How to use SCIM in Soffid
Introduction
Soffid has implemented a version of the SCIM protocol 2.0. Some optional recommendations have also been included to improve the usage of this specification within the Soffid context.
This functionality is available only by installing the SCIM add-on. This add-on is available in the download section of the Soffid website.
Discovery
Soffid provides some endpoints to discover supported features and specific attribute details:
Service provider config
This endpoint provides additional information about the Soffid SCIM implementation.
Request
GET https://<your-domain>/soffid/webservice/scim2/v1/ServiceProviderConfigResponse 200 OK
{
"patch": {
"supported": true
},
"filter": {
"maxResults": 1000,
"supported": true
},
"documentationUri": "https://bookstack.soffid.com/books/scim",
"authenticationSchemes": [
{
"documentationUri": "https://bookstack.soffid.com/book/scim",
"name": "HTTP Basic",
"description": "Authentication scheme using the HTTP Basic Standard",
"specUri": "http://www.rfc-editor.org/info/rfc2617",
"type": "httpbasic"
}
],
"meta": {
"location": "http://soffid.pat.lab:8080/webservice/scim2/v1/ServiceProvider",
"resourceType": "ServiceProviderConfig"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
],
"etag": {
"supported": false
},
"sort": {
"supported": true
},
"bulk": {
"supported": false
},
"changePassword": {
"supported": true
}
}Resources Types
An endpoint used to discover the types of resources available.
List resources types
The SCIM protocol is focused on resource management, such as users, groups, accounts, etc. To know all the resources that Soffid provides you can use this REST web service:
Request
GET https://<your-domain>/soffid/webservice/scim2/v1/ResourceTypesResponse 200 OK
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"totalResults": 20,
"startIndex": 1,
"Resources": [
{
"schema": "urn:soffid:com.soffid.iam.api.Account",
"endpoint": "http://soffid.pat.lab:8080/webservice/scim2/v1/Account",
"meta": {
"location": "http://soffid.pat.lab:8080/webservice/scim2/v1/ResourceTypes/Account",
"resourceType": "ResourceType"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"name": "Account",
"description": "Account object",
"id": "Account"
},
{
"schema": "urn:soffid:com.soffid.iam.api.Group",
"endpoint": "http://soffid.pat.lab:8080/webservice/scim2/v1/Group",
"meta": {
"location": "http://soffid.pat.lab:8080/webservice/scim2/v1/ResourceTypes/Group",
"resourceType": "ResourceType"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"name": "Group",
"description": "Group object",
"id": "Group"
},
...............
]
}Query resource type
To query a specific resource type, you can use this REST web service:
Request
GET http://<your-domain>/soffid/webservice/scim2/v1/ResourceTypes/{Resource}Example
GET http://<your-domain>/webservice/scim2/v1/ResourceTypes/UserResponse 200 OK
{
"schema": "urn:soffid:com.soffid.iam.api.User",
"endpoint": "http://soffid.pat.lab:8080/webservice/scim2/v1/User",
"meta": {
"location": "http://soffid.pat.lab:8080/webservice/scim2/v1/ResourceTypes/User",
"resourceType": "ResourceType"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
],
"name": "User",
"description": "User object",
"id": "User"
}Response 404
404 Not FoundSchemas
Schema definition for a specific resource.
Request
GET http://<your-domain>/soffid/webservice/scim2/v1/Schemas/{Schema_URL}Example
GET http://<your-domain>/soffid/webservice/scim2/v1/Schemas/urn:soffid:com.soffid.iam.api.RoleResponse 200 OK
{
"meta": {
"location": "http://soffid.pat.lab:8080/webservice/scim2/v1/Schemas/urn:soffid:com.soffid.iam.api.Role",
"resourceType": "Schema"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Schema"
],
"name": "Role",
"description": "Role object",
"attributes": [
{
"uniqueness": "none",
"name": "name",
"mutability": "readWrite",
"type": "string",
"caseExact": true,
"returned": "default",
"multiValued": false,
"required": true
},
{
"uniqueness": "none",
"name": "description",
"mutability": "readWrite",
"type": "string",
"caseExact": true,
"returned": "default",
"multiValued": false,
"required": true
},
{
"uniqueness": "none",
"name": "system",
"mutability": "readWrite",
"type": "string",
"caseExact": true,
"returned": "default",
"multiValued": false,
"required": true
},
{
"uniqueness": "none",
"name": "category",
"mutability": "readWrite",
"type": "string",
"caseExact": true,
"returned": "default",
"multiValued": false,
"required": false
},
{
"uniqueness": "none",
"name": "informationSystemName",
"mutability": "readWrite",
"type": "string",
"caseExact": true,
"returned": "default",
"multiValued": false,
"required": true
},
{
"uniqueness": "none",
"name": "domain",
"mutability": "readWrite",
"type": "string",
"caseExact": true,
"returned": "default",
"multiValued": false,
"required": false
},
{
"uniqueness": "none",
"name": "bpmEnabled",
"mutability": "readWrite",
"type": "boolean",
"caseExact": true,
"returned": "default",
"multiValued": false,
