SCIM 2.0 API Questions

I am looking for some assistance with SCIM 2.0 APIs. See below.

  1. Can someone confirm which of the below SCIM 2.0 endpoints are supported by the IdentityNow SCIM 2.0 connectors?

SCIM: System for Cross-domain Identity Management (simplecloud.info)

I have been referring to the documentation below, but couldn’t find the above info. Please share if there is any more documentation providing the above details?

Integrating SailPoint with SCIM 2.0

  2. Are Replace and Update both supported by the SCIM 2.0 connector? If yes, what is the difference between the two from an IdentityNow perspective?

Thanks in advance.

Hi,

SCIM 2.0 supports basic operations:

  • Create
  • Read
  • Replace/Update
  • Search
  • Delete

I do not think Bulk is supported.

Whether the connector is supporting Replace or Update (Patch) depends on the configuration: see the usePatch parameter (cf. Additional Settings).

Filtering is supported (cf. Aggregation Settings to define filters and attribute list).

Thanks, please also see the additional queries below:

  1. The documentation below states that:
     “CAUTION: SCIM 2.0 source doesn’t have the default Create Profile. However, SailPoint recommends that you work with Services to define a Create Profile specific to your company’s needs.”

https://documentation.sailpoint.com/connectors/scim_2_0/help/integrating_scim2/provisioning_policy.html

Does this mean that only SailPoint Services can create the “Create Profile”?
Can’t we create the profile using APIs?

  2. Group update from Create User Request:
     Refer to the additional settings documentation: Additional Settings
     It states that "The SCIM 2.0 source now supports modification of groups’ information through the Users endpoint. Add the updateGroupsViaUsers attribute with true as a value to the source XML file using IdentityNow REST API (For example, )."

Does this mean that IdentityNow can add or remove members within the create request, and /Groups need not be called separately?

  3. Additionally, please confirm whether the ETag and Version attributes are optional in the response sent by the SCIM API to the IdentityNow SCIM 2.0 connector? We do not have this clarity in the documentation.
  1. You can create the provisioning policy through the API (cf. SailPoint - Beta SaaS API). If you do not know how to do it, you may need to engage PS.
  2. As explained in the documentation, by default, to update group members, you use the /groups endpoint. Groups are also part of the User object. So if you want to update the groups of a user through the /Users endpoint, you can.
  3. If these headers are not mentioned, it is probably because they are not used.

Thanks Yannick. Will the group update from /Users be enabled by setting the updateGroupsViaUsers attribute to true? Can you please confirm?

In case we keep updateGroupsViaUsers as false, do we need any additional configuration for updating groups using /Groups?

Hi @mandeepsingh,

My answers:

  1. Yes, setting updateGroupsViaUsers to “true” will force the connector to create an update call to the /Users endpoint that contains the group membership that needs to be added or removed (patch operation I believe).
  2. You don’t need to do additional configuration to update groups via the /Groups endpoint. By default, the connector sends a patch operation that updates the /members/value attribute on the group with the users that need to be added/removed.

I do have a follow-up question that I’m still trying to get my head around. Perhaps someone knows the answers: how do I aggregate group memberships from the /groups-endpoint? In my case, our SCIM-server does not save group memberships on the user-object (so the groups-attribute on the user object is empty). The memberships are only stored on the groups-object. I don’t know if this is per SCIM-specification as I couldn’t find it in the specs. But I do know that SailPoint only aggregates the /Users-endpoint during an account aggregation, so how do I retrieve the group memberships? Perhaps @yannick_beot has the answer?

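As an added illustration (not the SailPoint connector’s own code) of the two points above: the SCIM 2.0 PatchOp body that adds and removes entries under members on a /Groups resource, and inverting /Groups results into per-user memberships for the case where the SCIM server stores membership only on the group object. The group documents and user ids are constructed samples.

```python
"""SCIM 2.0 (RFC 7644 section 3.5.2) group-membership PATCH and the inverse
lookup of memberships from /Groups. Example code, not the connector's own."""
import copy

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def build_members_patch(add_ids=(), remove_ids=()):
    """Build the PatchOp body that adds/removes members on a Group resource."""
    ops = []
    if add_ids:
        ops.append({"op": "add", "path": "members",
                    "value": [{"value": uid} for uid in add_ids]})
    for uid in remove_ids:
        if '"' in uid:
            raise ValueError("member id must not contain a double quote")
        # A removal targets one member through a path filter on members.value
        ops.append({"op": "remove", "path": f'members[value eq "{uid}"]'})
    return {"schemas": [PATCH_SCHEMA], "Operations": ops}


def apply_members_patch(group, patch):
    """Apply a members-only PatchOp to a Group (minimal server-side view).

    Returns a new group document; the input is left untouched."""
    if patch.get("schemas") != [PATCH_SCHEMA]:
        raise ValueError("not a SCIM 2.0 PatchOp message")
    g = copy.deepcopy(group)
    members = g.setdefault("members", [])
    prefix = 'members[value eq "'
    for op in patch["Operations"]:
        kind, path = op["op"].lower(), op.get("path", "")
        if kind == "add" and path == "members":
            present = {m["value"] for m in members}  # adding twice is a no-op
            members.extend(m for m in op["value"] if m["value"] not in present)
        elif kind == "remove" and path.startswith(prefix) and path.endswith('"]'):
            uid = path[len(prefix):-2]
            members[:] = [m for m in members if m["value"] != uid]
        else:
            raise ValueError(f"unsupported operation: {op}")
    return g


def memberships_by_user(groups):
    """Invert /Groups results into user id -> sorted group displayNames."""
    out = {}
    for g in groups:
        for m in g.get("members", []):
            out.setdefault(m["value"], set()).add(g["displayName"])
    return {uid: sorted(names) for uid, names in out.items()}
```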

Hi @yannick_beot , @randall_holt

  1. We are unable to grab the HTTP requests (generated by the SCIM API connector), even after following all the steps given in the documentation below:

CCG Enable Debug Log by Connector - Compass (sailpoint.com)

  2. After implementing the above steps, the logs generated become much more detailed and show the logging level as Debug, but the HTTP requests generated by the SCIM 2.0 connector are simply not there. These are vital for us to troubleshoot issues and integrate faster with other systems, so that we can meet timelines in a fast-paced environment.

  3. Below are the current configurations done to grab HTTP requests:
     • Enabled Development Mode on the SCIM2 connector
     • Updated log4j2.properties with the below changes:
       • Enabled Debug mode on the openconnector.connector.scim2 connector
       • Enabled Debug mode on openconnector.connector.scim2.SCIM2Connector

Try the loggers below, they should work. ExecutionMediator should give you the API calls being made.

# log4j2 properties syntax: each logger needs its own identifier (the token after
# "logger."). Reusing one identifier for all four definitions would leave only the
# last one in effect, so each logger below gets a distinct id.

# HTTP client used by the connectors: request/response level detail
logger.connhttp.name = connector.common.http
logger.connhttp.level = debug
logger.connhttp.additivity = false
logger.connhttp.appenderRef.rolling.ref = STDOUT

# Web services SDK shared by the SCIM 2.0 connector
logger.sdkws.name = connector.sdk.webservices
logger.sdkws.level = debug
logger.sdkws.additivity = false
logger.sdkws.appenderRef.rolling.ref = STDOUT

# ExecutionMediator at trace: shows the individual API calls being made
logger.execmed.name = connector.sdk.webservices.ExecutionMediator
logger.execmed.level = trace
logger.execmed.additivity = false
logger.execmed.appenderRef.rolling.ref = STDOUT

# Web services connector v2 package
logger.wsv2.name = sailpoint.connector.webservices.v2
logger.wsv2.level = debug
logger.wsv2.additivity = false
logger.wsv2.appenderRef.rolling.ref = STDOUT