Content Management and Capture

  • 1.  FileNet CPE SCIM connection to Azure

    Posted Sun March 05, 2023 03:22 PM

    We are working on connecting OAuth and CPE/ICN to Azure. To help the customer manage users/groups being added to the CPE Managed Directory Service we need to get SCIM working. I have tried to back engineer using the documentation and help bubbles to get CPE SCIM connecting to Azure.

    Example of help bubble when setting up SCIM. For the value SCIM context path the help shows "For example, the context path for IAM is dmgmt/identity/api/v1/scim)." There are more values needing to be filled out, but this is a simple example of not being able to find the counterpart in Azure.

    Thank You for your time,

    JJ



    ------------------------------
    John Justice
    ------------------------------


  • 2.  RE: FileNet CPE SCIM connection to Azure

    Posted Tue March 07, 2023 04:02 PM

    You can use Azure AD as an OIDC identity provider. However, SCIM integration is not supported at this time. This is because Azure does not allow retrieving the groups a user is a member of from a SCIM user query. Azure only allows retrieving members from a SCIM group query.



    ------------------------------
    ROGER Bacalzo
    ------------------------------



  • 3.  RE: FileNet CPE SCIM connection to Azure

    Posted Wed February 21, 2024 04:38 PM

    Is that still the case today (Feb 2024)?



    ------------------------------
    Tilo S
    ------------------------------



  • 4.  RE: FileNet CPE SCIM connection to Azure

    Posted Thu February 22, 2024 04:56 PM

    Hi,

    While you still cannot use Azure SCIM directly with CPE, as of FNCM 5.5.12 you can do so by using Red Hat Keycloak. In this configuration, Keycloak is set up as the IDP and SCIM server between CPE and Azure AD. Keycloak has an interface with Azure so that Azure users and groups can be imported into Keycloak. Then you can use Keycloak in a CPE SCIM Directory Configuration for authorization.

    This configuration is described in the Integration with Red Hat Keycloak section of the attached presentation: P85512 - FNCMS Container Deployment.pdf.



    ------------------------------
    ROGER Bacalzo
    ------------------------------




  • 5.  RE: FileNet CPE SCIM connection to Azure

    Posted Thu February 22, 2024 06:06 PM

    Awesome, thank you for the update and useful PDF.

    So to make SCIM Azure AD work we need to implement Keycloak and the "scim-for-keycloak" plugin.

    Trusting the Keycloak tool is a smaller issue (as it comes from RH), but trusting the random plugin developer (Mr Knüppel) could be an issue in technical review board meetings. :-)

    Could you please clarify if both (keycloak and plugin) are needed because of Azure AD (well now Entra ID) limitations or FN CPE limitations?
    Any plans to improve support of Azure AD via SCIM directly? 



    ------------------------------
    Tilo S
    ------------------------------



  • 6.  RE: FileNet CPE SCIM connection to Azure

    Posted Thu February 22, 2024 06:43 PM

    Yes, both Keycloak and the "scim-for-keycloak" plugin are required.

    CPE cannot work with Azure AD SCIM directly due to an Azure AD limitation that does not return the groups to which a user belongs using a SCIM query on the user. This Azure AD limitation is also mentioned in this stackoverflow post: https://stackoverflow.com/questions/70377887/azure-ad-scim-attribute-mapping-group-membership-expression, in which it is stated:

    Group membership is considered a property of the group object, and cannot be called into any logic expressions for user objects.

    Until Microsoft fixes this issue, CPE SCIM integration directly with Azure AD is not possible.



    ------------------------------
    ROGER Bacalzo
    ------------------------------
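The limitation discussed in replies 2 and 6 (a SCIM user query that does not carry the user's groups, while group queries do carry members) can be worked around on the client side by resolving membership through /Groups. The following is an added example, not code from the thread, IBM, Microsoft or Keycloak: it uses the RFC 7643 attribute names (User.groups, Group.members) and the RFC 7644 list/filter/paging conventions against a constructed in-memory SCIM server that deliberately omits User.groups. The server, its users and groups, and the ids are all made up for the example; a real SCIM endpoint would be reached over HTTPS with a bearer token instead of the in-memory get() call.

```python
"""
Added example: resolving a SCIM user's group membership when the provider
leaves the read-only User.groups attribute empty, by querying /Groups with
a `members eq "<id>"` filter and paging through the ListResponse.
All data and the FakeScimServer are constructed for this example.
"""
import re

# Filter grammar we accept for the group query (RFC 7644 `eq` on members.value).
MEMBERS_FILTER_RE = re.compile(r'^members\s+eq\s+"([^"\\]+)"$', re.IGNORECASE)


class FakeScimServer:
    """Constructed stand-in for a SCIM 2.0 provider that never populates User.groups."""

    def __init__(self, users, groups, page_size=2):
        self.users = {u["id"]: u for u in users}
        self.groups = groups
        self.page_size = page_size  # small on purpose so paging is exercised

    def get(self, path, params=None):
        params = params or {}
        if path.startswith("/Users/"):
            user = self.users.get(path[len("/Users/"):])
            if user is None:
                return 404, {"status": "404", "detail": "User not found"}
            # The modelled limitation: the user resource comes back without `groups`.
            return 200, {k: v for k, v in user.items() if k != "groups"}
        if path == "/Groups":
            matches = self.groups
            if "filter" in params:
                m = MEMBERS_FILTER_RE.match(params["filter"])
                if not m:
                    return 400, {"status": "400", "scimType": "invalidFilter"}
                uid = m.group(1)
                matches = [g for g in self.groups
                           if any(mem.get("value") == uid for mem in g.get("members", []))]
            start = int(params.get("startIndex", 1))  # SCIM startIndex is 1-based
            page = matches[start - 1:start - 1 + self.page_size]
            return 200, {
                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                "totalResults": len(matches), "startIndex": start,
                "itemsPerPage": len(page), "Resources": page,
            }
        return 404, {"status": "404", "detail": "Unknown resource"}


def groups_from_user_resource(server, user_id):
    """Direct approach: read User.groups. Returns [] when the provider omits it."""
    status, body = server.get(f"/Users/{user_id}")
    if status != 200:
        raise LookupError(body.get("detail", str(status)))
    return sorted(g["value"] for g in body.get("groups", []))


def groups_via_group_query(server, user_id):
    """Workaround: page through /Groups?filter=members eq "<id>" and collect group ids."""
    # The id is interpolated into a SCIM filter string, so refuse anything that
    # could break out of the quoted literal (filter injection).
    if not re.fullmatch(r"[A-Za-z0-9._:@-]+", user_id):
        raise ValueError(f"refusing to build a filter from id {user_id!r}")
    found, start = [], 1
    while True:
        status, body = server.get("/Groups", {"filter": f'members eq "{user_id}"',
                                              "startIndex": start})
        if status != 200:
            raise RuntimeError(f"group query failed: {body}")
        found.extend(g["id"] for g in body["Resources"])
        start += body["itemsPerPage"]
        if body["itemsPerPage"] == 0 or start > body["totalResults"]:
            break
    return sorted(found)


def build_demo_server():
    """Constructed directory: two users, four groups (one empty)."""
    users = [
        {"id": "u1", "userName": "alice@example.test", "groups": [{"value": "g-admins"}]},
        {"id": "u2", "userName": "bob@example.test"},
    ]
    groups = [
        {"id": "g-admins", "displayName": "Admins", "members": [{"value": "u1"}]},
        {"id": "g-finance", "displayName": "Finance", "members": [{"value": "u1"}, {"value": "u2"}]},
        {"id": "g-readers", "displayName": "Readers", "members": [{"value": "u2"}]},
        {"id": "g-auditors", "displayName": "Auditors", "members": [{"value": "u1"}]},
        {"id": "g-empty", "displayName": "Empty", "members": []},
    ]
    return FakeScimServer(users, groups, page_size=2)


if __name__ == "__main__":
    srv = build_demo_server()
    for uid in ("u1", "u2"):
        print(uid, "via /Users:", groups_from_user_resource(srv, uid),
              "via /Groups:", groups_via_group_query(srv, uid))
```

Note that the /Users path returns nothing even though the constructed record for alice carries a `groups` value, which is exactly the failure mode the thread describes; the /Groups path recovers all three of her groups across two pages. An intermediary such as the Keycloak setup described above is doing the equivalent work server-side, so that CPE can keep issuing a single user query.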



  • 7.  RE: FileNet CPE SCIM connection to Azure

    Posted 17 days ago

    I see a few options here to simplify the solution stack.

    • Azure AD (Entra ID) returns group (MS fix)
    • FN CPE implement a workaround (IBM fix)
    • SCIM server support directly in keycloak (IBM [RH] fix)
      • https://github.com/keycloak/keycloak/issues/13484
      • https://issues.redhat.com/browse/KEYCLOAK-2537 (created: 2016)

    Maybe the FN ECM team can push the SCIM feature in keycloak a bit. ⇑



    ------------------------------
    Tilo S
    ------------------------------