SCIM Extension in WSO2 IS

System for Cross-domain Identity Management (SCIM) is an open standard for automating the exchange of user identity information between identity domains, or IT systems [1]. Simply put, SCIM is used for managing user identity information.

WSO2 Identity Server supports the SCIM 1.1 standard. You can refer to the basic SCIM operations in the WSO2 documentation [2]. There you will see how users and groups are managed via cURL commands through the SCIM API.

By default WSO2 IS supports a fixed set of attributes for the user object. Those are the default attributes defined by the specification. But in reality, organizations in industry have their own attributes defined for users, and these attributes are already present in their LDAP schemas. Therefore SCIM should be extensible enough to cope with these custom user attributes. WSO2 IS caters for this requirement and provides an extensible SCIM user schema.

You can use two methods to implement a SCIM extension in IS. There is a wso2 extension which is already defined; it comes with some default attributes, and you can still introduce new attributes under it. Alternatively, you can create a new extension rather than using the wso2 extension (e.g. the enterprise user extension as defined in the spec; the implementation method is still specific to WSO2 IS).

1. WSO2 extension

1. Locate the provisioning-config.xml file in the path [IS-HOME]/repository/conf/identity/provisioning-config.xml.
2. Open the file and locate the “user-schema-extension-enabled” property and set it to true.

<Property name="user-schema-extension-enabled">true</Property>

3. Save the file and restart the server.
4. Go to the management console of IS and create a new claim dialect named “urn:scim:schemas:extension:wso2:1.0” (Note: you may have to add a claim while creating the dialect).

Adding new claim dialect

You can add new attributes to this dialect, and those attributes should also be added in “scim-schema-extension.config” ([IS-HOME]/repository/conf/scim-schema-extension.config). For testing purposes, I added a new property “country”; you may find the sample scim-schema-extension.config as follows;

Note: When you add new attributes, you may have to restart the server to make the changes visible to Identity Server.

5. Now you can make the curl command accordingly.

curl -v -k --user admin:admin --data '{"schemas":[],"userName":"DilshaniS","password":"Wso2@123","wso2Extension":{"organization":"WSO2","country":"SriLanka"}}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

Sample Response:


2. User defined extensions

1. Add the relevant configuration in “scim-schema-extension.config” ([IS-HOME]/repository/conf/scim-schema-extension.config). You can find a sample configuration as follows;

2. Locate the provisioning-config.xml file in the path [IS-HOME]/repository/conf/identity/provisioning-config.xml.
3. Open the file and locate the “user-schema-extension-enabled” property and set it to true.

<Property name="user-schema-extension-enabled">true</Property>

4. Save the file and restart the server.
5. Go to the management console of IS and create a new claim dialect named “urn:scim:schemas:extension:enterprise:1.0”.
You can add new attributes to this dialect, and those attributes should also be added in “scim-schema-extension.config” ([IS-HOME]/repository/conf/scim-schema-extension.config).

Note: When you add new attributes, you may have to restart the server to make the changes visible to Identity Server.

6. Now you can make the curl command accordingly.

curl -v -k --user admin:admin --data '{"schemas":[],"userName":"Dilshani","password":"Wso2@123","enterprise":{"organization":"WSO2Org"}}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

Sample Response:


Note: Every attribute you define in “scim-schema-extension.config” should be available in the LDAP schema. Otherwise IS will silently drop the values, since there is no LDAP attribute to map them to.

You will also have to map (in WSO2 IS claims) every attribute you define in “scim-schema-extension.config”. Otherwise the following error is returned when an attribute has no claim mapping:

{"Errors":[{"code":"500","description":"Error in adding the user: Dilshani to the user store. InvalidClaimUrl Invalid claim uri has been provided."}]}
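As an added example (not code from the original post or from WSO2), here is a small Python pre-flight that builds the same SCIM 1.1 create-user body the curl commands above send, refuses to build it when an extension attribute has no claim mapping (the InvalidClaimUrl case), and renders a shell-safe curl line. The set of mapped claims is a constructed assumption standing in for what was configured in the IS claim management UI.

```python
import json
import shlex
from typing import Dict, Iterable, List

# Dialect URNs used on this page.
WSO2_EXT = "urn:scim:schemas:extension:wso2:1.0"
ENTERPRISE_EXT = "urn:scim:schemas:extension:enterprise:1.0"

# Constructed sample: attributes an admin has mapped under the wso2 dialect
# in the IS claim management UI (assumption, not read from a live IS).
MAPPED_WSO2_CLAIMS = {"organization"}


def unmapped_attributes(ext_attrs: Iterable[str], mapped_claims: Iterable[str]) -> List[str]:
    """Extension attributes present in a request but missing a claim mapping.
    Per the note above, such attributes trigger the InvalidClaimUrl 500, and
    attributes absent from the LDAP schema are silently dropped."""
    mapped = set(mapped_claims)
    return sorted(a for a in ext_attrs if a not in mapped)


def build_user_payload(user_name: str, password: str, ext_key: str,
                       ext_attrs: Dict[str, str], mapped_claims: Iterable[str]) -> str:
    """Serialise the create-user body in the shape used by the curl commands
    above, failing fast if any extension attribute is unmapped."""
    missing = unmapped_attributes(ext_attrs, mapped_claims)
    if missing:
        raise ValueError(f"extension attributes without claim mapping: {missing}")
    # "schemas" is left empty to match the page's requests.
    body = {"schemas": [], "userName": user_name, "password": password, ext_key: ext_attrs}
    return json.dumps(body, separators=(",", ":"))


def curl_command(payload: str, url: str = "https://localhost:9443/wso2/scim/Users") -> str:
    """Render a correctly quoted curl line: the JSON body must be single-quoted,
    otherwise the shell strips the inner double quotes from --data."""
    argv = ["curl", "-v", "-k", "--user", "admin:admin", "--data", payload,
            "--header", "Content-Type:application/json", url]
    return shlex.join(argv)


if __name__ == "__main__":
    attrs = {"organization": "WSO2", "country": "SriLanka"}
    print(curl_command(build_user_payload("DilshaniS", "Wso2@123", "wso2Extension",
                                          attrs, MAPPED_WSO2_CLAIMS | {"country"})))
```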

[1] https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management

[2] https://docs.wso2.com/display/IS510/SCIM+APIs