Written by
  • email
  • twitter
  • linkedin
  • linkedin

SCIM is a standard for automating the exchange of user identity information between identity domains.

SCIM (System for Cross-domain Identity Management) communicates user identity data between identity providers (such as companies with multiple individual users) and service providers requiring user identity information (such as enterprise SaaS apps).

Syncope exposes a fully compliant SCIM 2.0 RESTful interface available under /scim, it translates the incoming/outgoing payloads from/to SCIM formats to/from Syncope standard formats, and it is developed as an extension.

The idea of this blog post is to turn LDAP Directory into a SCIM 2.0 provider by adding OpenLDAP to Syncope, defining the scheme for inetOrgPerson, providing the mapping and then configuring SCIM accordingly. For implementing this in Syncope, the steps are as follows:

Create a project from maven archetype

First it is to start with a simple embedded Syncope project from archetype:

$ mvn archetype:generate \
    -DarchetypeGroupId=org.apache.syncope \
    -DarchetypeArtifactId=syncope-archetype \
    -DarchetypeRepository=http://repo1.maven.org/maven2 \

By default, the embedded mode is populated with example data. If you prefer to work in an empty Syncope project, this can be done by running the following commands:

$ cp core/src/main/resources/domains/MasterContent.xml \

Then build it with "all" profile in order to load SCIM extension:

$ mvn -P all clean install && cd enduser && mvn -P embedded,all

Now, from your browser, login to Syncope Console at http://localhost:9080/syncope-console/
using the default "admin" / "password" credentials.

Add OpenLDAP to Syncope

Here we need to:

  • Configure LDAP connector instance; as an important note, we are going to work with inetOrgPerson object class thus, in case you do not have an LDAP connector already configured, it is needed to add a new one with the required values depending on your actual OpenLDAP instance.
  • Configure the OpenLDAP External Resource.
  • Configure USER mapping between Syncope user attributes and OpenLDAP user attributes: here make sure to map all mandatory LDAP attributes; please notice that, since in case you are working with a clean Syncope project, some schemas (as fullname and surname, for example) might need to be created.

Configure SCIM

Go to Extensions --> SCIM from the left panel, and then choose User tab, here you need to map between Syncope user attributes and SCIM user attributes.

More attributes can be mapped, but for our purpose it is necessary to add the mapping with Syncope attributes that we already used to map with the attributes of OpenLDAP.

Provision a user dynamically to OpenLDAP resource

While creating a user from SCIM, it is needed to provision the user dynamically to OpenLDAP resource. One of the easiest solution is by creating a Group with a “Dynaamic USER assignment”, with a condition that satisfies the case, as follows (users will always feature non-null username values).

scim azure img5

After following the steps above, the communication to OpenLDAP by using SCIM v2 REST APIs is fully set up.
The SCIM endpoint is http://localhost:9080/syncope/scim/v2, some examples are shown below:

  • Create a user request:

    POST http://localhost:9080/syncope/scim/v2/Users

    Accept: application/scim+json
    Content-Type: application/scim+json
        "formatted":"Dima Ayash",
      "displayName":"Dima Ayash",
  • Get all users request:

    GET http://localhost:9080/syncope/scim/v2/Users

  • Get a specific user:

    GET http://localhost:9080/syncope/scim/v2/Users/{id}

  • Delete a specific user:

    DELETE http://localhost:9080/syncope/scim/v2/Users/{id}

Now that SCIM 2.0 through OpenLDAP is working via Syncope, it's time to instruct Azure Active Directory to provision via SCIM by following the steps mentioned in the official docs.

7 VOTIGoodGood
Ti è stato utile questo articolo?
From Tirasa's Blog
The place where we share what we do, learn and discover day by day.
Go to blog >