Grouper SCIM


SCIM support is experimental in Grouper 2.2. We do not guarantee it to be bug-free nor 100% complete. If you would like to assist with testing, please let us know by emailing the Grouper-dev list.

See also this info on the TIER SCIM API.  The TIER SCIM API will consume SCIM events as a server, whereas this will produce SCIM calls as a client.

Grouper now supports writing group information out to SCIM endpoints. At present, the user-id in the consuming system must match the Subject ID in Grouper. We only emit SCIM to a down-stream endpoint, this is not an alternative to the Grouper Web Service.


To activate the SCIM support, copy the grouper-scim-VERSION.jar into your grouper lib directory. The jar can be found in the grouperScim directory of the grouper-misc directory. Then add the following to your file|:

scim.endpoint = URL TO SCIM ENDPOINT
scim.user = username
scim.password = password

The URL should be to the Groups endpoint of the SCIM server. Note, at this time we only support HTTP BASIC for accessing an endpoint.

scim.user should be a user who has admin rights to the Groups endpoint.
scim.password should be a password for the user with basic admin rights.

Next, in, add a new changelog consumer:

changeLog.consumer.scim.class = edu.internet2.middleware.grouper.scim.ScimChangeLogConsumer

Then restart grouper-loader.

How Grouper operations translate to SCIM operations

The following operations are supported:

  1. Create / Remove Group
  2. Add / Remove Member

Future Work

As this work was based on a no-longer-existent use-case, it has some limitations. Namely, it lacks the following:

  • Ability to bulk sync
  • Ability to verify sync integrity
  • Ability to map grouper subject to SCIM User

When use-cases and suitable test environments emerge we plan to return and finish this module.


See Also