abus

Reputation: 109

SCIM2 - How to associate externalId with an Identity Provider (IdP)?

Within the SCIM2 specification, it is possible to provide the externalId. This is needed to associate a user with an Identity Provider (IdP). However, the SCIM2 specification itself does not provide a mechanism to specify the IdP.

The end goal is to implement support for multiple IdPs, such as Google Workspace and Entra ID (Azure).

I assume that externalId is not guaranteed to be unique across different IdPs.

Considering the future possibility of using multiple IdPs, is there a recommended approach within SCIM2 to associate the externalId with a specific IdP?

See the SCIM core documentation at https://scim.cloud for more information about SCIM 2.0.

Upvotes: 0

Views: 173

Answers (1)

Zollnerd

Reputation: 912

The language around externalId in the SCIM spec mentions this, which I suspect is what you're trying to solve for:

The service provider MUST always interpret the externalId as scoped to the provisioning domain.

The problem you then ran into - how to identify the IdP/SCIM client - and the ambiguity about what "provisioning domain" means - has led the majority of SCIM service providers to implement externalId as a simple no-frills string. One way to look at that is that the "provisioning domain" is being interpreted by the SCIM service provider to be the specific directory/tenant in the application, rather than anything related to the IdP or whatever data is represented by the SCIM client.

Upvotes: 0
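The following is an added example, not code from the question, the answer, or any SCIM product: a minimal in-memory SCIM 2.0 user store that treats each authenticated SCIM client (one per IdP tenant) as its own provisioning domain, so uniqueness of externalId is enforced per client rather than globally. The client tokens, domain names and user records are constructed sample data; the `ScimUserStore`, `CLIENT_DOMAINS` and `handle_scim_create` names are assumptions of this example. The `scimType` value `uniqueness` and the error schema URN come from the SCIM 2.0 protocol (RFC 7644).

```python
"""Added example: scoping SCIM externalId to the provisioning domain.

The provisioning domain is derived from the SCIM client's credential,
never from the request body, so two IdPs that happen to send the same
externalId cannot collide or read each other's users.
"""
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample mapping: bearer token -> provisioning domain.
# In a real deployment this would be looked up from the OAuth client
# or token record that authenticated the SCIM request.
CLIENT_DOMAINS = {
    "sample-token-google": "google-workspace-tenant-a",
    "sample-token-entra": "entra-id-tenant-b",
}


class ScimConflict(Exception):
    """externalId already exists within the same provisioning domain."""


@dataclass
class ScimUser:
    id: str                   # server-assigned, unique across the whole service
    provisioning_domain: str  # set from the client's credential, not the payload
    external_id: Optional[str]
    user_name: str
    emails: List[str] = field(default_factory=list)


class ScimUserStore:
    """Users are unique by the pair (provisioning_domain, externalId)."""

    def __init__(self) -> None:
        self._by_id: Dict[str, ScimUser] = {}
        self._by_external: Dict[Tuple[str, str], str] = {}

    def create(self, provisioning_domain: str, body: dict) -> ScimUser:
        external_id = body.get("externalId")
        if external_id is not None and (provisioning_domain, external_id) in self._by_external:
            raise ScimConflict(
                f"externalId {external_id!r} already exists in {provisioning_domain}")
        user = ScimUser(
            id=str(uuid.uuid4()),
            provisioning_domain=provisioning_domain,
            external_id=external_id,
            user_name=body["userName"],
            emails=[e["value"] for e in body.get("emails", [])],
        )
        self._by_id[user.id] = user
        if external_id is not None:
            self._by_external[(provisioning_domain, external_id)] = user.id
        return user

    def find_by_external_id(self, provisioning_domain: str, external_id: str) -> Optional[ScimUser]:
        """Backs a filter like: externalId eq "12345", scoped to the caller's domain."""
        uid = self._by_external.get((provisioning_domain, external_id))
        return self._by_id.get(uid) if uid else None

    def get(self, provisioning_domain: str, user_id: str) -> Optional[ScimUser]:
        """GET /Users/{id}: a client may only see users in its own domain."""
        user = self._by_id.get(user_id)
        if user is None or user.provisioning_domain != provisioning_domain:
            return None
        return user


def handle_scim_create(store: ScimUserStore, bearer_token: str, body: dict):
    """Simulates POST /Users and returns (status, response_body)."""
    domain = CLIENT_DOMAINS.get(bearer_token)
    if domain is None:
        return 401, {"detail": "unknown SCIM client"}
    try:
        user = store.create(domain, body)
    except ScimConflict as exc:
        return 409, {
            "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
            "status": "409",
            "scimType": "uniqueness",
            "detail": str(exc),
        }
    return 201, {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "id": user.id,
        "externalId": user.external_id,
        "userName": user.user_name,
    }


if __name__ == "__main__":
    store = ScimUserStore()
    print(handle_scim_create(store, "sample-token-google",
                             {"userName": "alice@example.com", "externalId": "12345"}))
    print(handle_scim_create(store, "sample-token-entra",
                             {"userName": "alice@example.com", "externalId": "12345"}))
```

The design choice worth noting is that `externalId` never becomes a lookup key on its own: every read and write path takes the provisioning domain first, and that domain is fixed by whichever credential the SCIM client presented. A server that instead keyed users by `externalId` alone would let a second IdP tenant overwrite or discover records created by the first.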
