tutorial:dev:scim_user_role

SCIM module - Creating a user with group assigned

SCIM module was added in CzechIdM 8.1.0.

The aim of this tutorial is to create a new group (~ IdM role), a user (~ IdM identity) with contract (~ IdM identity contract). Then assign him a group (~IdM identity role).

  • We need to install CzechIdM 8.1.0 (and higher). In the example below, we use localhost:8080 as url on which the CzechIdM run.
  • We need to install Scim module into CzechIdM.
  • Create an identity, which has permission to create and read reports. We are using the default admin:admin identity.

Note: Swagger can be used in the example.

Only userName attribute is required for creating a user:

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Basic YWRtaW46YWRtaW4=' -d '{ 
    "schemas": [ 
      "urn:ietf:params:scim:schemas:core:2.0:User" 
     ],
     "userName": "scimOne"
 }' 'http://localhost:8080/idm/api/v1/scim/Users'

Default contract is created automatically for new user (if default contract is enabled by configuration).

Created contracts for user can be found:

curl -X GET --header 'Accept: application/json' --header 'Authorization: Basic YWRtaW46YWRtaW4=' 'http://localhost:8080/idm/api/v1/scim/Users/scimOne/Contracts'

But if we want to create new contract:

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Basic YWRtaW46YWRtaW4=' -d '{ 
 "schemas": [ 
     "urn:ietf:params:scim:schemas:CzechIdM:8.1:Contract" 
   ], 
 "user": "scimOne", 
 "position": "test" 
 }' 'http://localhost:8080/idm/api/v1/scim/Contracts'

We will use returned contract id attribute in next requests.

Now we have user and contract. Now we will create new role with this role assigned to user's contract. We can create and assing role with one request:

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Basic YWRtaW46YWRtaW4=' -d '{ 
       "schemas": [ 
         "urn:ietf:params:scim:schemas:core:2.0:Group" 
       ], 
 "displayName": "roleScimOne", 
 "members": [{ 
 "$ref": "/Users/scimOne/Contracts/5ea857ff-2ec1-4c29-813b-c0d37fc23065" 
 } 
 ] 
 }' 'http://localhost:8080/idm/api/v1/scim/Groups'
Congratulations, you can see from response, group is assigned to given user.