Use the SCIM Interface to Integrate Oracle Identity Cloud Service with Custom Applications

This section provides answers to the following questions to help you understand how to use the SCIM interface to integrate Oracle Identity Cloud Service with custom applications:

Topics:

• Why Integrate with Custom Applications?

• What Is SCIM?

• Why Use SCIM?

• How Do You Use the Generic SCIM App Template?

• Does Your Custom Application Have a SCIM-based Interface?

• How Do You Develop a Custom SCIM Gateway?

Why Integrate with Custom Applications?

Let's say that you want to integrate your applications with Oracle Identity Cloud Service. Your applications are homegrown or aren’t listed in the App Catalog, and an AD Bridge or Provisioning Bridge can’t be used as a link between your applications and Oracle Identity Cloud Service.

A custom application is an application where the App Catalog or a bridge can’t be used to integrate it with Oracle Identity Cloud Service. By integrating your custom applications with Oracle Identity Cloud Service, from one centralized cloud service, you can provide SSO capabilities for your applications, and provision and synchronize your users between the applications and Oracle Identity Cloud Service.

The App Catalog has thousands of applications that integrate with Oracle Identity Cloud Service. For most applications, Oracle Identity Cloud Service provides single sign-on (SSO) and user provisioning capabilities. User provisioning is not only giving users initial access to these applications, but also managing the complete lifecycle of the relationship that the users have with the applications.

What Is SCIM?

In the past, it was common that applications used to have their own user management APIs. Because the APIs for each application behave in a certain way, the developer had to understand the APIs specific to each application to build integrations for the applications.

To integrate your custom applications with Oracle Identity Cloud Service, Oracle recommends that you use the System for Cross-domain Identity Management (SCIM). SCIM provides developers with an abstraction layer. If APIs for the applications are exposed through SCIM, then developers don't have to learn the APIs associated with each application because the JSON format of the APIs is common across all applications.

In addition to SCIM being an open specification that standardizes user and group management across applications, it allows for the automation of user and group provisioning. You can provision and synchronize data for your users and groups across multiple applications.

With SCIM, you can define HTTP endpoints to create, read, update, and delete resources for entities such as users and groups. You can also use SCIM to extend the schemas for your company’s users and groups. The SCIM specification defines a minimum set of attributes for the user schema, but this schema can be extended.

For example, suppose you need to provision the Employee ID custom attribute from the Oracle Identity Cloud Service user schema to your custom application. You can extend the default user schema, add this attribute, and map it between Oracle Identity Cloud Service and your application. The user schema in Oracle Identity Cloud Service can now adhere to the attributes associated with your custom application's identity store.

The SCIM specification also defines security for any request that you make using HTTP endpoints. Security is defined by using a secure (HTTPS) protocol to establish communication between the endpoints and the applications with which you’re integrating, and requiring an authorization token that's used to access the request and perform the operations associated with it.

Use the following table to learn more about the SCIM specification:

Item	URL
Core schema	https://tools.ietf.org/html/rfc7643
Protocol	https://tools.ietf.org/html/rfc7644
Definitions, overview, concepts, and requirements	https://tools.ietf.org/html/rfc7642

Why Use SCIM?

If you look at how integrations used to be built, developers had to understand the APIs exposed for each application. There was no consistency regarding how to represent an identity in these applications.

By using SCIM, there's now a common standard of how you represent an identity in every application. Because all applications comply with the SCIM format, there's a harmonious flow in terms of how these identities are represented. This makes it easier for an identity management cloud service such as Oracle Identity Cloud Service to integrate with these applications.

Having a common standard for representing identities in applications improves developers' work efficiency and productivity because developers don't have to spend time to learn the APIs for each application. From a corporate standpoint, the time it takes to develop an integration from an identity system to the application will be reduced significantly. You can now run automations for the integration because there's a standard in terms of how you represent an identity and how you integrate with that identity.

