Grouper SCIM

Experimental

SCIM support is experimental in the Grouper 2.2 release. We do not guarantee that it is bug-free or 100% complete. If you would like to assist with testing, please let us know by emailing the Grouper-dev list.

See also this info on the TIER SCIM API. The TIER SCIM API will consume SCIM events, whereas this module will produce SCIM events.

Grouper now supports writing group information out to SCIM endpoints. At present, the user-id in the consuming system must match the Subject ID in Grouper. We only emit SCIM to a downstream endpoint; this is not an alternative to the Grouper Web Service.

Activation

To activate the SCIM support, copy the grouper-scim-VERSION.jar into your Grouper lib directory. The jar can be found in the grouperScim directory of the grouper-misc directory. Then add the following to your grouper.properties file:

scim.endpoint = URL TO SCIM ENDPOINT
scim.user = username
scim.password = password

The URL should point to the Groups endpoint of the SCIM server. Note that at this time we only support HTTP BASIC for accessing an endpoint.

scim.user should be a user who has admin rights to the Groups endpoint.
scim.password should be a password for the user with basic admin rights.

Next, in grouper-loader.properties, add a new changelog consumer:

changeLog.consumer.scim.class = edu.internet2.middleware.grouper.scim.ScimChangeLogConsumer

Then restart grouper-loader.
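
An added pre-restart check for the settings above (example code, not part of Grouper): it reads the two properties files and reports a missing SCIM key, a non-https endpoint, a world-readable file holding scim.password, or a missing changelog consumer line. The https and file-permission rules are this example's own assumptions about a sensible deployment, and the function names prop_get and audit_scim_config are hypothetical.

```shell
#!/bin/sh
# Added example, not part of Grouper: audit the SCIM settings shown above.

# Print the last value assigned to key $2 in Java-style properties file $1.
prop_get() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*[=:][[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# $1 = grouper.properties, $2 = grouper-loader.properties.
# Prints one line per finding; returns 0 when there are none, 1 otherwise.
audit_scim_config() {
    rc=0
    endpoint=$(prop_get "$1" scim.endpoint)
    case $endpoint in
        https://*) ;;
        '') echo "FAIL scim.endpoint is not set"; rc=1 ;;
        *)  echo "FAIL scim.endpoint is not https: HTTP BASIC only base64-encodes scim.user and scim.password"; rc=1 ;;
    esac
    for key in scim.user scim.password; do
        [ -n "$(prop_get "$1" "$key")" ] || { echo "FAIL $key is not set"; rc=1; }
    done
    # Assumption of this example: scim.password sits in the file in clear text,
    # so the file should not be readable by every local account.
    if [ -n "$(find "$1" -prune -perm -004)" ]; then
        echo "FAIL $1 is world-readable and contains scim.password"; rc=1
    fi
    consumer=$(prop_get "$2" changeLog.consumer.scim.class)
    if [ "$consumer" != "edu.internet2.middleware.grouper.scim.ScimChangeLogConsumer" ]; then
        echo "FAIL changeLog.consumer.scim.class is missing or unexpected: '$consumer'"; rc=1
    fi
    return $rc
}

# Run against real files when both paths are given:
#   sh audit_scim.sh /path/to/grouper.properties /path/to/grouper-loader.properties
if [ $# -eq 2 ]; then
    audit_scim_config "$1" "$2" && echo "OK"
fi
```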

How Grouper operations translate to SCIM operations

The following operations are supported:

  1. Create / Remove Group
  2. Add / Remove Member

Future Work

As this work was based on a no-longer-existent use-case, it has some limitations. Namely, it lacks the following:

  • Ability to bulk sync
  • Ability to verify sync integrity
  • Ability to map Grouper subject to SCIM User

When use-cases and suitable test environments emerge we plan to return and finish this module.