SCIM 2.0
SCIM stands for System for Cross-domain Identity Management.
The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identities in cloud-based applications and services easier. - www.simplecloud.info
idaas.nl supports SCIM for managing users and groups. It allows creating (POST), replacing (PUT), patching (PATCH) and deleting (DELETE) objects via SCIM, including assigning and revoking group memberships.
The core of the idaas.nl SCIM server has been released as open source code and is available on GitHub.
Endpoints
Method | Path
GET|HEAD | scim/v1
GET|HEAD | scim/v1/{fallbackPlaceholder}
POST | scim/v2/.search
GET|HEAD | scim/v2/ResourceTypes
GET|HEAD | scim/v2/ResourceTypes/{id}
GET|HEAD | scim/v2/Schemas
GET|HEAD | scim/v2/Schemas/{id}
GET|HEAD | scim/v2/ServiceProviderConfig
GET|HEAD | scim/v2/{fallbackPlaceholder}
GET|HEAD | scim/v2/{resourceType}
POST | scim/v2/{resourceType}
GET|HEAD | scim/v2/{resourceType}/{resourceObject}
PUT | scim/v2/{resourceType}/{resourceObject}
PATCH | scim/v2/{resourceType}/{resourceObject}
DELETE | scim/v2/{resourceType}/{resourceObject}
SCIM from the web interface
idaas.nl uses SCIM for all user and group operations, including every operation initiated from the web interface.
This is visible under /users and /groups in the web application. All actions initiated from there are plain SCIM requests, which you can inspect in your web browser's developer tools.
Example SCIM request
PUT /api/scim/v2/Users/8ec33dbe-ae75-9682-9f1a-9cf2743bc18a
Host: [your-tenant].manage.idaas.nl
content-type: application/scim+json
Authorization: Bearer ...

{
  "id": "8ec33dbe-ae75-9682-9f1a-9cf2743bc18a",
  "meta": {
    "created": "2019-09-28T17:34:16+00:00",
    "lastModified": "2019-12-06T06:32:47+00:00",
    "location": "https://login.manage.idaas.nl/api/scim/v2/Users/8ec33dbe-ae75-9682-9f1a-9cf2743bc18a",
    "resourceType": "User"
  },
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "arietimmerman:ice"
  ],
  "urn:ietf:params:scim:schemas:extension:account:2.0:Password": {
    "lastSuccessfulLoginDate": "2019-12-06T06:32:47+00:00"
  },
  "urn:ietf:params:scim:schemas:core:2.0:User": {
    "active": false,
    "emails": [
      {
        "value": "arietimmerman@gmail.com",
        "type": "other",
        "primary": true
      }
    ],
    "phoneNumbers": [
      {
        "type": "other",
        "primary": true,
        "value": "0612345678"
      }
    ],
    "roles": [
      {
        "id": "8ec33dbe-85fc-4d0f-8ca7-7c7baf3af4f6",
        "meta": {
          "created": "2019-09-28T17:34:16+00:00",
          "lastModified": "2019-09-28T17:34:16+00:00",
          "resourceType": "Role"
        },
        "value": "8ec33dbe-85fc-4d0f-8ca7-7c7baf3af4f6",
        "display": "Administrator",
        "slug": null,
        "system": true,
        "tenant": "login"
      }
    ],
    "groups": [
      {
        "value": "8ec3654b-2d54-47a9-b56e-22ace9e533d8",
        "$ref": "https://login.manage.idaas.nl/api/scim/v2/Group/8ec3654b-2d54-47a9-b56e-22ace9e533d8",
        "display": "Active Users"
      }
    ]
  }
}
Get Users
Find users with a certain email address
GET /api/scim/v2/Users?sortBy=id&sortOrder=descending&count=20&startIndex=0&filter=emails.value co "@gmail.com"
Get group members
GET /api/scim/v2/Users?sortBy=id&sortOrder=descending&count=20&startIndex=0&filter=groups.value eq "123"
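The two queries above are shown with the filter unencoded. The following added example (not idaas.nl's own code) builds the same /Users queries with every parameter percent-encoded, quotes the filter literal as a JSON string so a user-supplied value cannot terminate the literal and append its own clause, and walks a paged ListResponse. The tenant host and the sample pages are constructed placeholders; the ListResponse layout is the standard SCIM 2.0 one.

```python
"""Added example (not idaas.nl's own code): SCIM 2.0 /Users filter queries
with URL encoding, safe filter literals, and ListResponse paging.

Assumptions: BASE is a placeholder tenant; SAMPLE_PAGES is constructed
sample data, not a capture from idaas.nl."""
import json
from typing import Callable, Iterator
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://your-tenant.manage.idaas.nl/api/scim/v2"  # placeholder tenant


def scim_filter_value(value: str) -> str:
    """Quote a string literal for a SCIM filter. RFC 7644 defines the literal as a
    JSON string, so JSON escaping handles embedded quotes and backslashes; without
    it a value like  x" or id pr  would change the meaning of the filter."""
    return json.dumps(value, ensure_ascii=False)


def build_users_query(filter_expr: str, count: int = 20, start_index: int = 0,
                      sort_by: str = "id", sort_order: str = "descending") -> str:
    """Full /Users URL; urlencode turns the spaces and quotes in the filter into
    +, %22 and %40 so they survive the wire (the page shows them raw)."""
    params = {
        "sortBy": sort_by,
        "sortOrder": sort_order,
        "count": count,
        "startIndex": start_index,
        "filter": filter_expr,
    }
    return f"{BASE}/Users?{urlencode(params)}"


def users_with_email_domain(domain: str) -> str:
    return build_users_query(f"emails.value co {scim_filter_value(domain)}")


def group_members_query(group_id: str) -> str:
    return build_users_query(f"groups.value eq {scim_filter_value(group_id)}")


def iterate_users(fetch_page: Callable[[str], dict], filter_expr: str,
                  count: int = 20, start_index: int = 0) -> Iterator[dict]:
    """Yield every User matching filter_expr across all pages.

    fetch_page(url) must return the parsed ListResponse. The walk advances
    startIndex by the number of resources actually returned and stops on an
    empty page or once totalResults is reached, so it works whether the server
    counts startIndex from 0 (as the page's example does) or from 1 (as
    RFC 7644 specifies)."""
    seen, index = 0, start_index
    while True:
        page = fetch_page(build_users_query(filter_expr, count=count, start_index=index))
        resources = page.get("Resources", [])
        if not resources:
            return
        for resource in resources:
            seen += 1
            yield resource
        if seen >= page.get("totalResults", 0):
            return
        index += len(resources)


# Constructed sample ListResponses keyed by the startIndex they answer.
SAMPLE_PAGES = {
    0: {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
        "totalResults": 3, "startIndex": 0, "itemsPerPage": 2,
        "Resources": [{"id": "u-1"}, {"id": "u-2"}]},
    2: {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
        "totalResults": 3, "startIndex": 2, "itemsPerPage": 2,
        "Resources": [{"id": "u-3"}]},
}


def fake_fetch_page(url: str) -> dict:
    """Offline stand-in for an HTTP GET: serve the constructed page for the startIndex in the URL."""
    query = parse_qs(urlsplit(url).query)
    return SAMPLE_PAGES[int(query["startIndex"][0])]


def sample_member_ids() -> list:
    """Walk the constructed pages for group 123 and return the member ids."""
    return [u["id"] for u in iterate_users(fake_fetch_page, f"groups.value eq {scim_filter_value('123')}", count=2)]


if __name__ == "__main__":
    print(users_with_email_domain("@gmail.com"))
    print(sample_member_ids())
```

Replace fake_fetch_page with a function that performs the GET with the Bearer token and returns the decoded JSON to run this against a tenant; the paging logic does not change.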
Self Registration
Initiate a SCIM creation request to the /Me endpoint:
POST /scim/v2/Me HTTP/1.1
Host: your-tenant.idaas.nl
Content-Type: application/scim+json

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "arietimmerman:ice"
  ],
  "urn:ietf:params:scim:schemas:core:2.0:User": {
    "userName": "johndoe@example.com",
    "password": "test123",
    "name": {
      "formatted": "John Doe"
    },
    "displayName": "John Doe",
    "emails": [
      {
        "value": "johndoe@example.com",
        "type": "other",
        "primary": true
      }
    ]
  }
}
After registering the user, initiate an OpenID Connect authentication request like the one below. Note that acr_values is set to activation and login_hint is set to the new user's email address (your_new_emailadress in the example URL).
https://your-tenant.idaas.nl/oauth/authorize?acr_values=activation&client_id=8aa2d46c-593f-45e9-8b52-634b4b066e80&code_challenge=47ABApj8HBSa-_TImW-5JCeuA2Rkm5NMpJWZG3hSuFU&code_challenge_method=S256&nonce=12345&redirect_uri=http://localhost:8080/Tester&response_type=id_token&scope=email&state=123&login_hint=your_new_emailadress
The user is now shown a message stating that the activation link has been sent. After the user reads this mail and follows the activation link, the user is activated and logged in immediately.
All other authentication modules reject authentication for inactive users.
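The registration request and the activation authorize URL above form one procedure. The following added example (not idaas.nl's own code) assembles both: the /Me request with the page's nested body layout, and the authorize URL with a freshly generated PKCE verifier/challenge pair, random state and nonce instead of the fixed values in the page's URL, and login_hint set to the registered email. The host, client_id and redirect_uri are the placeholders from the page's example URL.

```python
"""Added example (not idaas.nl's own code): self-registration request to /Me
plus the follow-up activation authorize URL with PKCE (RFC 7636, S256).

Assumptions: HOST is a placeholder tenant; CLIENT_ID and REDIRECT_URI are the
example values from the page's authorize URL."""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

HOST = "https://your-tenant.idaas.nl"                 # placeholder tenant
CLIENT_ID = "8aa2d46c-593f-45e9-8b52-634b4b066e80"     # client_id from the page's example
REDIRECT_URI = "http://localhost:8080/Tester"          # redirect_uri from the page's example


def registration_body(email: str, display_name: str, password: str) -> dict:
    """Body for POST /scim/v2/Me, nested under the core User URN as the page does."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", "arietimmerman:ice"],
        "urn:ietf:params:scim:schemas:core:2.0:User": {
            "userName": email,
            "password": password,
            "name": {"formatted": display_name},
            "displayName": display_name,
            "emails": [{"value": email, "type": "other", "primary": True}],
        },
    }


def registration_request(email: str, display_name: str, password: str) -> tuple:
    """(url, headers, body bytes) ready for any HTTP client; nothing is sent here."""
    headers = {"Content-Type": "application/scim+json"}
    body = json.dumps(registration_body(email, display_name, password)).encode("utf-8")
    return f"{HOST}/scim/v2/Me", headers, body


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair() -> tuple:
    """Fresh verifier (43 chars, inside RFC 7636's 43..128 range) and its challenge.
    The verifier stays on the client; only the challenge goes into the URL."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def activation_authorize_url(email: str, code_challenge: str,
                             state: str = None, nonce: str = None) -> str:
    """Authorize URL with acr_values=activation and login_hint=<email>; state and
    nonce default to random per-request values rather than the page's fixed ones."""
    params = {
        "acr_values": "activation",
        "client_id": CLIENT_ID,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "nonce": nonce or secrets.token_urlsafe(16),
        "redirect_uri": REDIRECT_URI,
        "response_type": "id_token",
        "scope": "email",
        "state": state or secrets.token_urlsafe(16),
        "login_hint": email,
    }
    return f"{HOST}/oauth/authorize?{urlencode(params)}"


if __name__ == "__main__":
    url, headers, body = registration_request("johndoe@example.com", "John Doe", "test123")
    print(url, headers, body.decode())
    verifier, challenge = new_pkce_pair()
    print(activation_authorize_url("johndoe@example.com", challenge))
```

Keep the verifier, state and nonce in the client session so the response from the redirect can be matched to the request that produced it.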