The return structure of the /ServiceproviderConfig endpoint defines, among other things, the features that are supported by the SCIM plug-in.
- patch: When transferring changes, only the individual operations on object properties are transferred, not the complete object to be changed.
- filter: Supports filtering of objects directly in the request or in patch operations.
An authenticationSchemes list is included in the structure returned by the /ServiceproviderConfig endpoint. The list publishes the possible authentication and authorization methods with which the SCIM plug-in can be used.
The following are supported:
- HTTP Basic access authentication
- NTLM authentication and Kerberos
- OAuth 2.0 client authorization
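The following is an added example (not code from the One Identity Manager documentation or the SCIM plug-in) of how a SCIM client would consume the /ServiceproviderConfig structure described above: it reads the patch and filter capabilities, picks an authentication scheme from the advertised authenticationSchemes list, and decides whether a change can be sent as a PATCH of single operations or must fall back to a full PUT. The response body, the base URL and the scheme type values (the standard SCIM 2.0 types httpbasic and oauthbearertoken) are constructed assumptions; the sample therefore lists only two of the three methods named in the text.

```python
import json
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import urlencode

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample in the shape of a SCIM 2.0 ServiceProviderConfig response.
# Values are assumptions for this example, not a captured API Server response.
SAMPLE_CONFIG_JSON = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
    "patch": {"supported": True},
    "filter": {"supported": True, "maxResults": 200},
    "bulk": {"supported": False, "maxOperations": 0, "maxPayloadSize": 0},
    "changePassword": {"supported": False},
    "sort": {"supported": False},
    "etag": {"supported": False},
    "authenticationSchemes": [
        {"type": "httpbasic", "name": "HTTP Basic", "description": "constructed"},
        {"type": "oauthbearertoken", "name": "OAuth 2.0", "description": "constructed"},
    ],
})

# Client preference, most preferred first: a bearer token avoids sending a
# reusable password with every request, so it wins when the server offers it.
PREFERRED_SCHEMES = ["oauthbearertoken", "httpbasic"]


def parse_config(raw: str) -> Dict[str, Any]:
    """Decode the ServiceProviderConfig JSON document."""
    return json.loads(raw)


def supports(config: Dict[str, Any], feature: str) -> bool:
    """True if the named capability block (patch, filter, bulk, ...) is advertised."""
    return bool(config.get(feature, {}).get("supported", False))


def advertised_schemes(config: Dict[str, Any]) -> List[str]:
    """Scheme type identifiers from the authenticationSchemes list."""
    return [s.get("type", "") for s in config.get("authenticationSchemes", [])]


def choose_auth_scheme(config: Dict[str, Any],
                       preferred: List[str] = PREFERRED_SCHEMES) -> Optional[str]:
    """First scheme in the client's preference order that the server offers."""
    offered = set(advertised_schemes(config))
    for scheme in preferred:
        if scheme in offered:
            return scheme
    return None


def plan_update(config: Dict[str, Any], resource: Dict[str, Any],
                changes: Dict[str, Any]) -> Tuple[str, Dict[str, Any]]:
    """Return (HTTP method, body) for applying `changes` to `resource`.

    With patch support only the changed properties travel as single replace
    operations; without it the complete object has to be written back via PUT.
    """
    if supports(config, "patch"):
        ops = [{"op": "replace", "path": name, "value": value}
               for name, value in changes.items()]
        return "PATCH", {"schemas": [PATCH_OP_SCHEMA], "Operations": ops}
    merged = dict(resource)
    merged.update(changes)
    return "PUT", merged


def plan_query(config: Dict[str, Any], base_url: str, resource_type: str,
               scim_filter: str) -> Tuple[str, str]:
    """Return ("server", url-with-filter) if the server filters, else ("client", plain url).

    A client that ignores the filter capability would otherwise fetch every
    object and filter locally without noticing the extra data exposure.
    """
    url = f"{base_url}/scim/v2/{resource_type}"
    if supports(config, "filter"):
        return "server", url + "?" + urlencode({"filter": scim_filter})
    return "client", url


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG_JSON)
    print("auth scheme:", choose_auth_scheme(cfg))
    print(plan_update(cfg, {"cn": "old"}, {"cn": "new"}))
    print(plan_query(cfg, "https://host.example/ApiServer", "Locality", 'cn eq "Berlin"'))
```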
To access the One Identity Manager database, the SCIM plug-in must be authenticated. Authentication is carried out by the One Identity Manager authentication modules. For more information, see the One Identity Manager Authorization and Authentication Guide.
The authentication modules are checked in the following order, and the first authentication module that succeeds is used for logging in. Ensure that at least one authentication module is enabled and configured. For more information about authenticating users on the API Server, see the One Identity Manager API Development Guide.
- Active Directory user account (ADSAccount)
- HTTP Header (HTTPHeader)
- OAuth 2.0/OpenID Connect (role-based) (OAuthRoleBased)
The SCIM 2.0 schema exported at the /Schemas endpoint is generated from the One Identity Manager schema. The table definitions to take into account are supplied, as are the M:N tables to publish. A data object description with simple and complex properties is created for each table.
Columns in a table
The columns of a table are mapped to simple properties of integral types.
Foreign key relations
The foreign key relations of a table are only included in the schema if the reference's target table is also part of the schema. In this case, a complex property is published with the foreign key's column name. This complex property has the value, $ref, and displayName properties.
The complex property is marked in the schema with the "returned" : "request" attribute. To be able to read this data, the property must be explicitly requested by the SCIM client using the attributes URL parameter.
Example:
https://<servername>.<domainname>/ApiServer/scim/v2/Locality/0294ce3c-8286-4641-bc13-9bcd4a2fd714?attributes=cn,City,UID_PersonHead
M:N tables
M:N tables are published under the members complex property in the schema. This also applies if there are several M:N tables to take into account. This complex property defines an array of subelements that have the value, type, $ref, and display properties.
The members complex property is marked in the schema with the attribute "returned" : "request". To be able to read this data, the property must be explicitly requested by the SCIM client via the URL parameter attributes.
Example:
http://<servername>.<domainname>/ApiServer/scim/v2/UNSGroupB/94bbe614-0a6e-4659-8fe9-20da94d967c8?attributes=cn,members
If several M:N tables are grouped together, the table from which each element originates is identified by the value in the type property. Ensure that the value in the type property is also passed when writing to the property. The values accepted as correct are defined in the schema as a list in canonicalValues on the respective type subattribute.
If the SCIM client cannot determine the value for type, it can be left blank and is then not transmitted with the PUT or PATCH request. The SCIM plug-in tries to determine the correct type itself: the element's ID passed in the value property is used to search all One Identity Manager tables that are part of the members definition. If the object is found, the operation can be performed.
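As an added example covering both the foreign key section and the M:N section above (this is illustrative client code, not part of the One Identity Manager documentation or the SCIM plug-in), the following builds a GET URL that explicitly names the "returned" : "request" properties in the attributes parameter, detects when such a property was needed but is absent from a response, and assembles a PATCH body for members whose type values are validated against the schema's canonicalValues, leaving type out entirely when the client does not know it. The schema fragment is constructed: the attribute names cn, UID_PersonHead and members come from the examples in the text, while the schema id and the canonicalValues ("ExampleTableA", "ExampleTableB") are placeholders, not the plug-in's generated schema.

```python
from typing import Any, Dict, List, Optional
from urllib.parse import urlencode

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed schema fragment in the shape of a SCIM 2.0 resource schema.
# Schema id and canonicalValues are placeholders for this example.
SAMPLE_SCHEMA: Dict[str, Any] = {
    "id": "urn:example:scim:schemas:UNSGroupB",
    "attributes": [
        {"name": "cn", "type": "string", "returned": "default"},
        {"name": "UID_PersonHead", "type": "complex", "returned": "request",
         "subAttributes": [{"name": "value"}, {"name": "$ref"}, {"name": "displayName"}]},
        {"name": "members", "type": "complex", "multiValued": True, "returned": "request",
         "subAttributes": [
             {"name": "value"},
             {"name": "type", "canonicalValues": ["ExampleTableA", "ExampleTableB"]},
             {"name": "$ref"},
             {"name": "display"},
         ]},
    ],
}


def attribute(schema: Dict[str, Any], name: str) -> Dict[str, Any]:
    """Look up a top-level attribute definition; unknown names fail early."""
    for attr in schema["attributes"]:
        if attr["name"] == name:
            return attr
    raise KeyError(f"attribute {name!r} is not in schema {schema['id']}")


def sub_attribute(attr: Dict[str, Any], name: str) -> Dict[str, Any]:
    """Look up a sub-attribute of a complex attribute."""
    for sub in attr.get("subAttributes", []):
        if sub["name"] == name:
            return sub
    raise KeyError(f"sub-attribute {name!r} is not defined on {attr['name']}")


def build_resource_url(base_url: str, resource_type: str, object_id: str,
                       schema: Dict[str, Any], wanted: List[str]) -> str:
    """GET URL that explicitly requests every attribute in `wanted`.

    Properties marked returned=request are never part of a default response,
    so a client that forgets them silently gets a resource without that data.
    """
    for name in wanted:
        attribute(schema, name)  # raises KeyError before a request is sent
    query = urlencode({"attributes": ",".join(wanted)}, safe=",")
    return f"{base_url}/scim/v2/{resource_type}/{object_id}?{query}"


def missing_request_attributes(schema: Dict[str, Any], wanted: List[str],
                               response: Dict[str, Any]) -> List[str]:
    """Names in `wanted` that are returned=request and absent from `response`.

    A non-empty result usually means the attributes parameter was dropped.
    """
    return [name for name in wanted
            if attribute(schema, name).get("returned") == "request"
            and name not in response]


def build_members_patch(schema: Dict[str, Any], members: List[Dict[str, Optional[str]]],
                        op: str = "add") -> Dict[str, Any]:
    """Build a PatchOp body for the members property.

    Each entry of `members` is {"value": <object id>, "type": <table name or None>}.
    A given type must be one of the schema's canonicalValues; None omits the
    type so the server resolves the table from the value on its own.
    """
    allowed = sub_attribute(attribute(schema, "members"), "type")["canonicalValues"]
    entries: List[Dict[str, str]] = []
    for member in members:
        entry = {"value": member["value"]}
        member_type = member.get("type")
        if member_type is not None:
            if member_type not in allowed:
                raise ValueError(f"type {member_type!r} not in canonicalValues {allowed}")
            entry["type"] = member_type
        entries.append(entry)
    return {"schemas": [PATCH_OP_SCHEMA],
            "Operations": [{"op": op, "path": "members", "value": entries}]}


if __name__ == "__main__":
    # Object id below is a constructed placeholder.
    print(build_resource_url("https://host.example/ApiServer", "UNSGroupB",
                             "00000000-0000-0000-0000-000000000000", SAMPLE_SCHEMA,
                             ["cn", "members"]))
    print(build_members_patch(SAMPLE_SCHEMA, [{"value": "id-1", "type": "ExampleTableA"},
                                              {"value": "id-2"}]))
```

The URL helper keeps the comma in the attributes list unescaped, matching the form of the example URLs in this section, and the PATCH helper treats a type that is not in canonicalValues as a client-side error rather than letting the server reject or misinterpret the write.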