SCIM Part I: An Overview of User Provisioning

itdesign blog
4 min read · May 20, 2022

Hello again, Numan here! Welcome back to yet another story for our itdesign blog!

SCIM (System for Cross-domain Identity Management) is an HTTP-based protocol that is mainly used for user provisioning. User provisioning in this sense means that companies can transfer information about their employees, customers and externals from one platform to another. SCIM standardizes the way in which user data is imported. Because the way users are imported is standardized, services can implement general features that do exactly that.

This guide is supposed to make it easier for you to get into SCIM, since for me it was pretty hard to gather all the needed information about it.

SCIM

While SCIM itself is the protocol, the whole picture is something like an API. We have different endpoints when we implement SCIM on our servers and with the pre-defined endpoints we are able to execute CRUD operations.

The protocol

https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups

As you can see in the image, the protocol allows us to transfer user information to other microservices that need it. For example, if you want to create a Slack group for your company, you could easily transfer the information to Slack from your user information management software (in this case Azure Active Directory).

Endpoints

There are many endpoints defined in the SCIM RFC. The Groups and the Users endpoints are the most relevant ones. Most of the endpoints support CRUD (Create, Read, Update, Delete) operations. The way SCIM distinguishes the operations is by the type of the sent HTTP request.

Some of the endpoints are listed below:

<your-amazing-url>/Users

<your-amazing-url>/Groups

Request Types

As I wrote above, the operation is derived from the type of the HTTP request that is sent.

POST: Creates a new resource.

PUT: Updates a resource, if it exists.

DELETE: Deletes the resource, if it exists.

GET: Returns the resource with its attributes, if it exists.

Attributes

There are many attributes defined in the SCIM protocol from the get-go. Some example attributes are shown in the next section.

Example requests

An example request of a basic SCIM call:

As you can see, it is just a simple JSON request. When sending this request there are two HTTP headers we need to include: Content-Type “application/scim+json” and Accept “application/scim+json”. This tells the server (in our case the SCIMono server) that it is supposed to be a SCIM request.

In the case of this request we would call the /scim/Users API endpoint with a POST request. This allows us to create a user. If we wanted to update a user, we would use the PUT request type.

The SCIM part of this JSON is the “schemas” key. It includes all the standardized schemas that you want to use in the JSON. It is also possible to define further custom schemas. These so-called “extensions” need to be implemented by yourself. One of the open source solutions for SCIM where you can easily implement your own extensions is the SCIMono server, which was also the project that I used.
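The request described above, as an added example (not the post's original snippet and not SCIMono code): a Python sketch that builds a create-user call with the two headers and the core User schema URN from RFC 7643, then checks it the way a receiving server could before acting on it. The base URL, the sample user and the function names are constructed for illustration.

```python
import json

SCIM_MEDIA_TYPE = "application/scim+json"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Schemas this (hypothetical) server implements; custom extensions would be added here.
KNOWN_SCHEMAS = (CORE_USER, ENTERPRISE_USER)
# HTTP method -> operation, as listed in the post.
OPERATIONS = {"POST": "create", "GET": "read", "PUT": "update", "DELETE": "delete"}


def build_create_user(base_url, user_name, given, family, email):
    """Build (method, url, headers, body) for creating a user via POST /Users."""
    body = {
        "schemas": [CORE_USER],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    headers = {"Content-Type": SCIM_MEDIA_TYPE, "Accept": SCIM_MEDIA_TYPE}
    return "POST", base_url.rstrip("/") + "/Users", headers, json.dumps(body)


def check_request(method, headers, raw_body):
    """Receiving-side check: return the operation name or raise ValueError."""
    if method not in OPERATIONS:
        raise ValueError(f"unsupported method {method}")
    hdrs = {k.lower(): v.split(";")[0].strip().lower() for k, v in headers.items()}
    required = ("content-type", "accept") if method in ("POST", "PUT") else ("accept",)
    for name in required:
        if hdrs.get(name) != SCIM_MEDIA_TYPE:
            raise ValueError(f"{name} must be {SCIM_MEDIA_TYPE}")
    if method in ("POST", "PUT"):
        doc = json.loads(raw_body)  # malformed JSON raises a ValueError subclass
        schemas = doc.get("schemas") if isinstance(doc, dict) else None
        if not isinstance(schemas, list) or not schemas:
            raise ValueError("body must be a JSON object with a 'schemas' list")
        unknown = [s for s in schemas if s not in KNOWN_SCHEMAS]
        if unknown:
            raise ValueError(f"unimplemented schema(s): {unknown}")
        # Extension data lives under its URN key and must be declared in 'schemas'.
        undeclared = [k for k in doc if k.startswith("urn:") and k not in schemas]
        if undeclared:
            raise ValueError(f"extension data without declaration: {undeclared}")
    return OPERATIONS[method]
```

Rejecting payloads that name an unimplemented schema, or that carry extension data not declared in “schemas”, keeps a provisioning endpoint from silently accepting attributes it never validates.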

SCIMono server

A gamechanger for me, and something I would recommend using, is the SCIMono project being developed by SAP. It is an open source SCIM project that supports most of the protocol's features. It is written in Java and already implements all of the API calls and most of the extended features of the protocol.

Where to look…

… if you want to know if a specific attribute exists:

For me personally, most of the time it was pretty hard to find out if something can be implemented with SCIM. Finding resources for SCIM in general is pretty hard since the environment is pretty sparse. Microsoft has some really great articles about the protocol; they are really informative but obviously do not have all of the information broken down for you. The RFCs are thus a good resource. I always held back from reading through the RFCs since they are pretty badly formatted and are sometimes hard to read, but the RFC for SCIM really has good coverage when it comes to all the attributes and explaining what they are there for.

… if you want to try SCIM on a practical example:

Try the Spring Boot example project of the SCIMono server from the user karaimin. It allows you to set up a SCIM server pretty fast so that you can test the functionality.

If you want, also check out the company I work for (itdesign):

itdesign GmbH: software and consulting from a single source (itdesign.de)

One of our own products, check it out:

Meisterplan: plan project portfolios and resources in the cloud (meisterplan.com)

If you ever want to apply but don’t know what for, itdesign has this cool feature where you can request a programming challenge and submit it without writing a full CV, etc.:

https://karriere.itdesign.de/programmieraufgabe/
