# Provisioning with SCIM Integration
Swimlane Turbine supports integration with System for Cross-domain Identity Management (SCIM) 2.0. SCIM streamlines user management by automating onboarding and offboarding: users, groups, and the membership of users in groups are managed from the identity provider (IdP) without manual intervention in Turbine. Swimlane Turbine supports SCIM 2.0 integration with identity providers such as Okta and Azure; see the IdP-specific provisioning pages for the IdP-side setup.

With SCIM integration you can:

- Create a new user, with or without groups.
- Retrieve a user by ID.
- Attempt to create a user that already exists in Swimlane Turbine (the user endpoint returns a 409 conflict instead of a duplicate).
- Delete a user.
- Disable a user: deprovisioning the user in the IdP disables the user in Turbine and prevents them from logging in to the application. Reactivating the user in the IdP reactivates the user in Turbine.
- Update user profile information; the changes are applied in Swimlane Turbine.
- Create a group, with or without users.
- Update a group.
- Delete a group.

## Prerequisites for configuring SCIM

- Supported IdP: verify that your identity provider supports SCIM 2.0 provisioning.
- SCIM-compatible configuration: ensure Swimlane is configured to support SCIM integration and exposes the SCIM endpoints listed below.
- Network configuration: confirm that network settings allow the IdP to reach Swimlane over HTTPS. SCIM carries user identities and a bearer credential, so do not expose the endpoints over plain HTTP.
- Authentication credentials: obtain the credentials the IdP will present to Swimlane (for example, OAuth tokens or API keys). For Turbine this is a user personal access token (PAT); see Authentication below.

## Configuring SCIM

Provisioning a SCIM application in an IdP means configuring the IdP to communicate with the service provider (SP), here Swimlane Turbine, using the SCIM protocol, so that identity lifecycle events in the IdP are applied automatically in Turbine. See your IdP documentation for the IdP-side provisioning steps. If you already use SAML and LDAP, you can still enable SCIM.

## REST API endpoints for SCIM

The following endpoints are implemented on the tenant service (swimlane-tenant). `{accountId}` identifies the account whose users and groups are managed.

User endpoints:

- `POST /tenant/api/account/{accountId}/scim/v2/users`
- `GET /tenant/api/account/{accountId}/scim/v2/users` (list, with paging and filter)
- `GET /tenant/api/account/{accountId}/scim/v2/users/{userId}`
- `PUT /tenant/api/account/{accountId}/scim/v2/users/{userId}`
- `PATCH /tenant/api/account/{accountId}/scim/v2/users/{userId}`
- `DELETE /tenant/api/account/{accountId}/scim/v2/users/{userId}`

Group endpoints:

- `POST /tenant/api/account/{accountId}/scim/v2/groups`
- `GET /tenant/api/account/{accountId}/scim/v2/groups` (list, with paging and filter)
- `GET /tenant/api/account/{accountId}/scim/v2/groups/{groupId}`
- `PUT /tenant/api/account/{accountId}/scim/v2/groups/{groupId}`
- `PATCH /tenant/api/account/{accountId}/scim/v2/groups/{groupId}`
- `DELETE /tenant/api/account/{accountId}/scim/v2/groups/{groupId}`

### User endpoint examples

**GET users**

Accepts the `startIndex` and `count` query parameters; by default `itemsPerPage` is 100. Accepts a filter query string of the form `filter=userName eq "${email}"` (the filter value must be URL-encoded when sent). Returns the list of matching users, or an empty list.

Schema for an empty response:

```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 0,
  "startIndex": 1,
  "itemsPerPage": 0,
  "Resources": []
}
```

Schema for a response with users (`totalResults` and `itemsPerPage` reflect the number of matches and the number returned on this page):

```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 1,
  "startIndex": 1,
  "itemsPerPage": 1,
  "Resources": [
    {
      "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
      "id": "23a35c27-23d3-4c03-b4c5-6443c09e7173",
      "userName": "test.user@okta.local",
      "name": { "givenName": "test", "familyName": "user" },
      "emails": [{ "primary": true, "value": "test.user@okta.local", "type": "work" }],
      "displayName": "test user",
      "locale": "en-US",
      "externalId": "00ujl29u0le5t6aj10h7",
      "active": true,
      "groups": [],
      "meta": { "resourceType": "User" }
    }
  ]
}
```

**GET a specific user**

`GET users/{userId}` returns the user:

```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "23a35c27-23d3-4c03-b4c5-6443c09e7173",
  "userName": "test.user@okta.local",
  "name": { "givenName": "test", "middleName": "", "familyName": "user" },
  "active": true,
  "emails": [
    { "primary": true, "value": "test.user@okta.local", "type": "work", "display": "test.user@okta.local" }
  ],
  "groups": [],
  "meta": { "resourceType": "User" }
}
```

**POST (create)**

Accepts the user details sent by the IdP and returns the user with the additional fields added by Swimlane (`id` and `meta`).

Request schema:

```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "test.user@okta.local",
  "name": { "givenName": "test", "familyName": "user" },
  "emails": [{ "primary": true, "value": "test.user@okta.local", "type": "work" }],
  "displayName": "test user",
  "locale": "en-US",
  "externalId": "00ujl29u0le5t6aj10h7",
  "groups": [],
  "active": true
}
```

Response schema:

```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "23a35c27-23d3-4c03-b4c5-6443c09e7173",
  "userName": "test.user@okta.local",
  "name": { "givenName": "test", "familyName": "user" },
  "emails": [{ "primary": true, "value": "test.user@okta.local", "type": "work" }],
  "displayName": "test user",
  "locale": "en-US",
  "externalId": "00ujl29u0le5t6aj10h7",
  "active": true,
  "groups": [],
  "meta": { "resourceType": "User" }
}
```

If the user already exists, the response is a SCIM error with status 409:

```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
  "detail": "User already exists in the database.",
  "status": 409
}
```

**PUT (update)**

`PUT users/{userId}` replaces the user. Request schema:

```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "23a35c27-23d3-4c03-b4c5-6443c09e7173",
  "userName": "test.user@okta.local",
  "name": { "givenName": "another", "middleName": "excited", "familyName": "user" },
  "emails": [
    { "primary": true, "value": "test.user@okta.local", "type": "work", "display": "test.user@okta.local" }
  ],
  "active": true,
  "groups": [],
  "meta": { "resourceType": "User" }
}
```

The response returns the updated user.

**PATCH**

`PATCH users/{userId}` is used to activate, deactivate, or password-sync the user. Example request to deactivate:

```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    { "op": "replace", "value": { "active": false } }
  ]
}
```

The response is the updated user or 204 No Content.

**DELETE**

Okta does not send DELETE for users directly; it uses PATCH with `"active": false` to deprovision or deactivate the user. A deactivated user is disabled in Turbine and cannot log in.

### Group endpoint examples

**GET groups**

Accepts the `startIndex` and `count` query parameters; by default `itemsPerPage` is 100. Accepts the filter query string `filter=displayName eq "${groupName}"`.

Sample request:

```
/scim/v2/groups?filter=displayName%20eq%20%22test%20scimv2%22&startIndex=1&count=100
```

Response schema if the group exists:

```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 1,
  "startIndex": 1,
  "itemsPerPage": 1,
  "Resources": [
    {
      "id": "e7d09e9b3faa4888b65cf9e9316cba1c",
      "meta": {
        "created": "2024-05-15T09:21:23",
        "lastModified": "2024-05-15T09:21:23",
        "version": "v1.0"
      },
      "displayName": "test scimv2"
    }
  ]
}
```

Response schema if no group matches:

```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 0,
  "startIndex": 1,
  "itemsPerPage": 0,
  "Resources": []
}
```

**GET a specific group**

`GET groups/{groupId}` response schema:

```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "id": "abf4dd94-a4c0-4f67-89c9-76b03340cb9b",
  "displayName": "test scimv2",
  "members": [
    { "value": "b1c794f24f4c49f4b5d503a4cb2686ea", "display": "scim 2 group a" }
  ],
  "meta": { "resourceType": "Group" }
}
```

**POST (create)**

The response is the group object, in the same shape as the GET example. Request schema with members:

```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "displayName": "testgroup",
  "members": [
    { "value": "584a1e86-5de0-4634-80a6-f357156de9f3", "display": "aashmi.chaudhary+okta@swimlane.com" }
  ]
}
```

Request schema without members:

```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "displayName": "test scimv2",
  "members": []
}
```

**PUT / PATCH**

`PATCH groups/{groupId}` is used to update group attributes such as the name. Request schema to rename a group:

```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "replace",
      "value": { "id": "abf4dd94-a4c0-4f67-89c9-76b03340cb9b", "displayName": "test scimv2" }
    }
  ]
}
```

The response is the updated group object or 204 No Content.

Members are added and removed by PATCH (this is what the Okta OIN app sends). Request schema that removes one member and adds another:

```json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "remove",
      "path": "members[value eq \"89bb1940-b905-4575-9e7f-6f887cfb368e\"]"
    },
    {
      "op": "add",
      "path": "members",
      "value": [
        { "value": "23a35c27-23d3-4c03-b4c5-6443c09e7173", "display": "test.user@okta.local" }
      ]
    }
  ]
}
```

The response is the updated group or 204 No Content.

**DELETE**

`DELETE groups/{groupId}` returns 204 No Content.

## Authentication

The SCIM endpoints authenticate with a user personal access token (PAT) defined for the user at the account level. The base URL includes `{accountId}`, which identifies the account for which users and groups are created:

```
/tenant/api/account/{accountId}/scim/v2/
```

Because the PAT grants account-admin rights over user and group provisioning, store it only in the IdP's provisioning configuration, rotate it like any other admin credential, and revoke it when the integration is decommissioned.

## Authorization

Only a user with account admin privilege can access the endpoints. Cross-account access is restricted: a PAT issued for one account cannot manage users or groups of another account, even though the account ID is part of the URL. Roles assigned in Turbine to users and groups are not overwritten by SCIM API calls.

## Field mapping

| SCIM attribute    | Swimlane field |
|-------------------|----------------|
| `userName`        | `email`        |
| `name.givenName`  | `firstName`    |
| `name.familyName` | `lastName`     |
| `displayName`     | `displayName`  |
| `groups`          | `groups`       |
| `active`          | `disabled` (inverted: `"active": false` sets `disabled` to true) |

When provisioning from Azure, only `userPrincipalName` and `displayName` are required. If `firstName`, `lastName`, or `email` are not provided by Azure, Swimlane automatically substitutes the `userPrincipalName` value for each of them.
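The user endpoint behaviour and field mapping described above, as an added example that is not Swimlane's code: an in-memory stand-in for the `users` endpoints that implements the `userName eq "..."` filter, `startIndex`/`count` paging with a default page of 100, the 409 conflict on duplicate creation, and the PATCH `replace` used for deactivation, plus `to_turbine_user`, which applies the SCIM-to-Swimlane field mapping (including the inverted `active` to `disabled` and the Azure `userPrincipalName` fallback). The Turbine-side key names (`email`, `firstName`, `lastName`, `disabled`), the 201 status for a successful create, the in-memory storage, and the sample Okta user are assumptions for illustration.

```python
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Only the filter shape the page documents: <attribute> eq "<value>"
_FILTER_RE = re.compile(r'^\s*([\w.]+)\s+eq\s+"([^"]*)"\s*$', re.IGNORECASE)


def _attr(resource, name):
    """SCIM attribute names are case-insensitive (RFC 7643), so look up accordingly."""
    return next((v for k, v in resource.items() if k.lower() == name.lower()), None)


def _error(status, detail):
    return status, {"schemas": [ERROR_SCHEMA], "status": status, "detail": detail}


def to_turbine_user(scim_user):
    """Field mapping from the page: userName->email, name.givenName->firstName,
    name.familyName->lastName, displayName->displayName, groups->groups,
    active->disabled (inverted). Missing email/first/last fall back to
    userPrincipalName as documented for Azure. Turbine key names are assumed."""
    upn = _attr(scim_user, "userPrincipalName") or _attr(scim_user, "userName")
    name = _attr(scim_user, "name") or {}
    active = _attr(scim_user, "active")
    return {
        "email": _attr(scim_user, "userName") or upn,
        "firstName": name.get("givenName") or upn,
        "lastName": name.get("familyName") or upn,
        "displayName": _attr(scim_user, "displayName") or upn,
        "groups": [g.get("value") for g in (_attr(scim_user, "groups") or [])],
        "disabled": not (True if active is None else active),  # absent active = enabled
    }


class ScimUsers:
    """In-memory stand-in for /tenant/api/account/{accountId}/scim/v2/users (assumed).
    Each method returns (http_status, json_body_or_None)."""

    def __init__(self, page_size=100):  # page default of 100 as documented
        self.page_size = page_size
        self._users = {}

    def list(self, filter_=None, start_index=1, count=None):
        matches = list(self._users.values())
        if filter_:
            m = _FILTER_RE.match(filter_)
            if not m:
                return _error(400, "unsupported filter")
            attr, value = m.groups()
            matches = [u for u in matches if str(_attr(u, attr) or "").lower() == value.lower()]
        page = matches[start_index - 1: start_index - 1 + (count or self.page_size)]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(matches),
                     "startIndex": start_index, "itemsPerPage": len(page), "Resources": page}

    def create(self, body):
        # Duplicate userName -> 409 with the error schema shown on the page
        if self.list(f'userName eq "{_attr(body, "userName")}"')[1]["totalResults"]:
            return _error(409, "User already exists in the database.")
        user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()), "active": True, "groups": [],
                **body, "meta": {"resourceType": "User"}}  # id and meta added server-side
        self._users[user["id"]] = user
        return 201, user  # 201 Created per RFC 7644; the page does not state the code

    def get(self, user_id):
        return (200, self._users[user_id]) if user_id in self._users else _error(404, "not found")

    def patch(self, user_id, body):
        """Handles the PatchOp shape the page shows: replace with a value object."""
        if user_id not in self._users:
            return _error(404, "not found")
        user = self._users[user_id]
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return _error(400, "only replace is supported")
            if op.get("path"):
                user[op["path"]] = op["value"]
            else:
                user.update(op["value"])
        return 200, user

    def delete(self, user_id):
        return (204, None) if self._users.pop(user_id, None) else _error(404, "not found")


def demo():
    """Constructed walk-through: create, duplicate create, filter, deactivate, delete."""
    svc = ScimUsers()
    okta_user = {"schemas": [USER_SCHEMA], "userName": "test.user@okta.local",  # constructed
                 "name": {"givenName": "Test", "familyName": "User"},
                 "displayName": "Test User", "externalId": "00ujl29u0le5t6aj10h7", "active": True}
    status, created = svc.create(okta_user)
    dup_status, _ = svc.create(okta_user)
    found = svc.list('userName eq "TEST.USER@okta.local"')[1]  # filter is case-insensitive
    svc.patch(created["id"], {"Operations": [{"op": "replace", "value": {"active": False}}]})
    turbine = to_turbine_user(svc.get(created["id"])[1])
    del_status, _ = svc.delete(created["id"])
    return {"create": status, "duplicate": dup_status, "found": found["totalResults"],
            "disabled": turbine["disabled"], "delete": del_status,
            "after": svc.list()[1]["totalResults"]}
```

The deactivation path matters operationally: Okta never sends DELETE, so a user offboarded in the IdP only becomes `disabled` in Turbine through the PATCH, which is why `to_turbine_user` inverts `active` rather than copying it.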
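The group PATCH operations described above (rename via `replace`, member removal via the `members[value eq "..."]` path filter, and member addition via `path: "members"`), as an added example that is not Swimlane's code: a function that applies such a PatchOp to a group resource. It accepts only the path forms the page shows and rejects anything else, keeps `id` immutable, and treats removal of an absent member and re-adding an existing one as no-ops so that a replayed IdP request does not corrupt membership. The sample group, the existing member's display name, and the treatment of unsupported operations as `ValueError` (which a server would map to HTTP 400) are assumptions.

```python
import re

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Only the member path form shown on the page: members[value eq "<memberId>"]
_MEMBER_FILTER_RE = re.compile(r'^members\[value eq "([^"]+)"\]$', re.IGNORECASE)


def apply_group_patch(group, patch):
    """Return a new group dict with the PatchOp applied: 'replace' of attributes
    such as displayName, 'remove' of one member by path filter, 'add' of members.
    Raises ValueError for anything else (a server would answer 400)."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a PatchOp")
    members = {m["value"]: m for m in group.get("members", [])}  # keyed by member id
    updated = dict(group)
    for op in patch.get("Operations", []):
        kind, path = op.get("op", "").lower(), op.get("path")
        if kind == "replace" and not path:
            # id is immutable, even though the page's rename request repeats it
            updated.update({k: v for k, v in op["value"].items() if k != "id"})
        elif kind == "remove" and path:
            m = _MEMBER_FILTER_RE.match(path)
            if not m:
                raise ValueError(f"unsupported path: {path}")
            members.pop(m.group(1), None)  # removing an absent member is a no-op
        elif kind == "add" and path and path.lower() == "members":
            for member in op["value"]:
                members.setdefault(member["value"], member)  # idempotent add
        else:
            raise ValueError(f"unsupported operation: {op}")
    updated["members"] = list(members.values())
    return updated


def demo():
    """Constructed input: the member swap request from the page applied to a group
    that currently holds the member being removed."""
    group = {"schemas": [GROUP_SCHEMA], "id": "abf4dd94-a4c0-4f67-89c9-76b03340cb9b",
             "displayName": "test scimv2",
             "members": [{"value": "89bb1940-b905-4575-9e7f-6f887cfb368e",
                          "display": "old.user@okta.local"}]}  # display name constructed
    patch = {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "remove", "path": 'members[value eq "89bb1940-b905-4575-9e7f-6f887cfb368e"]'},
        {"op": "add", "path": "members",
         "value": [{"value": "23a35c27-23d3-4c03-b4c5-6443c09e7173",
                    "display": "test.user@okta.local"}]},
    ]}
    return apply_group_patch(group, patch)
```

Validating the `path` against a fixed pattern, rather than evaluating arbitrary SCIM filter expressions, keeps the attack surface of the membership endpoint small; anything outside the documented shapes is rejected before it touches group data.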