User Repository for SCIM Federation REST API
The Repository/ScimFed endpoint binds a SCIM federated user repository (such as Microsoft Azure) to the HID Authentication Service and manages it.
To use version-specific parameters and attributes, add the api-version=N query parameter to the request.
Previous versions of the API remain supported with their corresponding functionality.
Method Details
HTTPS Method | Entity Action | Request URI | Description |
---|---|---|---|
GET | Read | /configuration/{tenant}/v2/User/Repository/ScimFed | Retrieve the list of all SCIM federated user repositories |
GET | Read | /configuration/{tenant}/v2/User/Repository/ScimFed/{uid} | Retrieve a SCIM federated user repository |
POST | Create | /configuration/{tenant}/v2/User/Repository/ScimFed | Create a SCIM federated user repository |
PUT | Replace | /configuration/{tenant}/v2/User/Repository/ScimFed/{uid} | Replace a SCIM federated user repository |
DELETE | Delete | /configuration/{tenant}/v2/User/Repository/ScimFed/{uid} | Delete a SCIM federated user repository |
Required Permissions
Function | Required Permissions |
---|---|
GET | |
GET ALL | |
CREATE | |
REPLACE | |
DELETE | |
TEST CONNECTION | |
Get All SCIM Federated User Repositories
GET /User/Repository/ScimFed
Sample Response
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"totalResults": 1,
"resources": [ {
"schemas": ["urn:hid:scim:api:idp:2.0:User:Repository"],
"id": "DS_c",
"meta": {
"resourceType": "UserRepository",
"location": "https://[base-server-url]/configuration/tenant/v2/User/Repository/ScimFed/DS_c",
"version": "1"
},
"name": "scim fed AAD",
"type": "SCIM_FED_AD",
"adminGroupAssignment": {
"type": "Group",
"value": "USG_FTEMP",
"$ref": "https://[base-server-url]/scim/tenant/v2/Groups/USG_FTEMP"
},
"roleAssignments": [
{
"roleId": "RL_AUDITV",
"mappingCriteria": {"groupMembership": "475f23fa-ad47-4ca9-b535-9792c9494daa"}
},
{
"roleId": "RL_DEVADM",
"mappingCriteria": {"groupMembership": "b94f8737-0885-4193-b91e-6249974d9df3"}
}
],
"provisioningAgentCredential": {
"type": "User",
"value": "123",
"$ref": "https://[base-server-url]/scim/tenant/v2/Users/123"
},
"userAuthenticationEndpoint": {
"issuerUri": "<url of your Microsoft Azure AD or ADFS Oauth2 provider>",
"clientId": "4fafef0d-79fc-470b-9e5e-7a1ed4fd549f"
}
}]
}
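The roleAssignments of a repository decide which identity-provider group grants which HID role, so the ListResponse above is the place to review who ends up with administrative roles. The following is an added example, not HID's code: it parses a ListResponse of the shape returned by GET /User/Repository/ScimFed and reports findings a reviewer of the federation setup would look for (missing adminGroupAssignment, a groupMembership that is not a group object ID, the same role mapped to the same group twice, a non-https or placeholder issuerUri). The sample document is constructed: the first resource is the page's sample repository DS_c, the second (DS_example) is invented with deliberately weak settings so the checks have something to report.

```python
"""Audit the role mappings of SCIM federated user repositories.

Added example (not HID's code). Parses a SCIM ListResponse as returned by
GET /User/Repository/ScimFed and audits each repository's configuration.
The sample below is constructed: DS_c is copied from the page, DS_example is
invented to exercise the checks.
"""
import json
import re
from collections import defaultdict

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
# mappingCriteria.groupMembership carries the IdP group's object ID (a GUID).
GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 2,
    "resources": [
        {   # from the page's sample response
            "schemas": ["urn:hid:scim:api:idp:2.0:User:Repository"],
            "id": "DS_c",
            "name": "scim fed AAD",
            "type": "SCIM_FED_AD",
            "adminGroupAssignment": {"type": "Group", "value": "USG_FTEMP"},
            "roleAssignments": [
                {"roleId": "RL_AUDITV",
                 "mappingCriteria": {"groupMembership": "475f23fa-ad47-4ca9-b535-9792c9494daa"}},
                {"roleId": "RL_DEVADM",
                 "mappingCriteria": {"groupMembership": "b94f8737-0885-4193-b91e-6249974d9df3"}},
            ],
            "provisioningAgentCredential": {"type": "User", "value": "123"},
            "userAuthenticationEndpoint": {
                "issuerUri": "<url of your Microsoft Azure AD or ADFS Oauth2 provider>",
                "clientId": "4fafef0d-79fc-470b-9e5e-7a1ed4fd549f"},
        },
        {   # constructed: duplicate mapping, non-GUID group, no admin group
            "schemas": ["urn:hid:scim:api:idp:2.0:User:Repository"],
            "id": "DS_example",
            "name": "constructed example",
            "type": "SCIM_FED_AD",
            "roleAssignments": [
                {"roleId": "RL_SSPADM",
                 "mappingCriteria": {"groupMembership": "11111111-2222-3333-4444-555555555555"}},
                {"roleId": "RL_SSPADM",
                 "mappingCriteria": {"groupMembership": "11111111-2222-3333-4444-555555555555"}},
                {"roleId": "RL_DEVADM", "mappingCriteria": {"groupMembership": "Developers"}},
            ],
            "provisioningAgentCredential": {"type": "User", "value": "124"},
            "userAuthenticationEndpoint": {
                "issuerUri": "https://login.example.test/tenant/v2.0", "clientId": "app"},
        },
    ],
})


def roles_by_group(repo: dict) -> dict[str, list[str]]:
    """Return {groupMembership: [roleId, ...]}: which IdP group grants which HID roles."""
    grants = defaultdict(list)
    for assignment in repo.get("roleAssignments", []):
        group = assignment.get("mappingCriteria", {}).get("groupMembership", "")
        grants[group].append(assignment.get("roleId", ""))
    return {group: sorted(roles) for group, roles in grants.items()}


def audit_repository(repo: dict) -> list[str]:
    """Return human-readable findings for one repository (empty list means clean)."""
    findings = []
    if not repo.get("adminGroupAssignment", {}).get("value"):
        findings.append("no adminGroupAssignment configured")
    for group, roles in roles_by_group(repo).items():
        if not GUID.match(group):
            findings.append(f"groupMembership {group!r} is not a group object ID")
        for role in sorted({r for r in roles if roles.count(r) > 1}):
            findings.append(f"role {role} mapped to group {group} more than once")
    endpoint = repo.get("userAuthenticationEndpoint", {})
    issuer = endpoint.get("issuerUri", "")
    if not issuer.startswith("https://"):
        findings.append(f"issuerUri {issuer!r} is not an https URL (placeholder or misconfigured)")
    if not endpoint.get("clientId"):
        findings.append("userAuthenticationEndpoint.clientId is missing")
    return findings


def audit_list_response(text: str) -> dict[str, list[str]]:
    """Parse a ListResponse and audit every repository in it, keyed by repository id."""
    doc = json.loads(text)
    if LIST_RESPONSE_SCHEMA not in doc.get("schemas", []):
        raise ValueError("document is not a SCIM ListResponse")
    return {repo["id"]: audit_repository(repo) for repo in doc.get("resources", [])}


if __name__ == "__main__":
    for repo_id, findings in audit_list_response(SAMPLE_LIST_RESPONSE).items():
        print(repo_id, findings or ["ok"])
```

Run against the constructed sample, DS_c gets a single finding (the issuerUri is still the documentation placeholder), while DS_example is flagged for the missing admin group, the duplicated RL_SSPADM mapping and the group named by display name instead of object ID. The roles_by_group summary is also the quickest way to answer "which IdP groups grant RL_SSPADM or RL_DEVADM" across all repositories.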
Get SCIM Federated User Repository
GET /User/Repository/ScimFed/{uid}
Sample Response
{
"schemas": ["urn:hid:scim:api:idp:2.0:User:Repository"],
"id": "DS_a",
"meta": {
"resourceType": "UserRepository",
"location": "https://[base-server-url]/configuration/ONLINEBANK/v2/User/Repository/ScimFed/DS_a",
"version": "1"
},
"name": "scim fed AAD",
"type": "SCIM_FED_AD",
"adminGroupAssignment": {
"type": "Group",
"value": "USG_FTEMP",
"$ref": "https://[base-server-url]/scim/ONLINEBANK/v2/Groups/USG_FTEMP"
},
"roleAssignments": [
{
"roleId": "RL_AUDITV",
"mappingCriteria": {"groupMembership": "557bb2dc-290a-4c88-a288-720010f5d542"}
},
{
"roleId": "RL_DEVADM",
"mappingCriteria": {"groupMembership": "cb383a5c-0738-485c-a610-c5b3fa5025ca"}
}
],
"provisioningAgentCredential": {
"type": "User",
"value": "123",
"$ref": "https://[base-server-url]/scim/ONLINEBANK/v2/Users/123"
},
"userAuthenticationEndpoint": {
"issuerUri": "<url of your Microsoft Azure AD or ADFS Oauth2 provider>",
"clientId": "7b88e68a-ee84-4bdb-8a85-0449914ccf44"
},
"federatedAttributes": [
{
"type": "AttributeType",
"value": "ATR_EMAIL",
"$ref": "https://[base-server-url]/configuration/ONLINEBANK/v2/User/AttributeType/ATR_EMAIL"
},
{
"type": "AttributeType",
"value": "LASTNAME",
"$ref": "https://[base-server-url]/configuration/ONLINEBANK/v2/User/AttributeType/LASTNAME"
},
{
"type": "AttributeType",
"value": "ATR_MOBILE",
"$ref": "https://[base-server-url]/configuration/ONLINEBANK/v2/User/AttributeType/ATR_MOBILE"
},
{
"type": "AttributeType",
"value": "FIRSTNAME",
"$ref": "https://[base-server-url]/configuration/ONLINEBANK/v2/User/AttributeType/FIRSTNAME"
}
]
}
Create SCIM Federated User Repository
POST /User/Repository/ScimFed
Sample Request
{
"schemas": ["urn:hid:scim:api:idp:2.0:User:Repository"],
"id": "DS_aad1",
"name": "scim fed AAD",
"type": "SCIM_FED_AD",
"adminGroupAssignment": {
"value": "USG_FTEMP"
},
"provisioningAgentCredential": {
"value": "123"
},
"userAuthenticationEndpoint": {
"issuerUri": "<url of your Microsoft Azure AD or ADFS Oauth2 provider>",
"clientId": "HIDauthnService"
},
"roleAssignments": [
{
"roleId": "RL_AUDITV",
"mappingCriteria": {
"groupMembership": "475f23fa-ad47-4ca9-b535-9792c9494daa"
}
},
{
"roleId": "RL_DEVADM",
"mappingCriteria": {
"groupMembership": "b94f8737-0885-4193-b91e-6249974d9df3"
}
}
],
"federatedAttributes": [ {
"value": "LASTNAME"
}, {
"value": "FIRSTNAME"
}, {
"value": "ATR_MOBILE"
}, {
"value": "ATR_EMAIL"
}]
}
Sample Response
{
"schemas": ["urn:hid:scim:api:idp:2.0:User:Repository"],
"id": "DS_aad1",
"meta": {
"resourceType": "UserRepository",
"location": "https://[base-server-url]/configuration/tenant/v2/User/Repository/ScimFed/DS_aad1",
"version": "1"
},
"name": "scim fed AAD",
"type": "SCIM_FED_AD",
"adminGroupAssignment": {
"type": "Group",
"value": "USG_FTEMP",
"$ref": "https://[base-server-url]/configuration/tenant/v2/Groups/USG_FTEMP"
},
"roleAssignments": [
{
"roleId": "RL_AUDITV",
"mappingCriteria": {"groupMembership": "475f23fa-ad47-4ca9-b535-9792c9494daa"}
},
{
"roleId": "RL_DEVADM",
"mappingCriteria": {"groupMembership": "b94f8737-0885-4193-b91e-6249974d9df3"}
}
],
"provisioningAgentCredential": {
"type": "User",
"value": "123",
"$ref": "https://[base-server-url]/configuration/tenant/v2/Users/123"
},
"userAuthenticationEndpoint": {
"issuerUri": "<url of your Microsoft Azure AD or ADFS Oauth2 provider>",
"clientId": "HIDauthnService"
},
"federatedAttributes": [
{
"type": "AttributeType",
"value": "ATR_EMAIL",
"$ref": "https://[base-server-url]/configuration/tenant/v2/User/AttributeType/ATR_EMAIL"
},
{
"type": "AttributeType",
"value": "LASTNAME",
"$ref": "https://[base-server-url]/configuration/tenant/v2/User/AttributeType/LASTNAME"
},
{
"type": "AttributeType",
"value": "FIRSTNAME",
"$ref": "https://[base-server-url]/configuration/tenant/v2/User/AttributeType/FIRSTNAME"
},
{
"type": "AttributeType",
"value": "ATR_MOBILE",
"$ref": "https://[base-server-url]/configuration/tenant/v2/User/AttributeType/ATR_MOBILE"
}
]
}
Update SCIM Federated User Repository
PUT /User/Repository/ScimFed/{uid}
Sample Request
{
"roleAssignments": [
{
"roleId": "RL_AUDITV",
"mappingCriteria": {"groupMembership": "557bb2dc-290a-4c88-a288-720010f5d542"}
},
{
"roleId": "RL_DEVADM",
"mappingCriteria": {"groupMembership": "cb383a5c-0738-485c-a610-c5b3fa5025ca"}
},
{
"roleId": "RL_SSPADM",
"mappingCriteria": {"groupMembership": "cb383a5c-0738-485c-a610-c5b3fa5025ca"}
},
{
"roleId": "RL_SSPADM",
"mappingCriteria": {"groupMembership": "557bb2dc-290a-4c88-a288-720010f5d542"}
}
],
"provisioningAgentCredential": {
"value": "122"
},
"userAuthenticationEndpoint": {
"issuerUri": "<url of your Microsoft Azure AD or ADFS Oauth2 provider>",
"clientId": "2a18e6ca-08ja-p2e3-8a85-0evy14ccfea4"
},
"federatedAttributes": [
{
"type": "AttributeType",
"value": "FIRSTNAME"
},
{
"type": "AttributeType",
"value": "LASTNAME"
}]}
Sample Response
{
"schemas": ["urn:hid:scim:api:idp:2.0:User:Repository"],
"id": "DS_a",
"meta": {
"resourceType": "UserRepository",
"location": "https://[base-server-url]/configuration/ONLINEBANK/v2/User/Repository/ScimFed/DS_a",
"version": "1"
},
"name": "scim fed AAD",
"type": "SCIM_FED_AD",
"adminGroupAssignment": {
"type": "Group",
"value": "USG_FTEMP",
"$ref": "https://[base-server-url]/scim/ONLINEBANK/v2/Groups/USG_FTEMP"
},
"roleAssignments": [
{
"roleId": "RL_AUDITV",
"mappingCriteria": {"groupMembership": "557bb2dc-290a-4c88-a288-720010f5d542"}
},
{
"roleId": "RL_DEVADM",
"mappingCriteria": {"groupMembership": "cb383a5c-0738-485c-a610-c5b3fa5025ca"}
},
{
"roleId": "RL_SSPADM",
"mappingCriteria": {"groupMembership": "cb383a5c-0738-485c-a610-c5b3fa5025ca"}
},
{
"roleId": "RL_SSPADM",
"mappingCriteria": {"groupMembership": "557bb2dc-290a-4c88-a288-720010f5d542"}
}
],
"provisioningAgentCredential": {
"type": "User",
"value": "122",
"$ref": "https://[base-server-url]/scim/ONLINEBANK/v2/Users/122"
},
"userAuthenticationEndpoint": {
"issuerUri": "<url of your Microsoft Azure AD or ADFS Oauth2 provider>",
"clientId": "2a18e6ca-08ja-p2e3-8a85-0evy14ccfea4"
},
"federatedAttributes": [
{
"type": "AttributeType",
"value": "LASTNAME",
"$ref": "https://[base-server-url]/configuration/ONLINEBANK/v2/User/AttributeType/LASTNAME"
},
{
"type": "AttributeType",
"value": "FIRSTNAME",
"$ref": "https://[base-server-url]/configuration/ONLINEBANK/v2/User/AttributeType/FIRSTNAME"
}
]
}
Delete SCIM Federated User Repository
DELETE /User/Repository/ScimFed/{uid}
- If there are no users or groups bound to it, the datasource is deleted directly and the sessions for the provisioning agent are removed.
- If the datasource does have bound users and groups, it is marked "to be deleted" and, as a background process:
  - SearchUsers is called to find all users provisioned by the datasource and they are deleted (progressively, to avoid impacting the service).
  - When all the users are deleted, the security groups bound to this datasource are deleted.
  - Then the datasource itself is deleted.
- You can no longer provision users with the associated provisioning agent.
- All authentications are blocked for the users provisioned with this datasource and return the failure response 'REASON_USER_REPO_DELETED':
Sample Response
HTTP/1.1 400 Bad Request
{
"hid_failure": {
"reason": 60,
"authType": "AT_LDAP"
},
"error_description": "Invalid grant: Resource owner username or password is invalid (User repository is deleted):Resource owner username or password is invalid",
"error": "invalid_grant"
}
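Once a repository has been deleted, every login from a user it provisioned fails with the response above, so a run of these failures after a deletion tells an operator which clients are still sending logins for a removed repository. The following is an added example, not HID's code: it scans constructed log lines of the form "timestamp caller json-body" (the caller field and the log format are hypothetical) and counts REASON_USER_REPO_DELETED failures per caller. The classification keys on the fields the page's sample shows for this failure, error "invalid_grant", hid_failure.reason 60 and an error_description containing "User repository is deleted"; treating reason 60 as the code for this failure is taken from that sample alone.

```python
"""Count token-endpoint failures caused by a deleted user repository.

Added example (not HID's code). Detection is based on the page's sample
REASON_USER_REPO_DELETED response: HTTP 400 with error "invalid_grant",
hid_failure.reason 60 and "User repository is deleted" in error_description.
Log format (timestamp, caller, JSON body) and the caller names are constructed.
"""
import json
from collections import Counter

USER_REPO_DELETED_REASON = 60  # hid_failure.reason in the page's sample response
DELETED_MARKER = "User repository is deleted"

# Constructed sample log: three deleted-repository failures, one ordinary bad
# password and one unparsable line.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z app-portal {"hid_failure": {"reason": 60, "authType": "AT_LDAP"}, "error_description": "Invalid grant: Resource owner username or password is invalid (User repository is deleted):Resource owner username or password is invalid", "error": "invalid_grant"}
2024-05-01T08:00:02Z app-portal {"error_description": "Invalid grant: Resource owner username or password is invalid", "error": "invalid_grant"}
2024-05-01T08:00:03Z batch-job {"hid_failure": {"reason": 60, "authType": "AT_LDAP"}, "error_description": "Invalid grant: Resource owner username or password is invalid (User repository is deleted)", "error": "invalid_grant"}
2024-05-01T08:00:04Z app-portal not-json
2024-05-01T08:00:05Z app-portal {"hid_failure": {"reason": 60, "authType": "AT_LDAP"}, "error_description": "Invalid grant: Resource owner username or password is invalid (User repository is deleted)", "error": "invalid_grant"}
"""


def is_user_repo_deleted(body: dict) -> bool:
    """True when a failure body matches the page's REASON_USER_REPO_DELETED sample."""
    if body.get("error") != "invalid_grant":
        return False
    reason = body.get("hid_failure", {}).get("reason")
    description = body.get("error_description", "")
    return reason == USER_REPO_DELETED_REASON or DELETED_MARKER in description


def parse_line(line: str):
    """Split 'timestamp caller json'; return (timestamp, caller, body) or None."""
    parts = line.strip().split(" ", 2)
    if len(parts) != 3:
        return None
    timestamp, caller, raw = parts
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(body, dict):
        return None
    return timestamp, caller, body


def deleted_repo_failures(log_text: str) -> Counter:
    """Count REASON_USER_REPO_DELETED failures per caller; unparsable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and is_user_repo_deleted(parsed[2]):
            counts[parsed[1]] += 1
    return counts


if __name__ == "__main__":
    for caller, count in deleted_repo_failures(SAMPLE_LOG).most_common():
        print(f"{caller}: {count} login(s) against a deleted repository")
```

The ordinary bad-password failure on the second line shares the same error and the first half of the same error_description, which is why the check requires either the numeric reason or the "(User repository is deleted)" marker rather than matching on "invalid_grant" alone.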
Test Connection
POST /User/Repository/ScimFed/{uid}
Sample Request
POST /configuration/{tenant}/v2/User/Repository/ScimFed/DS_a
{
"urn:hid:scim:api:idp:2.0:Action": {
"action": "TEST-CONNECTION"
}
}
Sample Response
{
"schemas": ["urn:hid:scim:api:idp:2.0:Action"],
"attributes": [
{
"name": "CONNECTION_SUCCESS",
"value": "true"
},
{
"name": "AUTHENTICATION_SUCCESS",
"value": "true"
}
]
}
Error Codes
Function | Use Case | HTTP Error | Error code |
---|---|---|---|
 | Using a session that does not match any provisioning agent. | 500 | 9009 - There is no datasource with matching provisioningAgent. |
 | Using a session that does not match any provisioning agent, on a group that is bound to a datasource. | 400 | 9009 - There is no datasource with matching provisioningAgent. |
 | Not using the provisioning agent that provisioned the user. | 400 | 9011 - User is bound to a datasource that does not match this session. Use the provisioning agent from the dedicated datasource. |
 | Not using the provisioning agent that provisioned the security group. | 400 | 9012 - Security Group is bound to a datasource that does not match this session. Use the provisioning agent from the dedicated datasource. |
 | Using a provisioning agent on a security group that is not bound to a datasource (that is, a security group not created by a provisioning agent). | 400 | 9013 - Security Group is not bound to a datasource. |
 | Adding a non-SCIM_FED user into a group bound to a datasource, using the provisioning agent for this datasource. | 400 | 9014 - Cannot add a non-SCIM_FED User into a security group bound to a datasource. |