Content Management and Capture

We are working on connecting OAuth and CPE/ICN to Azure.  To help the customer manger users/groups being added to CPE Managed Directory Service we need to get SCIM working.  I have tried to back engineer using the documentation and help bubbles to get CPE SCIM connecting to Azure.

Example of help bubble when setting up SCIM.  For value SCIM context path the help shows "For example, the context path for IAM is dmgmt/identity/api/v1/scim)."   There are more values needing to be filled out, but this is a simple example not being able to find the counterpart in Azure. 

Thank You for your time,

JJ

You can use Azure AD as an OIDC identity provider.  However, SCIM integration is not supported at this time.  This is because Azure does not allow retrieving the groups a user is a member of from a SCIM user query.  Azure only allows retrieving members from a SCIM group query.

We are working on connecting OAuth and CPE/ICN to Azure.  To help the customer manger users/groups being added to CPE Managed Directory Service we need to get SCIM working.  I have tried to back engineer using the documentation and help bubbles to get CPE SCIM connecting to Azure.

Example of help bubble when setting up SCIM.  For value SCIM context path the help shows "For example, the context path for IAM is dmgmt/identity/api/v1/scim)."   There are more values needing to be filled out, but this is a simple example not being able to find the counterpart in Azure. 

Thank You for your time,

JJ

is that still the case today (Feb 2024)

You can use Azure AD as an OIDC identity provider.  However, SCIM integration is not supported at this time.  This is because Azure does not allow retrieving the groups a user is a member of from a SCIM user query.  Azure only allows retrieving members from a SCIM group query.

We are working on connecting OAuth and CPE/ICN to Azure.  To help the customer manger users/groups being added to CPE Managed Directory Service we need to get SCIM working.  I have tried to back engineer using the documentation and help bubbles to get CPE SCIM connecting to Azure.

Example of help bubble when setting up SCIM.  For value SCIM context path the help shows "For example, the context path for IAM is dmgmt/identity/api/v1/scim)."   There are more values needing to be filled out, but this is a simple example not being able to find the counterpart in Azure. 

Thank You for your time,

JJ

Hi,

While you still cannot use Azure SCIM directly with CPE, as of FNCM 5.5.12, you can do so by using RedHat Keycloak.  In this configuration, Keycloak is set up as the IDP and SCIM server between CPE and Azure AD.  Keycloak has an interface with Azure so that Azure users and Groups can be imported into Keycloak.  Then you can use Keycloak in a CPE SCIM Directory Configuration for authorization.

This configuration is described in the Integration with Red Hat Keycloak section of the attached presentation: P85512 - FNCMS Container Deployment.pdf.

is that still the case today (Feb 2024)

You can use Azure AD as an OIDC identity provider.  However, SCIM integration is not supported at this time.  This is because Azure does not allow retrieving the groups a user is a member of from a SCIM user query.  Azure only allows retrieving members from a SCIM group query.

We are working on connecting OAuth and CPE/ICN to Azure.  To help the customer manger users/groups being added to CPE Managed Directory Service we need to get SCIM working.  I have tried to back engineer using the documentation and help bubbles to get CPE SCIM connecting to Azure.

Example of help bubble when setting up SCIM.  For value SCIM context path the help shows "For example, the context path for IAM is dmgmt/identity/api/v1/scim)."   There are more values needing to be filled out, but this is a simple example not being able to find the counterpart in Azure. 

Thank You for your time,

JJ

Awesome, thank you for the update and useful PDF. 

So to make SCIM Azure AD work we need to implement Keycloak and the "scim-for-keycloak" plugin.

Trusting the keycloak tool is a smaller issue (as it comes from RH) but trusting the random plugin developer (Mr Knüppel) could be a issue in technical review boards meetings.   :-)

Could you please clarify if both (keycloak and plugin) are needed because of Azure AD (well now Entra ID) limitations or FN CPE limitations?
Any plans to improve support of Azure AD via SCIM directly? 

Hi,

While you still cannot use Azure SCIM directly with CPE, as of FNCM 5.5.12, you can do so by using RedHat Keycloak.  In this configuration, Keycloak is set up as the IDP and SCIM server between CPE and Azure AD.  Keycloak has an interface with Azure so that Azure users and Groups can be imported into Keycloak.  Then you can use Keycloak in a CPE SCIM Directory Configuration for authorization.

This configuration is described in the Integration with Red Hat Keycloak section of the attached presentation: P85512 - FNCMS Container Deployment.pdf.

is that still the case today (Feb 2024)

You can use Azure AD as an OIDC identity provider.  However, SCIM integration is not supported at this time.  This is because Azure does not allow retrieving the groups a user is a member of from a SCIM user query.  Azure only allows retrieving members from a SCIM group query.

