![[8.5.5.8 or later]](../ng_v8558.gif)
This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.
Configuring SCIM for user and group member management
You can configure the scim-1.0 feature in the server.xml file to enable user and group member management. System for Cross-domain Identity Management (SCIM) defines REST APIs to create, retrieve, update, and delete (CRUD) users and groups. Calls are made through a systems management REST WAB. The local calls will be HTTP over localhost through Web API only; no java APIs for local calls.
Procedure
Adding the scim-1.0 feature in the
server.xml file enables SCIM functions. But to complete
the configuration, you must also perform the following configuration
steps:
- SSL Configuration: The REST services are protected and can be accessed only on the HTTPS port. For more information about how to complete the SSL configuration, see Enabling SSL communication in Liberty.
- Configuration of Federation Registry: The SCIM functions is only supported by the Federation Registry. To quickly set up a federation registry by using LDAP, see Configuring LDAP user registries in Liberty.
- Configuration of an administrator role: The REST services are only
accessible by an administrator, so a user needs to be configured with an
administrator role. For more information about mapping the administrator
role to Liberty, see Mapping the administrator role for Liberty.Note: For configuration of the administrator role for SCIM, you cannot use the Quick Start Registry.
- Configuration of HTTPS port (optional): The HTTP end point must be configured. For more information about the httpEndpoint feature element configuration, see the httpEndpoint section in Admin Center.
<server description="server1">
<!-- Enable features -->
<featureManager>
<feature>appSecurity-2.0</feature>
<feature>servlet-3.0</feature>
<feature>ldapRegistry-3.0</feature>
<feature>scim-1.0</feature>
<feature>ssl-1.0</feature>
</featureManager>
<httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9090">
<tcpOptions soReuseAddr="true" />
</httpEndpoint>
<ldapRegistry id="LDAP1" realm="SampleLdapIDSRealm" host="9.127.1.90" port="1389" ignoreCase="true"
baseDN="o=ibm,c=us" ldapType="IBM Tivoli Directory Server" searchTimeout="8m" recursiveSearch="true"
bindDN="cn=xxxx" bindPassword="xxxxxx">
<ldapEntityType name="PersonAccount">
<rdnProperty name="uid" objectClass="inetOrgPerson"/>
<objectClass>inetOrgPerson</objectClass>
</ldapEntityType>
<ldapEntityType name="Group">
<objectClass>groupofnames</objectClass>
<objectClass>ibm-nestedGroup</objectClass>
<rdnProperty name="cn" objectClass="groupofnames"/>
</ldapEntityType>
<attributeConfiguration>
<attribute name="title" propertyName="honorificPrefix" syntax="String" entityType="PersonAccount">
</attribute>
<attribute name="initials" propertyName="middleName" syntax="String" entityType="PersonAccount">
</attribute>
<attribute name="st" propertyName="honorificSuffix" syntax="String" entityType="PersonAccount">
</attribute>
<attribute name="l" propertyName="homeStateOrProvinceName" syntax="String" entityType="PersonAccount">
</attribute>
<attribute name="street" propertyName="homeStreet" syntax="String" entityType="PersonAccount">
</attribute>
<attribute name="postalAddress" propertyName="homeCity" syntax="String" entityType="PersonAccount">
</attribute>
<attribute name="postalCode" propertyName="homePostalCode" syntax="String" entityType="PersonAccount">
</attribute>
<attribute name="postOfficeBox" propertyName="homeCountryName" syntax="String" entityType="PersonAccount">
</attribute>
<attribute name="departmentNumber" propertyName="photoURLThumbnail" syntax="String" entityType="PersonAccount">
</attribute>
<attribute name="description" propertyName="photoURL" syntax="String" entityType="PersonAccount">
</attribute>
</attributeConfiguration>
<groupProperties>
<memberAttribute name="member" dummyMember="uid=dummy" objectClass="groupOfNames" scope="direct"/>
<memberAttribute name="ibm-memberGroup" objectClass="ibm-nestedGroup" scope="direct"/>
</groupProperties>
</ldapRegistry>
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" />
<keyStore id="defaultKeyStore" password="Liberty"/>
<administrator-role>
<user>wasadmin</user>
</administrator-role>
<federatedRepository>
<primaryRealm name="WIMRegistry">
<participatingBaseEntry name="o=ibm,c=us"/>
</primaryRealm>
</federatedRepository>
</server>