IBM Verify

  • 1.  SCIM detail questions

    Posted Tue March 23, 2021 01:20 PM
    Edited by Joao Goncalves Tue March 23, 2021 02:43 PM
    When configuring SCIM, I am currently using full users.
    So, when I create a user using LMI Policy Administration, I create the users there, and they will be added to the correct suffix, plus an additional entry will be added to secAuthority=Default, under cn=Users.

    If I use to create a user, it will be added to the embedded ldap server, but not to the secAuthority=Default!
    When I delete a user, it will be deleted from its suffix, but not from the secAuthority=Default!
    When I add a user with its attributes using PUT /scim/Users, when I list them, using GET /scim/Users, not all attributes are returned!
    After creating the user, he will not be able to log in. What attributes are required to allow him to log in?

    So, there is something going on here that I need to understand! Can someone help me understand this?
    Where are the attributes that were used when I created the user (e.g. ExternalId)?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------


  • 2.  RE: SCIM detail questions

    Posted Tue March 23, 2021 03:11 PM
    Hi Joao,

    Users created via the SCIM interface will only be created as "full" users if you include the ISAM-specific schema (urn:ietf:params:scim:schemas:extension:isam:1.0:User) that tells it to create a full user.

    Here's an example POST body that will create a full user:

    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:isam:1.0:User"
      ],
      "userName": "{{username}}",
      "password": "{{user_password}}",
      "name": {
        "formatted": "{{firstname}} {{surname}}",
        "familyName": "{{surname}}",
        "givenName": "{{firstname}}"
      },
      "emails": [
        {
          "value": "{{email}}",
          "type": "work"
        }
      ],
      "phoneNumbers": [
        {
          "value": "{{phone}}",
          "type": "mobile"
        }
      ],
      "urn:ietf:params:scim:schemas:extension:isam:1.0:User": {
        "identity": "{{username}}",
        "accountValid": true
      }
    }

    Here's an example PUT body that will "import" a user:

    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:isam:1.0:User"
      ],
      "userName": "{{username}}",
      "name": {
        "formatted": "{{firstname}} {{surname}}",
        "familyName": "{{surname}}",
        "givenName": "{{firstname}}"
      },
      "urn:ietf:params:scim:schemas:extension:isam:1.0:User": {
        "identity": "{{username}}",
        "accountValid": true
      }
    }

    I hope these examples point you in the right direction.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
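As an added example (not code from the thread or from IBM), here is a Python helper that builds the full-user POST body modelled on Jon's example, checks that the ISAM extension schema and extension object are present before sending (their absence is what yields a basic user), and posts it with urllib. The HTTP basic-auth header, the server URL and the application/scim+json content type are assumptions; name.formatted is left out because post 4 below reports it as rejected.

```python
import base64
import json
import urllib.error
import urllib.request

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ISAM_USER_EXT = "urn:ietf:params:scim:schemas:extension:isam:1.0:User"


def build_full_user(username, password, given, surname, email, phone):
    """Body for POST /scim/Users creating a 'full' user, modelled on Jon's POST example.
    name.formatted is left out because post 4 reports SCIIS0009E (unknown attribute) for it."""
    return {
        "schemas": [CORE_USER, ISAM_USER_EXT],
        "userName": username,
        "password": password,
        "name": {"familyName": surname, "givenName": given},
        "emails": [{"value": email, "type": "work"}],
        "phoneNumbers": [{"value": phone, "type": "mobile"}],
        ISAM_USER_EXT: {"identity": username, "accountValid": True},  # this is what makes it "full"
    }

def full_user_problems(body):
    """Reasons this body would give a basic (or non-loginable) user instead of a full one; [] = OK."""
    problems = []
    if ISAM_USER_EXT not in body.get("schemas", []):
        problems.append("ISAM extension schema missing from 'schemas'")
    ext = body.get(ISAM_USER_EXT)
    if not isinstance(ext, dict):
        return problems + ["ISAM extension object missing"]
    if ext.get("identity") != body.get("userName"):
        problems.append("extension 'identity' does not match 'userName'")
    if ext.get("accountValid") is not True:
        problems.append("'accountValid' is not true, so the user cannot log in")
    return problems

def create_user(base_url, admin, admin_pw, body):
    """POST over HTTP basic auth (assumed; adapt to your deployment). Returns (status, JSON or raw text)."""
    if full_user_problems(body):
        raise ValueError("; ".join(full_user_problems(body)))
    req = urllib.request.Request(base_url.rstrip("/") + "/scim/Users", data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/scim+json")
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{admin}:{admin_pw}".encode()).decode())
    try:
        with urllib.request.urlopen(req) as resp:
            status, raw = resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:  # post 4 reports a 400 with the user still created: keep the body
        status, raw = e.code, e.read().decode()
    return status, (json.loads(raw) if raw.lstrip().startswith(("{", "[")) else raw)
```

Because of the 400-but-created behaviour reported later in the thread, follow a non-2xx status with a GET /scim/Users lookup before retrying the POST.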



  • 3.  RE: SCIM detail questions

    Posted Tue March 23, 2021 04:10 PM
    Edited by Joao Goncalves Tue March 23, 2021 04:17 PM
    Thanks for the information, I will try it today. But there are still some important questions that I need answered, to make sure I will be able to use SCIM, and I hope what I need will be possible to implement:
    • According to the IETF RFC, there are some attributes that are part of the core which are relevant to me: active and externalId.
    • If I want to prevent a user from logging in, I thought of using the property "active" to enable/disable the user's login. If the user is a full user or a basic user, can I use this property to allow a user to log in to an application?
    • Regarding the externalId, I know that I can create the user with this attribute, but when I list the attributes of the user, I cannot find this attribute in the JSON. How can I retrieve it?
    • If I want to use OIDC to return a JWT claim with the SCIM externalId, how do I do it?
    • In the LDAP, I can configure it to apply a password policy. If I use SCIM and set or change a user's password that is not compliant with the policy, what happens when I create the user, or whenever the user's password is changed?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 4.  RE: SCIM detail questions

    Posted Wed March 24, 2021 05:47 AM
    Edited by Joao Goncalves Wed March 24, 2021 07:43 AM
    I tried all these properties you have in your example and some of them do not work:
    • formatted: SCIIS0009E An unknown attribute, 'name.formatted', has been specified.","status":"400"
    Creating full users also has some issues:
    • When creating a full user I get an HTTP 400 error, the JSON is not returned, but the user is created!!!!
    • After creating the full user, unlike all other full users, the structural object ResCred under the principal name (cn=ResCred,principalName=fulluser,cn=Users,secAuthority=Default) is not created when I use POST /scim/Users.
    I don't know what the ResCred does, but it is missing! Is this important?

    Delete is working fine for both full and basic users!

    How can I list the groups that a user belongs to in scim? When I execute GET /scim/Groups?members.value co "SomeUser" I get this error message:
    SCIIS0013E The filter operation 'CO' for the 'urn:ietf:params:scim:schemas:core:2.0:Group' schema is not supported.

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 5.  RE: SCIM detail questions

    Posted Thu March 25, 2021 04:01 AM
    The ResCred subtree is for GSO credentials. It is only there if you tick the box "GSO User".

    ------------------------------
    Laurent LA Asselborn
    ------------------------------



  • 6.  RE: SCIM detail questions

    Posted Thu March 25, 2021 02:13 PM
    Thanks, this is useful too. I have another question regarding the JSON returned by /scim requests.
    Most of the replies contain an attribute named "Location" which references https://localhost/scim/...
    But https://localhost is wrong, it should contain https://rp1/scim/...

    A reverse proxy should be able to replace the URLs that come from the backend server. Why is this happening? How can we fix this?

    I suspect the reason is related to the file format. In fact, I think the reverse proxy is expecting an HTML format, but in fact it is a scim+json format, and it doesn't know how to apply XSLT rules to make these changes!

    What am I missing?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------