We are working on connecting OAuth and CPE/ICN to Azure.  To help the customer manger users/groups being added to CPE Managed Directory Service we need to get SCIM working.  I have tried to back engineer using the documentation and help bubbles to get CPE SCIM connecting to Azure.

Example of help bubble when setting up SCIM.  For value SCIM context path the help shows "For example, the context path for IAM is dmgmt/identity/api/v1/scim)."   There are more values needing to be filled out, but this is a simple example not being able to find the counterpart in Azure. 

Thank You for your time,

JJ

Yes, both Keycloak and the "scim-for-keycloak" plugin are required.

CPE cannot work with Azure AD SCIM directly due to an Azure AD limitation that does not return the groups to which a user belongs using a SCIM query on the user.  This Azure AD limitation is also mentioned in this stackoverflow post:  https://stackoverflow.com/questions/70377887/azure-ad-scim-attribute-mapping-group-membership-expression, in which it's stated

Until Microsoft fixes this issue, CPE SCIM integration directly with Azure AD is not possible.

Awesome, thank you for the update and useful PDF. 

So to make SCIM Azure AD work we need to implement Keycloak and the "scim-for-keycloak" plugin.

Trusting the keycloak tool is a smaller issue (as it comes from RH) but trusting the random plugin developer (Mr Knüppel) could be a issue in technical review boards meetings.   :-)

Could you please clarify if both (keycloak and plugin) are needed because of Azure AD (well now Entra ID) limitations or FN CPE limitations?
Any plans to improve support of Azure AD via SCIM directly? 

Hi,

While you still cannot use Azure SCIM directly with CPE, as of FNCM 5.5.12, you can do so by using RedHat Keycloak.  In this configuration, Keycloak is set up as the IDP and SCIM server between CPE and Azure AD.  Keycloak has an interface with Azure so that Azure users and Groups can be imported into Keycloak.  Then you can use Keycloak in a CPE SCIM Directory Configuration for authorization.

This configuration is described in the Integration with Red Hat Keycloak section of the attached presentation: P85512 - FNCMS Container Deployment.pdf.

is that still the case today (Feb 2024)

You can use Azure AD as an OIDC identity provider.  However, SCIM integration is not supported at this time.  This is because Azure does not allow retrieving the groups a user is a member of from a SCIM user query.  Azure only allows retrieving members from a SCIM group query.

We are working on connecting OAuth and CPE/ICN to Azure.  To help the customer manger users/groups being added to CPE Managed Directory Service we need to get SCIM working.  I have tried to back engineer using the documentation and help bubbles to get CPE SCIM connecting to Azure.

Example of help bubble when setting up SCIM.  For value SCIM context path the help shows "For example, the context path for IAM is dmgmt/identity/api/v1/scim)."   There are more values needing to be filled out, but this is a simple example not being able to find the counterpart in Azure. 

Thank You for your time,

JJ

Yes, both Keycloak and the "scim-for-keycloak" plugin are required.

CPE cannot work with Azure AD SCIM directly due to an Azure AD limitation that does not return the groups to which a user belongs using a SCIM query on the user.  This Azure AD limitation is also mentioned in this stackoverflow post:  https://stackoverflow.com/questions/70377887/azure-ad-scim-attribute-mapping-group-membership-expression, in which it's stated

Until Microsoft fixes this issue, CPE SCIM integration directly with Azure AD is not possible.

Awesome, thank you for the update and useful PDF. 

So to make SCIM Azure AD work we need to implement Keycloak and the "scim-for-keycloak" plugin.

Trusting the keycloak tool is a smaller issue (as it comes from RH) but trusting the random plugin developer (Mr Knüppel) could be a issue in technical review boards meetings.   :-)

Could you please clarify if both (keycloak and plugin) are needed because of Azure AD (well now Entra ID) limitations or FN CPE limitations?
Any plans to improve support of Azure AD via SCIM directly? 

Hi,

While you still cannot use Azure SCIM directly with CPE, as of FNCM 5.5.12, you can do so by using RedHat Keycloak.  In this configuration, Keycloak is set up as the IDP and SCIM server between CPE and Azure AD.  Keycloak has an interface with Azure so that Azure users and Groups can be imported into Keycloak.  Then you can use Keycloak in a CPE SCIM Directory Configuration for authorization.

This configuration is described in the Integration with Red Hat Keycloak section of the attached presentation: P85512 - FNCMS Container Deployment.pdf.

is that still the case today (Feb 2024)

You can use Azure AD as an OIDC identity provider.  However, SCIM integration is not supported at this time.  This is because Azure does not allow retrieving the groups a user is a member of from a SCIM user query.  Azure only allows retrieving members from a SCIM group query.

