SCIM 2.0

SCIM stands for System for Cross-domain Identity Management.

The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identities in cloud-based applications and services easier. - www.simplecloud.info

idaas.nl supports SCIM for managing users and groups: objects can be created, replaced (PUT), patched and deleted via SCIM, which includes assigning and revoking group memberships.

The core of the idaas.nl SCIM server has been released as open source and is available on GitHub. The same SCIM server also powers The SCIM Playground.

Endpoints

GET|HEAD | scim/v1
GET|HEAD | scim/v1/{fallbackPlaceholder}
POST     | scim/v2/.search
GET|HEAD | scim/v2/ResourceTypes
GET|HEAD | scim/v2/ResourceTypes/{id}
GET|HEAD | scim/v2/Schemas
GET|HEAD | scim/v2/Schemas/{id}
GET|HEAD | scim/v2/ServiceProviderConfig
GET|HEAD | scim/v2/{fallbackPlaceholder}
GET|HEAD | scim/v2/{resourceType}
POST     | scim/v2/{resourceType}
GET|HEAD | scim/v2/{resourceType}/{resourceObject}
PUT      | scim/v2/{resourceType}/{resourceObject}
PATCH    | scim/v2/{resourceType}/{resourceObject}
DELETE   | scim/v2/{resourceType}/{resourceObject}

SCIM from the web interface

idaas.nl uses SCIM for all user and group operations, including every operation initiated from the web interface.

This is visible under /users and /groups in the web application. All actions initiated from there are plain SCIM requests, which you can inspect with your web browser's developer tools.

Example SCIM request

PUT /api/scim/v2/Users/8ec33dbe-ae75-9682-9f1a-9cf2743bc18a
Host: [your-tenant].manage.idaas.nl
content-type: application/scim+json
Authorization: Bearer ...


{
    "id": "8ec33dbe-ae75-9682-9f1a-9cf2743bc18a",
    "meta": {
        "created": "2019-09-28T17:34:16+00:00",
        "lastModified": "2019-12-06T06:32:47+00:00",
        "location": "https://login.manage.limosa.io/api/scim/v2/Users/8ec33dbe-ae75-9682-9f1a-9cf2743bc18a",
        "resourceType": "User"
    },
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "arietimmerman:ice"
    ],
    "urn:ietf:params:scim:schemas:extension:account:2.0:Password": {
        "lastSuccessfulLoginDate": "2019-12-06T06:32:47+00:00"
    },
    "urn:ietf:params:scim:schemas:core:2.0:User": {
        "active": false,
        "emails": [
            {
                "value": "arietimmerman@gmail.com",
                "type": "other",
                "primary": true
            }
        ],
        "phoneNumbers": [
            {
                "type": "other",
                "primary": true,
                "value": "0612345678"
            }
        ],
        "roles": [
            {
                "id": "8ec33dbe-85fc-4d0f-8ca7-7c7baf3af4f6",
                "meta": {
                    "created": "2019-09-28T17:34:16+00:00",
                    "lastModified": "2019-09-28T17:34:16+00:00",
                    "resourceType": "Role"
                },
                "value": "8ec33dbe-85fc-4d0f-8ca7-7c7baf3af4f6",
                "display": "Administrator",
                "slug": null,
                "system": true,
                "tenant": "login"
            }
        ],
        "groups": [
            {
                "value": "8ec3654b-2d54-47a9-b56e-22ace9e533d8",
                "$ref": "https://login.manage.limosa.io/api/scim/v2/Group/8ec3654b-2d54-47a9-b56e-22ace9e533d8",
                "display": "Active Users"
            }
        ]
    }
}

Get Users

Find users with a certain e-mail address:

GET /api/scim/v2/Users?sortBy=id&sortOrder=descending&count=20&startIndex=0&filter=emails.value co "@gmail.com"

Get group members:

GET /api/scim/v2/Users?sortBy=id&sortOrder=descending&count=20&startIndex=0&filter=groups.value eq "123"
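As an added example (not from the idaas.nl documentation or its SCIM server), a small Python helper that builds the two queries above, quotes the filter operand so a caller-supplied value cannot extend the filter expression, and walks a ListResponse page by page. The tenant host is a placeholder and the ListResponse below is constructed.

```python
import json
from typing import Optional
from urllib.parse import urlencode

BASE = "https://your-tenant.manage.idaas.nl/api/scim/v2"  # placeholder tenant host

def scim_quote(value: str) -> str:
    """Quote a filter operand. RFC 7644 string operands use JSON string syntax,
    so json.dumps escapes any '"' or '\\' in caller input and the operand can
    never close the string and append its own filter terms."""
    return json.dumps(value)

def users_url(filter_expr: str, start_index: int = 1, count: int = 20) -> str:
    """Build a /Users query with the parameters used on this page; urlencode
    percent-encodes the spaces and quotes in the filter. RFC 7644 startIndex is
    1-based, so values below 1 are raised to 1."""
    params = {"sortBy": "id", "sortOrder": "descending", "count": count,
              "startIndex": max(start_index, 1), "filter": filter_expr}
    return f"{BASE}/Users?{urlencode(params)}"

def users_with_mail_domain_url(domain: str, start_index: int = 1) -> str:
    """Same query as: filter=emails.value co "@gmail.com"."""
    return users_url(f"emails.value co {scim_quote(domain)}", start_index)

def group_members_url(group_id: str, start_index: int = 1) -> str:
    """Same query as: filter=groups.value eq "123"."""
    return users_url(f"groups.value eq {scim_quote(group_id)}", start_index)

def next_start_index(list_response: dict) -> Optional[int]:
    """startIndex of the next ListResponse page, or None once totalResults is
    reached (a server may return fewer than `count` items per page)."""
    start = list_response.get("startIndex", 1)
    per_page = list_response.get("itemsPerPage", len(list_response.get("Resources", [])))
    following = start + per_page
    return following if per_page > 0 and following <= list_response.get("totalResults", 0) else None

# Constructed sample ListResponse: second page of a 45-user result set.
SAMPLE_PAGE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 45, "itemsPerPage": 20, "startIndex": 21,
    "Resources": [{"id": f"user-{i}"} for i in range(21, 41)],
}
```

Loop on next_start_index until it returns None to collect every page of a filtered result set.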

Self Registration

Initiate a SCIM creation request to the /Me endpoint:

POST /scim/v2/Me HTTP/1.1
Host: your-tenant.idaas.nl
Content-Type: application/scim+json

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "arietimmerman:ice"
    ],
    "urn:ietf:params:scim:schemas:core:2.0:User": {
        "userName": "johndoe@example.com",
        "password": "test123",
        "name": {
            "formatted": "John Doe"
        },
        "displayName": "John Doe",
        "emails": [
            {
                "value": "johndoe@example.com",
                "type": "other",
                "primary": true
            }
        ]
    }
}

After registering the user, initiate an OpenID Connect authentication request like the one below. Note that acr_values is set to activation and login_hint is set to the newly registered e-mail address (your_new_emailadress in the example).

https://your-tenant.limosa.io/oauth/authorize?acr_values=activation&client_id=8aa2d46c-593f-45e9-8b52-634b4b066e80&code_challenge=47ABApj8HBSa-_TImW-5JCeuA2Rkm5NMpJWZG3hSuFU&code_challenge_method=S256&nonce=12345&redirect_uri=http://localhost:8080/Tester&response_type=id_token&scope=email&state=123&login_hint=your_new_emailadress

The user is now shown a message stating that the activation link has been sent. Once the user reads this mail and follows the activation link, the user is activated and logged in immediately.
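As an added example (not part of this page or the idaas.nl code), the two steps of the flow in Python: the /Me registration body and the activation authorize URL, with a fresh PKCE verifier and random state and nonce instead of the fixed 12345 and 123 of the example above. The tenant host, client_id and redirect_uri are the placeholders and values from the example above.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

TENANT = "https://your-tenant.limosa.io"  # placeholder host, as in the example above
CLIENT_ID = "8aa2d46c-593f-45e9-8b52-634b4b066e80"  # client_id from the example above
REDIRECT_URI = "http://localhost:8080/Tester"
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"

def registration_body(email: str, display_name: str, password: str) -> dict:
    """Body for POST /scim/v2/Me, shaped like the example above (core attributes
    nested under the schema URN, plus the arietimmerman:ice extension)."""
    return {
        "schemas": [CORE, "arietimmerman:ice"],
        CORE: {
            "userName": email,
            "password": password,
            "name": {"formatted": display_name},
            "displayName": display_name,
            "emails": [{"value": email, "type": "other", "primary": True}],
        },
    }

def pkce_challenge(code_verifier: str) -> str:
    """S256 code_challenge per RFC 7636: base64url(sha256(verifier)), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    """Fresh PKCE code_verifier; 64 URL-safe characters (RFC 7636 allows 43-128)."""
    return secrets.token_urlsafe(48)

def activation_url(email: str, code_verifier: str, state: str, nonce: str) -> str:
    """Authorize URL for the activation step: acr_values=activation and
    login_hint=<the email just registered>; the other parameters follow the
    example above, with caller-supplied state and nonce instead of fixed values."""
    params = {
        "acr_values": "activation", "client_id": CLIENT_ID,
        "code_challenge": pkce_challenge(code_verifier), "code_challenge_method": "S256",
        "nonce": nonce, "redirect_uri": REDIRECT_URI, "response_type": "id_token",
        "scope": "email", "state": state, "login_hint": email,
    }
    return f"{TENANT}/oauth/authorize?{urlencode(params)}"

if __name__ == "__main__":
    verifier, state, nonce = new_verifier(), secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(registration_body("johndoe@example.com", "John Doe", "test123"))
    print(activation_url("johndoe@example.com", verifier, state, nonce))
```

Keep the verifier, state and nonce in the client session so the id_token's nonce and the returned state can be checked on the redirect.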

All other authentication modules reject authentication for inactive users.