Configure SCIM for user and group member management
Stabilized feature: The scim-1.0 feature is stabilized. There is no strategic alternative, and we can continue to use the scim-1.0 feature.

We can configure the scim-1.0 feature in server.xml to enable user and group member management. System for Cross-domain Identity Management (SCIM) defines REST APIs to create, retrieve, update, and delete (CRUD) users and groups. Calls are made through a systems management REST web application bundle (WAB). Even calls that originate on the server host go through the web API on localhost; no Java APIs are provided for local calls. Adding the scim-1.0 feature in server.xml enables the SCIM functions, but to complete the configuration we must also perform the following configuration steps:
- SSL configuration: The REST services are protected and can be accessed only on the HTTPS port, so a working SSL configuration (an ssl element that references a keyStore element) is required. The keyStore password does not have to be stored in clear text; it can be encoded with the securityUtility encode command in the Liberty bin directory. For more information about how to complete the SSL configuration, see Enable SSL communication in Liberty.
- Configuration of a federated registry: The SCIM functions are supported only by the federated registry (the federatedRepository element). To quickly set up a federated registry that uses LDAP, see Configure LDAP user registries in Liberty.
- Configuration of administrative roles: The SCIM REST services are accessible only by users who are in the administrator role or the reader role. Users who are in the administrator role are authorized to perform all POST, PUT, DELETE, and GET operations. Users who are in the reader role are authorized to perform read-only GET operations. See the information about mapping the administrator role in Liberty.
Note: The Quick Start registry (the quickStartSecurity element) cannot be used to configure the administrator role for SCIM.
- Configuration of the HTTPS port (optional): The httpEndpoint element must define the HTTPS port on which the SCIM services are reached; change it only if the default port is not suitable. For more information about the httpEndpoint element configuration, see the httpEndpoint section in Admin Center.
After these configuration steps are completed, the scim-1.0 feature is ready to be used. A sample server.xml configuration that covers all of the steps is shown in the following example:
<server description="server1">
  <!-- Enable features -->
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>servlet-3.0</feature>
    <feature>ldapRegistry-3.0</feature>
    <feature>scim-1.0</feature>
    <feature>transportSecurity-1.0</feature>
  </featureManager>

  <!-- The SCIM REST services answer only on httpsPort -->
  <httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9090">
    <tcpOptions soReuseAddr="true" />
  </httpEndpoint>

  <!-- LDAP repository that participates in the federated registry below -->
  <ldapRegistry id="LDAP1" realm="SampleLdapIDSRealm" host="9.127.1.90" port="1389" ignoreCase="true"
      baseDN="o=ibm,c=us" ldapType="IBM Tivoli Directory Server" searchTimeout="8m" recursiveSearch="true"
      bindDN="cn=xxxx" bindPassword="xxxxxx">
    <ldapEntityType name="PersonAccount">
      <rdnProperty name="uid" objectClass="inetOrgPerson"/>
      <objectClass>inetOrgPerson</objectClass>
    </ldapEntityType>
    <ldapEntityType name="Group">
      <objectClass>groupofnames</objectClass>
      <objectClass>ibm-nestedGroup</objectClass>
      <rdnProperty name="cn" objectClass="groupofnames"/>
    </ldapEntityType>
    <!-- Map LDAP attribute names to federated registry property names -->
    <attributeConfiguration>
      <attribute name="title" propertyName="honorificPrefix" syntax="String" entityType="PersonAccount"/>
      <attribute name="initials" propertyName="middleName" syntax="String" entityType="PersonAccount"/>
      <attribute name="st" propertyName="honorificSuffix" syntax="String" entityType="PersonAccount"/>
      <attribute name="l" propertyName="homeStateOrProvinceName" syntax="String" entityType="PersonAccount"/>
      <attribute name="street" propertyName="homeStreet" syntax="String" entityType="PersonAccount"/>
      <attribute name="postalAddress" propertyName="homeCity" syntax="String" entityType="PersonAccount"/>
      <attribute name="postalCode" propertyName="homePostalCode" syntax="String" entityType="PersonAccount"/>
      <attribute name="postOfficeBox" propertyName="homeCountryName" syntax="String" entityType="PersonAccount"/>
      <attribute name="departmentNumber" propertyName="photoURLThumbnail" syntax="String" entityType="PersonAccount"/>
      <attribute name="description" propertyName="photoURL" syntax="String" entityType="PersonAccount"/>
    </attributeConfiguration>
    <groupProperties>
      <memberAttribute name="member" dummyMember="uid=dummy" objectClass="groupOfNames" scope="direct"/>
      <memberAttribute name="ibm-memberGroup" objectClass="ibm-nestedGroup" scope="direct"/>
    </groupProperties>
  </ldapRegistry>

  <!-- SSL configuration; the keyStore password can be encoded with securityUtility encode -->
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" />
  <keyStore id="defaultKeyStore" password="Liberty"/>

  <!-- admin may POST, PUT, DELETE and GET; reader may only GET -->
  <administrator-role>
    <user>admin</user>
  </administrator-role>
  <reader-role>
    <user>reader</user>
  </reader-role>

  <!-- SCIM is supported only through the federated registry -->
  <federatedRepository>
    <primaryRealm name="WIMRegistry">
      <participatingBaseEntry name="o=ibm,c=us"/>
    </primaryRealm>
  </federatedRepository>
</server>
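The REST calls that the steps above enable, as an added example that is not part of the original page and not Liberty's own code: a small Python client that performs the create, read, update and delete operations over HTTPS as the admin user from the sample server.xml, and shows the reader user being refused a write. It assumes, because the page does not state them, the endpoint path /ibm/api/scim with Users and Groups collections, HTTP basic authentication with the administrator-role and reader-role users, and a CA file that can verify the server certificate. The in-memory transport, the credentials and the ids it returns are constructed so that the demo runs offline; replace the transport with https_send to talk to a real server.

```python
# Added example, not code from the page or from Liberty: a minimal SCIM 1.0 client
# for the CRUD calls above plus a constructed in-memory transport so it runs offline.
# Assumed, not stated on the page: the /ibm/api/scim path with Users and Groups
# collections, HTTP basic auth as an administrator- or reader-role user, and a CA file.
import base64
import json
import ssl
import urllib.error
import urllib.request

SCIM_CORE = "urn:scim:schemas:core:1.0"  # SCIM 1.x core schema URI

def https_send(method, url, headers, body, cafile):
    """Real transport: refuse plain HTTP and verify the server certificate."""
    if not url.startswith("https://"):
        raise ValueError("SCIM services are only served on the HTTPS port")
    ctx = ssl.create_default_context(cafile=cafile)  # never disable verification
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

class ScimClient:
    def __init__(self, base_url, user, password, cafile=None, send=https_send):
        self.root = base_url.rstrip("/") + "/ibm/api/scim"  # assumed path
        creds = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + creds, "Accept": "application/json",
                        "Content-Type": "application/json"}
        self.cafile, self.send = cafile, send  # send is injectable for offline tests

    def _call(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self.send(method, self.root + path, dict(self.headers), body, self.cafile)
        if status in (401, 403):
            raise PermissionError(f"{method} {path}: caller is not in a permitted role")
        if status >= 400:
            raise RuntimeError(f"{method} {path}: HTTP {status} {raw[:200]!r}")
        return json.loads(raw) if raw else None

    def create_user(self, user_name, given, family):
        user = {"schemas": [SCIM_CORE], "userName": user_name,
                "name": {"givenName": given, "familyName": family}}
        return self._call("POST", "/Users", user)

    def get_user(self, user_id):
        return self._call("GET", f"/Users/{user_id}")

    def delete_user(self, user_id):
        self._call("DELETE", f"/Users/{user_id}")

    def create_group(self, display_name, member_ids=()):
        group = {"schemas": [SCIM_CORE], "displayName": display_name,
                 "members": [{"value": m} for m in member_ids]}
        return self._call("POST", "/Groups", group)

    def add_group_member(self, group_id, member_id):
        """Read-modify-PUT the whole group rather than assuming PATCH support."""
        group = self._call("GET", f"/Groups/{group_id}")
        members = [m for m in group.get("members", []) if m.get("value") != member_id]
        group["members"] = members + [{"value": member_id}]
        return self._call("PUT", f"/Groups/{group_id}", group)

def fake_transport(log, caller_role, store):
    """Constructed stand-in server for the offline demo: reader = GET only."""
    def send(method, url, headers, body, cafile):
        path = url.split("/ibm/api/scim", 1)[1]
        log.append((method, path))
        if caller_role == "reader" and method != "GET":
            return 403, b""
        if method == "POST":
            rid = f"id-{len(log)}"  # constructed id, monotonic so deletes cannot collide
            store[rid] = {**json.loads(body), "id": rid}
            return 201, json.dumps(store[rid]).encode()
        rid = path.rsplit("/", 1)[1]
        if method == "PUT":
            store[rid] = {**json.loads(body), "id": rid}
        elif method == "DELETE":
            del store[rid]
            return 200, b""
        return 200, json.dumps(store[rid]).encode()
    return send

def demo():
    """Admin creates a user and a group; reader can read but is refused a delete."""
    log, store = [], {}
    url = "https://localhost:9090"  # httpsPort from the sample server.xml
    admin = ScimClient(url, "admin", "adminpw", send=fake_transport(log, "admin", store))
    reader = ScimClient(url, "reader", "readerpw", send=fake_transport(log, "reader", store))
    user = admin.create_user("jdoe", "Jane", "Doe")
    group = admin.add_group_member(admin.create_group("scim-operators")["id"], user["id"])
    seen = reader.get_user(user["id"])["userName"]
    try:
        reader.delete_user(user["id"])
        denied = False
    except PermissionError:
        denied = True
    admin.delete_user(user["id"])
    return {"members": [m["value"] for m in group["members"]], "reader_saw": seen,
            "reader_write_denied": denied, "remaining": sorted(store), "log": log}
```

The transport is kept separate from the request logic so the same client can be pointed at a real server (https_send, which refuses http:// URLs and verifies the certificate against the supplied CA file) or at the constructed stand-in; group membership is changed with a read-modify-PUT of the whole group, which works with any SCIM 1.0 server whether or not it implements PATCH.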