Reputation: 135
We need to implement a way for various IDPs to send our system user create/update/delete calls so that their IDP system would automatically push user changes to ours. The creation and updating we already have implemented as user provisioning through SSO. It is the deletion part which we need. We were doing some research and found out about SCIM. This seems like it is a pretty useful protocol since our application does not need to be configured for each client, as the IDP can discover what our app can do through SCIM. One SCIM system can also sync users with another SCIM system, so that is something which we might use as well.
We want to start out with a very limited set of available actions through SCIM; mainly we only want to allow the IDP to deactivate the user. I started looking through how to limit the discovery metadata so that the IDP only knows about this, but I am not certain I found the place.
I am also not sure if querying users is needed for any SCIM implementation. So do I implement the Get() and the Delete() methods on a SCIM user controller and return BadRequest for everything else?
Upvotes: 0
Views: 293
Reputation: 912
Speaking from the perspective of a product manager for a SCIM client for a major IDP - what you want isn't unheard of, but it leads to a pretty bad experience. Creating users via SSO (aka JIT/"Just-in-time" provisioning) is helpful, especially in scenarios where a user may be hired/added to an app and need to use the app almost immediately.
There are some bumps in the road here, however - if a user is able to SSO into an app and is not correctly configured on the SCIM side of things, the user ends up getting created but not deleted/deactivated. An occasional scenario here would be: user is granted access and SSOs in -> account created -> IT admin realizes this was a mistake and the access isn't needed, removes/unassigns them from the app in the IDP. If this all happens in relatively short order, the user may never get picked up by the SCIM provisioning functionality. For reasons like this, I'm an advocate for leaving user provisioning entirely in the hands of a provisioning service/SCIM and not relying on a mixture of JIT + SCIM.
To your implementation-specific questions, not all IDPs will pull all users (i.e. a simple GET /Users). Some do targeted requests and will only request data about users assigned/in scope for provisioning on the IDP side. In that case, you'll almost exclusively see filtered requests targeting a single user (i.e. GET /Users?filter=userName eq "[email protected]").
Upvotes: 0
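As an added illustration of the two calls discussed above (not code from either poster), here is a minimal SCIM 2.0 /Users handler that accepts only the single-user filter shape the answer describes, rejects every other filter with a SCIM error body instead of passing it to a query, and treats DELETE as deactivation. The in-memory USERS store and its entries are constructed sample data; the handler functions and their names are assumptions for this example.

```python
import re
from typing import Optional

# Constructed in-memory user store standing in for the application's database.
USERS = {
    "u-1": {"id": "u-1", "userName": "alice@example.com", "active": True},
    "u-2": {"id": "u-2", "userName": "bob@example.com", "active": True},
}

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# The only filter shape this server accepts: userName eq "<value>".
# Anything else is refused up front rather than translated into a DB query.
FILTER_RE = re.compile(r'^userName\s+eq\s+"((?:[^"\\]|\\.)*)"$', re.IGNORECASE)

def scim_error(status: int, detail: str, scim_type: Optional[str] = None):
    """Build a SCIM-formatted error response: (status, body)."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body

def list_users(filter_expr: Optional[str]):
    """GET /Users?filter=...  ->  (status, ListResponse body)."""
    if filter_expr is None:
        # Unfiltered enumeration of every user is not offered by this minimal server.
        return scim_error(400, "unfiltered listing not supported", "invalidFilter")
    match = FILTER_RE.match(filter_expr.strip())
    if not match:
        return scim_error(400, 'only userName eq "..." is supported', "invalidFilter")
    wanted = match.group(1).replace('\\"', '"').lower()  # userName is case-insensitive
    # Deactivated users are hidden so the IDP sees its DELETE as having taken effect.
    hits = [dict(u, schemas=[USER_SCHEMA]) for u in USERS.values()
            if u["active"] and u["userName"].lower() == wanted]
    return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits),
                 "startIndex": 1, "itemsPerPage": len(hits), "Resources": hits}

def delete_user(user_id: str):
    """DELETE /Users/{id}  ->  deactivate instead of erase, as the question wants."""
    user = USERS.get(user_id)
    if user is None or not user["active"]:
        return scim_error(404, f"Resource {user_id} not found")
    user["active"] = False
    return 204, None
```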