
scim 2 0 setup

Martin Vanbrabant edited this page Jan 17, 2019 · 1 revision

Setting up a SCIM 2.0 client

SCIM is an identity management protocol over HTTP(S). We can use it to manage users on the Gluu Server, i.e. create, update and delete users.

This guide shows how to use Gluu Federation's SCIM Client, a Java client library.

1 Preparations

SCIM support must be enabled on the server before we can use it. We also have to look at the server configuration to collect the properties and files that the client will need later on.

1.1 Enable SCIM support on the server

See SCIM Support in the Gluu configuration page.

1.2 Get the RP Client ID

The Gluu server has a SCIM Requesting Party Client enabled by default. We will use it to identify our application.

It can be found in OpenID Connect -> Clients.

[Screenshot: the SCIM client listed under OpenID Connect -> Clients]

The ID is the client's iNum. Note it down for later; the client application will use it.

1.3 Copy the JSON Web Key Set (JWKS) to the client machine

The Java client uses a JWKS for encryption. It is stored as a Java keystore (JKS) coupled to the SCIM RP Client. The default password of the keystore is 'secret'.

Copy the keystore (cp, or scp from another machine) to a new, safe location that the client application can read, on the machine where it runs. On the Gluu server it is located at /opt/gluu-server-${version}/install/community-edition-setup/output/scim-rp.jks. It is a good idea to append the server name and/or version to the destination filename, e.g. scim-rp-honegger-3.0.1.jks, and to restrict the file's permissions to the user running the client, since the keystore holds the client's key material.

Remember the new location for later; the client application will use it.

1.4 Get the server's SSL certificate

The Java client needs the domain's CA certificate in the JRE's keystore, so on the client machine. Perform the following steps (replace server names and JDK paths with the ones applicable to your situation):

To obtain the certificate, ask the server administrator for it, export it from your browser, or fetch it with openssl (Linux / macOS / Git Bash):

$ echo -n | openssl s_client -connect honegger.elis.ugent.be:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/tcblsso-honegger.crt

Then add it to the certificate keystore (cacerts) of the JRE or JDK that the client will use:

$ sudo /usr/lib/jvm/java-8-openjdk-amd64/bin/keytool -importcert -alias tcblsso-honegger -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -file /tmp/tcblsso-honegger.crt

The default password for the cacerts keystore is 'changeit'.

If you want to check that it is there:

$ /usr/lib/jvm/java-8-openjdk-amd64/bin/keytool -list -v -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts | grep 'tcblsso'

To update the certificate, delete the old entry and then repeat the import steps with the new one. To delete:

$ sudo /usr/lib/jvm/java-8-openjdk-amd64/bin/keytool -delete -alias tcblsso-honegger -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
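The four manual steps above (fetch, import, check, delete for an update) fit in one script. The following is an added example written for this page; it is not part of the wiki or of the Gluu project. It assumes the same host, alias and JDK path as the commands above (all overridable through environment variables) and a placeholder EXPECTED_SHA256 that you fill in with the certificate fingerprint obtained out of band, for instance from the server administrator. Two things differ from the manual steps: -showcerts is passed so the whole chain is captured, not only the server certificate that s_client prints by default, and the import only proceeds when the leaf certificate's SHA-256 fingerprint matches the expected value, so a connection intercepted on first contact is not silently trusted. An existing entry under the alias is deleted before the new one is imported, which covers the update case from the text.

```shell
#!/bin/sh
# Added example (not from the wiki page or the Gluu project): capture a server's
# TLS certificate chain, pin-check the leaf, and (re)import it into the JRE cacerts.
set -eu

HOST="${HOST:-honegger.elis.ugent.be}"                     # server from the wiki page
ALIAS="${ALIAS:-tcblsso-honegger}"                          # alias from the wiki page
JAVA_HOME="${JAVA_HOME:-/usr/lib/jvm/java-8-openjdk-amd64}" # JDK path from the wiki page
STOREPASS="${STOREPASS:-changeit}"                          # default cacerts password
# Placeholder: the SHA-256 fingerprint obtained out of band, in openssl's
# colon-separated uppercase hex form. The default never matches, so the script fails closed.
EXPECTED_SHA256="${EXPECTED_SHA256:-FILL:IN:OUT:OF:BAND}"

# Print every PEM certificate block found on stdin (s_client -showcerts output),
# and nothing else. Same sed range as the wiki command, applied to the whole chain.
extract_pem_certs() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Count the certificate blocks in a PEM bundle read from stdin.
count_pem_certs() {
    grep -c -- '-BEGIN CERTIFICATE-' || true
}

# Keep only the first block: s_client prints the server (leaf) certificate first.
first_pem_cert() {
    extract_pem_certs | sed -e '/-END CERTIFICATE-/q'
}

# Resolve the cacerts path for Java 8 (jre/lib/security) or Java 9+ (lib/security).
cacerts_path() {
    if [ -f "$1/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$1/jre/lib/security/cacerts"
    elif [ -f "$1/lib/security/cacerts" ]; then
        printf '%s\n' "$1/lib/security/cacerts"
    else
        return 1
    fi
}

# SHA-256 fingerprint of a PEM certificate file, in openssl's AA:BB:... form.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed -e 's/^.*=//'
}

import_server_cert() {
    work="$(mktemp -d)"; chain="$work/chain.pem"; leaf="$work/leaf.pem"

    # 1. Capture the chain (the wiki command plus SNI and -showcerts).
    printf '' | openssl s_client -connect "$HOST:443" -servername "$HOST" -showcerts 2>/dev/null \
        | extract_pem_certs > "$chain"
    first_pem_cert < "$chain" > "$leaf"
    echo "captured $(count_pem_certs < "$chain") certificate(s) from $HOST"

    # 2. Pin check: refuse to trust a certificate whose fingerprint was not confirmed out of band.
    actual="$(cert_sha256 "$leaf")"
    if [ "$actual" != "$EXPECTED_SHA256" ]; then
        echo "fingerprint mismatch: got $actual, expected $EXPECTED_SHA256" >&2
        return 1
    fi

    # 3. (Re)import: remove a stale entry under the same alias first, then import.
    cacerts="$(cacerts_path "$JAVA_HOME")"
    keytool="$JAVA_HOME/bin/keytool"
    if "$keytool" -list -keystore "$cacerts" -storepass "$STOREPASS" -alias "$ALIAS" >/dev/null 2>&1; then
        "$keytool" -delete -alias "$ALIAS" -keystore "$cacerts" -storepass "$STOREPASS"
    fi
    "$keytool" -importcert -noprompt -alias "$ALIAS" -keystore "$cacerts" \
        -storepass "$STOREPASS" -file "$leaf"

    # 4. Verify the entry is present (same check as the wiki's keytool -list step).
    "$keytool" -list -keystore "$cacerts" -storepass "$STOREPASS" -alias "$ALIAS"
    rm -rf "$work"
}

# Only act when RUN_IMPORT=1, so the file can also be sourced for its functions.
if [ "${RUN_IMPORT:-0}" = "1" ]; then
    import_server_cert
fi
```

Run it as `sudo env RUN_IMPORT=1 EXPECTED_SHA256='AB:CD:...' sh import-server-cert.sh` (sudo because cacerts is normally root-owned, and `env` because sudo drops the caller's environment). Without RUN_IMPORT the file only defines the functions.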

2 Setting up the client application

2.1 Prerequisites

  • Java 8 JDK or higher.
  • Maven 3 or higher, to build the project.
  • Git, of course.

2.2 Maven setup

Make sure your pom.xml includes the following configuration. Note that Maven 3.8.1 and later refuse plain http:// repositories by default (the maven-default-http-blocker mirror), so prefer an https:// URL for the repository where one is available:

<properties>
    <scim.client.version>3.0.1</scim.client.version>  <!-- Version of the Gluu SCIM client. Best the same as the server! -->
</properties>
...
<repositories>
    ...
    <repository>
        <id>gluu</id>
        <name>Gluu repository</name>
        <url>http://ox.gluu.org/maven</url>
    </repository>
</repositories>
...
<dependencies>
    ...
    <!-- Gluu SCIM client -->
    <dependency>
        <groupId>gluu.scim.client</groupId>
        <artifactId>SCIM-Client</artifactId>
        <version>${scim.client.version}</version>
    </dependency>
</dependencies>

2.3 Properties file

Now we create a properties file that configures the client. It is recommended to create one file per server.

Here is an example; let's call it client-honegger.properties. The comments refer to the sections of this page.

# the domain of the identity provider server
domain = https\://honegger.elis.ugent.be/identity/seam/resource/restv1

# url to UMA config.
umaMetaDataUrl = https\://honegger.elis.ugent.be/.well-known/uma-configuration

# the client ID (see 1.2 RP Client ID)
umaAatClientId = @!9F63.6CBE.72FE.B419!0001!1029.EDB8!0008!5896.06A2

# key store of client (see 1.3 JWKS)
umaAatClientJksPath = /home/ghaesen/projects/TCBL/config/scim-rp-honegger.jks

# password of the key store (this is the default)
umaAatClientJksPassword = secret

# key id (not used apparently)
umaAatClientKeyId =
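Before the Java client is started, the properties file can be sanity-checked from the shell so that a misconfiguration fails early with a clear message. The script below is an added example written for this page; it is not part of the wiki or of the Gluu project. It reads keys from a Java .properties file (handling the https\: escaping shown above), requires that every key except umaAatClientKeyId is set, that domain and umaMetaDataUrl are https:// URLs, that the client ID carries the @! prefix of a Gluu iNum, and that the keystore file exists and is not world-readable, since it holds the client's key material. The optional check_keystore_password function needs keytool on the PATH and confirms that the configured password really opens the keystore. The function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page or the Gluu project): preflight checks for a
# SCIM client properties file such as client-honegger.properties.
set -eu

# Read one key from a Java .properties file: "key = value" (or "key: value") with optional
# spaces, trailing whitespace dropped, and backslash escapes such as https\: unescaped.
prop_get() {
    sed -ne "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" \
        | head -n 1 | sed -e 's/[[:space:]]*$//' -e 's/\\\(.\)/\1/g'
}

# Validate the file: prints one line per finding and returns 1 if anything is wrong.
check_props() {
    file="$1"; ok=0
    # Every key from the wiki example except umaAatClientKeyId (which the page says is unused).
    for key in domain umaMetaDataUrl umaAatClientId umaAatClientJksPath umaAatClientJksPassword; do
        if [ -z "$(prop_get "$file" "$key")" ]; then
            echo "missing or empty: $key"; ok=1
        fi
    done
    # Both endpoints must be reached over TLS, otherwise the token exchange travels in clear.
    for key in domain umaMetaDataUrl; do
        val="$(prop_get "$file" "$key")"
        case "$val" in
            https://*) ;;
            *) echo "$key must be an https:// URL, got: $val"; ok=1 ;;
        esac
    done
    # Gluu iNums start with "@!", as in the wiki example.
    case "$(prop_get "$file" umaAatClientId)" in
        @!*) ;;
        *) echo "umaAatClientId does not look like a Gluu iNum (@!...)"; ok=1 ;;
    esac
    jks="$(prop_get "$file" umaAatClientJksPath)"
    if [ -n "$jks" ] && [ ! -r "$jks" ]; then
        echo "keystore not readable: $jks"; ok=1
    fi
    # Column 8 of ls -l is the "other: read" bit; the keystore must not be world-readable.
    if [ -n "$jks" ] && [ -r "$jks" ] && [ "$(ls -l "$jks" | cut -c8)" = "r" ]; then
        echo "keystore $jks is world-readable; chmod 600 it"; ok=1
    fi
    return $ok
}

# Optional: confirm the password actually opens the keystore (needs keytool on the PATH).
check_keystore_password() {
    keytool -list -keystore "$(prop_get "$1" umaAatClientJksPath)" \
            -storepass "$(prop_get "$1" umaAatClientJksPassword)" >/dev/null
}
```

Source the file and run `check_props client-honegger.properties && check_keystore_password client-honegger.properties` before starting the client; a non-zero exit means at least one finding was printed.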

2.4 Ready!

All you have to do now is write code :)

For an example, see TestScimClient.java. It uses the same properties file.
