From: Krzysztof B. <kb...@un...> - 2022-05-31 11:16:34
[resending my answer - by mistake I've excluded ML when answering]

Good morning Sander,

On 31.05.2022 at 08:52, Sander Apweiler wrote:
> Good morning Krzysztof,
> good morning Roman,
>
> at the moment we are trying to set up the scim API and we have some
> questions.
>
> 1. Do we need to configure the endpoint in core.module like the other
> endpoints as well? I assume yes.

If you are not configuring it with console, then the setup of the endpoint in configuration file is all the same as all other endpoints. Whether you are putting that in the core.module file, or elsewhere is up to you.

> 2. Do we need to configure all attributes which are available scim
> within unity.endpoint.scim.membershipAttributes.* ?

No. This configuration option should enumerate all SCIM attribute names (typically just one: "groups") which hold information about user group memberships. This configuration is influencing authorization in case of OAuth access: there are separate scopes for accessing group membership data.

> 3. Do we need to configure all groups which are available scim within
> unity.endpoint.scim.membershipGroups.* ?

The groups listed in that config setting will be subject to mapping to SCIM membership attributes. So yes, however note that child groups are also going to be included, which should limit the number of entries greatly.

> 4. Is schema and mapping definition only online possible? I assume yes.

No, you can also do it with config file. However, we haven't documented the JSON format :-). It is so complex that I think it is anyway the only way to do it with the help of a proper UI.

Still if you want to eventually have this file configured we can easily add an option to export schema with mapping as a file. Then it would be only pointed in the configuration. How does it sound?

BTW note that in UI you can import schema file (w/o mappings) already.

Best,
Krzysztof