Simple Cloud Identity Management, now System for Cross-domain Identity Management (SCIM), provides an LDAP alternative for provisioning and managing users and groups, and for syncing users and groups with an upstream identity provider. Using the SCIM schema and API, you can use Single Sign-on (SSO) services across various tools.
Prior to Docker Enterprise 3.0, when deactivating a user or changing a user’s group membership association in the identity provider, these events were not synchronized with MKE (the service provider). You were required to manually change the status and group membership of the user, and possibly revoke the client bundle. SCIM implementation allows proactive synchronization with MKE and eliminates this manual intervention.
Docker’s SCIM implementation utilizes SCIM version 2.0.
Navigate to Admin Settings -> Authentication and Authorization. By default, docker-datacenter is the organization to which the SCIM team belongs. Enter the API token in the UI or have MKE generate a UUID for you.
The base URL for all SCIM API calls is https://<Host IP>/enzi/v0/scim/v2/. All SCIM methods are exposed as API endpoints relative to this base URL.
Bearer Auth is the API authentication method. When configured, SCIM API endpoints are accessed with the following HTTP header: Authorization: Bearer <token>. Treat this token like any other credential: it grants the caller the ability to create, deactivate and regroup MKE users.
Note: The following table maps SCIM and SAML attributes to the user attribute fields that Docker uses.
MKE | SAML | SCIM
---|---|---
Account name | nameID in response | userName
Account full name | attribute value in fullname assertion | user's name.formatted
Team group link name | attribute value in member-of assertion | group's displayName
Team name | N/A | when creating a team, use group's displayName + _SCIM
For user GET and POST operations, filtering is supported only on the userName attribute with the eq operator, for example `filter=userName eq "john"`. The operator is case-insensitive (RFC 7644), so `Eq` and `eq` are equivalent. Filter values are quoted strings; if the value comes from untrusted input, escape embedded double quotes and backslashes so it cannot terminate the literal and widen the filter.
Returns a list of SCIM users, 200 users per page by default. Use the startIndex and count query parameters to paginate long lists of users. For example, to retrieve the first 20 users, set startIndex to 1 and count to 20:

```http
GET {Host IP}/enzi/v0/scim/v2/Users?startIndex=1&count=20
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8
```
The response to the previous query returns paging metadata similar to the following:

```json
{
  "totalResults": 100,
  "itemsPerPage": 20,
  "startIndex": 1,
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "Resources": [{
    ...
  }]
}
```
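The following is an added example, not code from the page or from MKE, that builds the Users list URL with a safely quoted userName filter and walks the startIndex/count pagination described above until totalResults is reached. The base URL and headers are the ones the page gives; `fake_fetch` and `FAKE_USERS` are a constructed stand-in for the MKE endpoint so the code runs offline, and the 45-user data set is invented.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Base URL from the page; <Host IP> is the placeholder the page uses.
BASE_URL = "https://<Host IP>/enzi/v0/scim/v2"
LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def scim_quote(value):
    """Quote a filter value as a SCIM (JSON-style) string literal.

    Backslash and double quote are escaped so a caller-supplied name such as
    john" or userName pr or x="  cannot close the literal and widen the filter
    to match every user.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def users_url(user_name=None, start_index=1, count=20):
    """URL for GET /Users with an optional userName filter and paging parameters."""
    params = {"startIndex": start_index, "count": count}
    if user_name is not None:
        params["filter"] = "userName eq " + scim_quote(user_name)
    return f"{BASE_URL}/Users?{urlencode(params)}"


def scim_headers(token):
    """Headers the page specifies: SCIM media type plus bearer auth."""
    return {"Accept": "application/scim+json", "Authorization": f"Bearer {token}"}


def list_all_users(fetch, page_size=20):
    """Collect every user by walking startIndex/count over ListResponse pages.

    `fetch(url)` returns the decoded JSON body; in real use it would send the
    request with scim_headers(). Stops on the last page, and also on an empty
    page so a server that returns fewer rows than totalResults cannot loop forever.
    """
    start, users = 1, []
    while True:
        page = fetch(users_url(start_index=start, count=page_size))
        if LIST_RESPONSE_SCHEMA not in page.get("schemas", []):
            raise ValueError("response is not a SCIM ListResponse")
        batch = page.get("Resources", [])
        users.extend(batch)
        start += len(batch)
        if not batch or start > page["totalResults"]:
            return users


# Constructed stand-in for the MKE endpoint (not real output): 45 users served in pages.
FAKE_USERS = [{"id": f"u{i}", "userName": f"user{i}", "active": True} for i in range(1, 46)]


def fake_fetch(url):
    """Serve FAKE_USERS in the shape of the page's ListResponse example."""
    q = parse_qs(urlparse(url).query)
    start = int(q.get("startIndex", ["1"])[0])
    count = int(q.get("count", ["200"])[0])
    batch = FAKE_USERS[start - 1:start - 1 + count]
    return {"schemas": [LIST_RESPONSE_SCHEMA], "totalResults": len(FAKE_USERS),
            "startIndex": start, "itemsPerPage": len(batch), "Resources": batch}
```

To run against a real MKE instance, replace `fake_fetch` with a function that issues the GET with `scim_headers(token)` over TLS and returns the parsed body; the pagination logic does not change.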
Retrieves a single user resource. The value of {id} in the path must be the user's ID. To look a user up by name instead, use the userName filter on the Users collection.

```http
GET {Host IP}/enzi/v0/scim/v2/Users/{id}
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8
```
Creates a user. The request body must include the userName attribute and at least one email address.

```http
POST {Host IP}/enzi/v0/scim/v2/Users
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8
```
Updates a user's active status. Inactive users can be reactivated by specifying "active": true. Active users can be deactivated by specifying "active": false. The value of {id} in the path must be the user's ID.

```http
PATCH {Host IP}/enzi/v0/scim/v2/Users/{id}
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8
```
Updates existing user information with PUT. All attribute values are overwritten, including attributes for which empty values or no values were provided. If a previously set attribute is left blank during a PUT operation, the stored value becomes blank in accordance with the attribute's data type and the storage provider. The value of {id} in the path must be the user's ID. Because of this, send the user's complete current representation with the changes applied rather than just the changed fields, or use PATCH for a single attribute such as active.
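As an added example (not code from the page or from MKE), the following assembles the deactivation PATCH described above and shows the PUT footgun: a body that carries only the changed fields wipes every attribute it omits, so the safe pattern is to merge the change into the resource the server currently holds. The page does not show the PATCH body MKE expects, so the RFC 7644 PatchOp form used here is an assumption; `CURRENT_USER` is a constructed sample, not real MKE output.

```python
import json
from urllib.parse import quote

BASE_URL = "https://<Host IP>/enzi/v0/scim/v2"   # base URL from the page
PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def set_active_patch(active):
    """Body for PATCH /Users/{id} that touches only `active`.
    Assumption: MKE accepts the RFC 7644 PatchOp form; the page only names the attribute."""
    return {"schemas": [PATCH_OP_SCHEMA],
            "Operations": [{"op": "replace", "value": {"active": active}}]}


def patch_request(user_id, active, token):
    """Full deactivation/reactivation request as method, URL, headers and JSON body."""
    return {
        "method": "PATCH",
        # Percent-encode the id so a crafted value cannot add path segments.
        "url": f"{BASE_URL}/Users/{quote(user_id, safe='')}",
        "headers": {"Accept": "application/scim+json",
                    "Content-Type": "application/scim+json",
                    "Authorization": f"Bearer {token}"},
        "body": json.dumps(set_active_patch(active)),
    }


def merged_put_body(current, changes):
    """Build a PUT body from the server's current representation plus `changes`.
    PUT overwrites every attribute, so anything omitted is blanked; starting from the
    current resource keeps name, emails and the rest intact. Read-only `meta` is dropped."""
    body = json.loads(json.dumps(current))      # deep copy, the caller's dict is untouched
    body.pop("meta", None)
    body.setdefault("schemas", [USER_SCHEMA])
    body.update(changes)
    return body


def blanked_by_naive_put(current, naive_body):
    """Attributes a PUT with `naive_body` would wipe: set now but absent from the body."""
    return sorted(k for k in current
                  if k not in naive_body and k not in ("meta", "id", "schemas"))


# Constructed sample of what GET /Users/{id} might return (not real MKE output).
CURRENT_USER = {
    "schemas": [USER_SCHEMA],
    "id": "2819c223",
    "userName": "john",
    "name": {"formatted": "John Doe"},
    "emails": [{"value": "john@example.com", "primary": True}],
    "active": True,
    "meta": {"resourceType": "User", "location": f"{BASE_URL}/Users/2819c223"},
}
```

Before sending a PUT, `blanked_by_naive_put` tells you which attributes the body would erase; for the sample user a body of just userName and active would erase emails and name, which is why `merged_put_body` starts from the current resource.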
For group GET and POST operations:
Retrieves information for a single group. The value of {id} in the path must be the group's ID. (The group endpoints live under the same v2 base URL as the user endpoints.)

```http
GET {Host IP}/enzi/v0/scim/v2/Groups/{id}
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8
```
Returns a paginated list of groups, ten groups per page by default. Use the startIndex and count query parameters to paginate long lists of groups.

```http
GET {Host IP}/enzi/v0/scim/v2/Groups?startIndex=4&count=500 HTTP/1.1
Host: example.com
Accept: application/scim+json
Authorization: Bearer h480djs93hd8
```
Creates a new group. Users can be added to the group during group creation by supplying user ID values in the members array.
Updates an existing group resource with PATCH, allowing individual users (or sets of users) to be added to or removed from the group in a single operation. Add is the default operation. Setting the operation attribute of a member object to delete removes that member from the group.
Updates an existing group resource with PUT, overwriting all values for the group even if an attribute is empty or not provided. PUT replaces all members of a group with the members provided in the members attribute. If a previously set attribute is left blank during a PUT operation, the new value is set to blank in accordance with the data type of the attribute and the storage provider.
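As an added example, not code from the page or from MKE, the following builds the group membership bodies the two preceding paragraphs describe: a PATCH that adds members (add being the default operation), a PATCH that removes members by setting operation to delete, and a PUT body that removes some members without silently dropping the rest, since PUT replaces the whole members list. The exact wire form of the member objects is an assumption based on the page's description, and `CURRENT_GROUP` is a constructed sample.

```python
import json

GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"


def add_members_patch(user_ids):
    """PATCH body adding members. Add is the default, so no operation attribute is set.
    Assumption: member objects are {"value": <user id>} as the page's wording suggests."""
    return {"schemas": [GROUP_SCHEMA], "members": [{"value": uid} for uid in user_ids]}


def remove_members_patch(user_ids):
    """PATCH body removing members by marking each member object with operation delete."""
    return {"schemas": [GROUP_SCHEMA],
            "members": [{"value": uid, "operation": "delete"} for uid in user_ids]}


def put_body_removing(current_group, user_ids_to_remove):
    """PUT body that drops `user_ids_to_remove` but keeps everyone else.
    PUT replaces the entire members list, so the body must carry the full remaining set."""
    remove = set(user_ids_to_remove)
    body = json.loads(json.dumps(current_group))   # deep copy, input left unmodified
    body.pop("meta", None)
    body["members"] = [m for m in current_group.get("members", []) if m["value"] not in remove]
    return body


def diff_membership(current_group, put_body):
    """(added, removed) user ids a PUT with `put_body` would produce; review before sending."""
    now = {m["value"] for m in current_group.get("members", [])}
    after = {m["value"] for m in put_body.get("members", [])}
    return after - now, now - after


# Constructed sample of what GET /Groups/{id} might return (not real MKE output).
CURRENT_GROUP = {
    "schemas": [GROUP_SCHEMA],
    "id": "g1",
    "displayName": "ops",
    "members": [{"value": "u1"}, {"value": "u2"}, {"value": "u3"}],
    "meta": {"resourceType": "Group"},
}
```

`diff_membership` is the check worth running before any PUT to a group: a body assembled from a partial view of the group (for example only the newly added user) shows up as a removal of every existing member.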
SCIM defines three endpoints, each retrieved with HTTP GET, for discovering a service provider's features and schema:

/ResourceTypes discovers the resource types available on the SCIM service provider, for example Users and Groups. Each resource type defines its endpoint, the core schema URI that defines the resource, and any supported schema extensions.

/Schemas retrieves information about all resource schemas supported by the SCIM service provider.

/ServiceProviderConfig returns a JSON structure that describes the SCIM specification features available on the service provider, using a schemas attribute of urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig.
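As an added example (not code from the page or from MKE), the following parses the two discovery documents a client should read before relying on features: the ServiceProviderConfig, to learn whether PATCH, filtering and bearer-token auth are advertised and what the page size cap is, and the ResourceTypes list, to learn the endpoint for each resource. The schema and attribute names are the RFC 7643/7644 ones; `SAMPLE_CONFIG` and `SAMPLE_RESOURCE_TYPES` are constructed documents, not what MKE actually returns.

```python
SPC_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def capabilities(config):
    """Summarise a ServiceProviderConfig so a client can gate its behaviour,
    e.g. fall back from PATCH to a merged PUT when patch.supported is false."""
    if SPC_SCHEMA not in config.get("schemas", []):
        raise ValueError("not a ServiceProviderConfig document")

    def supported(feature):
        return bool(config.get(feature, {}).get("supported", False))

    return {
        "patch": supported("patch"),
        "bulk": supported("bulk"),
        "filter": supported("filter"),
        "sort": supported("sort"),
        "etag": supported("etag"),
        "changePassword": supported("changePassword"),
        "maxResults": config.get("filter", {}).get("maxResults"),
        "authenticationSchemes": [s.get("type") for s in config.get("authenticationSchemes", [])],
    }


def bearer_supported(config):
    """True when the provider advertises the OAuth bearer scheme the page uses
    (RFC 7643 authenticationSchemes type value "oauthbearertoken")."""
    return "oauthbearertoken" in capabilities(config)["authenticationSchemes"]


def endpoints(resource_types):
    """Map resource type name to endpoint from a GET /ResourceTypes ListResponse."""
    if LIST_RESPONSE_SCHEMA not in resource_types.get("schemas", []):
        raise ValueError("not a ListResponse")
    return {rt["name"]: rt["endpoint"] for rt in resource_types.get("Resources", [])}


# Constructed sample documents (not real MKE responses).
SAMPLE_CONFIG = {
    "schemas": [SPC_SCHEMA],
    "patch": {"supported": True},
    "bulk": {"supported": False, "maxOperations": 0, "maxPayloadSize": 0},
    "filter": {"supported": True, "maxResults": 200},
    "changePassword": {"supported": False},
    "sort": {"supported": False},
    "etag": {"supported": False},
    "authenticationSchemes": [{"type": "oauthbearertoken", "name": "OAuth Bearer Token",
                               "description": "Authentication scheme using the OAuth Bearer Token Standard"}],
}

SAMPLE_RESOURCE_TYPES = {
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 2,
    "Resources": [
        {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"], "id": "User",
         "name": "User", "endpoint": "/Users",
         "schema": "urn:ietf:params:scim:schemas:core:2.0:User"},
        {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"], "id": "Group",
         "name": "Group", "endpoint": "/Groups",
         "schema": "urn:ietf:params:scim:schemas:core:2.0:Group"},
    ],
}
```

In practice, fetch both documents once at client start-up with the same bearer header as the other calls and fail closed if `bearer_supported` is false or the endpoints you intend to use are not listed.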