From: Sander A. <sa....@fz...> - 2022-05-31 06:52:57
Attachments: smime.p7s
Good morning Krzysztof, good morning Roman,

at the moment we are trying to set up the SCIM API and we have some questions.

1. Do we need to configure the endpoint in core.module like the other endpoints as well? I assume yes.
2. Do we need to configure all attributes which are available in SCIM within unity.endpoint.scim.membershipAttributes.*?
3. Do we need to configure all groups which are available in SCIM within unity.endpoint.scim.membershipGroups.*?
4. Is schema and mapping definition only possible online? I assume yes.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
-----------------------------------------------------------------------
From: Krzysztof B. <kb...@un...> - 2022-05-31 11:16:34
[resending my answer - by mistake I've excluded the ML when answering]

Good morning Sander,

On 31.05.2022 at 08:52, Sander Apweiler wrote:
> Good morning Krzysztof,
> good morning Roman,
>
> at the moment we are trying to set up the SCIM API and we have some
> questions.
>
> 1. Do we need to configure the endpoint in core.module like the other
> endpoints as well? I assume yes.

If you are not configuring it with the console, then the setup of the endpoint in the configuration file is the same as for all other endpoints. Whether you put that in the core.module file or elsewhere is up to you.

> 2. Do we need to configure all attributes which are available in SCIM
> within unity.endpoint.scim.membershipAttributes.*?

No. This configuration option should enumerate all SCIM attribute names (typically just one: "groups") which hold information about user group memberships. This configuration influences authorization in the case of OAuth access: there are separate scopes for accessing group membership data.

> 3. Do we need to configure all groups which are available in SCIM
> within unity.endpoint.scim.membershipGroups.*?

The groups listed in that config setting will be subject to mapping to SCIM membership attributes. So yes, however note that child groups are also going to be included, which should limit the number of entries greatly.

> 4. Is schema and mapping definition only possible online? I assume yes.

No, you can also do it with the config file. However, we haven't documented the JSON format :-).

It is so complex that I think the only feasible way to do it is anyway with the help of a proper UI.

Still, if you eventually want to have this file configured, we can easily add an option to export the schema with mapping as a file. Then it would only be pointed to in the configuration. How does that sound?

BTW note that in the UI you can already import a schema file (w/o mappings).

Best,
Krzysztof
From: Krzysztof B. <kb...@un...> - 2022-06-08 07:31:12
Hi Sander,

On 31.05.2022 at 13:16, Krzysztof Benedyczak wrote:
>> 4. Is schema and mapping definition only possible online? I assume yes.
>
> No, you can also do it with the config file. However, we haven't
> documented the JSON format :-).
>
> It is so complex that I think the only feasible way to do it is anyway
> with the help of a proper UI.
>
> Still, if you eventually want to have this file configured, we can
> easily add an option to export the schema with mapping as a file. Then it
> would only be pointed to in the configuration. How does that sound?
>
> BTW note that in the UI you can already import a schema file (w/o mappings).

In case you missed it: in 3.9.1 the export feature mentioned above is already available.

HTH,
Krzysztof
From: Sander A. <sa....@fz...> - 2022-06-02 08:57:32
Attachments: smime.p7s
Good morning Krzysztof,

thanks again for the information. It is working for password authentication. Now we want to enable it for OAuth tokens as well. Can we use normal tokens from Unity, if they request the sys:scim:read_profile scope? Or do we need to configure a full authenticator besides our default OAuth authenticator?

Best regards,
Sander

On Tue, 2022-05-31 at 13:16 +0200, Krzysztof Benedyczak wrote:
>
> [resending my answer - by mistake I've excluded the ML when answering]
>
> Good morning Sander,
>
> On 31.05.2022 at 08:52, Sander Apweiler wrote:
> > Good morning Krzysztof,
> > good morning Roman,
> >
> > at the moment we are trying to set up the SCIM API and we have some
> > questions.
> >
> > 1. Do we need to configure the endpoint in core.module like the other
> > endpoints as well? I assume yes.
>
> If you are not configuring it with the console, then the setup of the
> endpoint in the configuration file is the same as for all other endpoints.
>
> Whether you put that in the core.module file or elsewhere is up to you.
>
> > 2. Do we need to configure all attributes which are available in SCIM
> > within unity.endpoint.scim.membershipAttributes.*?
>
> No. This configuration option should enumerate all SCIM attribute names
> (typically just one: "groups") which hold information about user group
> memberships. This configuration influences authorization in the case of
> OAuth access: there are separate scopes for accessing group membership data.
>
> > 3. Do we need to configure all groups which are available in SCIM
> > within unity.endpoint.scim.membershipGroups.*?
>
> The groups listed in that config setting will be subject to mapping to
> SCIM membership attributes. So yes, however note that child groups are
> also going to be included, which should limit the number of entries greatly.
>
> > 4. Is schema and mapping definition only possible online? I assume yes.
>
> No, you can also do it with the config file. However, we haven't documented
> the JSON format :-).
>
> It is so complex that I think the only feasible way to do it is anyway
> with the help of a proper UI.
>
> Still, if you eventually want to have this file configured, we can easily
> add an option to export the schema with mapping as a file. Then it would
> only be pointed to in the configuration. How does that sound?
>
> BTW note that in the UI you can already import a schema file (w/o mappings).
>
> Best,
> Krzysztof
From: Krzysztof B. <kb...@un...> - 2022-06-02 09:15:42
Good morning Sander,

On 02.06.2022 at 10:57, Sander Apweiler wrote:
> Good morning Krzysztof,
> thanks again for the information. It is working for password
> authentication. Now we want to enable it for OAuth tokens as well. Can
> we use normal tokens from Unity, if they request the sys:scim:read_profile
> scope? Or do we need to configure a full authenticator besides our
> default OAuth authenticator?

Great to hear that.

Sure, you can use your "normal" tokens from Unity, after enabling the SCIM scopes on the IdP OAuth endpoint which issues those tokens (and of course requesting them from your client).

I'm not sure what you mean by "full" vs "default" OAuth authenticator. To enable access with OAuth tokens you need to add an oauth-rp authenticator to your SCIM endpoint, and this authenticator should validate tokens issued by Unity (or any other provider which you choose). If you already have one like that - sure, you can reuse it, just enable it on the SCIM endpoint.

Best,
Krzysztof
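The two answers above describe the endpoint's behaviour in words: the May 31 reply says that only the groups listed under unity.endpoint.scim.membershipGroups.* (plus their children) are mapped into the SCIM attributes named by unity.endpoint.scim.membershipAttributes.*, and that for OAuth access a separate scope guards membership data; the June 2 reply says an ordinary Unity token carrying the SCIM scopes is enough once an oauth-rp authenticator validates it on the endpoint. The Python model below is an added example, not Unity's code and not code from anyone in the thread. It replays those rules on constructed data: a sample entity, illustrative property values, and the scope name sys:scim:read_profile quoted in the thread. The membership scope name, the entity, and the property values are assumptions made for the example; consult the Unity manual for the real names.

```python
"""Model of how a SCIM /Users response is shaped by group-root config and OAuth scopes.

Added example; mirrors the rules described on the list, not Unity's implementation.
"""
from typing import Iterable, Optional

# Constructed configuration mirroring the two properties from the thread.
# The values (and the multi-valued syntax) are illustrative assumptions.
MEMBERSHIP_ATTRIBUTES = ["groups"]            # unity.endpoint.scim.membershipAttributes.*
MEMBERSHIP_GROUPS = ["/projects", "/staff"]   # unity.endpoint.scim.membershipGroups.*

# sys:scim:read_profile is quoted in the thread. The thread only says that a
# separate scope protects membership data; the name used here is an assumption.
SCOPE_PROFILE = "sys:scim:read_profile"
SCOPE_MEMBERSHIP = "sys:scim:read_membership"   # assumed name, not from the thread

# Constructed sample entity with Unity-style group paths (not real data).
SAMPLE_ENTITY = {
    "id": "42",
    "userName": "sander",
    "groups": ["/", "/projects", "/projects/alpha", "/projects-old",
               "/hidden/ops", "/staff"],
}


def is_under(group: str, root: str) -> bool:
    """True when group is root itself or a descendant of it in the group tree.

    The explicit '/' separator keeps '/projects-old' from matching root '/projects'.
    """
    if root == "/":
        return True
    return group == root or group.startswith(root + "/")


def exposed_groups(user_groups: Iterable[str], roots=MEMBERSHIP_GROUPS) -> list:
    """Groups that get mapped into SCIM membership attributes: each configured
    root plus all of its children. Everything outside those subtrees is hidden,
    so listing a parent is enough and the config stays short."""
    return sorted({g for g in user_groups if any(is_under(g, r) for r in roots)})


def scim_user(entity: dict, scopes: Optional[set]) -> dict:
    """Build the SCIM core User representation for one entity.

    scopes=None models a non-OAuth login (e.g. the password authenticator the
    thread mentions), where no scope filtering applies. For an OAuth bearer
    token the profile scope is mandatory, and the attributes listed in
    MEMBERSHIP_ATTRIBUTES are withheld unless the membership scope is present.
    """
    if scopes is not None and SCOPE_PROFILE not in scopes:
        raise PermissionError("token lacks " + SCOPE_PROFILE)

    user = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "id": entity["id"],
        "userName": entity["userName"],
    }
    membership_allowed = scopes is None or SCOPE_MEMBERSHIP in scopes
    for attr in MEMBERSHIP_ATTRIBUTES:
        if not membership_allowed:
            continue   # attribute declared as membership-bearing: hidden without the scope
        user[attr] = [
            {"value": g, "display": g.rsplit("/", 1)[-1] or "/"}
            for g in exposed_groups(entity["groups"])
        ]
    return user


if __name__ == "__main__":
    import json
    # A token with both scopes sees the mapped groups; profile-only tokens do not.
    print(json.dumps(scim_user(SAMPLE_ENTITY, {SCOPE_PROFILE, SCOPE_MEMBERSHIP}), indent=2))
    print(json.dumps(scim_user(SAMPLE_ENTITY, {SCOPE_PROFILE}), indent=2))
```

When checking a real deployment, the two things to verify are the same two branches modelled here: a token issued with only sys:scim:read_profile must not return group data, and a group that is not below any configured root must never appear in the response regardless of the token.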