Setup
The SCIM application can be accessed internally via the Advanced Access Control endpoints or securely exposed externally using the web reverse proxy with some additional setup.
Access to the SCIM application is controlled by the Advanced Access Control user registry. Administration tasks can be performed by users in the Administration Group specified on the SCIM Configuration page. By default, the account easuser is present in the default Administration Group.
Only use the administration accounts internally or as service accounts for other points of contact (such as the web reverse proxy) to authenticate to the SCIM application.
Authenticating as an ISAM user to the SCIM Application
The SCIM application supports authentication as Security Verify Access users via the web reverse proxy. To set up the web reverse proxy as a point of contact for the SCIM application, create a junction to the Advanced Access Control listening interface with the following settings:
- Identity parameters
- HTTP header identity information:
- IV-USER
- IV-GROUPS
- IV-CREDS
- Authentication
- The junction authenticates using the credentials for a service account that is part of the Administration Group.
- Depending on the configuration of the Advanced Access Control Runtime, this can be basic authentication or mutual SSL authentication.
The SCIM application can interpret the IV-USER/IV-GROUPS/IV-CREDS headers and determine which ISAM user is authenticated. Specifically, the SCIM application determines the user based on the AZN_CRED_PRINCIPAL_NAME attribute. Using this information, the SCIM application resolves the /Users/Me endpoint to the current user and grants the following access:
- Read/write access to only the user’s own profile
- No access to other user profiles or listing of all users
As the user is determined by the SCIM application based on the value of AZN_CRED_PRINCIPAL_NAME, this value must be a normalized and globally unique value for any entity that can authenticate in the ISAM environment. This includes users in local or federated user registries, users from federated single sign-on, and users from EAI applications.
Authenticating as SCIM users to the web reverse proxy
It is possible to use the SCIM users as basic users to authenticate to the web reverse proxy. This is useful in scenarios where we do not want to create all of your SCIM users within the ISAM registry.
SCIM users can authenticate if the ISAM Runtime is configured with basic user support. For further information, see Configure the runtime to authenticate basic users.
Ensure the LDAP server and suffix containing the SCIM users is configured and the principal attribute (basic-user-principal-attribute) is set to the LDAP attribute the SCIM userName attribute is mapped to. By default, the SCIM userName attribute is mapped to the LDAP attribute uid.
URL Filtering
Resource responses include URLs that will not be filtered or rewritten by the web reverse proxy by default. To rewrite URLs within SCIM JSON responses, make the following changes to the web reverse proxy configuration file:
[filter-content-types] type = application/scim+json [script-filtering] script-filter = yes rewrite-absolute-with-absolute = yes
Parent topic: User Self-Care with the SCIM API