohanna","emails":[{"primary":true,"value":"yohanna@wso2.com"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

    Refer to the SCIM 1.1 APIs page for more details on SCIM.

  2. On the Management Console, click Users and Roles in the Identity menu in the Main tab.
  3. Click List, then click Users, and check if the user you added is listed in the user management user interface. If the user has been created in the configured or requested user store, the provisioning has worked successfully.
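
The token and provisioning steps above can also be scripted so that the client secret is Base64-encoded locally and never leaves the machine. The following is an added example, not code from the WSO2 documentation. The function names, the IS_HOST variable and the "run" argument are hypothetical; the endpoints, grant type and payload are the ones used in the curl commands on this page.

```sh
#!/bin/sh
# Added example, not WSO2 code. Function names and IS_HOST are hypothetical;
# the endpoints are the ones used in the curl commands on this page.
IS_HOST="${IS_HOST:-https://localhost:9443}"

# Value that follows "Basic ": base64 of "<client key>:<client secret>".
# printf avoids encoding a trailing newline (echo would add one), and tr
# strips the line wrapping that base64 adds to long output.
basic_credential() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Extract access_token from the token endpoint's JSON response body.
# Prints nothing if the response carries no access_token (e.g. an error).
access_token_from() {
  printf '%s' "$1" |
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Password-grant token request (step 9).
# $1 client key, $2 client secret, $3 username, $4 password
request_token() {
  curl -s -k -X POST \
    -H "Authorization: Basic $(basic_credential "$1" "$2")" \
    -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
    --data-urlencode "grant_type=password" \
    --data-urlencode "username=$3" --data-urlencode "password=$4" \
    "$IS_HOST/oauth2/token"
}

# SCIM create-user request (step 10 and the test). $1 token, $2 JSON payload
create_user() {
  curl -s -k -H "Authorization: Bearer $1" \
    -H "Content-Type:application/json" --data "$2" "$IS_HOST/wso2/scim/Users"
}

# Only touches the network when invoked as: sh provision.sh run KEY SECRET
if [ "${1:-}" = "run" ]; then
  token=$(access_token_from "$(request_token "$2" "$3" admin admin)")
  [ -n "$token" ] || { echo "no access token in response" >&2; exit 1; }
  create_user "$token" '{"schemas":[],"name":{"familyName":"fernando","givenName":"yohanna"},"userName":"yohanna","password":"yohanna","emails":[{"primary":true,"value":"yohanna@wso2.com"}]}'
fi
```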