By exposing your custom application's identity store with a SCIM-based interface, you avoid having to develop a custom connector between your application and Oracle Identity Cloud Service. This can be time-consuming, costly, and can lead to heavy maintenance in a future upgrade.

SCIM automates the user identity lifecycle management process and increases the security of data associated with your company’s users and groups.

As your company grows, your users and groups increase. Through the day-to-day operations of your company, you may experience situations such as employee turnover or the memberships that your users have with your company’s groups may change. Your company’s user accounts, groups, and group memberships increase significantly.

Because SCIM is a standard, your company’s user and group data is stored in a consistent way and can be communicated as such across different apps (including your custom apps). You can automate the provisioning and deprovisioning process and have Oracle Identity Cloud Service function as a single point to manage permissions and group memberships. By transferring your company’s user and group data automatically, you mitigate the risk of inadvertent errors.

By implementing SCIM, you improve your company’s security. Through SSO, your company's employees no longer have to sign on to each of their accounts individually. You can ensure security policy compliance for your users and their access to your company's applications.

When your employees are terminated or leave your company, you want your company's offboarding process to be consistent. This way, there's no chance that your company's administrators will forget to deprovision user accounts for applications that contain sensitive data. With SCIM, when users depart from your company, your administrators can terminate the accounts in Oracle Identity Cloud Service, and have peace of mind because these accounts will also be suspended or deleted in your SCIM-enabled apps.

How Do You Use the Generic SCIM App Template?

In the App Catalog, there are thousands of applications that integrate with Oracle Identity Cloud Service. You may have your applications running on your premises or in the cloud, or you may be building your applications in different infrastructure systems such as Amazon Web Services or Oracle Cloud Infrastructure.

Oracle Identity Cloud Service has to provide not only integrations with the applications that are listed in the App Catalog, but also tools so that you can build integrations for your custom applications without developing code.

With the Generic SCIM App Template, you can configure your custom applications so that the SCIM APIs are exposed, and you don't have to develop a single line of code. All that's required is to go to the App Catalog and search for a SCIM-managed app template. To use this template, you only have to provide your endpoint URL and the details that Oracle Identity Cloud Service requires to connect to your application, and then map the attributes between your application and Oracle Identity Cloud Service.

With the Generic SCIM App Template, you can provision or synchronize users between your custom applications and Oracle Identity Cloud Service.

Description of the illustration scim-app-template-architeture.png

In this diagram, the Generic SCIM App Template has been configured to enable Oracle Identity Cloud Service to communicate with a custom application that has a SCIM-based interface. This interface uses REST API endpoints to provision and synchronize users between Oracle Identity Cloud Service and the custom application.

Before You Begin

Before you begin to use the Generic SCIM App Template:

• Get access to an instance of Oracle Identity Cloud Service.

• Make sure that you have the appropriate permissions to register applications and to manage security components in the Identity Cloud Service console.

• Ensure that there’s HTTP(S) communication between Oracle Identity Cloud Service and the SCIM-based interface for your custom application.

• Make sure that you have a basic knowledge of the SCIM specification.

Assign Administrator Roles to Your User Account

Although you have access to an instance of Oracle Identity Cloud Service, you must be assigned to the following administrator roles in Oracle Identity Cloud Service to use the Generic SCIM App Template in the Identity Cloud Service console:

• Security administrator: To configure the security aspects of your Oracle Identity Cloud Service instance.

• Application administrator: To add a custom application and use the Generic SCIM App Template.

To assign these administrator roles to your user account:

1. Sign in to Oracle Identity Cloud Service with the credentials of your user account.
2. In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then click Administrators.
3. Expand the node for the Security Administrator role.
4. Click Add, select the check box for your user account, and then click OK.
5. Repeat steps 3 and 4 to assign the application administrator role to your user account.

Does Your Custom Application Have a SCIM-based Interface?

In this section, you learn what to do, based on whether your custom application has a SCIM-based interface.

