# SCIM - System for Cross-Domain Identity Management

SCIM is a specification created to make the management of users across different services and applications easier. A common schema is used for User information, which allows services to exchange user data without having to consider how the information is stored in each service. By provisioning users with SCIM you simply set up the mapping of your users' attributes to SCIM attributes, which are then mapped to attributes in the IFS User database; new Users are created if they do not already exist.
## Purpose

SCIM in IFS Cloud uses one-way communication: only the external Identity Provider sends information that creates, updates or deletes user information. Changes made to users within IFS Cloud do not trigger an update to the external Identity Provider. The purpose of SCIM in IFS Cloud is simple user management.
## SCIM Standard

For up-to-date and detailed information about the SCIM standard, refer to the SCIM specification itself (SCIM 2.0 is defined in RFC 7643, the core schema, and RFC 7644, the protocol).
## Usage

SCIM 2.0 uses a REST API for all operations.

### Operations
- Read: GET https://example.com/ifsapplications/SCIM/{v}/Users/{id}
- Create: POST https://example.com/ifsapplications/SCIM/{v}/Users/
- Update: PUT https://example.com/ifsapplications/SCIM/{v}/Users/{id}
- Patch: PATCH https://example.com/ifsapplications/SCIM/{v}/Users/{id}
- Delete: DELETE https://example.com/ifsapplications/SCIM/{v}/Users/{id}
All user data passed to the Create and Update endpoints must be encoded as a SCIM object in JSON. Values in attributes that are not mapped to an IFS attribute are not stored.

## Attribute Mapping
This mapping table is to be used by Administrators when configuring a new Provisioning Service. Each SCIM attribute maps to a specific field in the IFS Cloud database. When a new User is first created through provisioning, a unique Identity is created. This Id is used as the unique identifier for the new User and is generated from the values of the SCIM attributes name.givenName and name.familyName. Some Identity Managers provide all of these attributes by default, but in some cases an attribute mapper must be added manually; for example, as shown in the configuration example for Okta, an attribute mapper for name.formatted has to be added.

The SCIM attributes userName, name.formatted, and displayName are mandatory: they must be mapped and have a value set in the external Identity Manager for new users to sync successfully.
| SCIM Attribute | IFS DB Attribute | IFS DB Character Limit |
|---|---|---|
| userName | fnd_user.web_user | 2000 |
| name.formatted | person_info.name | 100 |
| name.familyName | person_info.last_name | 100 |
| name.givenName | person_info.first_name | 100 |
| name.middleName | person_info.middle_name | 100 |
| displayName | fnd_user.description | 2000 |
| title | person_info.title | 100 |
| addresses.formatted | person_info_address.address | N/A (default 'work') |
| addresses.streetAddress | person_info_address.address1 | 35 |
| addresses.locality | person_info_address.city | 35 |
| addresses.region | person_info_address.state | 35 |
| addresses.postalCode | person_info_address.zip_code | 35 |
| addresses.country | person_info_address.country | 35 (ISO-3166 / Country) |
| emails[type eq "work"].value | comm_method.value, fnd_user_property.value | 200 |
| emails.type | comm_method.method_id_db, fnd_user_property.name | N/A (default 'work') |
| phoneNumbers[type eq "work"].value | comm_method.value | 200 |
| phoneNumbers.type | comm_method.method_id_db | N/A (default 'work') |
Note: Addresses, emails and phone numbers are given the default type 'work' when a new User is synced. If a type is provided, it has to be 'work'.
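The mapping table, the mandatory-attribute rule and the 'work' type note together define what a SCIM User payload must look like before IFS Cloud will accept it, and anything outside the table is silently not stored. The following is an added example, not IFS code: a small pre-flight check an administrator can run over the JSON an Identity Provider is about to POST or PUT, flagging missing mandatory attributes, values longer than the IFS character limits, non-'work' types, and attributes that will be dropped because they have no mapping. The limits and mandatory attributes are taken from the table above; the sample payload, the function names and the treatment of `schemas`, `id` and `meta` as protocol metadata are assumptions.

```python
"""Pre-flight check of a SCIM 2.0 User payload against the IFS Cloud mapping.

Added example, not IFS code. Limits and mandatory attributes come from the
mapping table; everything else here is an assumption.
"""
import json

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# SCIM attribute path -> IFS DB character limit, copied from the mapping table.
# Rows whose limit is "N/A" (addresses.formatted, the *.type attributes) are
# not length-checked.
IFS_LIMITS = {
    "userName": 2000,
    "name.formatted": 100,
    "name.familyName": 100,
    "name.givenName": 100,
    "name.middleName": 100,
    "displayName": 2000,
    "title": 100,
    "addresses.streetAddress": 35,
    "addresses.locality": 35,
    "addresses.region": 35,
    "addresses.postalCode": 35,
    "addresses.country": 35,
    "emails.value": 200,
    "phoneNumbers.value": 200,
}
MANDATORY = ("userName", "name.formatted", "displayName")
MULTI_VALUED = ("addresses", "emails", "phoneNumbers")
# Top-level SCIM attributes that the mapping table knows about.
MAPPED_TOP_LEVEL = {path.partition(".")[0] for path in IFS_LIMITS}
# Protocol-level members that carry no user data (assumption: ignore these).
PROTOCOL_MEMBERS = {"schemas", "id", "meta"}


def _get(obj, path):
    """Walk a dotted path such as 'name.formatted'; None if any part is absent."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def _check_len(path, value, limit, problems):
    if isinstance(value, str) and len(value) > limit:
        problems.append(f"{path} is {len(value)} chars, IFS limit is {limit}")


def validate_user(user):
    """Return a list of problems; an empty list means IFS should accept the payload."""
    problems = []
    if CORE_USER_SCHEMA not in user.get("schemas", []):
        problems.append("schemas does not include the SCIM core User schema URI")
    for attr in MANDATORY:
        value = _get(user, attr)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"mandatory attribute {attr} is missing or empty")
    for path, limit in IFS_LIMITS.items():
        top, _, sub = path.partition(".")
        if top in MULTI_VALUED:
            for i, entry in enumerate(user.get(top, [])):
                if isinstance(entry, dict):
                    _check_len(f"{top}[{i}].{sub}", entry.get(sub), limit, problems)
        else:
            _check_len(path, _get(user, path), limit, problems)
    # Addresses, emails and phone numbers default to type 'work'; any other
    # explicit type is rejected by the mapping.
    for top in MULTI_VALUED:
        for i, entry in enumerate(user.get(top, [])):
            if not isinstance(entry, dict):
                problems.append(f"{top}[{i}] is not a JSON object")
            elif entry.get("type", "work") != "work":
                problems.append(f"{top}[{i}].type is {entry['type']!r}; IFS only accepts 'work'")
    return problems


def dropped_attributes(user):
    """Top-level attributes the IdP sends but IFS has no mapping for.

    The page states such values are not stored, so surface them instead of
    letting them disappear silently.
    """
    return sorted(k for k in user if k not in MAPPED_TOP_LEVEL and k not in PROTOCOL_MEMBERS)


# Constructed sample payload (not from the page), shaped as an IdP would POST it.
SAMPLE_USER = {
    "schemas": [CORE_USER_SCHEMA],
    "userName": "jane.doe@example.com",
    "name": {"formatted": "Jane Doe", "givenName": "Jane", "familyName": "Doe"},
    "displayName": "Jane Doe",
    "title": "Engineer",
    "emails": [{"value": "jane.doe@example.com", "type": "work"}],
    "phoneNumbers": [{"value": "+1 555 0100", "type": "work"}],
    "addresses": [{"streetAddress": "1 Main St", "locality": "Springfield",
                   "region": "IL", "postalCode": "62701", "country": "US",
                   "type": "work"}],
    "nickName": "JD",  # not in the mapping table: IFS will not store it
}

if __name__ == "__main__":
    print(json.dumps(SAMPLE_USER, indent=2))
    print("problems:", validate_user(SAMPLE_USER))
    print("not stored by IFS:", dropped_attributes(SAMPLE_USER))
```

Running the check in the provisioning pipeline before the request leaves the Identity Provider turns a silent partial sync (a dropped attribute or a truncated address) into an explicit error that can be fixed in the attribute mapper.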