4. SCIM Schema
A collection of attribute definitions
e.g.
{
  "id": "urn:scim:schemas:core:2.0:User",
  "name": "User",
  "description": "Core User",
  "attributes": [
    {
      "name": "id",
      "type": "string",
      "multiValued": false,
      "description": "Unique identifier for the SCIM resource. REQUIRED.",
      "readOnly": true,
      "required": true,
      "caseExact": false
    },
    ...
  ]
}
5. SCIM Schema...
Simple Attribute
e.g. userName – a user's name
Complex Attribute
e.g. name – a collection of firstName, lastName etc.
Multi-valued Attribute
e.g. emails – a collection of all emails
Sub-attribute
e.g. familyName – a user's family name
7. SCIM Data Model
User
Name : Naveen S
UID : naveens
Last Name : Sivashankar
First Name : Naveen
{
  "schemas": ["urn:scim:schemas:core:2.0:User"],
  "id": "45ceb739-1695-4c03-ab18-33ac71e91875",
  "userName": "naveens",
  "displayName": "Naveen S",
  "active": true,
  "name": {
    "familyName": "Sivashankar",
    "givenName": "Naveen Sivashankar"
  },
  "emails": [{"value": "naveens@example.com"}, {"value": "ns@mymail.com"}],
  …
}
8. SCIM Data Model...
e.g. Extended user
User
Enterprise User
Name : Naveen S
UID : naveens
Employee No : 11011
Cost Center : 007
{
  "schemas": ["urn:scim:schemas:core:2.0:User",
              "urn:scim:schemas:extension:enterprise:2.0:User"],
  "id": "45ceb739-1695-4c03-ab18-33ac71e91875",
  "userName": "naveens",
  ...
  "urn:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "11011",
    "costCenter": "007"
    …
  }
}
9. SCIM Data Model...
Group
Name : Administrators
Members : naveens
{
  "schemas": ["urn:scim:schemas:core:2.0:Group"],
  "id": "484fbc39-ae09-427b-896f-d469d28895ad",
  "displayName": "Administrators",
  "members": [
    {
      "value": "45ceb739-1695-4c03-ab18-33ac71e91875",
      "$ref": "http://localhost:8080/v2/Users/45ceb739-1695-4c03-ab18-33ac71e91875",
      "display": "naveens"
    }
  ]
}
11. What Is eSCIMo
An implementation of SCIM v2.0
Supports LDAP as a backend by default
Can work with any LDAP server
Embeddable in ApacheDS
15. How Does It Work?
Attribute mapping
Mapping a simple attribute
e.g.
"id": "45ceb739-1695-4c03-ab18-33ac71e91875"
"userName": "naveens"
<attribute name="id" mappedTo="entryUUID" />
<attribute name="userName" mappedTo="uid" />
16. How Does It Work...
Attribute mapping contd...
Mapping a complex attribute
e.g.
"name": {
  "familyName": "Sivashankar",
  "givenName": "Naveen Sivashankar"
}
<complex-attribute name="name">
  <at-group>
    <attribute name="familyName" mappedTo="sn" />
    <attribute name="givenName" mappedTo="cn" />
  </at-group>
</complex-attribute>
17. How Does It Work...
Attribute mapping contd...
Mapping a multi-valued attribute
e.g. "emails": [{"value": "naveens@example.com"}, {"value": "ns@mymail.com"}]
<multival-attribute name="emails">
  <at-group>
    <attribute name="value" mappedTo="mail" />
  </at-group>
</multival-attribute>
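The three mapping rules above (simple, complex and multi-valued), applied in code: an added Python example, not eSCIMo's own Java implementation. The element and attribute names come from the slides; the `<mapping>` root element, the in-memory LDAP entry and the `ldap_to_scim` function are assumptions, and the entry deliberately carries an unmapped `userPassword` to show that only mapped attributes cross into the SCIM view.

```python
import xml.etree.ElementTree as ET

# Constructed mapping document: element/attribute names follow the slides; the <mapping> root is assumed.
MAPPING_XML = """<mapping>
  <attribute name="id" mappedTo="entryUUID" />
  <attribute name="userName" mappedTo="uid" />
  <complex-attribute name="name">
    <at-group>
      <attribute name="familyName" mappedTo="sn" />
      <attribute name="givenName" mappedTo="cn" />
    </at-group>
  </complex-attribute>
  <multival-attribute name="emails">
    <at-group><attribute name="value" mappedTo="mail" /></at-group>
  </multival-attribute>
</mapping>"""

# Constructed LDAP entry, shaped like a search result (attribute -> list of values).
LDAP_ENTRY = {
    "entryUUID": ["45ceb739-1695-4c03-ab18-33ac71e91875"],
    "uid": ["naveens"],
    "sn": ["Sivashankar"],
    "cn": ["Naveen Sivashankar"],
    "mail": ["naveens@example.com", "ns@mymail.com"],
    "userPassword": ["{SSHA}placeholder"],  # unmapped: must never reach the SCIM view
}

def ldap_to_scim(mapping_xml, entry):
    """Render a SCIM User from an LDAP entry; only mapped attributes are copied."""
    root = ET.fromstring(mapping_xml)
    resource = {"schemas": ["urn:scim:schemas:core:2.0:User"]}
    for node in root:
        name = node.get("name")
        if node.tag == "attribute":  # simple attribute: first LDAP value
            values = entry.get(node.get("mappedTo"), [])
            if values:
                resource[name] = values[0]
        elif node.tag == "complex-attribute":  # sub-attributes from the at-group
            resource[name] = {at.get("name"): entry[at.get("mappedTo")][0]
                              for at in node.iter("attribute")
                              if entry.get(at.get("mappedTo"))}
        elif node.tag == "multival-attribute":  # one object per LDAP value
            at = node.find("at-group/attribute")
            resource[name] = [{at.get("name"): v}
                              for v in entry.get(at.get("mappedTo"), [])]
    return resource
```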
18. How Does It Work...
Attribute mapping contd...
e.g. "groups": [
  {
    "id": "484fbc39-ae09-427b-896f-d469d28895ad",
    "$ref": "http://localhost:8080/v2/Groups/484fbc39-ae09-427b-896f-d469d28895ad",
    "display": "Administrators"
  }
]
"id" - How can we fetch the ID of the member entry?
"$ref" - How do we build a URL dynamically?
19. How Does It Work...
Attribute Handlers
Handler Implementation
public class GroupsAttributeHandler extends LdapAttributeHandler {
    // Resolve the "groups" attribute from LDAP when a User resource is read
    public void read();
    // Apply group membership when a User resource is created or replaced
    public void write();
    // Apply partial (PATCH) membership changes
    public void patch();
}
Handler definition
<handler name="groupsHandler"
         class="org.apache.directory.scim.ldap.handlers.GroupsAttributeHandler" />
Handler mapping
<multival-attribute name="groups" baseDn="ou=system"
                    filter="(uniqueMember=$entryDn)" handlerRef="groupsHandler" />
21. eSCIMo Client
Works with the generated model classes
e.g. Adding a User resource
// Build the User from the generated model classes
User user = new User();
user.setUserName( "naveens" );
user.setDisplayName( "Naveen Sivashankar" );
user.setPassword( "secret" );
// "name" is a complex attribute, so it gets its own model object
Name name = new Name();
name.setFamilyName( "Sivashankar" );
name.setGivenName( "Naveen" );
user.setName( name );
// Send the resource to the server; the result carries the outcome of the call
EscimoResult result = client.addUser( user );