If your custom application has this interface, then you can configure the Generic SCIM App Template to provision Oracle Identity Cloud Service users with your application. See Configure the Generic SCIM App Template.

If your custom application doesn't have this interface, then you can develop a custom SCIM gateway to act as the interface between Oracle Identity Cloud Service and your custom application. See How Do You Develop a Custom SCIM Gateway?

Configure the Generic SCIM App Template

In this section, you add an application using the Generic SCIM App Template, enable and configure connectivity for provisioning for your application, configure the application’s attribute mappings for provisioning, select the provisioning operations for your application, enable and configure synchronization for your application, and test your application to verify that users are provisioned to it.

Add an Application Using the Generic SCIM App Template

In this section, you use the Generic SCIM App Template to add an application.

1. In the Identity Cloud Service console, expand the Navigation Drawer, click Applications, click Add, and then select App Catalog.
2. In the Type of Integration section, click Provisioning, chose one of the following templates, and then click Add:
   • GenericScim - Basic: A Generic SCIM Template for SCIM interfaces that support basic authentication.
   • GenericScim - Bearer Token: A Generic SCIM Template for SCIM interfaces that support JWT tokens submitted as an authorization bearer.
   • GenericScim - Client Credentials: A Generic SCIM Template for SCIM interfaces that support client credentials for authentication.
   • GenericScim - Resource Owner Password: A Generic SCIM Template for SCIM interfaces that support the resource owner grant type.
3. In the Details pane of the corresponding template page, provide a name and description for your application, and then click Next.
4. In the Provisioning pane, click Finish. An instance of your application is created with five tabs: Details, Provisioning, Import, Users, and Groups.
   In the next section, you’ll use the Provisioning tab to enable and configure connectivity for provisioning for your application.

Enable and Configure Connectivity for Provisioning for Your Application

In this section, you enable provisioning for your application and provide connectivity information for it. Oracle Identity Cloud Service uses this information to connect to your application's SCIM REST API endpoint for provisioning purposes.

1. Click the Provisioning tab.
2. Turn on the Enable Provisioning switch.
3. In the Confirmation window, click OK.
4. Use the following table to populate the fields of the Configure Connectivity section of the Provisioning tab.