"required": false
},
{
"uniqueness": "none",
"name": "approvalStart",
"mutability": "readOnly",
"type": "dateTime",
"caseExact": true,
"returned": "default",
"multiValued": false,
"required": false
},
{
"uniqueness": "none",
"name": "approvalEnd",
"mutability": "readOnly",
"type": "dateTime",
"caseExact": true,
"returned": "default",
"multiValued": false,
"required": false
}
],
"id": "urn:soffid:com.soffid.iam.api.Role"
}Response 404
404 Not FoundSoffid Resources
Soffid provides the following resources:
|
Resource
|
Description
|
|---|---|
| User |
Management of the users included in the Soffid solution. A user is an identity that represents only one person. |
| Group |
Management of the groups included in the Soffid solution. A group could be part of a hierarchical group tree. Users are assigned to a primary group and optionally could be in some secondary groups. |
| Account |
Management of the accounts included in the Soffid solution. An account is a representation of one application access. A user may have a lot of accounts and may have some accounts for the same applications with different roles and restrictions. |
|
(addon version 1.2.0+) |
Management of the applications (Information Systems) included in the Soffid solution. An application is a way of gather and joins different roles and agents in the same conceptual place. Every agent (of an external system) manages these roles through one or more applications. By default, an application with the same name as an agent is created. |
|
(addon version 1.2.0+) |
Management of the roles included in the Soffid solution. Every role is created in one application, so an application has a list of roles. |
|
Management of the GroupTypes included in the Soffid solution. |
|
|
Management of the GroupTypes included in the Soffid solution. |
|
|
Management of the GroupUsers included in the Soffid solution. |
|
|
Management of the RoleAccounts included in the Soffid solution. |
|
|
Management of the Hosts included in the Soffid solution. |
|
|
Management of the MailDomains included in the Soffid solution. |
|
|
Management of the MailLists included in the Soffid solution. |
|
|
Management of the DomainValues included in the Soffid solution. |
|
|
Management of the VaultFolders included in the Soffid solution. |
|
|
Management of the Systems included in the Soffid solution. Agent |
|
|
Management of the CustomObjects included in the Soffid solution. |
|
|
Management of the TaskInstances included in the Soffid solution. |
|
|
Management of the ProcessInstances included in the Soffid solution. |
|
|
Management of the ProcessDefinition included in the Soffid solution. |
You can view all resource data models and schemas on Resource data model & schema chapter
Soffid Operations
For every resource the following operations are available:
|
Operation |
HTTP method |
URL example |
Description |
|---|---|---|---|
|
List all |
GET |
.../soffid/webservice/scim/<resource> |
List all resources |
|
Search by id |
GET |
.../soffid/webservice/scim/<resource>/<id> |
Search the resource with the <id> specified |
|
Search by filter |
GET |
.../soffid/webservice/scim/<resource>?filter=<filter-language> |
Search all resources that fulfil the <filter-language> filter (please see filtering language here 5. SCIM filter language) |
|
Create |
POST |
.../soffid/webservice/scim/<resource> |
Create a resource |
|
Update all |
PUT |
.../soffid/webservice/scim/<resource>/<id> + <JSON in the body> |
Update all attributes specified in the JSON stream (the attributes not included will be cleared) |
|
Update partial |
PATCH |
.../soffid/webservice/scim/<resource>/<id> + <JSON in the body> |
Update only the attributes specified in the JSON stream (the other attributes will not be updated) |
|
Delete |
DELETE |
.../soffid/webservice/scim/<resource>/<id> |
Delete a resource |
HTTP request
In every HTTP request the following HTTP header parameters are required:
|
Parameter
|
Value
|
Description
|
|---|---|---|
| URL | https://<your-domain>/soffid/webservice/scim/<resource> | URL with the <resource> to be managed |
| Method | [ GET | POST | PUT | PATCH | DELETE ] | Method allowed in SCIM REST protocol |
| Content-Type | application/scim+json | SCIM specification |
| Accept | application/scim+json | SCIM specification |
| Authorization | Basic YWRtaW46Y2hhbmdlaXQ= | Only BASIC authentication is implemented in this version. A Soffid user (+password) with SCIM access is required to generate this parameter |
| Accept-Language | [ EN | ES | CA | NL ] | This parameter is OPTIONAL. The default language is EN |
HTTP codes
The following HTTP codes are managed in the HTTP response:
|
Code |
Status |
User case |
|---|---|---|
|
200 |
Ok |
After: list all, search by id, search by filter, update all, update partial |
|
201 |
Created |
After: create |
|
204 |
No content |
After: delete |
|
404 |
Not found |
After: resource not found |
|
500 |
Error |
After: internal error, PATCH DELETE |