SCIM service configuration files
Before deploying the SCIM service, modify the configuration files to specify connection settings, user and group mapping, and schemas.
After installing Security Directory Integrator v7.2, a folder named SCIM is present in the tdi_install directory. When the solution directory is created, either manually or when the server is started, the SCIM folder is copied to the solution directory automatically. Alternatively, you can copy the SCIM folder to the solution directory yourself.
The SCIM folder contains the following files, including the configuration files that you modify to configure the setup. In most cases you need to update only the SCIM.properties file; the other files usually require no modification.
SCIM.properties
The SCIM.properties file contains the following server system-specific properties, including details of the backend IBM Security Directory Server.
LDAPServer
    The URL for the IBM Security Directory Server that stores the user data.
userSearchBase
    The search base for users in the IBM Security Directory Server.
groupSearchBase
    The search base for groups in the IBM Security Directory Server.
userObjectClass
    The list of object classes that are used when a user is created in the IBM Security Directory Server.
groupObjectClass
    The list of object classes that are used when a group is created in the IBM Security Directory Server.
userSearchFilter
    The filter used to find all users in the userSearchBase.
groupSearchFilter
    The filter used to find all groups in the groupSearchBase.
dummyGroupMember
    When a new group is created with no members, and dummyGroupMember has a value, that value is added as a member to avoid an object class violation error.
audit.log
    Set this parameter to true to create audit logs.
audit.logFile
    The name of the audit log file.
audit.logFileDatePattern
    The date pattern that specifies how often the log file is rolled over to a backup file, and how the date is appended to the file name of the backup files that store previous logs.
Location
    The externally accessible URL of the SCIM service. It affects only the Location headers in SCIM replies.
httpPort
    The port on which the SCIM service listens. The SCIM service always uses SSL.
AuthenticationRealm
    The realm presented to the user when authentication is requested.
audit.syslog
    Indicates whether syslogging to QRadar® is enabled. Set the value to true to enable it.
audit.QRadarHost
    The host where QRadar is located.
audit.QRadarPort
    The port number for QRadar.
audit.facility
    The facility for the audit messages.
audit.eventID
    The event ID to use in audit logs.
audit.devTimeFormat
    The date format to use in audit logs.
LDAP.LookupLimit
    The maximum number of resources that the SCIM service returns from a lookup. The default value is only 20000, to avoid memory exhaustion.

UserMapping.json and GroupMapping.json
The UserMapping.json and GroupMapping.json files specify the mapping between SCIM attributes and IBM Security Directory Server user or group attributes. Each entry in these files contains a SCIM attribute name and an LDAP attribute name. An entry can also carry the following extra attributes.
ReadOnly
    The value is mapped only from LDAP to SCIM, not the other way.
WriteOnly
    The value is mapped only from SCIM to LDAP, not the other way. The password entry must be WriteOnly so that the password is never returned through SCIM.
CreateDN
    The value is also used to build the distinguished name (DN) of a new entry in the IBM Security Directory Server, by appending the search base (userSearchBase for users) to the value. To create new resources, exactly one entry must carry CreateDN, and it must map a SCIM attribute that is always supplied in a create request.
Type
    Provides the canonical type for a multi-valued attribute.
Conversion
    Specifies a conversion of the attribute value. The Conversion attribute can have one of the following values:
- DateTime converts the value from LDAP date format to SCIM date format.
- Group converts the value from an LDAP group to a SCIM group.
- NewLines converts the new lines in SCIM values to $ in LDAP values and vice versa.
Note:
- There must be only one map entry for each SCIM name, unless the entries have a unique Type.
- There must be only one entry for each LDAP name, unless the entries are ReadOnly.
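The properties and mapping rules above are easy to get wrong by hand, so a short lint run before deployment pays off. The following Python script is an added example, not part of the SDI SCIM folder or IBM's code. It assumes SCIM.properties is in Java key=value syntax and that UserMapping.json is a JSON list of objects with "scim" and "ldap" keys plus the optional ReadOnly, WriteOnly, CreateDN and Type flags; the real file layout may differ, in which case only parse_mapping() needs adjusting. The sample property values and mapping entries are constructed. It also assumes the LDAPServer URL can use the ldaps:// scheme, and reads the "only one entry for each LDAP name, unless the entries are ReadOnly" rule as "at most one writable entry per LDAP attribute".

```python
"""Pre-deployment lint for an SDI SCIM folder (added example, not IBM code).

Assumed file layouts, not taken from the documentation: SCIM.properties is
Java key=value text; UserMapping.json is a JSON list of objects with keys
"scim" and "ldap" and optional "ReadOnly", "WriteOnly", "CreateDN", "Type".
"""
import json
from collections import Counter, defaultdict

# Constructed sample SCIM.properties with several weak settings.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real deployment
LDAPServer=ldap://ldap.example.com:389
userSearchBase=ou=users,dc=example,dc=com
groupSearchBase=ou=groups,dc=example,dc=com
Location=http://scim.example.com:8443
httpPort=8443
audit.log=false
LDAP.LookupLimit=500000
"""

# Constructed sample UserMapping.json (assumed layout) with three mistakes.
SAMPLE_MAPPING = json.dumps([
    {"scim": "id", "ldap": "ibm-entryuuid", "ReadOnly": True},
    {"scim": "userName", "ldap": "uid", "CreateDN": True},
    {"scim": "password", "ldap": "userPassword"},                 # not WriteOnly
    {"scim": "phoneNumbers", "ldap": "telephoneNumber", "Type": "work"},
    {"scim": "phoneNumbers", "ldap": "mobile", "Type": "work"},   # Type not unique
    {"scim": "displayName", "ldap": "cn"},
    {"scim": "name.formatted", "ldap": "cn"},                     # second writer for cn
])


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_mapping(text):
    return json.loads(text)


def lint_properties(props):
    """Findings for settings a security reviewer would reject."""
    findings = []
    if not props.get("LDAPServer", "").lower().startswith("ldaps://"):
        findings.append("LDAPServer: use ldaps:// so bind credentials and user "
                        "data do not cross the network in clear text")
    if not props.get("Location", "").lower().startswith("https://"):
        findings.append("Location: the service always uses SSL, so the URL "
                        "echoed in Location headers should be https://")
    if props.get("audit.log", "false").lower() != "true":
        findings.append("audit.log: enable audit logging of provisioning changes")
    limit = int(props.get("LDAP.LookupLimit", "20000"))
    if limit > 20000:
        findings.append(f"LDAP.LookupLimit={limit}: above the 20000 default "
                        "that guards against memory exhaustion")
    return findings


def lint_mapping(entries):
    """Check the mapping rules: SCIM/LDAP uniqueness, CreateDN, password."""
    findings = []
    # One entry per SCIM name unless every duplicate carries a distinct Type.
    types_by_scim = defaultdict(list)
    for e in entries:
        types_by_scim[e["scim"]].append(e.get("Type"))
    for scim, types in types_by_scim.items():
        if len(types) > 1 and (None in types or len(set(types)) != len(types)):
            findings.append(f"{scim}: multiple entries without a unique Type")
    # At most one writable (non-ReadOnly) entry per LDAP attribute.
    writers = Counter(e["ldap"] for e in entries if not e.get("ReadOnly"))
    for ldap, n in writers.items():
        if n > 1:
            findings.append(f"{ldap}: {n} non-ReadOnly entries map to this LDAP attribute")
    # Exactly one CreateDN entry is needed to build DNs for new resources.
    if sum(1 for e in entries if e.get("CreateDN")) != 1:
        findings.append("CreateDN: exactly one entry must carry CreateDN")
    # The password must never be readable back out of LDAP through SCIM.
    for e in entries:
        if e["scim"] == "password" and not e.get("WriteOnly"):
            findings.append("password: entry must be WriteOnly")
    return findings


def lint_scim_folder(properties_text, mapping_text):
    return {
        "properties": lint_properties(parse_properties(properties_text)),
        "mapping": lint_mapping(parse_mapping(mapping_text)),
    }


if __name__ == "__main__":
    for section, found in lint_scim_folder(SAMPLE_PROPERTIES, SAMPLE_MAPPING).items():
        for finding in found:
            print(f"[{section}] {finding}")
```

Run it against the real SCIM.properties and UserMapping.json from the solution directory by reading those files into the two text arguments; GroupMapping.json can be passed through lint_mapping() in the same way, except that the password check does not apply to groups.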
UserSchema.json and GroupSchema.json
The UserSchema.json and GroupSchema.json files provide the schema definition of users and groups according to the SCIM specification. The attributes that they define must match the attributes that are mapped in the UserMapping.json and GroupMapping.json files.
ServiceProviderConfig.json
Defines the specification compliance, supported data models, authentication schemes, and so forth.
SCIM.xml
The configuration file that implements the SCIM service.
QRadarLogging.map
The QRadarLogging.map file specifies the values for attributes that are sent to the QRadar system when QRadar syslogging is enabled.
For more information, see the Readme.txt file in the SCIM folder of the solution_directory of the SDI installation.