From: Sander A. <sa....@fz...> - 2022-06-02 08:57:32
Good morning Krzysztof,

thanks again for the information. It is working for password authentication. Now we want to enable it for OAuth token as well. Can we use normal tokens from unity, if they request sys:scim:read_profile scope? Or do we need to configure a full authenticator beside our default OAuth authenticator?

Best regards,
Sander

On Tue, 2022-05-31 at 13:16 +0200, Krzysztof Benedyczak wrote:
> [resending my answer - by mistake I've excluded ML when answering]
>
> Good morning Sander,
>
> On 31.05.2022 at 08:52, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > good morning Roman,
> >
> > at the moment we are trying to set up the scim API and we have some
> > questions.
> >
> > 1. Do we need to configure the endpoint in core.module like the
> > other endpoints as well? I assume yes.
>
> If you are not configuring it with console, then the setup of the
> endpoint in configuration file is all the same as all other
> endpoints.
>
> Whether you are putting that in the core.module file, or elsewhere is
> up to you.
>
> > 2. Do we need to configure all attributes which are available scim
> > within unity.endpoint.scim.membershipAttributes.* ?
>
> No. This configuration option should enumerate all SCIM attribute
> names (typically just one: "groups") which hold information about
> user group memberships. This configuration is influencing
> authorization in case of OAuth access: there are separate scopes for
> accessing group membership data.
>
> > 3. Do we need to configure all groups which are available scim
> > within unity.endpoint.scim.membershipGroups.* ?
>
> The groups listed in that config setting will be subject to mapping
> to SCIM membership attributes. So yes, however note that child groups
> are also going to be included, which should limit the number of
> entries greatly.
>
> > 4. Is schema and mapping definition only online possible? I assume
> > yes.
>
> No, you can also do it with config file. However, we haven't
> documented the JSON format :-).
>
> It is so complex that I think it is anyway the only way to do it with
> a help of proper UI.
>
> Still if you want to eventually have this file configured we can
> easily add an option to export schema with mapping as a file. Then it
> would be only pointed in the configuration. How does it sound?
>
> BTW note that in UI you can import schema file (w/o mappings)
> already.
>
> Best,
> Krzysztof
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss

--
Federated Systems and Data
Juelich Supercomputing Centre

phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the District Court of Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Board of Directors: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht,
Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------