By Veinu Vasisht and Rajeev Kumar
SCIM (System for Cross-domain Identity Management) is an open standard that automates user provisioning and management in the cloud by defining two things:
- A canonical user schema
- A RESTful API for all necessary user management operations
IBM Cloud Identity ships with many out-of-the-box applications that have account lifecycle management support, such as Salesforce, Box and Office 365, but it is not limited to them. Any endpoint that adheres to the SCIM 2.0 standard can use the IBM CI Custom Application account lifecycle feature: by providing a minimal set of authentication information, an admin can manage the lifecycle of users on that endpoint.
Read on to learn how IBM supports SCIM-based endpoints, giving businesses an easier path to the future.
Implementation Details
IBM Cloud Identity, which holds a robust directory of user identities, acts as the SCIM client, and SaaS applications such as Salesforce or Slack, which need a subset of the information in those identities, act as SCIM servers. When identities change in IBM CI (create, update, modify or delete), the changes are automatically synced to the SaaS applications according to the SCIM protocol. For end users this means seamless access to the applications they are assigned, with up-to-date profiles and permissions.
For this blog we use Peakon as the target endpoint; the same steps apply to any other SCIM 2.0 compliant application. To start the configuration:
- Log in to Cloud Identity (CIC subscription)
- Switch to admin and navigate to ‘Applications’.
- Click ‘Add Application’ and choose ‘Custom Application’.
- Provide details for your endpoint in the ‘General’ and ‘Sign-on’ tabs.
- Under the ‘Account Lifecycle’ tab, select policies for provisioning and de-provisioning.
Step 1 – Provide authentication details
The custom application supports web bearer-token authentication. Under the ‘API Authentication’ section the admin provides only two inputs, which are used to authenticate to the SaaS application or target APIs:
- SCIM Base URL – the SCIM URL of your application
- Bearer token – the token used for API calls
Refer to your endpoint's documentation for the values of these two parameters. Enter the values and click 'Test Connection' to confirm that the authentication details are correct.
Step 2 – Provide user attributes
The ‘API Attribute Mappings’ section lists the user attributes that will be used to create the user at the endpoint. The custom application supports the majority of the SCIM core and enterprise schema attributes. Some attributes are pre-mapped to default sources for the admin's convenience; the admin can choose which attributes are needed to create the user on the endpoint.
Step 3 – Add entitlement
Once the application has been on-boarded successfully, navigate to the 'Entitlements' tab to select which users should be entitled to access this application. Click 'Save' to save your changes.
Testing
To verify that the user has been provisioned successfully on the endpoint, navigate to the 'Governance' tab, where the operation should show as 'Success', or check the 'Accounts list' for your custom application, where the status should be 'Active'. Click the user entry; from the right-pane menu you can also 'Suspend' or 'Restore' the user.
With this, an admin can integrate any application that adheres to SCIM 2.0 and manage its user lifecycle in a couple of minutes, with no need for a specific OOTB adapter.
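To make concrete what a SCIM 2.0 adhering endpoint has to offer a client such as IBM CI (the bearer-token check and 'Test Connection' probe from Step 1, the create/update/delete calls described under Implementation Details, and the suspend/restore flip of the `active` attribute from Testing), here is an added, self-contained Python sketch of such an endpoint's /ServiceProviderConfig and /Users resources. It is not IBM's or Peakon's code: the token value is constructed, and the HTTP layer is replaced by a `handle()` dispatcher returning `(status, body)` so it runs offline.

```python
import hmac, uuid
BEARER_TOKEN = "constructed-demo-token-0123"  # constructed; a real endpoint issues its own
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_SPC = "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

def scim_error(status, scim_type=None):
    """SCIM 2.0 error response; scimType is only present when given."""
    body = {"schemas": [SCIM_ERROR], "status": str(status), "scimType": scim_type}
    return status, {k: v for k, v in body.items() if v is not None}

class ScimEndpoint:
    def __init__(self, token):
        self.token = token
        self.users = {}  # resource id -> SCIM User

    def _authorized(self, headers):
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        # Constant-time comparison so the token check does not leak timing information.
        return scheme == "Bearer" and hmac.compare_digest(presented, self.token)

    def handle(self, method, path, headers, body=None):
        if not self._authorized(headers):
            return scim_error(401)
        body = body or {}
        parts = path.strip("/").split("/")
        if parts == ["ServiceProviderConfig"] and method == "GET":  # 'Test Connection' probe
            return 200, {"schemas": [SCIM_SPC], "patch": {"supported": True}}
        if parts == ["Users"] and method == "POST":  # provisioning a new account
            if "userName" not in body:
                return scim_error(400, "invalidValue")
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return scim_error(409, "uniqueness")
            user = {"schemas": [SCIM_USER], "id": str(uuid.uuid4()), "active": True, **body}
            self.users[user["id"]] = user
            return 201, user
        if len(parts) == 2 and parts[0] == "Users" and parts[1] in self.users:
            user = self.users[parts[1]]
            if method == "GET":
                return 200, user
            if method == "PATCH":  # suspend/restore arrive as a replace of 'active'
                for op in body.get("Operations", []):
                    if op.get("op", "").lower() == "replace":  # top-level paths only
                        user.update({op["path"]: op["value"]} if "path" in op else op["value"])
                return 200, user
            if method == "DELETE":  # de-provisioning
                del self.users[parts[1]]
                return 204, None
        return scim_error(404)
```

A missing or wrong bearer token is rejected before any resource lookup, and a duplicate `userName` returns the SCIM `uniqueness` error rather than silently creating a second account.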
Authors:
Veinu Vasisht:
Veinu is a positively motivated person who finds solace in web development and in learning more about the world around us.
Rajeev Kumar:
Rajeev is an engineer who is passionate about exploring solutions based on integrating product capabilities.