This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Identity Synchronization Across Multiple Nodes

The WSO2 Identity Server supports identity provisioning with SCIM. This support is based on WSO2 Charon, WSO2's implementation of the SCIM specification.

To manage user identities across multiple nodes, every node must be synchronized whenever one node is updated. This section explains how to use SCIM to achieve that identity synchronization. The Identity Server can act as both a SCIM consumer and a SCIM service provider, and one instance can use both capabilities at the same time.

To demonstrate identity synchronization across multiple nodes, let's implement the following scenario:

  1. There are three nodes: CentralStore, Store1 and Store2.
  2. Users created in the CentralStore must be provisioned to both Store1 and Store2.
  3. Users created in Store1 must be provisioned to the CentralStore, and from there to Store2.
  4. Users created in Store2 must be provisioned to the CentralStore, and from there to Store1.

The following are the steps you need to follow to do this task:

  1. Set up three nodes.
  2. Register the Provisioning Administrators.
  3. Register Providers.
  4. Test Identity Synchronization.

To synchronize identity across multiple nodes:

Step 1: Set up three nodes

  1. Download Identity Server and unzip it into three folders named 'store1', 'central' and 'store2'.
    Since all three instances run on the same machine, you need to change the port offset of each instance so that their ports do not clash.
  2. Go to [IS_Home]/repository/conf and open carbon.xml. In the 'central' instance, set Ports->Offset to "1", and in the 'store2' instance, set Ports->Offset to "2". The 'store1' instance keeps the default offset of "0".
  3. Start the three instances.
    The three instances now listen on the following HTTPS ports:
    • store1: 9443
    • central: 9444
    • store2: 9445

Step 2: Register the Provisioning Administrators

Let's configure store1 first.

  1. Create user accounts in each node that have privileges to register SCIM providers and/or perform provisioning on behalf of each store.
  2. Go to the Management Console of the store1 IS instance by visiting the following link in a browser: https://localhost:9443/carbon/.
  3. Log in to the Management Console as the admin user.
  4. Go to the Configure menu and select Users and Roles.
  5. Create the 'centraladmin' and 'store2admin' user accounts. For more information on how to do this, see Configuring Users.
  6. Create a role called 'provisioning admin' with only the two permissions 'login' and 'Identity Provisioning', and assign that role to the above two users. Do not add them to the admin role: their credentials are stored by the remote node that provisions through them, so they should hold no more privilege than provisioning requires. For more information on how to do this, see Configuring Roles.

    The centraladmin account is the one the CentralStore authenticates with at Store1 when it provisions users created in the CentralStore to Store1.
    The store2admin account is the one the CentralStore authenticates with at Store1 when it relays users created in Store2 to Store1.
    The default admin user is used at Store1 itself to provision users created in Store1 to the CentralStore.

  7. Configure the CentralStore (create 'store1admin' and 'store2admin') and Store2 (create 'centraladmin' and 'store1admin') in the same way.

That is, create the relevant provisioning admin user accounts in the central store and store2 IS instances as well, and assign them to the 'provisioning admin' role with the same two permissions.

Step 3: Register Providers

To register SCIM Providers at the central store:

  1. Register global SCIM providers at the central store.
    Any user management operation performed by users in the admin role of the central store should be provisioned to store1 and store2.
    1. Log in as the default admin user in the central node (https://localhost:9444/carbon/admin/login.jsp).
    2. Access the Main menu and, under Manage, select SCIM from the menu items.
    3. Click Register New SCIM Provider.
    4. Register store1 as a global provider.
    5. Define a Provider Id, and provide the User Name and Password used to authenticate and authorize the provider at the SCIM provider node (in this case the centraladmin account, which was created in both store1 and store2). Additionally, add the URLs of the SCIM User Endpoint and Group Endpoint (for store1: https://localhost:9443/wso2/scim/Users and https://localhost:9443/wso2/scim/Groups).
    6. Register store2 as a global provider in the same way, pointing at the store2 endpoints (https://localhost:9445/wso2/scim/Users and https://localhost:9445/wso2/scim/Groups).
  2. Register SCIM providers specific to user accounts at the central store.
    Any provisioning request coming to the central store from store1 should be provisioned to all the other sub stores except store1 itself. The account that store1 authenticates with at the central store (store1admin) therefore determines which providers the central node forwards the request to.
    1. Log in to the central node as store1admin.
    2. Access the Main menu and, under My Identity, select My SCIM Providers from the menu items.
    3. Click Register New SCIM Provider.
    4. As store1admin, register store2 as a SCIM provider: define a Provider Id, provide the User Name and Password used to authenticate and authorize the provider at the SCIM provider node (again the centraladmin account), and add the URLs of the store2 SCIM User Endpoint and Group Endpoint.
    5. Log in to the central node as store2admin and register a SCIM provider pointing to the store1 endpoints in the same way.

Now the central node is configured for the provisioning scenario. Log in to the store1 and store2 IS instances as the default admin and register the central node (https://localhost:9444/wso2/scim/Users and https://localhost:9444/wso2/scim/Groups) as the global provider in both store1 and store2.

Make sure that you have created all the relevant provisioning admin user accounts in each IS node, given them the proper permissions, and registered the corresponding SCIM providers for each node. The complete set of providers and consumers per node is the same as in the provisioning-config.xml files at the end of this page.

Step 4: Test Identity Synchronization

To test Identity Synchronization:

  1. Log in to store1 as the default admin and create a user account.
  2. Observe the logs on the backend console of each node. The log entries indicate that the user created at store1 is also created at the central store and at store2. You can also log in to the Management Console of the central store and of store2 to verify that the user created in store1 is listed on the other two nodes as well.
  3. You can perform other user and role management operations in each node and verify whether they are synchronized with the other nodes. The following is the list of user management operations currently supported in WSO2 Identity Server for provisioning via SCIM:
    • Create User
    • Delete User
    • Update credential of the user by admin
    • Update the profile of a user by admin
    • Update the profile of a user by the user himself
    • Create Group
    • Delete Group
    • Add users to group by updating group (Update user list of role)
    • Rename Group

    The following user management operation is allowed by WSO2 Identity Server but is not currently provisioned via SCIM:

    1. Add users to a group by updating the user (updating the role list of the user).

The Identity Server also supports configuring SCIM providers through a configuration file, in addition to registering them through the user interface as described above. With the configuration file, it is the administrator of a particular node who configures all providers and consumers for that node, whereas in the user interface each provisioning admin registers their own SCIM providers.

To configure provisioning through the configuration file:

  1. Shut down all three IS instances.
  2. Open the configuration file of each instance: [IS_Home]/repository/conf/provisioning-config.xml.
  3. Replace the contents of each instance's provisioning-config.xml with the corresponding file shown below, and restart the instances.

Note that the provider passwords are stored in plain text in this file. Restrict read access to it, and use the dedicated provisioning admin accounts created in Step 2 (which hold only the 'login' and 'Identity Provisioning' permissions) as provider credentials rather than the default admin account.

store1 configuration file:

<provisioning-config>
    <scim-providers>
        <scim-provider id="central_store">
            <property name="userName">store1admin</property>
            <property name="password">store1admin</property>
            <property name="userEndpoint">https://localhost:9444/wso2/scim/Users</property>
            <property name="groupEndpoint">https://localhost:9444/wso2/scim/Groups</property>
        </scim-provider>
    </scim-providers>
    <scim-consumers>
        <scim-consumer id="carbon.super">
            <scim-provider id="central_store"></scim-provider>
        </scim-consumer>
    </scim-consumers>
</provisioning-config>

central store configuration file:

<provisioning-config>
    <scim-providers>
        <scim-provider id="store1">
            <property name="userName">centraladmin</property>
            <property name="password">centraladmin</property>
            <property name="userEndpoint">https://localhost:9443/wso2/scim/Users</property>
            <property name="groupEndpoint">https://localhost:9443/wso2/scim/Groups</property>
        </scim-provider>
        <scim-provider id="store2">
            <property name="userName">centraladmin</property>
            <property name="password">centraladmin</property>
            <property name="userEndpoint">https://localhost:9445/wso2/scim/Users</property>
            <property name="groupEndpoint">https://localhost:9445/wso2/scim/Groups</property>
        </scim-provider>
    </scim-providers>
    <scim-consumers>
        <scim-consumer id="carbon.super">
            <scim-provider id="store1"></scim-provider>
            <scim-provider id="store2"></scim-provider>
        </scim-consumer>
        <scim-consumer id="store1admin@carbon.super">
            <scim-provider id="store2"></scim-provider>
        </scim-consumer>
        <scim-consumer id="store2admin@carbon.super">
            <scim-provider id="store1"></scim-provider>
        </scim-consumer>
    </scim-consumers>
</provisioning-config>

store2 configuration file:

<provisioning-config>
    <scim-providers>
        <scim-provider id="central_store">
            <property name="userName">store2admin</property>
            <property name="password">store2admin</property>
            <property name="userEndpoint">https://localhost:9444/wso2/scim/Users</property>
            <property name="groupEndpoint">https://localhost:9444/wso2/scim/Groups</property>
        </scim-provider>
    </scim-providers>
    <scim-consumers>
        <scim-consumer id="carbon.super">
            <scim-provider id="central_store"></scim-provider>
        </scim-consumer>
    </scim-consumers>
</provisioning-config>
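To see why the per-account consumers in the central store's file are what keep a user created in store1 from being pushed back to store1, the following added example (it is not WSO2 code and not part of the original page) parses the three provisioning-config.xml files above and replays the forwarding rule described in Step 3. It is a model only: it assumes that the tenant-wide consumer 'carbon.super' applies to principals holding the admin role and that a 'user@carbon.super' consumer applies to that one user, which is how this page describes the two kinds of consumer, and that the receiving node treats the provider's userName as the acting principal. The names PORT_TO_NODE, provider_xml, parse_config, trace, echoed, check_deployment and misconfigured_store1 are introduced here, and the XML strings are trimmed copies of the files above with the passwords left out.

```python
"""Replay of the SCIM provisioning fan-out described on this page (added example,
not WSO2 code). Rule modelled: an operation by a principal holding the admin role is
forwarded to the providers under the tenant consumer 'carbon.super'; an operation by
principal P is also forwarded to the providers under 'P@carbon.super' if that consumer
exists; the receiving node treats the provider's userName as the acting principal."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

TENANT = "carbon.super"
PORT_TO_NODE = {9443: "store1", 9444: "central", 9445: "store2"}  # Step 1 port offsets


def provider_xml(pid, user, port):
    """Constructed helper: one <scim-provider> block in the page's format (password elided)."""
    return (f'<scim-provider id="{pid}"><property name="userName">{user}</property>'
            f'<property name="userEndpoint">https://localhost:{port}/wso2/scim/Users</property>'
            f'<property name="groupEndpoint">https://localhost:{port}/wso2/scim/Groups</property>'
            '</scim-provider>')


# Constructed copies of the three provisioning-config.xml files given on this page.
STORE1_XML = f"""<provisioning-config>
<scim-providers>{provider_xml('central_store', 'store1admin', 9444)}</scim-providers>
<scim-consumers><scim-consumer id="carbon.super"><scim-provider id="central_store"/></scim-consumer></scim-consumers>
</provisioning-config>"""
CENTRAL_XML = f"""<provisioning-config>
<scim-providers>{provider_xml('store1', 'centraladmin', 9443)}{provider_xml('store2', 'centraladmin', 9445)}</scim-providers>
<scim-consumers>
<scim-consumer id="carbon.super"><scim-provider id="store1"/><scim-provider id="store2"/></scim-consumer>
<scim-consumer id="store1admin@carbon.super"><scim-provider id="store2"/></scim-consumer>
<scim-consumer id="store2admin@carbon.super"><scim-provider id="store1"/></scim-consumer>
</scim-consumers>
</provisioning-config>"""
# store2's file differs from store1's only in the account it presents to central.
STORE2_XML = STORE1_XML.replace(">store1admin<", ">store2admin<")


def parse_config(xml_text):
    """providers: id -> {user, node behind userEndpoint}; consumers: id -> [provider ids]."""
    root = ET.fromstring(xml_text)
    providers = {}
    for p in root.findall("./scim-providers/scim-provider"):
        props = {prop.get("name"): prop.text for prop in p.findall("property")}
        node = PORT_TO_NODE[urlparse(props["userEndpoint"]).port]
        providers[p.get("id")] = {"user": props["userName"], "node": node}
    consumers = {c.get("id"): [sp.get("id") for sp in c.findall("scim-provider")]
                 for c in root.findall("./scim-consumers/scim-consumer")}
    return providers, consumers


def trace(configs, admins, origin, principal, max_hops=20):
    """Replay one operation; return the ordered list of (node, principal) deliveries.
    A node listed twice received the operation twice (an echo: a duplicate create or
    delete); exceeding max_hops means the consumer mappings form a loop."""
    deliveries = [(origin, principal)]
    queue = [(origin, principal)]
    while queue:
        node, who = queue.pop(0)
        providers, consumers = configs[node]
        targets = list(consumers.get(TENANT, [])) if who in admins[node] else []
        targets += consumers.get(f"{who}@{TENANT}", [])
        for pid in targets:
            hop = (providers[pid]["node"], providers[pid]["user"])
            deliveries.append(hop)
            if len(deliveries) > max_hops:
                raise RuntimeError(f"provisioning loop from {origin}: {deliveries}")
            queue.append(hop)
    return deliveries


def echoed(deliveries):
    """Nodes that received the same operation more than once."""
    nodes = [node for node, _ in deliveries]
    return {n for n in nodes if nodes.count(n) > 1}


CONFIGS = {"store1": parse_config(STORE1_XML), "central": parse_config(CENTRAL_XML),
           "store2": parse_config(STORE2_XML)}
# Only the default admin holds the admin role; the Step 2 provisioning admins hold just
# 'login' and 'Identity Provisioning', so a request arriving as them triggers no tenant fan-out.
ADMINS = {node: {"admin"} for node in CONFIGS}


def check_deployment(configs=CONFIGS, admins=ADMINS):
    """For a user created by the default admin on each node: (other nodes reached, echoes)."""
    result = {}
    for origin in configs:
        d = trace(configs, admins, origin, "admin")
        result[origin] = ({node for node, _ in d[1:]}, echoed(d))
    return result


def misconfigured_store1():
    """store1 presents central's default admin instead of store1admin: central then applies
    its tenant-wide consumer and sends the user straight back to store1."""
    configs = dict(CONFIGS, store1=parse_config(STORE1_XML.replace(">store1admin<", ">admin<")))
    return echoed(trace(configs, ADMINS, "store1", "admin"))
```

check_deployment() reports that a user created by the default admin on any node reaches exactly the other two nodes and echoes to none, which is the behaviour Step 4 asks you to verify in the logs. misconfigured_store1() shows what changes if store1 presented central's default admin credentials instead of the dedicated store1admin account: central's tenant-wide consumer would send the create straight back to store1, which is one concrete reason the least-privilege provisioning admin accounts of Step 2 matter beyond credential hygiene.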