   Parameter	Description and Value Information	Additional Information
   Host Name	The host name of your application's SCIM REST API endpoints. If the SCIM interface's URL is https://api.example.com/scimgate/Users, then the host name is api.example.com.	This parameter appears in the UI for all Generic SCIM App Templates.
   Base URI	The base relative URL of your application's SCIM REST API. For example, if the SCIM interface's URL is https://api.example.com/scimgate/Users, then the Base URI is /scimgate.	This parameter appears in the UI for all Generic SCIM App Templates.
   Administrator Username	The administrator's user name for your API authentication service. This value is sent as part of the body message of each request to your application's SCIM REST API. Format: Plain text.	This parameter appears in the UI for the GenericScim - Basic and GenericScim - Resource Owner Password templates.
   Administrator Password	The administrator's password for your API authentication service. This value is sent as part of the body message of each request to your application's SCIM REST API. Format: Plain text.	This parameter appears in the UI for the GenericScim - Basic and GenericScim - Resource Owner Password templates.
   HTTP Operation Types	By default, the template request uses the PATCH HTTP operation for any user's update operation. If your SCIM interface uses the PUT HTTP operation for user attribute updates, then use this field as per the example below. Example: __ACCOUNT__.Update=PUT	This parameter appears in the UI for all Generic SCIM App Templates.
   Access Token	The value of the access token to be used by the template when communicating with your application's SCIM REST API. Format: Plain text.	This parameter appears in the UI for the GenericScim - Bearer Token template.
   Client Id	The client ID for your API authentication service. Format: Plain text.	This parameter appears in the UI for the GenericScim - Client Credentials and GenericScim - Resource Owner Password templates.
   Client Secret	The client secret for your API authentication service. Format: Plain text.	This parameter appears in the UI for the GenericScim - Client Credentials and GenericScim - Resource Owner Password templates.
   Scope	The scope for your application. Example: https://www.example.com/auth/adm.direct.group https://www.example.com/auth/admin.direct.user	This parameter appears in the UI for the GenericScim - Client Credentials and GenericScim - Resource Owner Password templates.
   Authentication Server Url	The URL of your authentication service. Example: https://api.example.com/oauth2/v1/token	This parameter appears in the UI for the GenericScim - Client Credentials and GenericScim - Resource Owner Password templates.
   Custom Authentication Headers	Used to send additional static header values to your API authentication service. Example: Basic authorization base64encodedusernamepassword	This parameter appears in the UI for the GenericScim - Client Credentials and GenericScim - Resource Owner Password templates.
   Connection Timeout	How long (in milliseconds) Oracle Identity Cloud Service will wait to establish communication with your application's SCIM REST API. Format: Plain text.	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   Socket Timeout	How long (in milliseconds) Oracle Identity Cloud Service will wait to receive data from your application's SCIM REST API. Format: Plain text.	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   Port Number	The port number of your application's SCIM REST API endpoints. The default port number for this parameter is 443. For example, if the URL is https//api.example.com:6355/scimgate/Users, then set the port number value to 6355.	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   SSL Enabled	If your application's SCIM REST API endpoints don’t require SSL, then set the value of this parameter to false. Default value: true	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   JSON Resource Tag	The name of the attribute used in JSON messages when your application's SCIM REST API returns multiple resources. The default value is Resources. For example, if the response message of the user for the GET operation is: { "users": [ {user1}, {user2} ] } then change the value to users.	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   UID Attributes	The mapping between the __UID__ (guid) internal attribute and your application's SCIM attribute for user and group object classes. Default value: ["Users=id", "Groups=id"]	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   Name Attributes	The mapping between the __NAME__ internal attribute and your application's SCIM attribute for user and group object classes. Default value: ["Users=userName", "Groups=displayName"]	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   Status Attributes	The mapping between the __ENABLE__ (status) internal attribute and your application's SCIM attribute for the user object class. Default value: Users=active	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   Password Attributes	Your application's SCIM REST API attribute that corresponds to the user's password. This is used for masking the password attribute in the log files. Default value: Users=password	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   Date Attributes	The list of date attributes available for your application's SCIM REST API. Example: Users=meta.lastModified,joiningDate	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   Date Format	The date-and-time format of the date attributes available for your application's SCIM REST API. Example: MMM d, yyyy h:mm:ss a z	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   Content Type	The content-type header that your application's SCIM REST API expects Oracle Identity Cloud Service to send as a header HTTP request. Default value: application/scim+json	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   Accept Type	The content-type header that is expected as an HTTP response from your application's SCIM REST API. Default value: application/scim+json	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   Custom Headers	Used to send additional static header values to the SCIM REST API endpoints of your application. Format: <headerName1>=<value>,<headerName2>=<value>	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   SCIM Version	The version of your application's SCIM REST API. Default value:13. The range for this attribute varies from 1 to 19.	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   OClass Mapping	Used to map an attribute of one object class to an attribute of another object class. For example, if the groups attribute of the __ACCOUNT__ object class must be mapped to the __GROUP__ object class, then enter __ACCOUNT__.groups=__GROUP__.	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   Default Batch Size	The default page or batch size for the GET operation. Default value: 200	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.
   Managed Object Classes	The classification type of the schemas that your application must manage. Default value: ["Users", "Groups"]	You can’t update the value for this parameter in the UI. To update this parameter value, use Oracle Identity Cloud Service’s REST APIs.

5. After populating the fields accordingly, click Test Connectivity to verify whether Oracle Identity Cloud Service can communicate with your application's SCIM REST API endpoints.

