
For Grouper 2.6 and above see this page.


https://www.rfc-editor.org/rfc/rfc7643.html#section-4.1

External System

Grouper uses bearer token authentication to connect with SCIM V2 APIs. Create an external system like below.


We have tested SCIM integration for AWS and Github. Even though they both follow SCIM, there are still many differences, so when you configure a SCIM provisioner, we ask for SCIM type. Based on the SCIM type, the provisioner framework can run extra validations to make integration more robust.

AWS SCIM Provisioning

Group fields and attributes - example request to create a group https://docs.aws.amazon.com/singlesignon/latest/developerguide/creategroup.html

| Grouper name | Attribute or field | Type | Required? | Description |
|---|---|---|---|---|
| id | field | String | required | UUID read from AWS. Select only. |
| displayName | field | String | required | Display Name of the group in AWS. |


Entity fields and attributes - example request to create a user https://docs.aws.amazon.com/singlesignon/latest/developerguide/createuser.html

| Grouper name | Attribute or field | Type | Required? | Description |
|---|---|---|---|---|
| id | field | String | required | UUID read from AWS. Select only. |
| userName | attribute | String | required | User name |
| displayName | attribute | String | required | Display name of the user |
| familyName | attribute | String | required | Family name (Last name) |
| givenName | attribute | String | required | Given name (First name) |
| externalId | attribute | String | optional | External id |
| formattedName | attribute | String | optional | Formatted name e.g. Mr. John Smith, II |
| middleName | attribute | String | optional | Middle name |
| emailValue | attribute | String | optional | Email value e.g. test@example.com |
| emailType | attribute | String | optional | Email type e.g. work |
| userType | attribute | String | optional | User type e.g. Employee |
| employeeNumber | attribute | String | optional | Employee number |
| costCenter | attribute | String | optional | Cost center |

Configure SCIM settings in AWS for development purposes

  1. Go to AWS Single Sign-On in the AWS management console.
  2. On the left, click on Settings.
  3. Change Identity source to External Identity Provider.
  4. At the bottom of the page, click on "If you don't have a metadata file, you can manually type your metadata values".
  5. Put a random valid URL in IdP Sign-in URL, e.g. https://abcd.us
  6. Put a random valid URL in IdP issuer URL, e.g. https://abcd.us
  7. Create a local certificate and upload it.
  8. Under Settings → Provisioning → View Details, generate a new token and keep it somewhere safe. You will need it when configuring the external system.
  9. Under Settings → Provisioning → View Details, copy the SCIM endpoint. You will need it when configuring the external system.


Github SCIM Provisioning

https://docs.github.com/en/enterprise-cloud@latest/rest/scim?apiVersion=2022-11-28#provision-and-invite-a-scim-user


Github only supports SCIM for user operations. An organization must already exist for which members need to be managed. If you want to manage memberships of multiple organizations, configure a separate external system for each organization.

User fields and attributes

| Grouper name | Attribute or field | Type | Required? | Description |
|---|---|---|---|---|
| id | field | String | required | UUID read from Github. Select only. |
| userName | attribute | String | required | User name |
| displayName | attribute | String | optional | Display name of the user |
| familyName | attribute | String | required | Family name (Last name) |
| givenName | attribute | String | required | Given name (First name) |
| externalId | attribute | String | optional | External id |
| formattedName | attribute | String | optional | Formatted name e.g. Mr. John Smith, II |
| emailValue | attribute | String | required | Email value e.g. test@example.com |
| emailType | attribute | String | optional | Email type e.g. work |
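The following is an added example, not Grouper's own code: a pre-flight check that applies the required/optional columns of the AWS and Github user tables on this page before building an RFC 7643 User resource, and refuses to attach the bearer token to a non-https endpoint. The function names and the mapping from Grouper names to SCIM paths are assumptions.

```python
from urllib.parse import urlparse

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Required/optional Grouper attribute names per SCIM type, copied from the tables above.
# "id" is select-only (assigned by the target), so it is rejected in a create payload.
REQUIRED = {
    "AWS": {"userName", "displayName", "familyName", "givenName"},
    "Github": {"userName", "familyName", "givenName", "emailValue"},
}
OPTIONAL = {
    "AWS": {"externalId", "formattedName", "middleName", "emailValue", "emailType",
            "userType", "employeeNumber", "costCenter"},
    "Github": {"displayName", "externalId", "formattedName", "emailType"},
}
# Assumed mapping of Grouper names to RFC 7643 "name" sub-attributes (not from Grouper's source).
NAME_PARTS = {"familyName": "familyName", "givenName": "givenName",
              "formattedName": "formatted", "middleName": "middleName"}


def build_scim_user(scim_type, attrs):
    """Validate attrs against the table for scim_type, then return a SCIM 2.0 User dict."""
    present = {k for k, v in attrs.items() if v not in (None, "")}
    missing = REQUIRED[scim_type] - present
    unknown = present - REQUIRED[scim_type] - OPTIONAL[scim_type]
    if missing or unknown:
        raise ValueError(f"{scim_type}: missing={sorted(missing)} unsupported={sorted(unknown)}")
    user = {"schemas": [CORE], "userName": attrs["userName"]}
    user["name"] = {NAME_PARTS[k]: attrs[k] for k in NAME_PARTS if k in present}
    for key in ("displayName", "externalId", "userType"):
        if key in present:
            user[key] = attrs[key]
    if "emailValue" in present:
        email = {"value": attrs["emailValue"], "primary": True}
        if "emailType" in present:
            email["type"] = attrs["emailType"]
        user["emails"] = [email]
    enterprise = {k: attrs[k] for k in ("employeeNumber", "costCenter") if k in present}
    if enterprise:  # these two live in the RFC 7643 enterprise extension schema
        user["schemas"].append(ENTERPRISE)
        user[ENTERPRISE] = enterprise
    return user


def bearer_headers(endpoint, token):
    """Build the Authorization header only for an https endpoint and a non-empty token."""
    if urlparse(endpoint).scheme != "https" or not token:
        raise ValueError("SCIM endpoint must be https and the token must be non-empty")
    return {"Authorization": f"Bearer {token}"}
```

Read the token from the external system's secret storage or the environment at call time rather than embedding it in provisioner configuration that is checked into version control.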


Configure SCIM settings in Github for development purposes

  1. Go to Settings → Developer settings → Personal access tokens.
  2. Generate a new token and keep it safe. You will need it when configuring the external system.
  3. In your Github organization, you need SAML. For our testing we set up SAML integration between Github and Onelogin. You will need to set up an account on Onelogin. Github and Onelogin both offer trial versions for a few days.
  4. The SCIM URL that you need to enter while configuring the external system would look like: https://api.github.com/scim/v2/organizations/yourOrgName/
  5. Here is a video that shows how to integrate Onelogin with the Github organization (though you should integrate with your own SAML).

