SCIM API
Info
The SCIM API is still under development: not all endpoints are available yet, and not all information is released in the targeted format at the moment.
What is SCIM
SCIM (System for Cross-domain Identity Management) is an open standard for user account and group management across different cloud services. Although SCIM describes possibilities for account creation, update and deletion, Helmholtz ID supports only the lookup of user information. The lookup is limited to the /Me endpoint.
How does the SCIM API work
To request the user information, an OAuth2 token of the user must be sent to the SCIM endpoint. The token must be sent in the HTTP basic auth header. The token itself must have been requested with dedicated scopes that authorize the SCIM request.
The dedicated scopes are:
- sys:scim:read_profile: requests all user attributes, except the dedicated group attributes
- sys:scim:read_memberships: requests the dedicated group membership attributes
The response is a JSON document containing the user information, or an error message if an error occurred.
Which endpoints are available
Info
The Groups endpoint is still under development.
Helmholtz ID offers the /Me and the /Groups endpoint. The /Me endpoint returns the user information. The /Groups endpoint returns the virtual organisations (VOs) where the user is a member, and all their members, without additional information.
The URLs of the endpoints are:
- Production Me endpoint: https://login.helmholtz.de/scim/Me
- Production Groups endpoint: https://login.helmholtz.de/scim/Groups
- Development Me endpoint: https://login-dev.helmholtz.de/scim/Me
- Development Groups endpoint: https://login-dev.helmholtz.de/scim/Groups
Which schemas are supported
At the moment the following schemas are supported:
- urn:ietf:params:scim:schemas:core:2.0:User
- urn:ietf:params:scim:schemas:core:2.0:Group
- urn:geant:aarc-community:scim:schemas:core:1.0:User
According to these schemas the following attributes are released:
urn:ietf:params:scim:schemas:core:2.0:User
<NAMESPACE>=urn:ietf:params:scim:schemas:core:2.0:User
| Attribute | SCIM Mapping |
|---|---|
| Subject Identifier | id |
| Display Name | <NAMESPACE>:name.formatted |
| Display Name | <NAMESPACE>:displayname |
| Given Name | <NAMESPACE>:name.givenName |
| Family Name | <NAMESPACE>:name.familyName |
| Email | <NAMESPACE>:emails.value |
| Group information | <NAMESPACE>:entitlements.values |
| Resource Capabilities | <NAMESPACE>:entitlements.value |
urn:ietf:params:scim:schemas:core:2.0:Group
<NAMESPACE>=urn:ietf:params:scim:schemas:core:2.0:Group
| Attribute | SCIM Mapping |
|---|---|
| Group identifier | id |
| Display Name | displayName |
| List of members | members |
At the moment it is not possible to release the groups in the same format as the entitlements attribute. Please follow this table (TBD) for the mapping of the groups.
urn:geant:aarc-community:scim:schemas:core:1.0:User
<NAMESPACE>=urn:geant:aarc-community:scim:schemas:core:1.0:User
| Attribute | SCIM Mapping |
|---|---|
| Subject Identifier | <NAMESPACE>:voPersonId |
| Display Name | <NAMESPACE>:displayname |
| Given Name | <NAMESPACE>:name.givenName |
| Family Name | <NAMESPACE>:name.familyName |
| Email | <NAMESPACE>:email |
| Affiliation | <NAMESPACE>:voPersonScopedAffiliation.value |
| Affiliation | <NAMESPACE>:voPersonExternalAffiliations.value |
| Assurance | <NAMESPACE>:assurance.value |
| Group information | <NAMESPACE>:entitlements.values |
| Resource Capabilities | <NAMESPACE>:entitlements.value |
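As an added example (not code from the Helmholtz ID project), a small Python parser for the JSON answer of the /Me endpoint: it checks the declared schemas, reads the core and AARC attributes listed in the tables above, and turns a SCIM error document into an exception. It assumes the standard SCIM 2.0 layout for extension attributes (nested under the schema URN) and the standard error schema URN from RFC 7644; the sample documents are constructed.

```python
import json
from typing import Any
# Schema URNs from this page; the error URN is the standard SCIM 2.0 one (RFC 7644).
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
AARC_USER = "urn:geant:aarc-community:scim:schemas:core:1.0:User"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

class ScimError(Exception):
    """Raised when /Me answers with a SCIM error document instead of a User."""

def parse_me_response(body: str) -> dict[str, Any]:
    """Flatten a /Me JSON body into a dict; only attributes whose schema URN is declared are read."""
    doc = json.loads(body)
    schemas = set(doc.get("schemas", []))
    if SCIM_ERROR in schemas:
        raise ScimError(f"{doc.get('status')}: {doc.get('detail')}")
    if CORE_USER not in schemas or "id" not in doc:
        raise ScimError("response is not a core 2.0 User document")
    name = doc.get("name", {})
    user: dict[str, Any] = {
        "id": doc["id"],
        "display_name": doc.get("displayName") or name.get("formatted"),
        "given_name": name.get("givenName"),
        "family_name": name.get("familyName"),
        "emails": [e["value"] for e in doc.get("emails", [])],
        # Group information / resource capabilities; expected to be empty
        # unless the token carried sys:scim:read_memberships.
        "entitlements": [e["value"] for e in doc.get("entitlements", [])],
    }
    # Assumption: extension attributes sit under their URN key (SCIM 2.0 layout).
    ext = doc.get(AARC_USER, {}) if AARC_USER in schemas else {}
    user["vo_person_id"] = ext.get("voPersonId")
    user["assurance"] = [a["value"] for a in ext.get("assurance", [])]
    user["affiliations"] = [a["value"] for a in ext.get("voPersonScopedAffiliation", [])]
    return user

# Constructed sample documents, not real Helmholtz ID output.
SAMPLE_ME = json.dumps({
    "schemas": [CORE_USER, AARC_USER],
    "id": "00000000-0000-4000-8000-000000000000",
    "displayName": "Example User",
    "name": {"givenName": "Example", "familyName": "User", "formatted": "Example User"},
    "emails": [{"value": "example.user@example.org", "primary": True}],
    "entitlements": [{"value": "urn:geant:example.org:group:example-vo#idp.example.org"}],
    AARC_USER: {"voPersonId": "00000000-0000-4000-8000-000000000000@idp.example.org",
                "assurance": [{"value": "https://refeds.org/assurance/IAP/medium"}],
                "voPersonScopedAffiliation": [{"value": "member@example.org"}]},
})
SAMPLE_ERROR = json.dumps({"schemas": [SCIM_ERROR], "status": "401", "detail": "invalid token"})
```

A document that omits the AARC schema URN yields empty extension fields rather than values read from an undeclared key.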
Need help?
Contact us if you need help.