   If a successful connection can be established, then a Connection successful. message appears.

   If you receive an error message, check the values that you provided, and then click Test Connectivity again. If the problem persists, then contact your system administrator.

   Before testing, you can save the application and use Oracle Identity Cloud Service REST APIs to update the parameter values that don’t appear in the UI. After updating the parameter values, open the application again using the Identity Cloud Service console, and then click Test Connectivity.

Configure Attribute Mappings for Provisioning

You can change the default attributes mapped between Oracle Identity Cloud Service and your application's SCIM REST API.

1. In the Provisioning tab of your application page, scroll to the Configure Attribute Mapping section, and then click Attribute Mapping. The Attribute Mapping window appears, and shows the default attribute mappings.
2. In the Attribute Mapping window, add, modify, or remove attribute mappings, according to your application's SCIM user schema.
3. Click OK.

Select Provisioning Operations

You can select which provisioning operations are supported by your application's SCIM REST APIs.

1. In the Provisioning tab of your application page, scroll to the Select Provisioning Operations section.
2. Select the following operations:

   • Authoritative Sync: If you enable this operation, then your application will become an authoritative source for Oracle Identity Cloud Service. Users in the application will be synchronized into Oracle Identity Cloud Service. If you select this operation, then the other provisioning operations will be deactivated.

   • Create Account: If a user is assigned to your application in Oracle Identity Cloud Service, then an account will be created for the user in the application.

   • Update Account: If an administrator edits the values of the provisioning form for a user who is assigned to your application, then these changes will be propagated to the application.

   • De-activate Account: If an administrator activates or deactivates a user who is assigned to your application, then this change will be propagated to the application.

   • Delete Account: If a user is removed from your application in Oracle Identity Cloud Service, then the user's account will be removed from the application.

Enable and Configure Synchronization for Your Application

By enabling and configuring synchronization for your application, Oracle Identity Cloud Service can synchronize user accounts from your application and match these accounts to corresponding Oracle Identity Cloud Service users.

1. Turn on the Enable Synchronization switch.
2. If you want Oracle Identity Cloud Service to communicate with your application's SCIM REST API to synchronize groups from the application into Oracle Identity Cloud Service as application roles, then click Refresh Application Data. Otherwise, go to the next step.
3. Use the following table to populate the fields of the Configure Synchronization section of the Provisioning tab.

   Parameter	Description and Value Information
   User Identifier	The Oracle Identity Cloud Service user attribute that matches user accounts synchronized from the application with users in Oracle Identity Cloud Service.
   Application Identifier	The user attribute of your application's SCIM REST API that matches user accounts synchronized from the application with users in Oracle Identity Cloud Service.
   When exact match is found	Use the values in this menu to control whether Oracle Identity Cloud Service or an application administrator confirms any user accounts that are synchronized from the application into Oracle Identity Cloud Service. Values are: Link and confirm: Link the synchronized user accounts to corresponding Oracle Identity Cloud Service users automatically. Link but do no confirm: Link the synchronized user accounts to corresponding Oracle Identity Cloud Service users, but application administrators need to confirm the linking operation in the Import tab manually.
   Max. number of creates	The value that you enter in this field represents the maximum number of user accounts that are created in Oracle Identity Cloud Service from the application. If you don't want to limit how many user accounts are created, then leave this field blank.
   Max. number of deletes	The value that you enter in this field represents the maximum number of user accounts that are deleted in Oracle Identity Cloud Service after these accounts are deleted from the application. If you don't want to limit how many user accounts are deleted, then leave this field blank.
   Synchronization schedule	Specify how often (in hours, days, or weeks) synchronization happens between the application and Oracle Identity Cloud Service automatically. If you want to synchronize the user accounts manually, then select Never.

4. Click Finish.

Test the Provisioning Operations You Selected

After you use the Generic SCIM App Template to configure your application, you must test the provisioning operations you selected to verify that they are operable.

