This topic describes how to use the System for Cross-domain Identity Management (SCIM) protocol to provision accounts from Alibaba Cloud IDaaS (EIAM). The standard SCIM interface lets you efficiently synchronize user and organization data to third-party applications. This process simplifies identity management and improves operational efficiency. This topic covers the configuration steps, API calls, and important notes to help you quickly integrate identity information across systems.
Notes
Because the SCIM specification does not support organization synchronization, IDaaS (EIAM) cannot synchronize organizations to downstream applications.
IDaaS (EIAM) supports the synchronization of both groups and accounts. However, the ability to synchronize them to a downstream application depends on that application's integration capabilities. For example, Alibaba Cloud RAM supports only account synchronization, whereas Alibaba Cloud CloudSSO supports both account and group synchronization.
RAM is not case-sensitive. To prevent conflicts when you synchronize accounts to RAM or CloudSSO using SCIM, the values of account fields are converted to lowercase before synchronization.
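The lowercase conversion described above can make two distinct source accounts resolve to the same downstream identity. The following pre-sync check is an added example, not Alibaba Cloud code. It assumes the lowercased field is the SCIM `userName` (the page says only "account fields"); the record shape, the `plan_sync` helper and the sample data are hypothetical.

```python
from collections import defaultdict

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643

# Constructed sample data: source accounts and what already exists downstream.
SOURCE = [
    {"id": "u-001", "userName": "Alice.Wang"},
    {"id": "u-002", "userName": "alice.wang"},   # same name after lowercasing
    {"id": "u-003", "userName": "Bob"},
    {"id": "u-004", "userName": "Admin"},        # name already taken downstream
    {"id": "u-005", "userName": "carol"},        # already linked to this account
]
DOWNSTREAM = {"admin": None, "carol": "u-005"}   # userName -> externalId

def plan_sync(accounts, downstream):
    """Return (payloads, collisions, name_clashes) for a planned SCIM push.

    collisions:   lowercased userName shared by several source accounts
    name_clashes: lowercased userName that exists downstream but is not
                  linked (by externalId) to the source account being pushed
    """
    by_name = defaultdict(list)
    for acct in accounts:
        by_name[acct["userName"].lower()].append(acct["id"])

    existing = {name.lower(): ext for name, ext in downstream.items()}
    payloads, collisions, name_clashes = [], {}, {}
    for name, ids in sorted(by_name.items()):
        if len(ids) > 1:
            collisions[name] = ids            # hold back: ambiguous identity
        elif name in existing and existing[name] != ids[0]:
            name_clashes[name] = ids[0]       # hold back: would reuse a foreign name
        else:
            payloads.append({
                "schemas": [SCIM_USER_SCHEMA],
                "externalId": ids[0],
                "userName": name,
                "active": True,
            })
    return payloads, collisions, name_clashes

if __name__ == "__main__":
    users, dupes, clashes = plan_sync(SOURCE, DOWNSTREAM)
    print("push:", [u["userName"] for u in users])
    print("case collisions:", dupes)
    print("downstream name clashes:", clashes)
```

Held-back entries are worth reviewing by hand before a full push, particularly for targets that overwrite on identical names.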
Configuration method
On the Application Management tab, under Account Synchronization, select the SCIM protocol as the synchronization method. This lets you synchronize accounts to applications that support the SCIM protocol.
To configure SCIM synchronization, you must perform configurations in both IDaaS and the target application. For example, to synchronize accounts to Alibaba Cloud Resource Access Management (RAM) or CloudSSO, refer to the documentation for those applications and this topic. If you want to synchronize accounts to a different application, find the SCIM synchronization guide for that application and use it in conjunction with this topic.
Application | Document |
Alibaba Cloud CloudSSO |
The process for configuring SCIM synchronization is similar to configuring event-based callbacks. First, specify the synchronization scope, and then configure the SCIM client parameters.

The following table describes the parameters.
Parameter | Description |
Outbound IP | Add the IDaaS outbound IP addresses to the allowlist in your security settings. This ensures that IDaaS requests can reach the recipient. |
SCIM Base URL | Enter the address of the client that receives SCIM synchronization requests. For example, the SCIM Base URL for Alibaba Cloud RAM is fixed at: https://scim.aliyun.com. |
Authorization | Different SCIM clients may require different authorization methods. IDaaS supports OAuth Client Mode and Key Mode. Configure this parameter based on your client's requirements. For example, Alibaba Cloud RAM supports OAuth Client Mode to authorize SCIM requests, as shown in the following figure:
|
Operations to Invoke | Subscribe to specific change events to receive instant push notifications. When a subscribed change occurs in IDaaS, a synchronization is automatically triggered to update the application. Note: The selected operations apply to both incremental and full synchronization. |
Full Push Scope | When you perform a full push (full synchronization), only data of the selected types within the application's synchronization scope is pushed to the downstream application. For example, you can choose to push only account data. Note: This scope applies only to full synchronization, not incremental synchronization. |
Field Mapping | Displays and lets you edit the field mappings for the SCIM synchronization process.
|
After you save the configuration, click Test Connectivity to verify that the configuration is correct.
If needed, you can use the one-click push feature to synchronize all accounts within the scope to the application at once.
IDaaS (EIAM) SCIM support status
Platform | SCIM support | Supports retrieving existing users | Supports modifying existing users | Existing users successfully associated |
Alibaba Cloud RAM | Supported | Supported | Not supported | Not supported |
Alibaba Cloud CloudSSO | Supported | Not supported | Not supported | Supported (Implicitly supported through the CloudSSO overwrite logic for identical names) |
Huawei Cloud IAM | Not supported | | | |
Huawei Cloud IAM Identity Center | Supported | Supported | Supported | Supported |
Tencent Cloud CAM | Not supported | | | |
Tencent Cloud Group Management | Supported | Supported | Supported | Supported (Username cannot be changed) |
Volcengine IAM | Not supported | | | |
Volcengine Cloud Identity Center | Supported | Not supported | Not supported | Not supported |
AWS/International Site IAM | Not supported | | | |
AWS/International Site IAM Identity Center | Supported | Supported | Supported | Supported |