We are working on connecting OAuth and CPE/ICN to Azure.  To help the customer manger users/groups being added to CPE Managed Directory Service we need to get SCIM working.  I have tried to back engineer using the documentation and help bubbles to get CPE SCIM connecting to Azure.

Example of help bubble when setting up SCIM.  For value SCIM context path the help shows "For example, the context path for IAM is dmgmt/identity/api/v1/scim)."   There are more values needing to be filled out, but this is a simple example not being able to find the counterpart in Azure. 

Thank You for your time,

JJ

Hello,

I am trying to do exactly that, but with a classic deployment of CPE. I have looked online for resources about this, but all of them seem to refer to the container version of FN. Do you know if it's possible to have a Azure AD - Keycloak with SCIM plugin - classic FN deployment in a VM?

Yes, both Keycloak and the "scim-for-keycloak" plugin are required.

CPE cannot work with Azure AD SCIM directly due to an Azure AD limitation that does not return the groups to which a user belongs using a SCIM query on the user.  This Azure AD limitation is also mentioned in this stackoverflow post:  https://stackoverflow.com/questions/70377887/azure-ad-scim-attribute-mapping-group-membership-expression, in which it's stated

Until Microsoft fixes this issue, CPE SCIM integration directly with Azure AD is not possible.

Awesome, thank you for the update and useful PDF. 

So to make SCIM Azure AD work we need to implement Keycloak and the "scim-for-keycloak" plugin.

Trusting the keycloak tool is a smaller issue (as it comes from RH) but trusting the random plugin developer (Mr Knüppel) could be a issue in technical review boards meetings.   :-)

Could you please clarify if both (keycloak and plugin) are needed because of Azure AD (well now Entra ID) limitations or FN CPE limitations?
Any plans to improve support of Azure AD via SCIM directly? 

Hi,

While you still cannot use Azure SCIM directly with CPE, as of FNCM 5.5.12, you can do so by using RedHat Keycloak.  In this configuration, Keycloak is set up as the IDP and SCIM server between CPE and Azure AD.  Keycloak has an interface with Azure so that Azure users and Groups can be imported into Keycloak.  Then you can use Keycloak in a CPE SCIM Directory Configuration for authorization.

This configuration is described in the Integration with Red Hat Keycloak section of the attached presentation: P85512 - FNCMS Container Deployment.pdf.

is that still the case today (Feb 2024)

You can use Azure AD as an OIDC identity provider.  However, SCIM integration is not supported at this time.  This is because Azure does not allow retrieving the groups a user is a member of from a SCIM user query.  Azure only allows retrieving members from a SCIM group query.

We are working on connecting OAuth and CPE/ICN to Azure.  To help the customer manger users/groups being added to CPE Managed Directory Service we need to get SCIM working.  I have tried to back engineer using the documentation and help bubbles to get CPE SCIM connecting to Azure.

Example of help bubble when setting up SCIM.  For value SCIM context path the help shows "For example, the context path for IAM is dmgmt/identity/api/v1/scim)."   There are more values needing to be filled out, but this is a simple example not being able to find the counterpart in Azure. 

Thank You for your time,

JJ

As of CPE 5.6, SCIM is supported as a Directory Provider on traditional WebSphere deployments and has been qualified to work with keycloak connected to Azure AD.  See this What's New topic: https://www.ibm.com/docs/en/filenet-p8-platform/5.6.0?topic=welcome-whats-new

Hello,

I am trying to do exactly that, but with a classic deployment of CPE. I have looked online for resources about this, but all of them seem to refer to the container version of FN. Do you know if it's possible to have a Azure AD - Keycloak with SCIM plugin - classic FN deployment in a VM?

Yes, both Keycloak and the "scim-for-keycloak" plugin are required.

CPE cannot work with Azure AD SCIM directly due to an Azure AD limitation that does not return the groups to which a user belongs using a SCIM query on the user.  This Azure AD limitation is also mentioned in this stackoverflow post:  https://stackoverflow.com/questions/70377887/azure-ad-scim-attribute-mapping-group-membership-expression, in which it's stated

Until Microsoft fixes this issue, CPE SCIM integration directly with Azure AD is not possible.

Awesome, thank you for the update and useful PDF. 

So to make SCIM Azure AD work we need to implement Keycloak and the "scim-for-keycloak" plugin.

