Grouper SCIM

Experimental

SCIM support is experimental in Grouper 2.2. We do not guarantee that it is bug-free or 100% complete. If you would like to assist with testing, please let us know by emailing the Grouper-dev list.

See also this info on the TIER SCIM API. The TIER SCIM API will consume SCIM events as a server, whereas this module will produce SCIM calls as a client.

Grouper now supports writing group information out to SCIM endpoints. At present, the user-id in the consuming system must match the Subject ID in Grouper. We only emit SCIM to a downstream endpoint; this is not an alternative to the Grouper Web Service.

Activation

To activate the SCIM support, copy the grouper-scim-VERSION.jar into your Grouper lib directory. The jar can be found in the grouperScim directory of the grouper-misc directory. Then add the following to your grouper.properties file:

scim.endpoint = URL TO SCIM ENDPOINT
scim.user = username
scim.password = password

The URL should point to the Groups endpoint of the SCIM server. Note that at this time we only support HTTP BASIC for accessing an endpoint.

scim.user should be a user who has admin rights to the Groups endpoint.
scim.password should be a password for the user with basic admin rights.

Next, in grouper-loader.properties, add a new changelog consumer:

changeLog.consumer.scim.class = edu.internet2.middleware.grouper.scim.ScimChangeLogConsumer

Then restart grouper-loader.
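
An added example, not part of the Grouper documentation or code: a Python check of the settings described above. It flags a plain-http endpoint (HTTP BASIC only base64-encodes the credentials), placeholder values, a missing consumer entry, and a world-readable grouper.properties. The hostname and sample values are constructed, and the /Groups path check assumes the server uses the standard SCIM resource path.

```python
import stat
from urllib.parse import urlparse

CONSUMER = "edu.internet2.middleware.grouper.scim.ScimChangeLogConsumer"
PLACEHOLDERS = {"", "URL TO SCIM ENDPOINT", "username", "password"}

# Constructed sample files (hostname and values are made up for this example).
WEAK_GROUPER = """scim.endpoint = http://scim.example.org/v1/Groups
scim.user = svc-grouper
scim.password = password
"""
LOADER = "changeLog.consumer.scim.class = " + CONSUMER + "\n"


def parse_properties(text):
    """Parse 'key = value' lines, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit_scim(grouper_text, loader_text, file_mode=None):
    """Return findings for the SCIM settings; an empty list means no issues."""
    props, loader = parse_properties(grouper_text), parse_properties(loader_text)
    findings = []
    for key in ("scim.endpoint", "scim.user", "scim.password"):
        if props.get(key, "") in PLACEHOLDERS:
            findings.append(key + ": missing or still a placeholder")
    url = urlparse(props.get("scim.endpoint", ""))
    if url.scheme == "http":
        findings.append("scim.endpoint: HTTP BASIC credentials sent unencrypted")
    if url.username or url.password:
        findings.append("scim.endpoint: credentials embedded in the URL")
    if url.scheme in ("http", "https") and not url.path.rstrip("/").endswith("/Groups"):
        findings.append("scim.endpoint: path does not end in /Groups")
    if loader.get("changeLog.consumer.scim.class") != CONSUMER:
        findings.append("changeLog.consumer.scim.class: SCIM consumer not configured")
    if file_mode is not None and file_mode & stat.S_IROTH:
        findings.append("grouper.properties: world-readable, exposes scim.password")
    return findings


if __name__ == "__main__":
    for finding in audit_scim(WEAK_GROUPER, LOADER, file_mode=0o644):
        print(finding)
```

To audit a real deployment, pass the contents of grouper.properties and grouper-loader.properties, plus the st_mode that os.stat() reports for grouper.properties.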

How Grouper operations translate to SCIM operations

The following operations are supported:

  1. Create / Remove Group
  2. Add / Remove Member

Future Work

As this work was based on a no-longer-existent use-case, it has some limitations. Namely, it lacks the following:

  • Ability to bulk sync
  • Ability to verify sync integrity
  • Ability to map grouper subject to SCIM User

When use-cases and suitable test environments emerge, we plan to return and finish this module.

 

See Also

TIER SCIM API
