Configuring SCIM for user and group member management
You can configure the scim-1.0 feature in the server.xml file to enable user and group member management. System for Cross-domain Identity Management (SCIM) defines REST APIs to create, retrieve, update, and delete (CRUD) users and groups. Calls are made through a systems management REST web application bundle (WAB). Local calls are made as HTTP over localhost through the web API only; there are no Java APIs for local calls.
Procedure
Adding the scim-1.0 feature in the server.xml file enables SCIM functions. To complete the configuration, you must also perform the following configuration steps:
- SSL Configuration: The REST services are protected and can be accessed only on the HTTPS port. For more information about how to complete the SSL configuration, see Enabling SSL communication in Liberty.
- Configuration of a federation registry: SCIM functions are supported only by the federation registry. To quickly set up a federation registry by using LDAP, see Configuring LDAP user registries in Liberty.
- Configuration of an administrator role: The REST services are accessible only by an administrator, so a user must be mapped to the administrator role. For more information about mapping the administrator role in Liberty, see Mapping the administrator role for Liberty. Note: You cannot use the Quick Start registry to configure the administrator role for SCIM.
- Configuration of the HTTPS port (optional): The httpEndpoint element must be configured with the HTTPS port on which the REST services are exposed. For more information about the httpEndpoint element configuration, see the httpEndpoint section in Admin Center.
The following server.xml example shows a complete configuration. The bindPassword and keyStore password values are placeholders; replace them with your own values.
<server description="server1">
    <!-- Enable features -->
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>servlet-3.0</feature>
        <feature>ldapRegistry-3.0</feature>
        <feature>scim-1.0</feature>
        <feature>ssl-1.0</feature>
    </featureManager>

    <!-- SCIM REST services are reachable only on the httpsPort -->
    <httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9090">
        <tcpOptions soReuseAddr="true" />
    </httpEndpoint>

    <!-- LDAP registry that participates in the federated repository -->
    <ldapRegistry id="LDAP1" realm="SampleLdapIDSRealm" host="9.127.1.90" port="1389" ignoreCase="true"
                  baseDN="o=ibm,c=us" ldapType="IBM Tivoli Directory Server" searchTimeout="8m" recursiveSearch="true"
                  bindDN="cn=xxxx" bindPassword="xxxxxx">
        <ldapEntityType name="PersonAccount">
            <rdnProperty name="uid" objectClass="inetOrgPerson"/>
            <objectClass>inetOrgPerson</objectClass>
        </ldapEntityType>
        <ldapEntityType name="Group">
            <objectClass>groupofnames</objectClass>
            <objectClass>ibm-nestedGroup</objectClass>
            <rdnProperty name="cn" objectClass="groupofnames"/>
        </ldapEntityType>
        <!-- Map LDAP attributes to the SCIM user properties -->
        <attributeConfiguration>
            <attribute name="title" propertyName="honorificPrefix" syntax="String" entityType="PersonAccount"/>
            <attribute name="initials" propertyName="middleName" syntax="String" entityType="PersonAccount"/>
            <attribute name="st" propertyName="honorificSuffix" syntax="String" entityType="PersonAccount"/>
            <attribute name="l" propertyName="homeStateOrProvinceName" syntax="String" entityType="PersonAccount"/>
            <attribute name="street" propertyName="homeStreet" syntax="String" entityType="PersonAccount"/>
            <attribute name="postalAddress" propertyName="homeCity" syntax="String" entityType="PersonAccount"/>
            <attribute name="postalCode" propertyName="homePostalCode" syntax="String" entityType="PersonAccount"/>
            <attribute name="postOfficeBox" propertyName="homeCountryName" syntax="String" entityType="PersonAccount"/>
            <attribute name="departmentNumber" propertyName="photoURLThumbnail" syntax="String" entityType="PersonAccount"/>
            <attribute name="description" propertyName="photoURL" syntax="String" entityType="PersonAccount"/>
        </attributeConfiguration>
        <groupProperties>
            <memberAttribute name="member" dummyMember="uid=dummy" objectClass="groupOfNames" scope="direct"/>
            <memberAttribute name="ibm-memberGroup" objectClass="ibm-nestedGroup" scope="direct"/>
        </groupProperties>
    </ldapRegistry>

    <!-- SSL configuration used by the HTTPS endpoint -->
    <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" />
    <keyStore id="defaultKeyStore" password="Liberty"/>

    <!-- Only users in the administrator role can call the SCIM REST services -->
    <administrator-role>
        <user>wasadmin</user>
    </administrator-role>

    <federatedRepository>
        <primaryRealm name="WIMRegistry">
            <participatingBaseEntry name="o=ibm,c=us"/>
        </primaryRealm>
    </federatedRepository>
</server>
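The following Python script is an added example and is not part of the Liberty documentation or product. It parses a server.xml with the standard library and reports which of the four configuration steps above are missing: the scim-1.0 and ssl-1.0 features, an ssl element whose keyStoreRef resolves, a registry element other than quickStartSecurity, a user or group mapped to the administrator role, and an httpEndpoint with an httpsPort. The SAMPLE_SERVER_XML string is a constructed, shortened copy of the page's example with placeholder host and password values. The /ibm/api/scim path used by scim_base_url is an assumption of this example, not something stated on the page.

```python
"""Check a Liberty server.xml for the SCIM configuration prerequisites.

Added example, not Liberty's own code. SAMPLE_SERVER_XML is a constructed
copy of the page's server.xml with placeholder host and password values.
"""
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<server description="server1">
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ldapRegistry-3.0</feature>
    <feature>scim-1.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>
  <httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9090"/>
  <ldapRegistry id="LDAP1" realm="SampleLdapIDSRealm" host="ldap.example.test"
                port="1389" baseDN="o=ibm,c=us" bindDN="cn=xxxx" bindPassword="xxxxxx"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"/>
  <keyStore id="defaultKeyStore" password="placeholder"/>
  <administrator-role>
    <user>wasadmin</user>
  </administrator-role>
  <federatedRepository>
    <primaryRealm name="WIMRegistry">
      <participatingBaseEntry name="o=ibm,c=us"/>
    </primaryRealm>
  </federatedRepository>
</server>
"""

# Features the page's example enables for SCIM over HTTPS.
REQUIRED_FEATURES = {"scim-1.0", "ssl-1.0"}
# Elements that provide a registry the federated repository can use.
REGISTRY_ELEMENTS = ("ldapRegistry", "federatedRepository")


def check_scim_config(xml_text):
    """Return a list of problem strings; an empty list means every step is covered."""
    root = ET.fromstring(xml_text)
    problems = []

    features = {f.text.strip() for f in root.iter("feature") if f.text}
    for feat in sorted(REQUIRED_FEATURES - features):
        problems.append(f"feature {feat} is not enabled in featureManager")

    # Step 1: SSL. The REST services are reachable only on the HTTPS port, so an
    # ssl element is needed and its keyStoreRef must name an existing keyStore.
    keystores = {k.get("id") for k in root.iter("keyStore")}
    ssl_elems = list(root.iter("ssl"))
    if not ssl_elems:
        problems.append("no ssl element: SCIM REST services need HTTPS")
    for s in ssl_elems:
        ref = s.get("keyStoreRef")
        if ref not in keystores:
            problems.append(f"ssl {s.get('id')} references unknown keyStore {ref!r}")

    # Step 2: a federation registry. The Quick Start registry (quickStartSecurity)
    # cannot be used for the SCIM administrator role.
    if root.find("quickStartSecurity") is not None:
        problems.append("quickStartSecurity present: SCIM requires the federation registry")
    if not any(root.find(tag) is not None for tag in REGISTRY_ELEMENTS):
        problems.append("no ldapRegistry or federatedRepository element configured")

    # Step 3: at least one user or group mapped to the administrator role.
    admin = root.find("administrator-role")
    has_admin = admin is not None and any(
        (child.text or "").strip() for child in admin if child.tag in ("user", "group"))
    if not has_admin:
        problems.append("administrator-role has no user or group mapped")

    # Step 4: an httpEndpoint that defines httpsPort (httpPort alone is not enough).
    if not any(e.get("httpsPort") for e in root.iter("httpEndpoint")):
        problems.append("no httpEndpoint defines httpsPort")

    return problems


def scim_base_url(xml_text, host="localhost"):
    """Build the HTTPS base URL for the SCIM REST API from the first httpEndpoint.

    The /ibm/api/scim path is an assumption of this example, not taken from the page.
    """
    root = ET.fromstring(xml_text)
    ep = root.find("httpEndpoint")
    if ep is None or not ep.get("httpsPort"):
        return None
    return f"https://{host}:{ep.get('httpsPort')}/ibm/api/scim"


if __name__ == "__main__":
    issues = check_scim_config(SAMPLE_SERVER_XML)
    print("OK" if not issues else "\n".join(issues))
    print("SCIM base URL:", scim_base_url(SAMPLE_SERVER_XML))
```

Run it against your own server.xml by reading the file into a string and passing it to check_scim_config; an empty result means the four prerequisites on this page are present, though it does not verify that the LDAP bind or the keystore itself works.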