SCIM - System for Cross-Domain Identity Management
SCIM is a specification for managing users and groups across different services and applications. A common schema is used for a User or a Group, which lets services exchange this data without having to know how the information is stored in the receiving service. When provisioning with SCIM, you simply set up the mapping of your attributes to SCIM attributes; these are then mapped to attributes in the IFS database, and new Users and Groups are created if they do not already exist.
Purpose
SCIM in IFS Cloud uses one-way communication. This means that only the external Identity Provider sends information that creates, updates or deletes user and group information. Changes made to users within IFS Cloud will not trigger an update to the external Identity Provider. The purpose of SCIM in IFS Cloud is simple user management.
IMPORTANT: As described above, if a user is synced with an external Identity Provider, their details should only be updated through the external Identity Provider, not in IFS Cloud Web. If changes are made in IFS Cloud Web, they will be overwritten by the user details from the external Identity Provider during the next synchronization.
SCIM Standard
For updated and detailed information about the SCIM standard please visit this page.
Usage
SCIM 2.0 uses a REST API for all operations.
User Operations
- Read: GET https://example.com/ifsapplications/SCIM/{v}/Users/{id}
- Create: POST https://example.com/ifsapplications/SCIM/{v}/Users/
- Update: PUT https://example.com/ifsapplications/SCIM/{v}/Users/{id}
- Patch: PATCH https://example.com/ifsapplications/SCIM/{v}/Users/{id}
- Delete: DELETE https://example.com/ifsapplications/SCIM/{v}/Users/{id}
Group Operations
- Read: GET https://example.com/ifsapplications/SCIM/{v}/Groups/{id}
- Create: POST https://example.com/ifsapplications/SCIM/{v}/Groups/
- Update: PUT https://example.com/ifsapplications/SCIM/{v}/Groups/{id}
- Patch: PATCH https://example.com/ifsapplications/SCIM/{v}/Groups/{id}
- Delete: DELETE https://example.com/ifsapplications/SCIM/{v}/Groups/{id}
All data passed to the Create and Update endpoints must be encoded as a SCIM object in JSON. Values passed in attributes that are not mapped to an IFS attribute will not be stored.
Attribute Mapping
This mapping table is intended for use by Administrators when configuring a new Provisioning Service. The SCIM Attribute maps to certain fields of the IFS Cloud database. When first creating a new User through provisioning, a unique Identity will be created. This ID is used as a unique identifier for the new user and will be generated based on the values of the SCIM attributes name.givenName and name.familyName. Some Identity Managers will have all of these attributes by default, but in some cases, a manual attribute mapper will need to be added. For example, in the Okta configuration, an attribute mapper for name.formatted must be added manually.
The SCIM attributes username, name.formatted, and displayName are mandatory. They must be mapped and assigned values from the external Identity Manager to successfully sync new users.
If name.givenName and name.familyName are not mapped, the first name and last name will be passed to IFS Cloud as null, resulting in the creation of numeric identities.
NOTE: The main logic for identity creation is: "First three letters of the first name + first three letters of the last name."
However, if multiple users are created with the same name, the following logic is applied:
Example: 5 users with the same name (User Name: Alain Prost) are created on the Azure side and provisioned:
- User 1: First 3 letters of First Name + First 3 letters of Last Name -> UserId: ALAPRO
- User 2: First 3 letters of First Name + First 4 letters of Last Name -> UserId: ALAPROS
- User 3: First 4 letters of First Name + First 4 letters of Last Name -> UserId: ALAIPROS
- User 4: First 3 letters of First Name + First 3 letters of Last Name + Numeric Suffix (3 digits) -> UserId: ALAPRO537
- User 5: First 3 letters of First Name + First 3 letters of Last Name + Numeric Suffix (3 digits) -> UserId: ALAPRO454
If more than five users with identical names are created, the identity generation logic continues by appending additional randomized numeric suffixes.
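The identity-generation rules above, as an added example (not IFS code) that walks the same candidate order: 3+3, 3+4, 4+4, then 3+3 plus a random three-digit suffix until an unused identity is found. The `rand` callable, the `existing` set and the treatment of names shorter than the slice length (used as-is) are assumptions of this example, as is the purely numeric fallback for null names.

```python
import secrets

def generate_identity(first, last, existing, rand=None):
    """Return a new identity that is not in `existing`, and record it there.

    `rand` returns an int in [0, 999]; defaults to secrets.randbelow(1000).
    Assumption: names shorter than 3 or 4 letters are used as-is (the page
    does not say what happens then). Assumption: a missing first or last
    name yields a purely numeric identity (the page only says "numeric").
    """
    rand = rand or (lambda: secrets.randbelow(1000))
    if not first or not last:
        cand = f"{rand():03d}{rand():03d}"
        existing.add(cand)
        return cand
    f, l = first.upper(), last.upper()
    # Steps 1-3 from the page: fixed-length combinations tried in order.
    for cand in (f[:3] + l[:3], f[:3] + l[:4], f[:4] + l[:4]):
        if cand not in existing:
            existing.add(cand)
            return cand
    # Step 4 onward: 3 + 3 letters plus a randomized 3-digit suffix.
    for _ in range(10_000):  # bounded so an exhausted suffix space cannot hang
        cand = f"{f[:3]}{l[:3]}{rand():03d}"
        if cand not in existing:
            existing.add(cand)
            return cand
    raise RuntimeError("no free identity left for " + f[:3] + l[:3])

def provision_same_name(first, last, count, rand=None):
    """Provision `count` users with the same name; returns identities in order."""
    existing = set()
    return [generate_identity(first, last, existing, rand) for _ in range(count)]

if __name__ == "__main__":
    # Reproduces the page's five-user example when the suffixes drawn are 537 and 454.
    draws = iter([537, 454])
    print(provision_same_name("Alain", "Prost", 5, rand=lambda: next(draws)))
```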
User Attribute Mapping
SCIM Attribute | IFS DB Attribute | IFS DB Character Limit |
---|---|---|
userName | fnd_user.web_user | 2000 |
name.formatted | person_info.name | 100 |
name.familyName | person_info.last_name | 100 |
name.givenName | person_info.first_name | 100 |
name.middleName | person_info.middle_name | 100 |
displayName | fnd_user.description | 2000 |
title | person_info.title | 100 |
addresses[type eq "work"].formatted | person_info_address.address | N/A (default 'work') |
addresses[type eq "work"].streetAddress | person_info_address.address1 | 35 |
addresses[type eq "work"].locality | person_info_address.city | 35 |
addresses[type eq "work"].region | person_info_address.state | 35 |
addresses[type eq "work"].postalCode | person_info_address.zip_code | 35 |
addresses[type eq "work"].country | person_info_address.country | 35 (ISO-3166 / Country) |
emails[type eq "work"].value | comm_method.value, fnd_user_property.value | 200 |
emails.type | comm_method.method_id_db, fnd_user_property.name | N/A (default 'work') |
phoneNumbers[type eq "work"].value | comm_method.value | 200 |
phoneNumbers.type | comm_method.method_id_db | N/A (default 'work') |
Note: Addresses, emails and phone numbers are given the default type 'work' when syncing a new User. Any type provided must be 'work'.
Handling Addresses
Previously, address mappings used the format addresses.formatted. If a user's person address is provisioned from the external Identity Provider, the mapping should now follow the new format shown in the table above (e.g., addresses[type eq "work"].formatted).
If an address mapping is created on the external Identity Provider side, another work-type address should not be added from IFS Cloud Web. If one is added, the address entered in IFS Cloud Web will be replaced by the existing address from the external Identity Provider on the next synchronization.
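To check a provisioning payload against the mapping rules above before it is sent (mandatory attributes, the `[type eq "work"]` filter syntax, the 'work'-only rule for addresses, emails and phone numbers, and the IFS DB character limits), here is an added example that is not IFS code. The mapping dictionary is a subset of the page's table; the sample User payload, the helper names and the problem wording are constructed for this example.

```python
import re

# Subset of the page's User Attribute Mapping table: SCIM path -> (IFS DB attribute, char limit).
USER_MAPPING = {
    "userName": ("fnd_user.web_user", 2000),
    "name.formatted": ("person_info.name", 100),
    "name.givenName": ("person_info.first_name", 100),
    "name.familyName": ("person_info.last_name", 100),
    "displayName": ("fnd_user.description", 2000),
    'addresses[type eq "work"].locality': ("person_info_address.city", 35),
    'emails[type eq "work"].value': ("comm_method.value", 200),
    'phoneNumbers[type eq "work"].value': ("comm_method.value", 200),
}
MANDATORY = ("userName", "name.formatted", "displayName")
_FILTER = re.compile(r'^(\w+)\[type eq "(\w+)"\]\.(\w+)$')

def resolve(user, path):
    """Resolve a dotted or [type eq "x"]-filtered SCIM path; missing type defaults to 'work'."""
    m = _FILTER.match(path)
    if m:
        attr, typ, sub = m.groups()
        return next((i.get(sub) for i in user.get(attr, []) if i.get("type", "work") == typ), None)
    node = user
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def check_user(user):
    """Return (ifs_values, problems): values keyed by IFS DB attribute, plus rule violations."""
    values, problems = {}, []
    for path in MANDATORY:
        if not resolve(user, path):
            problems.append(f"mandatory attribute missing: {path}")
    for path, (ifs_attr, limit) in USER_MAPPING.items():
        v = resolve(user, path)
        if v is None:
            continue
        if len(str(v)) > limit:
            problems.append(f"{path} exceeds {ifs_attr} limit of {limit}")
        values.setdefault(ifs_attr, []).append(v)
    for attr in ("addresses", "emails", "phoneNumbers"):
        for item in user.get(attr, []):
            if item.get("type", "work") != "work":
                problems.append(f'{attr} entry with type "{item["type"]}" is not mapped and will not be stored')
    return values, problems

SAMPLE_USER = {  # constructed SCIM User payload, not from the page
    "userName": "aprost@example.com", "displayName": "Alain Prost",
    "name": {"formatted": "Alain Prost", "givenName": "Alain", "familyName": "Prost"},
    "emails": [{"type": "work", "value": "aprost@example.com"}, {"type": "home", "value": "ap@example.org"}],
    "addresses": [{"type": "work", "locality": "Linköping"}],
}
```

Running `check_user(SAMPLE_USER)` reports the 'home' email as unmapped and maps the rest; a payload missing displayName or with a 101-character name.formatted is flagged instead.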
Group Attribute Mapping
This table shows how SCIM attributes map to the IFS Cloud database. When first creating a new Group through provisioning, a unique UserGroupId is created; it identifies and maps the provisioned Groups from the Identity Management Service to IFS. The SCIM attribute displayName also needs to be unique; duplicates are not allowed. When provisioning a group with a name that already exists, IFS returns that existing group in the SCIM response to the Identity Management Service.
SCIM Attribute | IFS DB Attribute | IFS DB Character Limit |
---|---|---|
displayName | user_group.name | 200 |