The Aserto SCIM service uses the SCIM 2.0 protocol to import data into the Aserto Directory. While not all features have been implemented yet, it supports the basic operations in order to manage users and groups using the SCIM core schemas.
---
logging:
log_level: info
server:
listen_address: ":8080"
auth:
basic:
enabled: true
username: "scim"
password: "scim"
bearer:
enabled: true
token: "scim"
directory:
address: "localhost:9292"
no_tls: true
scim:
user:
object_type: user
identity_object_type: identity
identity_relation: user#identifier
property_mapping:
enabled: active
source_object_type: scim_user
manager_relation: manager
group:
object_type: group
group_member_relation: member
source_object_type: scim_group
role:
object_type: group
role_relation: member
relations:
- object_id: system
object_type: system
relation: admin
subject_id: admins
subject_type: group
subject_relation: membergo run ./cmd/aserto-scim/main.go run -c ./config.yaml
docker run -p 8080:8080 -v {config directory}:/config:ro ghcr.io/aserto-dev/scim:latest run -c /config/config.yaml
curl -X GET \
'http://127.0.0.1:8080/Users' \
--header 'Accept: */*' \
--header 'Authorization: Bearer scim'
curl -X POST \
'http://127.0.0.1:8080/Users' \
--header 'Accept: */*' \
--header 'Authorization: Bearer scim' \
--header 'Content-Type: application/json' \
--data-raw '{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName": "rsanchez",
"name": {
"givenName": "Rick",
"familyName": "Sanchez"
},
"emails": [{
"primary": true,
"value": "[email protected]",
"type": "work"
}],
"displayName": "Rick Sanchez",
"locale": "en-US",
"groups": [],
"active": true
}'
The create operation will return a user ID, which will be used to identify the user from now on
curl -X 'GET' 'http://127.0.0.1:8080/Users/{user id}'
curl -X GET \
'http://127.0.0.1:8080/Users/rsanchez' \
--header 'Accept: */*' \
--header 'Authorization: Bearer scim'
curl -X 'DELETE' 'http://127.0.0.1:8080/Users/{user id}'
curl -X DELETE \
'http://127.0.0.1:8080/Users/rsanchez' \
--header 'Accept: */*' \
--header 'Authorization: Bearer scim'
curl -X 'PATCH' 'http://127.0.0.1:8080/Users/{user id}'
curl -X PATCH \
'http://127.0.0.1:8080/Users/rsanchez' \
--header 'Accept: */*' \
--header 'Authorization: Bearer scim' \
--header 'Content-Type: application/json' \
--data-raw '{
"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations":[
{"op":"add","path": "nickName","value": "Madman"},
{"op":"add","path": "emails[type eq \"home\"].value","value": "rick@home"}
]}'
curl -X POST \
'http://127.0.0.1:8080/Groups' \
--header 'Accept: */*' \
--header 'Authorization: Bearer scim' \
--header 'Content-Type: application/json' \
--data-raw '{"displayName": "admin"}'
curl -X PATCH \
'http://127.0.0.1:8080/Users/rsanchez' \
--header 'Accept: */*' \
--header 'Authorization: Bearer scim' \
--header 'Content-Type: application/json' \
--data-raw '{
"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations":[
{"op":"add","path": "groups[type eq \"work\"].value","value": "admin"}
]}'
create a relation from an imported group to a user (e.g. giving admin permission to users that are port of an imported group)
relations:
- object_id: system
object_type: system
relation: admin
subject_id: admins
subject_type: group
subject_relation: member
This will create a admin relation with member subject relation between the admins group and the object with id system and type system