1. In the Applications page, select and activate your application, and then click it to open the Details tab.
2. Click the Users tab, and then click Assign.
3. In the Assign Users window, choose a user, and then click Assign.
4. In the Assign Application window, populate any form fields needed to provision a user account to your application, and then click Save. Oracle Identity Cloud Service starts the provisioning operation to create a user account in your application.
5. Verify that the user account has been created in your application.
6. In the Users tab, deactivate the user, activate the user again, and remove the user from your application. Each change you make is reflected in the user account for your application.
7. Click the Import tab, and then click Import.

   Oracle Identity Cloud Service communicates with your application's SCIM REST API to get a list of all user accounts. Oracle Identity Cloud Service tries to match each user account with an existing user in Oracle Identity Cloud Service. If a user exists, then the user is assigned to your application. If the user doesn't exist, then you can perform one of the following actions manually:

   • Assign Existing User: Assign the user account to any user in Oracle Identity Cloud Service.

   • Create New User and Link: Add a new user to Oracle Identity Cloud Service, and then assign the user account to this newly created user.

How Do You Develop a Custom SCIM Gateway?

If your custom application doesn't provide a SCIM-based interface, then you can develop a custom SCIM gateway to act as the interface between Oracle Identity Cloud Service and your custom application. This gateway exposes your application's identity store as SCIM-based REST APIs, and then you can use the Generic SCIM App Template to integrate Oracle Identity Cloud Service with your application for provisioning or synchronization purposes.

Before developing your custom SCIM gateway, if you're a new developer who isn’t familiar with the SCIM standard, then you must first understand the SCIM protocol. Then, see which identity attributes are available for your custom application and model them as SCIM-based attributes. Next, utilize open-standard libraries to expose your custom application’s APIs as SCIM APIs. Last, familiarize yourself with the create, read, update, and delete (CRUD) operations that you want your custom SCIM gateway to perform.

Supported Operations

User is a type of resource in the SCIM specification. To manage this resource, the SCIM gateway must expose REST API endpoints to enable operations such as creating, searching for, updating, and deleting users. The HTTP request for the operation that you want to perform and the HTTP response from that operation must be in a JSON format.

You can implement the following user operations:

User Operation	Description	HTTP Operation	HTTP Endpoint
Create a User	Create a user account in your custom application.	POST	https://app.example.com/scimgate/Users
Search Users	Obtain a list of all users with their attributes that are in your custom application.	GET	https://app.example.com/scimgate/Users
Search a User	Retrieve information about a specific user and their attributes in your custom application.	GET	https://app.example.com/scimgate/Users/<id>
Update a User Attribute	Update an attribute value of a user account in your custom application.	PUT	https://app.example.com/scimgate/Users/<id>
Delete a User	Remove a user account from your custom application.	DELETE	https://app.example.com/scimgate/Users/<id>

How Do You Secure the Custom SCIM Gateway?

Because you don't want unauthorized users or clients to access your custom SCIM gateway, you must secure it. To do this, use an authorization token to protect the HTTP(S) endpoints of your gateway. This token will validate the user or client to allow them to make appropriate HTTP calls to the gateway endpoints. If the token isn't present or is invalid, then the endpoints will return a 401 HTTP response code because Oracle Identity Cloud Service isn't authorized to access the endpoints.

Oracle Identity Cloud Service uses the administrator's user name and password, which are configured when you register your custom application, to request an access token from the custom SCIM gateway. Oracle Identity Cloud Service can then use this token to access the gateway endpoints as an authorization bearer header.

Sample Implementation of a Custom SCIM Gateway

Oracle provides a sample Node.js application that conforms to SCIM specifications, and which you can use to develop a custom SCIM gateway to integrate it with your custom application.

This custom gateway exposes HTTP endpoints to enable operations such as creating, searching for, updating, and deleting users. The custom gateway stores information about the users locally in the db.json file. This file has the JSON format.

