IBM Verify

IBM Verify Identity Access (IVIA) - SCIM Configuration and Troubleshooting

By Shubham Kotwal posted Tue April 15, 2025 11:29 AM


Introduction

SCIM stands for System for Cross-Domain Identity Management. It’s a standard way to automate the exchange of user identity information between systems.

In IBM Verify Identity Access, SCIM is used to provision and manage users and groups automatically. Instead of an administrator adding, updating, or deleting user accounts in each application by hand, SCIM lets the same operations be performed programmatically, over a REST interface, in a consistent and auditable way.

Example:

Let’s say your company uses IBM Verify Identity Access to manage user logins across different apps like Slack, Salesforce, and Office 365.

Now, imagine a new employee joins the company.

  • Without SCIM:
    An admin would need to log in to each app one by one and create that user manually.
  • With SCIM:
    The moment the user is added to a central HR system or identity directory, SCIM automatically creates that user in all connected apps through IBM Verify Identity Access.

If the employee leaves the company, SCIM can also automatically remove their access from all apps. This helps improve security and saves a lot of time.


Steps to Configure:

  1. Set up a Server Connection so that SCIM can communicate with LDAP.
    Navigate to AAC → Global Settings: Server Connections.
  2. Click the New button and choose LDAP from the drop-down menu. In this walkthrough the LDAP connection is to Active Directory (an external LDAP).

  3. In the Connection tab, give the Server Connection a name, and in the Servers tab provide the LDAP server's details. This walkthrough does not use SSL, so SSL is set to False. If you use SSL, set it to True and provide the Truststore as well as the Authentication Key details. Outside a lab, SSL should be True: with a plain LDAP connection the bind credentials and every user attribute that SCIM reads or writes travel in clear text between IVIA and the directory.

    Note: If the LDAP servers are replicated, specify all of them in the Server Connection so that SCIM can fail over to another server if one connection goes down.

  4. Review and Deploy the Pending Changes.
  5. Now, configure the SCIM Interface:

    Navigate to AAC → Manage: SCIM Configuration → User Profile.


  6. Select the Server Connection that we configured in Steps 1 to 3; this auto-fetches the Type. Specify the Search Suffix and User Suffix: whenever an API call searches for or creates a user, the entry is looked up under or created under the respective suffix. The User DN Attribute is the LDAP attribute used to form the distinguished name (the RDN) of each user entry, so it must be unique within the User Suffix. The User ID Attribute is the LDAP attribute that holds the user's login identifier (for Active Directory typically sAMAccountName); it is the value that SCIM maps to userName when retrieving, searching for, or creating user accounts. Click the Save button to save the changes.
  7. Navigate to AAC → Manage: SCIM Configuration → Verify Access User. Select Enable Verify Access Integration to enable the integration with Verify Identity Access and the management of Verify Identity Access users. From the Verify Access User Registry drop-down, select the same LDAP connection that we selected in the User Profile and in the Server Connection. Enable Update Native Users; this option controls whether the uid attribute of the native user entry is updated with the Verify Identity Access user identity when a Verify Identity Access user is created. Then Save and Deploy the changes.
  8. To reach the SCIM interface from outside Verify Identity Access through the reverse proxy, we need to create a /scim junction.

    Navigate to Web → Manage: Reverse Proxy


  9. Select the Reverse Proxy instance for which you want to create the /scim junction. From the Manage drop-down, click Junction Management. In Junction Management, click the New button to create a new junction and select Standard Junction as the junction type.
  10. Specify the Junction Point Name as /scim and select Create a Transparent Path Junction. In Junction Type, select SSL if you want to use SSL for communication with SCIM; otherwise use TCP for non-SSL communication.
  11. Navigate to the Servers tab, click the New button, and provide the Hostname/IP as well as the TCP or SSL port for communication with the SCIM runtime.
  12. Navigate to the Basic Authentication tab, enable Basic Authentication, and provide the Username and Password (the default password for easuser is "passw0rd"). This is the credential the reverse proxy presents to the AAC runtime on every SCIM call, so change the default easuser password before the junction is exposed to anything other than a lab.
  13. Go to the Identity tab, enable the IV-USER, IV-GROUPS, and IV-CREDS headers, and Save the changes. The runtime identifies the calling user from these headers, so the runtime listening port (9444 below) should be reachable only from the reverse proxy, never directly by clients.
  14. Because the server address is localhost on the non-standard port 9444, you may observe a DPWWA1222E error and the Server State may show as not running. Refer to the Troubleshooting section to resolve this.
  15. URLs generated by the SCIM interface will reference the hostname where the AAC Runtime is listening (e.g. localhost). We need to configure the Reverse Proxy so that it will recognize these URLs and replace the hostname with its own. For that, we need to edit the reverse proxy configuration file. Go to Web → Manage: Reverse Proxy then select the Reverse Proxy instance where you configured the /scim junction, then click on Manage → Configuration → Edit Configuration File.
  16. In the [filter-content-types] stanza, add the type entry:
    [filter-content-types]
    type = application/scim+json

    In the [script-filtering] stanza, enable script filtering and replace absolute URLs:

    [script-filtering]
    script-filter = yes
    rewrite-absolute-with-absolute = yes

    Then click on the Save button and Deploy the changes as well as Restart the reverse proxy instance.

  17. Now update the ACL attached to the SCIM endpoint so that it allows the PUT and DELETE methods (the default ACL only permits read operations, so updates and deletions would be rejected). This can be done either through the LMI (GUI) or the CLI. We will update the ACL through the GUI: go to Web → Manage: Policy Administration, log in as the sec_master user, then click Object Space → Browse Object Space, expand "/" → WebSEAL → primary-test-instance (the name of the reverse proxy instance used here) and click scim.
  18. In the ACL Attached section, click the Attach button.
  19. Select the isam_mobile_rest ACL from the list. If it is not listed, you can create a /mga junction, which automatically creates the required ACLs.

    Note: If you configured MMFA, OAuth, or any other AAC method, a /mga junction was created automatically. If it does not exist, create it from Web → Manage: Reverse Proxy: select the Reverse Proxy instance where you configured the /scim junction, then click Manage → AAC and Federation Configuration → MMFA Configuration (MMFA Configuration is chosen here only for demonstration; any of the options creates the junction). Enter the LMI credentials in the AAC LMI tab and the easuser password in the AAC Runtime tab (the default password for easuser is "passw0rd"), then click the Finish button.

    Now, you can see the ACL in the ACL List, select it, and click on Apply to attach it to the /scim object.

  20. Create an adminGroup from Group → Create Group. Enter adminGroup as the Group Name, enter the Registry GID, and click the Create button.
  21. Create a scimadmin user from User → Create User: enter scimadmin as the User Id, click Group Membership, search for adminGroup, select it and click "< Add", then click Done. Provide the remaining details and press the Create button.
  22. To run API calls as the scimadmin user, enable basic authentication on the reverse proxy: go to Web → Manage: Reverse Proxy, select the Reverse Proxy instance where you configured the /scim junction, then click Manage → Configuration → Edit Configuration File. In the [ba] stanza, change the ba-auth value from none to both (you can also choose http or https to restrict basic authentication to one scheme; https is the safer choice, since basic authentication sends the password base64-encoded, not encrypted). Save the configuration file, deploy the changes, and restart the Reverse Proxy instance.

    ba-auth = both
  23. To find out how to use the API calls, go to System → Secure Settings: File Downloads, then expand access_control → doc → ISVA-Access-Control-scim-rest-api.zip → Export. Extract the downloaded zip archive to view sample APIs.
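    The following Python script exercises the /scim junction configured in the steps above. It is an added example, not code from the original post or from IBM's SCIM samples. It assumes the reverse proxy is reachable at https://rp.example.com with ba-auth set to both, that the scimadmin user from steps 20 to 22 exists, and that the runtime returns standard SCIM 2.0 (RFC 7643/7644) ListResponse and Error documents; the sample responses embedded below are constructed for offline use. It goes one step beyond the post in two places a practitioner would care about: it escapes the value placed in the SCIM filter, so that a user-supplied name cannot alter the query, and it checks that meta.location in the responses points at the reverse proxy rather than at the runtime's localhost:9444, which is how you confirm that the script-filter rewriting from step 16 took effect.

```python
"""Minimal SCIM 2.0 client for the IVIA /scim junction (added example, not IBM code)."""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

SCIM_CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
SCIM_CONTENT_TYPE = "application/scim+json"   # the type added to [filter-content-types]


def scim_filter_value(value: str) -> str:
    """Escape a string for use inside a double-quoted SCIM filter value (RFC 7644 3.4.2.2).
    Without this, a userName such as  bob" or userName pr  would rewrite the filter."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def users_by_username_url(base_url: str, user_name: str) -> str:
    """GET URL that searches the User Suffix for exactly one userName."""
    filt = 'userName eq "%s"' % scim_filter_value(user_name)
    return base_url.rstrip("/") + "/scim/Users?" + urllib.parse.urlencode({"filter": filt})


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic credential accepted by the reverse proxy once ba-auth = both."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def build_request(method, url, username, password, body=None):
    """Build a urllib Request for GET/POST/PUT/DELETE (PUT and DELETE need the ACL from step 17)."""
    headers = {"Authorization": basic_auth_header(username, password), "Accept": SCIM_CONTENT_TYPE}
    data = None
    if body is not None:
        headers["Content-Type"] = SCIM_CONTENT_TYPE
        data = json.dumps(body).encode()
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def create_user_payload(user_name, given_name, family_name, email):
    """Core-schema POST body; the runtime stores it under the configured User Suffix."""
    return {
        "schemas": [SCIM_CORE_USER],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "type": "work", "primary": True}],
        "active": True,
    }


def parse_list_response(text):
    """Return (totalResults, Resources) or raise RuntimeError on a SCIM Error document."""
    doc = json.loads(text)
    schemas = doc.get("schemas", [])
    if SCIM_ERROR in schemas:
        raise RuntimeError(f"SCIM error {doc.get('status')}: {doc.get('detail')}")
    if SCIM_LIST_RESPONSE not in schemas:
        raise ValueError("not a SCIM ListResponse")
    return doc.get("totalResults", 0), doc.get("Resources", [])


def unrewritten_locations(resources, public_base):
    """meta.location values still pointing at the AAC runtime (e.g. https://localhost:9444/...)
    instead of the reverse proxy; a non-empty list means step 16 did not take effect."""
    public_base = public_base.rstrip("/")
    return [r["meta"]["location"] for r in resources
            if isinstance(r.get("meta"), dict) and "location" in r["meta"]
            and not r["meta"]["location"].startswith(public_base)]


def send(req, cafile=None):
    """Perform the request over TLS, returning (status, body) even for 4xx/5xx answers."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


# Constructed sample responses (not captured from a real system) for offline testing.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [SCIM_LIST_RESPONSE], "totalResults": 2, "startIndex": 1, "itemsPerPage": 2,
    "Resources": [
        {"id": "alice", "userName": "alice",
         "meta": {"location": "https://localhost:9444/scim/Users/alice"}},   # NOT rewritten
        {"id": "bob", "userName": "bob",
         "meta": {"location": "https://rp.example.com/scim/Users/bob"}},     # rewritten
    ],
})
SAMPLE_ERROR_RESPONSE = json.dumps({"schemas": [SCIM_ERROR], "status": "404",
                                    "detail": "User not found"})

if __name__ == "__main__":
    import sys
    base, user, pw = sys.argv[1:4]   # e.g. https://rp.example.com scimadmin '<password>'
    status, text = send(build_request("GET", users_by_username_url(base, "scimadmin"), user, pw))
    print(status, text)
    if status == 200:
        total, resources = parse_list_response(text)
        print("found", total, "user(s); locations not rewritten:", unrewritten_locations(resources, base))
```

    Run it as `python3 scim_client.py https://rp.example.com scimadmin '<password>'`. If the ACL from step 17 was not attached, a PUT or DELETE built with build_request returns a 403 from the reverse proxy before the request reaches the runtime; if step 16 was skipped, unrewritten_locations lists every user, because the runtime emitted its own localhost URLs.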

Troubleshooting DPWWA1222E

This error is reported when the reverse proxy cannot communicate with the backend server defined in the junction configuration (here, the AAC runtime on localhost:9444):

DPWWA1222E A third-party server is not responding. Possible causes: the server is down, there is a hung application on the server, or network problems. This is not a problem with the WebSEAL server.
Could not connect to the server.
Created junction at /scim

Resolving the Problem:

  1. If you observe the error shown above while configuring the /scim junction, the junction itself was still created.
  2. Check whether the Server State is running by visiting the Servers tab of the newly configured junction.
  3. If the Server State shows "not running", the runtime is most likely not listening on the port the junction points at. Go to AAC → Global Settings: Runtime Parameters.
  4. Click on the “+ Add” button and select the Interface from the dropdown and the Port as defined while configuring the /scim junction; thereafter, click on OK.
  5. Once you add the Runtime Listening Interface, there will be a pop-up for the Pending Changes, so click on Review Pending Changes and deploy the changes.
  6. Thereafter, go to the Runtime Status tab and check whether Restart Required is showing as True or not. If a restart is required, then you can click on Restart Local Runtime or Restart All Clustered Runtimes (As per your system configuration).
  7. This issue may also be caused by a certificate problem: with an SSL junction, the reverse proxy must trust the certificate presented by the runtime. If so, go to System → Secure Settings: SSL Certificates.
  8. Select pdsrv → Manage → Edit SSL Certificate Database.
  9. In the Signer Certificates tab of the pdsrv database, click Manage → Load.
  10. In the Server box, specify the same IP/Hostname that is defined in the /scim junction. Enter the Port number, give the certificate a Label for your reference, then Load the certificate and Deploy the changes. Before loading, confirm that the host and port really are your runtime, since whatever certificate is served there becomes trusted by the reverse proxy.
  11. Check the Server State again from the Servers tab of the newly configured junction; it should now have changed from "not running" to "running".
