In-bound/Out-bound User provisioning with WSO2 Identity Server

Identity Server supports both In-bound and Out-bound provisioning. First, let's try to understand what is meant by In-bound and Out-bound provisioning.

In-bound provisioning

  • Provisioning users/groups into the Identity Server's user stores by an application (Service Provider).
  • Supported via the SCIM standard. There is also a SOAP-based web service API.
  • Users/groups are created in the primary or a secondary user store, as defined in the In-bound provisioning configuration.
  • In-bound provisioning configuration can be found under the Service Provider configuration UI of the Identity Server.

Out-bound provisioning

  • Provisioning users from the Identity Server to Trusted Identity Providers. A Trusted Identity Provider means an Identity Provider that supports In-bound provisioning; it can be Google, Salesforce, another Identity Server, etc.
  • Supported via the SCIM/SPML standards. Out-bound provisioning connectors for Google and Salesforce are available by default. If you need to plug in any other custom connector, you can do so by writing an extension.
  • Out-bound provisioning configuration can be found under the Identity Provider configuration UI of the Identity Server.

The following diagram gives a clearer picture as well.

[Figure: scim1]

Configure In-bound Provisioning

Let's try to configure In-bound provisioning to provision some users into the Identity Server's user store.

Here you have two options.

1. Configure using the Resident Service Provider

  • This can be used if your application does not support OAuth. You can just send Basic Auth secured SCIM requests to the SCIM endpoints of the Identity Server.
  • If you have configured multiple user stores with the Identity Server, you can specify the user store domain into which you allow users to be provisioned.

[Figure: scim7]

  • If you do not specify any user store in the configuration (just leave it without selecting anything):
    • The user is created in the user store domain contained in the SCIM request. In the SCIM request you can send the user name as follows. If no domain name is specified with the user name, the user is provisioned to the primary user store.
    • {Domain-Name}/username
  • If you specify the user store in the configuration:
    • The user is created in the configured user store domain regardless of what is contained in the SCIM request.

A sample SCIM request would be as follows. You can go to the user management UI and check whether the user has been created in the configured or requested user store. Note that the JSON body is wrapped in single quotes so that the double quotes inside it reach the server intact.

 curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"pathberiya","givenName":"asela"},"userName":"asela","password":"asela","emails":[{"primary":true,"value":"asela@soasecurity.org"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

In the following request, I have specified the user store domain.

 curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"pathberiya","givenName":"asela"},"userName":"SOA/asela","password":"asela","emails":[{"primary":true,"value":"asela@soasecurity.org"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

2. Configure using a new Service Provider

  • If your application supports OAuth, you can create a Service Provider configuration for your application and provision users using OAuth-secured SCIM requests.
  • If you have configured multiple user stores with the Identity Server, you can specify the user store domain into which you allow users to be provisioned. It works the same way as above.

[Figure: scim6]

A sample SCIM request would be as follows. The Basic Auth header has been replaced with an Access Token. You can simply use the client credentials or resource owner password grant type to obtain the Access Token.

 curl -v -k --header "Authorization: Bearer 8676e9c7292bde86315a717a9b76ac5" --data '{"schemas":[],"name":{"familyName":"pathberiya","givenName":"asela"},"userName":"asela","password":"asela","emails":[{"primary":true,"value":"asela@soasecurity.org"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users
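The two in-bound variants above (Basic Auth through the Resident Service Provider, a Bearer token through an OAuth-enabled Service Provider) differ only in the Authorization header, and the user store a request lands in follows the domain rules listed under option 1. The following Python is an added example, not code from this post or from WSO2; it assumes the SCIM endpoint shown above, that the primary user store domain is named PRIMARY, and that the caller already holds an access token in the Bearer case. Building the body with json.dumps avoids the shell-quoting mistakes that are easy to make when the JSON is inlined in a curl command.

```python
"""Added example: assemble a SCIM 1.1 user-creation request for WSO2 IS
in-bound provisioning and predict which user store domain it targets.
Not part of the original post; names and defaults below are assumptions."""
import base64
import json
import ssl
import urllib.request

SCIM_USERS_ENDPOINT = "https://localhost:9443/wso2/scim/Users"  # endpoint from the post
PRIMARY_DOMAIN = "PRIMARY"  # assumption: name of the primary user store domain


def resolve_user_store_domain(configured_domain, user_name):
    """Which user store the user will be created in.

    - A domain pinned in the Service Provider configuration wins regardless
      of what the request says.
    - Otherwise a "{Domain-Name}/username" userName selects the domain.
    - Otherwise the primary user store is used.
    """
    if configured_domain:
        return configured_domain
    if "/" in user_name:
        return user_name.split("/", 1)[0]
    return PRIMARY_DOMAIN


def build_scim_user(user_name, given_name, family_name, password, email):
    """SCIM 1.1 user representation with the same fields as the curl samples."""
    return {
        "schemas": [],
        "name": {"familyName": family_name, "givenName": given_name},
        "userName": user_name,
        "password": password,
        "emails": [{"primary": True, "value": email}],
    }


def basic_auth_header(username, password):
    """Resident Service Provider case: HTTP Basic credentials."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def bearer_auth_header(access_token):
    """OAuth Service Provider case: token obtained beforehand via
    client credentials or resource owner password grant."""
    return {"Authorization": f"Bearer {access_token}"}


def build_request(user, auth_header, endpoint=SCIM_USERS_ENDPOINT):
    """Assemble the POST; the body is JSON-encoded exactly once, so the
    quoting problems of inlining JSON inside a shell string cannot occur."""
    body = json.dumps(user).encode("utf-8")
    headers = {"Content-Type": "application/json", **auth_header}
    return urllib.request.Request(endpoint, data=body, headers=headers, method="POST")


def send(request, verify_tls=True):
    """Send the request and return (status, parsed JSON body).
    verify_tls=False mirrors curl -k and is only appropriate against the
    default self-signed development certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(request, context=ctx) as resp:
        return resp.getcode(), json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample matching the post's second curl request.
    user = build_scim_user("SOA/asela", "asela", "pathberiya", "asela", "asela@soasecurity.org")
    print("target domain (no SP override):", resolve_user_store_domain(None, user["userName"]))
    print("target domain (SP pins WSO2):  ", resolve_user_store_domain("WSO2", user["userName"]))
    req = build_request(user, basic_auth_header("admin", "admin"))
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
    # send(req, verify_tls=False) would create the user on a local server.
```

Swap basic_auth_header for bearer_auth_header to produce the OAuth variant; everything else in the request is identical, which is exactly the difference between the two curl samples.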

Configure Out-bound Provisioning

Step 1. You need to configure a Trusted Identity Provider that is able to accept provisioning requests from the Identity Server. Let's create a new IDP as follows.

[Figure: scim1]

Here I am going to provision users using SCIM, and my Trusted IDP knows how to accept SCIM requests. (Assume my IDP is also another Identity Server. The following configurations are done, and I specify that I want to provision users to the WSO2 user store domain only.)

[Figure: scim3]

You can add multiple provisioning connectors, such as Google and Salesforce, as extensions to the Identity Server. Those would then show up in this UI as well.

Step 2. Configure the Trusted IDP as an Out-bound provisioning connector.

Here you have two options.

1. Configure using the Resident Service Provider

  • This can be used if you want to do Out-bound provisioning for users/groups that are created from the Management Console, the Web Service API, or the SCIM API (with Basic Auth).
  • You can select the Trusted IDP that we created earlier and add it as follows.

[Figure: scim8]

  • There is another option called "Blocking". It means that the out-bound provisioning request is blocked until a response is received. By default, requests are non-blocking.

2. Configure using a new Service Provider

  • This can be used if your application supports OAuth, and also if you do not want to create the user in the Identity Server's user store. When the Resident Service Provider is used, Out-bound provisioning is done while the user is created in the Identity Server.
  • Under the SP configuration, you can select the preferred IDP and connector for Out-bound provisioning.

[Figure: scim9]

  • Once you enable "Enable JIT", the provisioned user is created in the Identity Server's user store as well.