The SCIM connector allows data synchronization between applications supporting the SCIM (System for Cross-domain Identity Management) 2.0 standard and RAC/M Identity. To do this, the connector uses the SCIM REST API. The SCIM standard is defined in RFC 7642, RFC 7643, and RFC 7644.
WARNING
SCIM support varies among applications. In general, not all of an application's functionality is exposed through its SCIM API. Refer to your application's SCIM documentation to determine which features are supported.
Configuration
The connector supports several authentication methods. To determine which method to use, refer to your application's SCIM documentation. Additionally, OKIOK has tested some specific SCIM implementations and provides specific configuration parameters for them. See the dedicated pages for each implementation.
Common Parameters
The following parameters are required regardless of the authentication type:
| Configuration | Description |
|---|---|
| Authentication | Select the authentication method: token (API token), jwt-bearer-token (JWT bearer token), or oauth-client-credentials (OAuth Client Credentials Flow). |
| SCIM Endpoint | Enter the SCIM endpoint path on the service provider (e.g., /services/scim). |
| SCIM Version | Enter the SCIM API version supported by the service provider (e.g., /v1 or /v2). |
| Proxy Address | Enter the proxy server address (hostname or IP address). |
| Proxy Port Number | Enter the port number of the proxy server. |
| Default Charset | Enter the default character encoding used when the response doesn't specify a charset (e.g., UTF-8). |
| Base URL | Enter the base URL of the service. |
Token Authentication
The token authentication method sends a static API token as a "Bearer" token in the Authorization header of each request (Authorization: Bearer <token>).
When using token as the authentication type, the following parameters are required:
| Configuration | Description |
|---|---|
| Token | Enter the API token used for token-based authentication. |
JWT Bearer Token Authentication
The jwt-bearer-token authentication method generates a JWT signed with the configured private key and sends it to the authentication endpoint. The authentication endpoint then returns an OAuth access token that is used to authenticate the SCIM requests.
When using jwt-bearer-token as the authentication type, the following parameters are required:
| Configuration | Description |
|---|---|
| Private Key (PEM) | Enter the private key in PEM format (PKCS#8). Required for JWT bearer token authentication. See Private Key Format below for details. |
| JWT Authentication Endpoint | Enter the URL of the authentication endpoint that accepts JWT bearer tokens and returns OAuth access tokens. |
| JWT Issuer | Enter the issuer (iss) claim value to include in the JWT token. |
| JWT Subject | Enter the subject (sub) claim value to include in the JWT token. |
| JWT Audience | Enter the audience (aud) claim value to include in the JWT token. |
| JWT Expiration Seconds | Enter the JWT token expiration time in seconds (default: 300 seconds / 5 minutes). |
Private Key Format
The private key must be provided in PEM format using PKCS#8 encoding. The key should start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----.
Supported format:
- PKCS#8:
-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----
Not supported:
- PKCS#1:
-----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----
If your private key is in a different format, use the following commands to convert it:
Convert PKCS#1 to PKCS#8:
```bash
openssl pkcs8 -topk8 -nocrypt -in key.pem -out key_pkcs8.pem
```
Convert DER to PKCS#8 PEM:
```bash
openssl pkcs8 -topk8 -nocrypt -inform DER -in key.der -out key_pkcs8.pem
```
Convert PKCS#12 (.p12 or .pfx) to PKCS#8 PEM:
```bash
openssl pkcs12 -in key.p12 -nocerts -nodes -out key_pkcs8.pem
```
Extract private key from a certificate and key pair:
```bash
openssl pkcs8 -topk8 -nocrypt -in private_key.pem -out key_pkcs8.pem
```
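A quick way to confirm that a key is in the format the connector accepts before pasting it into the configuration is to check the PEM label and the DER structure behind it. The following is an added example (not part of OKIOK's connector code): it uses only the Python standard library, distinguishes a PKCS#8 "PRIVATE KEY" block from the unsupported PKCS#1 "RSA PRIVATE KEY" block, and walks the PrivateKeyInfo structure (version, AlgorithmIdentifier, key octets) so that a truncated or mis-pasted key is reported instead of failing at connection time. The two sample PEM blobs are constructed placeholders with no real key material, and the assumption that an encrypted PKCS#8 key is rejected follows from the `-nocrypt` flag in the conversion commands above.

```python
import base64
import re

# Constructed sample blobs for the offline demonstration; these are NOT real keys.
# The PKCS#8 sample is a structurally valid PrivateKeyInfo wrapper around a
# placeholder OCTET STRING, the PKCS#1 sample only needs the rejected label.
SAMPLE_PKCS8_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    + base64.b64encode(bytes.fromhex(
        "3017"                      # SEQUENCE (PrivateKeyInfo), 23 bytes
        "020100"                    #   INTEGER 0 (version)
        "300d06092a864886f70d0101010500"  #   AlgorithmIdentifier: rsaEncryption, NULL
        "0403300100"                #   OCTET STRING (placeholder key bytes)
    )).decode("ascii")
    + "\n-----END PRIVATE KEY-----\n"
)
SAMPLE_PKCS1_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    + base64.b64encode(bytes.fromhex("3006020100020105")).decode("ascii")
    + "\n-----END RSA PRIVATE KEY-----\n"
)

KNOWN_OIDS = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def check_private_key(pem: str) -> dict:
    """Report whether a PEM string is an unencrypted PKCS#8 key the connector accepts."""
    m = PEM_RE.search(pem)
    if not m:
        return {"ok": False, "reason": "no PEM block found"}
    label, body = m.group(1), m.group(2)
    if label == "RSA PRIVATE KEY":
        return {"ok": False, "format": "PKCS#1",
                "reason": "convert with: openssl pkcs8 -topk8 -nocrypt -in key.pem -out key_pkcs8.pem"}
    if label == "EC PRIVATE KEY":
        return {"ok": False, "format": "SEC1", "reason": "convert with: openssl pkcs8 -topk8 -nocrypt"}
    if label == "ENCRYPTED PRIVATE KEY":
        # Assumption: the connector expects an unencrypted key, as the -nocrypt conversions imply.
        return {"ok": False, "format": "PKCS#8 (encrypted)", "reason": "re-export without a passphrase (-nocrypt)"}
    if label != "PRIVATE KEY":
        return {"ok": False, "reason": f"not a private key block: {label}"}
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        tag, info, end = _der_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            raise ValueError("outer element is not a single SEQUENCE")
        vtag, version, pos = _der_tlv(info, 0)           # version INTEGER
        atag, alg, pos = _der_tlv(info, pos)             # AlgorithmIdentifier SEQUENCE
        otag, oid, _ = _der_tlv(alg, 0)                  # algorithm OID
        ktag, _, _ = _der_tlv(info, pos)                 # privateKey OCTET STRING
        if (vtag, atag, otag, ktag) != (0x02, 0x30, 0x06, 0x04) or version != b"\x00":
            raise ValueError("not a PrivateKeyInfo structure")
    except (ValueError, IndexError) as exc:
        return {"ok": False, "format": "PKCS#8", "reason": f"malformed: {exc}"}
    oid_str = _decode_oid(oid)
    return {"ok": True, "format": "PKCS#8", "algorithm": KNOWN_OIDS.get(oid_str, oid_str)}


if __name__ == "__main__":
    print(check_private_key(SAMPLE_PKCS8_PEM))
    print(check_private_key(SAMPLE_PKCS1_PEM))
```

Run it against the exact text you intend to paste into the Private Key (PEM) field; a result with `"ok": False` names the format found and the conversion command from the section above.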
OAuth Client Credentials Flow Authentication
The oauth-client-credentials authentication method uses the OAuth 2.0 Client Credentials Flow to obtain an access token. This method authenticates using client credentials (client ID and client secret) and optionally username/password, then exchanges them for an OAuth access token at the authentication endpoint.
When using oauth-client-credentials as the authentication type, the following parameters are required:
| Configuration | Description |
|---|---|
| Username | Enter the service account username for the SCIM-enabled service (required for OAuth Client Credentials Flow). |
| Password | Enter the service account password for the SCIM-enabled service (required for OAuth Client Credentials Flow). |
| Client ID | Enter the client ID generated by the service endpoint for application integration (required for OAuth Client Credentials Flow). |
| Client Secret | Enter the client secret generated by the service endpoint for application integration (required for OAuth Client Credentials Flow). |
| Login URL | Enter the URL address for login/authentication (required for OAuth Client Credentials Flow). |
| Grant Type | Enter the URL path and grant type parameter for OAuth Client Credentials Flow authentication (e.g., /services/oauth2/token?grant_type=password) (required for OAuth Client Credentials Flow). |
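To make the two token-acquiring flows concrete, here is an added example (not the connector's own code) that builds the exact messages each flow exchanges: the JWT assertion with the iss, sub, aud and exp claims from the jwt-bearer-token table (exp defaulting to 300 seconds, as the JWT Expiration Seconds parameter does) and the form-encoded token request that carries it, the POST to Login URL plus Grant Type with the client ID, client secret, username and password from the oauth-client-credentials table, and the Bearer header that the returned access token goes into on SCIM requests. It uses only the standard library; the RS256 signature is supplied by a caller-provided `sign` callable so that the block runs offline, and the `placeholder_signer`, the `SAMPLE_TOKEN_RESPONSE` bytes and all host names are constructed for the demonstration. The grant type URN `urn:ietf:params:oauth:grant-type:jwt-bearer` is the one RFC 7523 defines for JWT bearer assertions; the page does not state which URN the endpoint expects, so check your application's documentation.

```python
import base64
import hashlib
import json
import time
import urllib.parse
from typing import Callable

# RFC 7523 grant type for "JWT as an authorization grant"; confirm it against your endpoint.
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed sample of what an authentication endpoint returns (not real data).
SAMPLE_TOKEN_RESPONSE = b'{"access_token": "constructed-access-token", "token_type": "Bearer", "expires_in": 3600}'


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def placeholder_signer(signing_input: bytes) -> bytes:
    """Stand-in for the offline demonstration only: a hash is NOT a signature.
    In production plug in RSA-SHA256 over the same bytes with the PKCS#8 key, e.g.
    with the `cryptography` package:
        key = serialization.load_pem_private_key(pem_bytes, password=None)
        sign = lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())
    """
    return hashlib.sha256(signing_input).digest()


def build_jwt_assertion(issuer: str, subject: str, audience: str,
                        sign: Callable[[bytes], bytes],
                        expiration_seconds: int = 300, now: int = None) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(signature)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + expiration_seconds}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + _b64url(sign(signing_input.encode("ascii")))


def decode_claims(assertion: str) -> dict:
    """Read back the claims segment (no signature check; used to inspect what was sent)."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def jwt_bearer_token_request(auth_endpoint: str, assertion: str) -> dict:
    """POST to the JWT Authentication Endpoint exchanging the assertion for an access token."""
    body = urllib.parse.urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": assertion})
    return {"method": "POST", "url": auth_endpoint,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}, "body": body}


def client_credentials_token_request(login_url: str, grant_type_path: str, client_id: str,
                                     client_secret: str, username: str, password: str) -> dict:
    """POST to Login URL + Grant Type (path and grant_type query as configured)."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "username": username, "password": password})
    return {"method": "POST", "url": login_url.rstrip("/") + grant_type_path,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}, "body": body}


def parse_token_response(raw: bytes) -> str:
    """Extract the access token, refusing responses that are not usable as a Bearer token."""
    data = json.loads(raw)
    if not data.get("access_token") or data.get("token_type", "Bearer").lower() != "bearer":
        raise ValueError("token response has no usable bearer access_token")
    return data["access_token"]


def scim_request_headers(access_token: str) -> dict:
    """Headers the connector sends on SCIM calls once a token is obtained."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/scim+json"}


if __name__ == "__main__":
    assertion = build_jwt_assertion("connector-client-id", "svc-scim@example.com",
                                    "https://auth.example.com", placeholder_signer)
    print(jwt_bearer_token_request("https://auth.example.com/oauth2/token", assertion)["body"][:80])
    print(client_credentials_token_request("https://login.example.com",
          "/services/oauth2/token?grant_type=password", "cid", "secret", "svc", "pw")["url"])
    print(scim_request_headers(parse_token_response(SAMPLE_TOKEN_RESPONSE)))
```

The short `exp` window (300 seconds by default) is what limits the damage if an assertion is captured in transit, so keep the connector's clock in sync with the endpoint; a skewed clock is the usual cause of a rejected assertion.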
