Identity as a Service (IDaaS) allows administrators to synchronize accounts to an application by using the System for Cross-domain Identity Management (SCIM) protocol. In the synchronization process, IDaaS serves as the SCIM client, and the application serves as the SCIM server.
The SCIM protocol standardizes data sharing principles and API definitions between identity systems. This enhances the interoperability between identity systems.
Configuration
On the Provisioning tab of the application management page, administrators can set the Push Mode parameter to SCIM Protocol. This way, accounts can be synchronized to a SCIM-enabled application by using SCIM.
The method for configuring SCIM-based account synchronization is similar to that for configuring the event callback-based shortcut mode. You need to determine the organization nodes to be synchronized, and then configure the client parameters of SCIM.
The following table describes the parameters involved.
| Parameter | Description |
| --- | --- |
| Outbound IP Address | Add the outbound IP address of IDaaS to the whitelist of your application to ensure that IDaaS requests can be received as expected. |
| SCIM Base URL | Specify the base URL of the endpoint that receives SCIM-based synchronization requests. For example, set the SCIM Base URL parameter to https://scim.aliyun.com for RAM. |
| Grant Type | The API authentication method may vary based on the SCIM client. You can set the Grant Type parameter to OAuth 2.0 Client Credentials or Bearer Token Mode based on the SCIM client. For example, RAM supports OAuth 2.0 Client Credentials to authenticate SCIM requests. The following figure shows the configuration example. |
| Operation | Administrators can subscribe to the change events that they want to follow to receive instant push notifications. When a change occurs in IDaaS, IDaaS automatically synchronizes the change to the application. |
| Field Mapping | This parameter displays the field mappings involved in SCIM-based synchronization. |
After you save the configuration, we recommend that you click Test Connectivity to check whether the configuration is correct.
You can click Push Now to synchronize all accounts in the specified synchronization scope to the application based on your business requirements.
Notices
You can synchronize only accounts to an application by using SCIM. You cannot synchronize groups or organizations to an application by using SCIM.
Field values in RAM are not case-sensitive. When you synchronize accounts to RAM or CloudSSO by using SCIM, the values of the account fields are converted to lowercase before the accounts are synchronized. This prevents data conflicts.