For Grouper 2.6 and above see this page.
https://www.rfc-editor.org/rfc/rfc7643.html#section-4.1
External System
Grouper authenticates to SCIM v2 APIs with a bearer token (sent in the HTTP Authorization header), so the external system needs two things from the target: the SCIM endpoint URL and the token the target issued. Create an external system like the one shown below.
We have tested SCIM integration with AWS and Github. Even though both follow SCIM, there are still many differences between them (for example in which user attributes are required), so when you configure a SCIM provisioner you are asked for the SCIM type. Based on the SCIM type, the provisioner framework runs extra validations to make the integration more robust.
AWS SCIM Provisioning
Group fields and attributes - example request to create a group https://docs.aws.amazon.com/singlesignon/latest/developerguide/creategroup.html
Grouper name | Attribute or field | Type | Required? | Description |
---|---|---|---|---|
id | field | String | required | UUID assigned by AWS and read back from it. Select only: never sent on create. |
displayName | field | String | required | Display Name of the group in AWS. |
Entity fields and attributes - example request to create a user https://docs.aws.amazon.com/singlesignon/latest/developerguide/createuser.html
Grouper name | Attribute or field | Type | Required? | Description |
---|---|---|---|---|
id | field | String | required | UUID assigned by AWS and read back from it. Select only: never sent on create. |
userName | attribute | String | required | User name |
displayName | attribute | String | required | Display name of the user |
familyName | attribute | String | required | Family name (Last name) |
givenName | attribute | String | required | Given name (First name) |
externalId | attribute | String | optional | External id |
formattedName | attribute | String | optional | Formatted name, e.g. Mr. John Smith, II |
middleName | attribute | String | optional | Middle name |
emailValue | attribute | String | optional | Email value e.g. test@example.com |
emailType | attribute | String | optional | Email type e.g. work |
userType | attribute | String | optional | User type e.g. Employee |
employeeNumber | attribute | String | optional | Employee number |
costCenter | attribute | String | optional | Cost center |
Configure SCIM settings in AWS for development purposes
- Go to AWS Single Sign-On in the AWS management console.
- On the left, click on Settings
- Change Identity source to External Identity Provider
- At the bottom of the page, click the link "If you don't have a metadata file, you can manually type your metadata values".
- Put a placeholder URL (any syntactically valid HTTPS URL, e.g. https://abcd.us) in IdP Sign-in URL. This is only for a development setup; in a real deployment the value comes from your actual identity provider.
- Put a placeholder URL of the same kind (e.g. https://abcd.us) in IdP issuer URL.
- Create a self-signed certificate locally and upload it as the IdP certificate.
- Under Settings → Provisioning → View Details, generate a new access token and keep it somewhere safe. It is a bearer credential: anyone holding it can create, modify and delete users and groups in AWS SSO, so store it only in the external system configuration and never in source control. You will need it when configuring the external system.
- Under Settings → Provisioning → View Details, copy the SCIM endpoint URL. You will need it when configuring the external system.
Github SCIM Provisioning
Github only supports SCIM for user operations. An organization must already exist for which members need to be managed. If you want to manage memberships of multiple organizations, configure a separate external system for each organization.
User fields and attributes
Grouper name | Attribute or field | Type | Required? | Description |
---|---|---|---|---|
id | field | String | required | UUID assigned by Github and read back from it. Select only: never sent on create. |
userName | attribute | String | required | User name |
displayName | attribute | String | optional | Display name of the user |
familyName | attribute | String | required | Family name (Last name) |
givenName | attribute | String | required | Given name (First name) |
externalId | attribute | String | optional | External id |
formattedName | attribute | String | optional | Formatted name, e.g. Mr. John Smith, II |
emailValue | attribute | String | required | Email value e.g. test@example.com |
emailType | attribute | String | optional | Email type e.g. work |
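The following is an added example, not Grouper's own provisioner code, that shows how the flat Grouper attribute names in the AWS group and entity tables and in the Github user table above map onto SCIM 2.0 request bodies, how the per-SCIM-type required-field validation implied by the two "Required?" columns can be expressed, and what the bearer-token request the external system sends looks like. The attribute-to-schema mapping follows RFC 7643 (familyName and givenName go under `name`, emailValue/emailType become an entry in `emails`, employeeNumber and costCenter belong to the enterprise extension). The endpoint URLs, token and sample entity are constructed placeholders, and the function names are the example's own.

```python
"""Build SCIM 2.0 create-user / create-group bodies from Grouper attribute names,
with the per-SCIM-type required-field checks the tables above imply.
Added example for illustration; not Grouper's provisioner implementation."""
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Required entity attributes per SCIM type, copied from the "Required?" columns.
# "id" is assigned by the target and read back, so it is never required on create.
REQUIRED = {
    "aws": {"userName", "displayName", "familyName", "givenName"},
    "github": {"userName", "familyName", "givenName", "emailValue"},
}


def validate_entity(scim_type, attrs):
    """Return the sorted list of required attributes that are missing or empty."""
    required = REQUIRED[scim_type]  # KeyError for an unknown SCIM type is deliberate
    return sorted(a for a in required if not attrs.get(a))


def user_body(scim_type, attrs):
    """Map flat Grouper attribute names to the nested SCIM User resource (RFC 7643 s.4.1)."""
    missing = validate_entity(scim_type, attrs)
    if missing:
        raise ValueError(f"{scim_type}: missing required attributes {missing}")
    name = {}
    for grouper_name, scim_name in (("familyName", "familyName"), ("givenName", "givenName"),
                                    ("formattedName", "formatted"), ("middleName", "middleName")):
        if attrs.get(grouper_name):
            name[scim_name] = attrs[grouper_name]
    body = {"schemas": [SCIM_USER], "userName": attrs["userName"], "name": name, "active": True}
    for opt in ("displayName", "externalId", "userType"):
        if attrs.get(opt):
            body[opt] = attrs[opt]
    if attrs.get("emailValue"):
        email = {"value": attrs["emailValue"], "primary": True}
        if attrs.get("emailType"):
            email["type"] = attrs["emailType"]
        body["emails"] = [email]
    # employeeNumber / costCenter live in the enterprise extension, not the core schema
    ext = {k: attrs[k] for k in ("employeeNumber", "costCenter") if attrs.get(k)}
    if ext:
        body["schemas"].append(SCIM_ENTERPRISE)
        body[SCIM_ENTERPRISE] = ext
    return body


def group_body(display_name, member_ids=()):
    """SCIM Group create body; members reference target-side user ids (the 'id' field)."""
    if not display_name:
        raise ValueError("displayName is required")
    return {"schemas": [SCIM_GROUP], "displayName": display_name,
            "members": [{"value": m} for m in member_ids]}


def scim_request(base_url, resource, token, body):
    """Assemble the HTTP request the external system sends: bearer token plus SCIM JSON media type."""
    # base_url is the SCIM endpoint copied from AWS, or the Github organization URL; both end in '/'
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + "/" + resource,
        "headers": {"Authorization": "Bearer " + token,
                    "Content-Type": "application/scim+json",
                    "Accept": "application/scim+json"},
        "data": json.dumps(body),
    }


if __name__ == "__main__":
    # Constructed sample entity; the endpoint and token are placeholders, not real credentials.
    entity = {"userName": "jsmith", "displayName": "John Smith", "familyName": "Smith",
              "givenName": "John", "emailValue": "jsmith@example.edu", "emailType": "work",
              "employeeNumber": "12345", "costCenter": "4130"}
    req = scim_request("https://scim.example.amazonaws.com/TENANT/scim/v2/", "Users",
                       "TOKEN-FROM-AWS-SETTINGS", user_body("aws", entity))
    print(req["url"])
    print(req["data"])
    # The same entity without an email is fine for AWS but fails the Github check
    no_mail = {k: v for k, v in entity.items() if not k.startswith("email")}
    print(validate_entity("github", no_mail))
```

The point of keeping the required sets per SCIM type rather than hard-coding one list is exactly the validation the text describes: the same Grouper entity can be valid for AWS and rejected for Github (no email), and catching that before the POST gives a clear error instead of a 400 from the target.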
Configure SCIM settings in Github for development purposes
- Go to Settings → Developer settings → Personal access tokens.
- Generate a new token and keep it safe. It is the bearer token you will enter when configuring the external system, and it grants whoever holds it the same SCIM access to the organization, so treat it like a password.
- SCIM provisioning for a Github organization requires SAML single sign-on to be enabled on that organization. For our testing we set up SAML integration between Github and Onelogin; if you follow the same route you will need an Onelogin account (Github and Onelogin both offer trial versions for a few days).
- The SCIM URL that you enter while configuring the external system looks like this, including the trailing slash: https://api.github.com/scim/v2/organizations/yourOrgName/
- Here is a video that shows how to integrate Onelogin with a Github organization (though you should integrate with your own SAML identity provider).