SCIM is an open standard for Identity Provisioning. In simple words SCIM is designed to create, maintain (read,update) and deactivate (delete) user accounts and related identities which reside in one or more systems/applications.
In this blog post, I'm going to explain a tricky way to modify the userName claim. Why I said a tricky way is because you will not be able to simply update it via a curl command as userName claim in carbon user stores is immutable. If you have ever tried updating the userName claim, you might have ended up with an error like this.
{"Errors":[{"description":"User name is immutable in carbon user store.","code":"500"}]}
In order to test this, start a WSO2 IS (tested with IS 4.5.0) connected to Active Directory as back-end data store. (You can do it by modifying the user-mgt.xml to connect to a AD instance.)
And then go to Configure --> Claim Management and select urn:scim:schemas:core:1.0
Now we have to map the SCIM claims to the existing attributes of the Active Directory. Because when we add a user via SCIM, apart from the userName SCIM claim there are four other SCIM attributes that is being added behind the scene.
( Make sure that you map String type attributes from the AD with the SCIM claims. You can find the AD attributes here. )
( Make sure that you map String type attributes from the AD with the SCIM claims. You can find the AD attributes here. )
CLAIM URI | AD Attribute |
urn:scim:schemas:core:1.0:userName | |
urn:scim:schemas:core:1.0:meta.location | streetAddress |
urn:scim:schemas:core:1.0:meta.created | homePhone |
urn:scim:schemas:core:1.0:meta.lastModified | pager |
urn:scim:schemas:core:1.0:id | homePostalAddress |
Apart from the above mapping add the following mappings as well. (This is for better explanation of this post.)
CLAIM URI | AD Attribute |
urn:scim:schemas:core:1.0:name.givenName | givenName |
urn:scim:schemas:core:1.0:name.familyName | company |
First of all let's Create a user via SCIM.
curl -v -k --user username:password --data "{"schemas":[],"name":{"familyName":"Madurapperuma", "givenName":"Tani"},"userName":"tanya@wso2.com","password":"testing123@"}" --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users
You will get a response payload as follows.
{"id":"5c05a64c-4f9b-44c7-9092-27cd4dc15640","schemas":["urn:scim:schemas:core:1.0"],"name":{"familyName":"Madurapperuma","givenName":"Tani"},"userName":"tanya@wso2.com","meta":{"lastModified":"2013-10-20T09:47:35","location":"https://localhost:9443/wso2/scim/Users/5c05a64c-4f9b-44c7-9092-27cd4dc15640","created":"2013-10-20T09:47:35"}}
As I have mentioned above, you will not be able to update the userName SCIM claim after the creation of the user since the userName claim is immutable in carbon user store.
So with this tricky method you will be able to modify it.
Map the AD attribute that you have mapped to the userName claim to another SCIM claim and try modifying the newly mapped claim.
In our case we have mapped AD attribute "mail" to SCIM claim "userName". So we will map it to SCIM claim "Emails" as well.
Now we have the following additional mapping as well.
As I have mentioned above, you will not be able to update the userName SCIM claim after the creation of the user since the userName claim is immutable in carbon user store.
So with this tricky method you will be able to modify it.
Map the AD attribute that you have mapped to the userName claim to another SCIM claim and try modifying the newly mapped claim.
In our case we have mapped AD attribute "mail" to SCIM claim "userName". So we will map it to SCIM claim "Emails" as well.
Now we have the following additional mapping as well.
CLAIM URI |
AD Attribute
|
urn:scim:schemas:core:1.0:emails |
mail
|
Now let's try updating SCIM claim "emails".
curl -v -k --user username:password -X PUT -d "{"schemas":[],"userName":"tanya@wso2.com", "emails":"tani@wso2.com"}" --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users/5c05a64c-4f9b-44c7-9092-27cd4dc15640
At this point, you might be worrying that it did not work seeing the response payload. Wait !!! The response payload that I got is as follows.
{"id":"5c05a64c-4f9b-44c7-9092-27cd4dc15640","schemas":["urn:scim:schemas:core:1.0"],"userName":"tanya@wso2.com","emails":"tani@wso2.com","meta":{"lastModified":"2013-10-20T09:54:20","location":"https://localhost:9443/wso2/scim/Users/5c05a64c-4f9b-44c7-9092-27cd4dc15640","created":"2013-10-20T09:47:35"}}
So hasn't the trick worked ?
Let's get the updated user and see what has happenned.
curl -v -k --user username:password https://localhost:9443/wso2/scim/Users/5c05a64c-4f9b-44c7-9092-27cd4dc15640
Response payload is as follows.
{"id":"5c05a64c-4f9b-44c7-9092-27cd4dc15640","schemas":["urn:scim:schemas:core:1.0"],"name":{"familyName":"Madurapperuma","givenName":"Tani"},"userName":"tani@wso2.com","emails":["tani@wso2.com"],"phoneNumbers":[{"value":"2013-10-01T09:54:20","type":"pager"},{"value":"2013-10-01T09:47:35","type":"home"}],"addresses":[{"value":"https://localhost:9443/wso2/scim/Users/5c05a64c-4f9b-44c7-9092-27cd4dc15640","type":"streetAddress"}],"meta":{"lastModified":"2013-10-20T09:54:20","created":"2013-10-20T09:47:35","location":"https://localhost:9443/wso2/scim/Users/5c05a64c-4f9b-44c7-9092-27cd4dc15640"}}
No more worries :) It has worked. You may notice that it is the same user that we created a while ago. See the familyName and the giveName values if you are not sure.
So in summing up, all you have to do is just map the AD attribute that you mapped to SCIM claim userName to another AD attribute that is mutable.
Acknlowlegement
Hi Tanya,
ReplyDeleteFollowing your approach I'm able to update the username of a given user. Getting the user with SCIM I can see the updated username.
However if I go to the Identity Server admin console users are still listed with their old usernames. Also, I can not create a new user with a previous username (the username that was replaced) using SCIM (I get an error saying that the username already exists).
Any help is welcome. My requirement is to have emails as usernames but being able to change the email/username later.
Thanks!
Hi,
DeleteSorry for the late reply. With which version of IS did you tried? This is tested with IS 4.5.0 and since this is a tricky way, in new versions this might have been fixed.
Thanks.
Hello Tanya
DeleteI am using WSO2 5.11.0 version. What steps need to follow for this same issue>