Trusting the keycloak tool is a smaller issue (as it comes from RH) but trusting the random plugin developer (Mr Knüppel) could be a issue in technical review boards meetings.   :-)

Could you please clarify if both (keycloak and plugin) are needed because of Azure AD (well now Entra ID) limitations or FN CPE limitations?
Any plans to improve support of Azure AD via SCIM directly? 

Hi,

While you still cannot use Azure SCIM directly with CPE, as of FNCM 5.5.12, you can do so by using RedHat Keycloak.  In this configuration, Keycloak is set up as the IDP and SCIM server between CPE and Azure AD.  Keycloak has an interface with Azure so that Azure users and Groups can be imported into Keycloak.  Then you can use Keycloak in a CPE SCIM Directory Configuration for authorization.

This configuration is described in the Integration with Red Hat Keycloak section of the attached presentation: P85512 - FNCMS Container Deployment.pdf.

is that still the case today (Feb 2024)

You can use Azure AD as an OIDC identity provider.  However, SCIM integration is not supported at this time.  This is because Azure does not allow retrieving the groups a user is a member of from a SCIM user query.  Azure only allows retrieving members from a SCIM group query.

We are working on connecting OAuth and CPE/ICN to Azure.  To help the customer manger users/groups being added to CPE Managed Directory Service we need to get SCIM working.  I have tried to back engineer using the documentation and help bubbles to get CPE SCIM connecting to Azure.

Example of help bubble when setting up SCIM.  For value SCIM context path the help shows "For example, the context path for IAM is dmgmt/identity/api/v1/scim)."   There are more values needing to be filled out, but this is a simple example not being able to find the counterpart in Azure. 

Thank You for your time,

JJ

Thank you for this Roger. Are you aware if there is any documentation available on how the configuration on the WebSphere and CE side is performed? I have Keycloak deployed and the plugin enabled.

As of CPE 5.6, SCIM is supported as a Directory Provider on traditional WebSphere deployments and has been qualified to work with keycloak connected to Azure AD.  See this What's New topic: https://www.ibm.com/docs/en/filenet-p8-platform/5.6.0?topic=welcome-whats-new

Hello,

I am trying to do exactly that, but with a classic deployment of CPE. I have looked online for resources about this, but all of them seem to refer to the container version of FN. Do you know if it's possible to have a Azure AD - Keycloak with SCIM plugin - classic FN deployment in a VM?

Yes, both Keycloak and the "scim-for-keycloak" plugin are required.

CPE cannot work with Azure AD SCIM directly due to an Azure AD limitation that does not return the groups to which a user belongs using a SCIM query on the user.  This Azure AD limitation is also mentioned in this stackoverflow post:  https://stackoverflow.com/questions/70377887/azure-ad-scim-attribute-mapping-group-membership-expression, in which it's stated

Until Microsoft fixes this issue, CPE SCIM integration directly with Azure AD is not possible.

Awesome, thank you for the update and useful PDF. 

So to make SCIM Azure AD work we need to implement Keycloak and the "scim-for-keycloak" plugin.

Trusting the keycloak tool is a smaller issue (as it comes from RH) but trusting the random plugin developer (Mr Knüppel) could be a issue in technical review boards meetings.   :-)

Could you please clarify if both (keycloak and plugin) are needed because of Azure AD (well now Entra ID) limitations or FN CPE limitations?
Any plans to improve support of Azure AD via SCIM directly? 

Hi,

While you still cannot use Azure SCIM directly with CPE, as of FNCM 5.5.12, you can do so by using RedHat Keycloak.  In this configuration, Keycloak is set up as the IDP and SCIM server between CPE and Azure AD.  Keycloak has an interface with Azure so that Azure users and Groups can be imported into Keycloak.  Then you can use Keycloak in a CPE SCIM Directory Configuration for authorization.

This configuration is described in the Integration with Red Hat Keycloak section of the attached presentation: P85512 - FNCMS Container Deployment.pdf.

is that still the case today (Feb 2024)

You can use Azure AD as an OIDC identity provider.  However, SCIM integration is not supported at this time.  This is because Azure does not allow retrieving the groups a user is a member of from a SCIM user query.  Azure only allows retrieving members from a SCIM group query.

We are working on connecting OAuth and CPE/ICN to Azure.  To help the customer manger users/groups being added to CPE Managed Directory Service we need to get SCIM working.  I have tried to back engineer using the documentation and help bubbles to get CPE SCIM connecting to Azure.

Example of help bubble when setting up SCIM.  For value SCIM context path the help shows "For example, the context path for IAM is dmgmt/identity/api/v1/scim)."   There are more values needing to be filled out, but this is a simple example not being able to find the counterpart in Azure. 

Thank You for your time,

JJ