This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Identity Synchronization Across Multiple Nodes
The WSO2 Identity Server (IS) supports identity provisioning with SCIM (System for Cross-domain Identity Management). This support is based on WSO2 Charon, WSO2's implementation of the SCIM specification.
In order to manage user identities across multiple nodes, the nodes must be synchronized so that an update made on one node is reflected on all the others. This section describes how to leverage SCIM to achieve identity synchronization. The Identity Server can act as both a SCIM consumer and a SCIM service provider, and both capabilities can be used at once.
To demonstrate identity synchronization across multiple nodes consider the following scenario:
- There are three nodes: CentralStore, Store1 and Store2.
- Users created in the CentralStore must be provisioned to both Store1 and Store2.
- Users created in Store1 must be provisioned to the CentralStore, and from there to Store2.
- Users created in Store2 must be provisioned to the CentralStore, and from there to Store1.
Follow the steps below to implement this scenario:
Step 1: Set up three nodes
- Download the Identity Server and unzip it into three folders named 'Store1', 'CentralStore' and 'Store2'.
- Open the [IS_Home]/repository/conf/carbon.xml file of each instance and change the <Offset> tag as follows:
  - Store1 - The offset should be 0
  - CentralStore - The offset should be 1
  - Store2 - The offset should be 2
The port offset of each IS instance is changed because you are running all three nodes on the same machine, and each instance needs its own set of ports.
Run the three instances. For more information on how to do this, see Running a Product. The three instances will now be running on the following HTTPS ports:
- Store1 - 9443
- CentralStore - 9444
- Store2 - 9445
Step 2: Register the SCIM providers
- Open the Management Console of the CentralStore IS instance at https://localhost:9444/carbon/.
- Log in to the Management Console as the admin (credentials: admin/admin).
- Click Add under the Identity Provider section in the Main menu and add an identity provider for 'Store1'. Enter an identity provider name and expand the Outbound Provisioning Connectors > SCIM Provisioning Configuration section. Fill in the following details, select Enable identity provisioning to a SPML domain and click Register. For more information, see Adding an Identity Provider.
  - Username: admin
  - Password: admin
  - User Endpoint: https://localhost:9443/wso2/scim/Users
  - Group Endpoint: https://localhost:9443/wso2/scim/Groups
  - User Store Domain: (leave empty)
  The User Endpoint and Group Endpoint must point to Store1's own SCIM endpoint URLs. You can find these in the Store1 IS instance at Main > Identity Provider > List > Resident Identity Provider, in the Inbound Provisioning Configuration section.
- Repeat the previous step to register Store2 as an identity provider. When registering Store2, the User Endpoint and Group Endpoint URLs use port 9445 (e.g., https://localhost:9445/wso2/scim/Users and https://localhost:9445/wso2/scim/Groups).
- Navigate to Main > Service Provider > List > Resident Service Provider and expand the Outbound Provisioning Configuration section. Add Store1 and Store2 as outbound provisioning identity providers and click Update.
- Log in to the Store1 and Store2 IS instances and follow the identity provider registration step above to register the CentralStore as an identity provider. When registering the CentralStore, the User Endpoint and Group Endpoint URLs use port 9444 (e.g., https://localhost:9444/wso2/scim/Users).
- In the Store1 instance, navigate to Main > Service Provider > List > Resident Service Provider, expand the Outbound Provisioning Configuration section, add CentralStore as an outbound provisioning identity provider and click Update. Repeat this step for the Store2 instance.
Make sure that each node has the corresponding SCIM providers registered: the CentralStore has Store1 and Store2 as providers, and Store1 and Store2 each have the CentralStore as their provider.
Step 3: Test identity synchronization
To test Identity Synchronization:
- Log in to Store1 as the default admin and create a user account.
- Observe the logs at the backend console of each node. The log entries indicate that the user created at Store1 is also created at the CentralStore and at Store2. Additionally, you can log in to the Management Console of the CentralStore and Store2 to verify that the user created in Store1 is listed on the other two nodes as well.
- You can perform other user and role management operations on any node and verify that they are synchronized with the other nodes. The following user management operations are currently supported in WSO2 Identity Server for provisioning via SCIM:
- Create User
- Delete User
- Update a user's credentials (by the admin)
- Update a user's profile (by the admin)
- Update a user's own profile (by that user)
- Create Group
- Delete Group
- Add users to group by updating group (Update user list of role)
- Rename Group
- Add users to group by updating the user (updating the role list of user).
In addition to registering providers through the user interface as described above, the Identity Server supports configuring SCIM providers through a configuration file.
To configure provisioning through the configuration file:
- Open the configuration file found at [IS_Home]/repository/conf/provisioning-config.xml.
- Shut down all three IS instances. Replace the provisioning-config.xml file of each instance with the corresponding file shown below and restart the IS instances. To test the synchronization, see Step 3: Test identity synchronization.
Store1 configuration file:
<provisioning-config>
  <scim-providers>
    <scim-provider id="central_store">
      <property name="userName">store1admin</property>
      <property name="password">store1admin</property>
      <property name="userEndpoint">https://localhost:9444/wso2/scim/Users</property>
      <property name="groupEndpoint">https://localhost:9444/wso2/scim/Groups</property>
    </scim-provider>
  </scim-providers>
  <scim-consumers>
    <scim-consumer id="carbon.super">
      <scim-provider id="central_store"></scim-provider>
    </scim-consumer>
  </scim-consumers>
</provisioning-config>
CentralStore configuration file:
<provisioning-config>
  <scim-providers>
    <scim-provider id="store1">
      <property name="userName">centraladmin</property>
      <property name="password">centraladmin</property>
      <property name="userEndpoint">https://localhost:9443/wso2/scim/Users</property>
      <property name="groupEndpoint">https://localhost:9443/wso2/scim/Groups</property>
    </scim-provider>
    <scim-provider id="store2">
      <property name="userName">centraladmin</property>
      <property name="password">centraladmin</property>
      <property name="userEndpoint">https://localhost:9445/wso2/scim/Users</property>
      <property name="groupEndpoint">https://localhost:9445/wso2/scim/Groups</property>
    </scim-provider>
  </scim-providers>
  <scim-consumers>
    <scim-consumer id="carbon.super">
      <scim-provider id="store1"></scim-provider>
      <scim-provider id="store2"></scim-provider>
    </scim-consumer>
    <scim-consumer id="store1admin@carbon.super">
      <scim-provider id="store2"></scim-provider>
    </scim-consumer>
    <scim-consumer id="store2admin@carbon.super">
      <scim-provider id="store1"></scim-provider>
    </scim-consumer>
  </scim-consumers>
</provisioning-config>
Store2 configuration file:
<provisioning-config>
  <scim-providers>
    <scim-provider id="central_store">
      <property name="userName">store2admin</property>
      <property name="password">store2admin</property>
      <property name="userEndpoint">https://localhost:9444/wso2/scim/Users</property>
      <property name="groupEndpoint">https://localhost:9444/wso2/scim/Groups</property>
    </scim-provider>
  </scim-providers>
  <scim-consumers>
    <scim-consumer id="carbon.super">
      <scim-provider id="central_store"></scim-provider>
    </scim-consumer>
  </scim-consumers>
</provisioning-config>
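The three files above encode a routing rule that is easy to get wrong by hand: on the CentralStore, an operation that arrived from Store1 (authenticated as store1admin) is forwarded only to store2, and one that arrived from Store2 only to store1, while Store1 and Store2 have no consumer entry for centraladmin, so nothing the CentralStore pushes to them is echoed back. The following Python script is an added example, not WSO2 code and not part of the original page. It parses the three provisioning-config.xml files (embedded as constructed strings, with the CentralStore consumer's nested <scim-provider> reference written as two sibling elements), maps each provider to the node behind its endpoint port and walks a simulated user-create from each node, returning the nodes the user reaches and whether any node would be asked to create the same user twice. The port-to-node mapping (9443 Store1, 9444 CentralStore, 9445 Store2) and the consumer-lookup rule (the tenant-domain consumer "carbon.super" for an operation started locally in the Management Console, "<SCIM client user>@carbon.super" for one arriving over SCIM, with no fallback between the two) are assumptions of this model, not statements from the page. Two variants show the failure modes: dropping the per-client consumers on the CentralStore leaves Store2 unprovisioned for users created on Store1, and adding a centraladmin@carbon.super consumer on Store2 produces a loop back to the CentralStore.

```python
"""Fan-out check for the three provisioning-config.xml files on this page.

Added example, not WSO2 code. Parses the page's configs (embedded below as
constructed strings; the nested <scim-provider> reference in the CentralStore
consumer is written as two siblings) and walks a simulated user-create.
Assumed, not stated on the page: the userEndpoint port identifies the target
node, and consumer lookup is exact: "carbon.super" for operations started
locally, "<scim client user>@carbon.super" for ones arriving over SCIM.
"""
import copy
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

TENANT = "carbon.super"
PORT_TO_NODE = {9443: "Store1", 9444: "CentralStore", 9445: "Store2"}  # assumption

STORE1_XML = """<provisioning-config>
  <scim-providers>
    <scim-provider id="central_store">
      <property name="userName">store1admin</property><property name="password">store1admin</property>
      <property name="userEndpoint">https://localhost:9444/wso2/scim/Users</property>
      <property name="groupEndpoint">https://localhost:9444/wso2/scim/Groups</property>
    </scim-provider>
  </scim-providers>
  <scim-consumers><scim-consumer id="carbon.super"><scim-provider id="central_store"/></scim-consumer></scim-consumers>
</provisioning-config>"""

# Store2's file on the page differs from Store1's only in the credentials it presents to the CentralStore.
STORE2_XML = STORE1_XML.replace("store1admin", "store2admin")

CENTRAL_XML = """<provisioning-config>
  <scim-providers>
    <scim-provider id="store1">
      <property name="userName">centraladmin</property><property name="password">centraladmin</property>
      <property name="userEndpoint">https://localhost:9443/wso2/scim/Users</property>
      <property name="groupEndpoint">https://localhost:9443/wso2/scim/Groups</property>
    </scim-provider>
    <scim-provider id="store2">
      <property name="userName">centraladmin</property><property name="password">centraladmin</property>
      <property name="userEndpoint">https://localhost:9445/wso2/scim/Users</property>
      <property name="groupEndpoint">https://localhost:9445/wso2/scim/Groups</property>
    </scim-provider>
  </scim-providers>
  <scim-consumers>
    <scim-consumer id="carbon.super"><scim-provider id="store1"/><scim-provider id="store2"/></scim-consumer>
    <scim-consumer id="store1admin@carbon.super"><scim-provider id="store2"/></scim-consumer>
    <scim-consumer id="store2admin@carbon.super"><scim-provider id="store1"/></scim-consumer>
  </scim-consumers>
</provisioning-config>"""


def parse_config(xml_text):
    """Return {'providers': {id: (target_node, user)}, 'consumers': {id: [provider ids]}}."""
    root = ET.fromstring(xml_text)
    providers = {}
    # Only declarations under <scim-providers> carry properties; the
    # <scim-provider> elements under <scim-consumer> are bare references.
    for p in root.find("scim-providers").findall("scim-provider"):
        props = {prop.get("name"): (prop.text or "").strip() for prop in p.findall("property")}
        port = urlparse(props["userEndpoint"]).port
        providers[p.get("id")] = (PORT_TO_NODE[port], props["userName"])
    consumers = {c.get("id"): [ref.get("id") for ref in c.findall("scim-provider")]
                 for c in root.find("scim-consumers").findall("scim-consumer")}
    return {"providers": providers, "consumers": consumers}


CONFIGS = {"Store1": parse_config(STORE1_XML),
           "CentralStore": parse_config(CENTRAL_XML),
           "Store2": parse_config(STORE2_XML)}


def consumer_id(scim_client):
    # None means the operation was performed locally (Management Console); assumed lookup rule.
    return TENANT if scim_client is None else f"{scim_client}@{TENANT}"


def simulate_create(configs, origin):
    """Walk the fan-out of a user created locally at `origin`.
    Returns (nodes reached in order, True if some node would receive the same create twice)."""
    reached, pending = [origin], [(origin, None)]
    while pending:
        node, scim_client = pending.pop(0)
        cfg = configs[node]
        for pid in cfg["consumers"].get(consumer_id(scim_client), []):
            target, as_user = cfg["providers"][pid]  # this node calls `target` authenticated as `as_user`
            if target in reached:
                return reached, True
            reached.append(target)
            pending.append((target, as_user))
    return reached, False


def without_per_client_consumers(configs):
    """Variant: the CentralStore keeps only its tenant-domain consumer (per-client entries dropped)."""
    cfgs = copy.deepcopy(configs)
    cfgs["CentralStore"]["consumers"] = {TENANT: cfgs["CentralStore"]["consumers"][TENANT]}
    return cfgs


def with_echo_back(configs):
    """Variant: Store2 forwards what the CentralStore pushes to it back to the CentralStore."""
    cfgs = copy.deepcopy(configs)
    cfgs["Store2"]["consumers"][f"centraladmin@{TENANT}"] = ["central_store"]
    return cfgs
```

Calling simulate_create(CONFIGS, node) for each of the three nodes returns the other two nodes and no loop, which is what the Step 3 test (a user created on Store1 appearing on the CentralStore and Store2) checks; the two variants return an incomplete fan-out and a loop respectively. Note also that the userName and password in each scim-provider entry are the credentials the node presents to the remote node's SCIM endpoint and are stored in plain text in provisioning-config.xml, so that account has to exist on the remote node with permission to use its SCIM endpoint, and the file's permissions should be restricted to the account running the server.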