Description of the illustration sample-app-architecture.png

The sample application uses express and body-parser packages. The server.js file implements a route for users' endpoints:

"...
var express = require('express')
var app = express()
var bodyParser = require('body-parser');
app.use(bodyParser.json());
var config = require('./config.js');
..."

The routes/users.js file defines the SCIM REST API endpoints, and maps each endpoint to the corresponding JavaScript function:

"...
//Get operation for /Users endpoint
app.get('/scimgate/Users', users.findAll);

//Get operation for /Users/:id endpoint
app.get('/scimgate/Users/:id', users.findOne);

//Put operation for /Users endpoint
app.post('/scimgate/Users', users.create);

//Put operation for /Users endpoint
app.put('/scimgate/Users/:id', users.update);

//Delete operation for /Users endpoint
app.delete('/scimgate/Users/:id', users.delete);
..."

The user.controller.js file implements JavaScript functions to create, read, update, and delete users in the local user store, represented by the userdb.json file:

"...
exports.findAll = function(req, res){
console.log('Entering findAll function.');
...
};

exports.findOne = function(req, res) {
console.log('Entering findOne function.');
...
};

exports.create = function(req, res){ console.log('Entering create function.');
...
};

exports.update = function(req, res){
console.log('Entering update function.');
...
};

exports.delete = function(req, res){ console.log('Entering delete function.');
...
};

..."

The userdb.json file contains an array of users, and the structure of each user entry follows the SCIM specification standard, using a subset of the user attributes:

{
  "resources": [
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "1",
      "externalId": "1",
      "userName": "user1@example.com",
      "name": {
        "formatted": "User 1 Name",
        "familyName": "Name",
        "givenName": "User 1"
      },
      "displayName": "User 1 DisplayName",
      "active": true,
      "password": "User1Password",
      "emails": [
        {
          "value": "user1@example.com",
          "type": "work",
          "primary": true
        }
      ]
    }
  ]
}

To authorize the client to make HTTP requests, the sample SCIM gateway application makes use of two environment variables that you must set before running the application: ADMINUSER and ADMINPASS. These variables represent the administrator's user name and password for your API authentication service. You provide values for these variables by setting up the run.sh shell script for Unix or Mac environments, or the run.bat batch script for Windows environments.

Oracle Identity Cloud Service sends these administrative credentials in the form of an authorization header for all requests to authenticate the administrator’s credentials, and then accesses the custom SCIM gateway using the basic grant type.

You can modify the sample application's source code and implement other types of authentication methods to match your requirements.

You can also change the sample application's source code so that instead of contacting the local user store (represented by the userdb.json file), the new sample application contacts your application's identity store to create, read, update, and delete users.

Configure and Run the Custom SCIM Gateway Sample Application

In this section, you configure and run the custom SCIM gateway sample application to work with the GenericScim - Basic template.

1. Edit the run script file in the root folder of the sample SCIM gateway application, update the ADMINUSER and ADMINPASS values, and then save the file.

   If you're running the sample application in a Unix or Mac environment, then use the run.sh script. If you're using Windows, then use run.bat.

2. Open a command prompt or terminal, navigate to the root folder of the sample application, execute the run script by typing the name of the file, and then press Enter to start the sample application. You'll see log information that will help you to understand what the sample application is doing.
   Make sure the hostname of this sample application is reachable through the Internet so that Oracle Identity Cloud Service can contact the application.

Register the Custom SCIM Gateway Application

In this section, you register the custom SCIM gateway sample application with Oracle Identity Cloud Service.

1. In the Identity Cloud Service console, expand the Navigation Drawer, click Applications, click Add, and then select App Catalog.
2. In the Type of Integration section, click Provisioning, locate the GenericScim - Basic template, and then click Add.
3. In the Details pane of the GenericScim - Basic page, enter SCIM Gateway Application for both the name and description of your application, and then click Next.
4. In the Provisioning pane, turn on the Enable Provisioning switch.
5. In the Confirmation window, click OK.
6. Use the following table to populate the fields of the Configure Connectivity section of the Provisioning tab.

