Question regarding SCIM Driver

Dear Forum,

I have never been challenged implementing a SCIM driver before, and I am wondering if someone here would be able to answer a few questions ;-)

1) Is there a kind of Test Application available online or some code I can install to act as an integration endpoint for local testing?

2) I found one Test API, but it does not offer either OAuth 2.0 or basic Authentication, but only a temporary Bearer-Key, to be provided in an Authorization header.

Since the Driver can only be configured for either OAuth 2.0 or basic Authentication, I am wondering if it is possible to configure the driver to use such an authorization header!

3) I assume that all effective SCIM operations are triggered through the operation data "scim-driver-operation-data" prepared by the driver's OTP! Any ordinary XDS event like add, modify, delete will not affect the target app, will it?

I am asking because I am considering deploying the driver in an operative mode which will allow establishing the connection and running queries, but will suppress all write operations.

Kind regards

Thorsten

  • Verified Answer

    +1  

    Hi Thorsten,

    1) Look for sample or mock server implementations on GitHub, e.g. Test Your SCIM Endpoint · AzureAD/SCIMReferenceCode Wiki · GitHub

    2) You can set the driver to OAuth2.0 manual mode and provide a token.

    3) The XDS to SCIM+JSON conversion is always done by the DriverShim. If you don't have the SCIM JSON package installed, the SCIM shim will handle all XDS commands like other shims do. With that package, there is an OTP policy that will ask the Shim (via a query for convertXDSToJSON) to convert XDS to JSON and put that value ($applicationContent) into scim-driver-operation-data. That allows you to post-process the JSON if needed.

    If you don't want to modify the target app, veto add/modify/rename/delete in CTP.

    Norbert
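
A minimal local endpoint for the read-only test discussed in the question and answer above, added here as an illustration (not code from the thread or from the driver): it accepts only an `Authorization: Bearer` header, serves `GET /Users`, and records every non-GET request so you can confirm that the CTP veto kept writes away from the target. The token, port and sample user are constructed placeholders.

```python
import hmac
import json
from wsgiref.simple_server import make_server

EXPECTED_TOKEN = "constructed-test-token"  # assumption: placeholder, not a real credential
USERS = [{"id": "1", "userName": "jdoe"}]  # constructed sample resource
WRITE_ATTEMPTS = []  # every non-GET request that reached this endpoint
ERROR_URN = "urn:ietf:params:scim:api:messages:2.0:Error"
LIST_URN = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def reply(start_response, status, body, extra=()):
    data = json.dumps(body).encode()
    headers = [("Content-Type", "application/scim+json"),
               ("Content-Length", str(len(data)))]
    start_response(status, headers + list(extra))
    return [data]

def error(start_response, status, detail, extra=()):
    body = {"schemas": [ERROR_URN], "status": status[:3], "detail": detail}
    return reply(start_response, status, body, extra)

def scim_app(environ, start_response):
    method = environ["REQUEST_METHOD"]
    path = environ.get("PATH_INFO", "")
    if method != "GET":
        # Record first, so a write that slipped past the veto shows up even unauthenticated.
        WRITE_ATTEMPTS.append((method, path))
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    # Constant-time comparison avoids leaking the token through response timing.
    authorized = scheme.lower() == "bearer" and hmac.compare_digest(
        token.encode(), EXPECTED_TOKEN.encode())
    if not authorized:
        return error(start_response, "401 Unauthorized", "bearer token required",
                     [("WWW-Authenticate", "Bearer")])
    if method != "GET":
        return error(start_response, "405 Method Not Allowed",
                     "read-only test endpoint", [("Allow", "GET")])
    if path.rstrip("/") == "/Users":
        body = {"schemas": [LIST_URN], "totalResults": len(USERS), "Resources": USERS}
        return reply(start_response, "200 OK", body)
    return error(start_response, "404 Not Found", "unknown resource type")

if __name__ == "__main__":
    # Loopback only: this is a test fixture, not something to expose on a network.
    make_server("127.0.0.1", 8080, scim_app).serve_forever()
```

After a test run, an empty `WRITE_ATTEMPTS` list means no add, modify, rename or delete left the driver.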

  • 0   in reply to   

    Hi Norbert,

    Just to be sure that I understand it correctly, the xds2json and json2xds conversion is not necessary with the SCIM driver - the SCIM will handle it, if the JSON package is not added to the driver?

    Thanks,

  • 0 in reply to   

    Hi Norbert,

    Thanks for your fast reply!

    Analyzing the convertXDS2JSON I found, as you wrote, the conversion of the XDS to JSON is really performed by the DriverShim by running a query against the dest-attr convertXDS2JSON, or something.

    I am wondering if the code used for this conversion can be used without running the driver? I am asking because it could be quite useful in other scenarios and especially when running tests with Designer.

    BTW: does the Shim handle JSON2XML conversion as well?

    This is also true for two external functions, which are called from the rs namespace (com.microfocus.nds.dirxml.driver.scim.utils.PolicyUtils). Those are not accessible running a simulation in Designer. Do you know if it is possible to put some additional jar files to one of the Designer directories to allow those functions to be used?

    Cheers

    Thorsten

  • 0   in reply to 

    Hi Thorsten,

    You can add the jar files in question to Designer in Preferences -> NetIQ -> Identity Manager -> Simulator, then it will be possible to use with Simulator.

    I've not done it with the SCIM driver, but for the REST Driver it's RESTCommon.jar you need to add.

  • 0 in reply to   

    Hi Casper,

    thanks for this hint - I simply forgot this option ;-)

    But this possibly only helps with the external functions from the rs namespace!

    It would be even more exciting to use the conversion function/methods provided by the shim. Those are utilized by the driver by an XDS query for a "virtual" attribute! I believe it should be possible to import those classes/methods in an ECMAScript and use this within the driver Policy, without running an XDS query, what do you think?

    Cheers

    Thorsten

  • 0 in reply to   

    Hi Casper,

    your idea was correct, but the jar files belonging to the SCIM driver are not compatible with Designer:

    java.lang.UnsupportedClassVersionError: com/microfocus/nds/dirxml/driver/scim/utils/PolicyUtils has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0

    I am not a Java geek, but I believe this is related to the fact that all drivers are now Java 11 ready, and Designer is still bound to Java 8!

  • 0   in reply to 

    Hi Thorsten,

    Designer is using Java 8. If you take a driver for IDM 4.9, then it's compiled with Java 11 and will not work. You need to take a driver for IDM 4.8 (or earlier).

    Cheers,

    Casper
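
A pre-check for the `UnsupportedClassVersionError` discussed above, added here as an example and not part of the thread: it reads the class-file header of every class in a jar and reports those newer than major version 52 (Java 8). Skipping `module-info.class` and `META-INF/versions/` entries is an assumption based on a Java 8 runtime ignoring them; the sample jar is constructed in memory.

```python
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE
JAVA_8_MAJOR = 52  # 52.0 = Java 8 and 55.0 = Java 11, as in the error message above

def class_major(header):
    """Return the major version from the first 8 bytes of a .class file."""
    if len(header) < 8:
        raise ValueError("truncated class file")
    magic, _minor, major = struct.unpack(">IHH", header[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("not a Java class file")
    return major

def incompatible_classes(jar, max_major=JAVA_8_MAJOR):
    """Map entry name -> major version for classes the runtime cannot load."""
    too_new = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            # Assumption: a Java 8 runtime never loads these, so they are not
            # evidence of incompatibility (multi-release and module metadata).
            if name.startswith("META-INF/versions/") or name.endswith("module-info.class"):
                continue
            with zf.open(name) as fh:
                major = class_major(fh.read(8))
            if major > max_major:
                too_new[name] = major
    return too_new

def constructed_jar(entries):
    """Build an in-memory jar whose classes carry only a header (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, major in entries.items():
            zf.writestr(name, struct.pack(">IHH", CLASS_MAGIC, 0, major))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    sample = constructed_jar({"com/example/Old.class": 52, "com/example/New.class": 55})
    print(incompatible_classes(sample))
```

`incompatible_classes` also accepts a path to a jar on disk, so it can be run against a driver jar before adding it to the Simulator preferences.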

  • 0   in reply to 

    Hi Thorsten,

    convertXDSToJSON is not a simple static method that you could call. Such a conversion needs context (SCIM schema) and a live connection to the connected system to get the current state of the resource to be able to generate modifies via PUT.

    The shim also does the reverse JSON to XML transformation.

    That's the benefit over generic REST. SCIM is properly defined so a shim can do the transformation. The downside is that the SCIM v2 standard is quite complex and every SCIM server has its quirks or implements just parts of the standard. So customization is still needed in many cases.

    Norbert

  • 0 in reply to   

    Hi Casper,

    I used the two jar files provided for the JAVA8 based SCIM driver, but this ended up with another class not found error! 

    It should not be so difficult to use those two functions in a simulation - I bet those are more or less simple functions, which could be provided in an ECMA Script object ;-)

    Cheers 

    Thorsten

  • 0 in reply to   

    Hi Norbert,

    thanks for this information - I believe it would be great to find this in the official documentation, along with an example of how the scim-operation-data should be composed. I believe this is more or less the same structure the REST driver is using, is it not?

    Cheers

    Thorsten