   Parameter	Value
   Host Name	Enter the host name of your application.
   Base URI	/scimgate
   Administrator Username	admin
   Administrator Password	Enter the administrator's password you have set in the run script of the sample application.
   HTTP Operation Types	__ACCOUNT__.Update=PUT

   For more information about the fields of the Configure Connectivity section, see the table in Enable and Configure Connectivity for Provisioning for Your Application.

7. Click Finish to save the application.

If you deploy and run the sample application in a non-HTTPS server or a server which doesn't contain a valid certificate, then you may need to use Oracle Identity Cloud Service's REST API to change the SSLEnabled parameter to false. If the server doesn't listen to the default HTTP(s) port numner, then change the Port parameter to the corresponding port number your application runs. After you update these parameters you can test connectivity between the application and Oracle Identity Cloud Service, and then activate the application.

Use REST APIs to Update the Custom SCIM Gateway Application

In this section, you use Oracle Identity Cloud Service REST APIs to update the port, and sslEnabled parameters of the custom SCIM gateway application.

1. Use a client credential application in Oracle Identity Cloud Service to acquire an access token. If a client credential application hasn’t been created in your environment, then add one.
2. Use the access token as an authorization bearer to execute a GET request to the following endpoint: https://yourtenant.identity.oraclecloud.com/admin/v1/Apps?filter=displayName co "SCIM Gateway Application"
   The JSON response contains an ID value for this application.
3. Use the ID value and the access token from the previous steps to execute a PATCH request to the following endpoint: https://yourtenant.identity.oraclecloud.com/admin/v1/Apps/”ID”
   Replace the ID value with the ID value of your application, set the Content-type header to application/json, and provide the following content for the body:

   {
     "schemas": [
       "urn:ietf:params:scim:api:messages:2.0:PatchOp"
     ],
     "Operations": [
        {
         "op": "replace",
         "path": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:bundleConfigurationProperties[name eq \"sslEnabled"].value",
         "value": [ "false"]
       },
        {
         "op": "replace",
         "path": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:bundleConfigurationProperties[name eq \"port\"].value",
         "value": [ "6355"]
       }
     ]
   }

4. In the Identity Cloud Service console, expand the Navigation Drawer, click Applications, and then select SCIM Gateway Application.
5. In the Provisioning pane, click Test Connectivity to verify that a connection can be established between Oracle Identity Cloud Service and your custom SCIM gateway application.
6. Click Finish, and then click Activate to activate the application.

Test Your Custom SCIM Gateway Sample Application

Test your custom SCIM gateway sample application by provisioning Oracle Identity Cloud Service users with it.

1. In the Applications page, select your application, and then click it to open the Users tab.
2. In the Users tab, click Assign.
3. In the Assign Users window, choose a user, and then click Assign.
4. In the Assign Application window, populate the Username, Full Name, Family Name, Given Name, Display Name, and Primary Email form fields with values, and then click Save.
5. In the Assign Users window, click OK.
   Oracle Identity Cloud Service creates a user account in the userdb.json file of your application.
6. Open the userdb.json file and verify that a user account has been created. Then, close the file.
7. In the Users tab, click the Action menu to the right of the user, and then select Deactivate.
8. After one minute, open the userdb.json file and verify that the corresponding user account has a false value for the active attribute. Then, close the file.
9. In the Users tab, click the Action menu to the right of the user, and then select Activate.
10. After one minute, open the userdb.json file and verify that the corresponding user account has a true value for the active attribute. Then, close the file.
11. In the Users tab, select the user, and then click Revoke.
12. In the Confirmation window, click OK.
13. After the Confirmation window closes, open the userdb.json file and verify that the corresponding user account has been removed. Then, close the file.