Synchronize users from your on-premises identity systems to RAM through the SCIM protocol, secured by OAuth 2.0 authorization.
Prerequisites
We recommend that a RAM administrator or a RAM user with OAuth management permissions perform the operations in this topic.
Overview
-
SCIM (System for Cross-domain Identity Management) standardizes identity management across cloud applications. SCIM 2.0 uses an object model where all objects inherit from Resource with
id,externalId, andmetaattributes. RFC 7643 extends these with User, Group, and EnterpriseUser. This topic uses the User resource. -
OAuth (Open Authorization) lets third-party applications access user resources without exposing credentials. Alibaba Cloud supports three types of OAuth applications: Web Application, Native Application, and Server Application. Both Web Application and Native Application use 3-legged OAuth, whereas a Server Application uses 2-legged OAuth. SCIM uses 2-legged OAuth for client-to-API communication, as defined in the OAuth 2.0 specification. Overview of OAuth applications.
-
Alibaba Cloud SCIM endpoint:
https://scim.aliyun.com. -
Alibaba Cloud OAuth endpoint for obtaining an
access_token:https://oauth.aliyun.com/v1/token.
Step 1: Create and authorize an OAuth application
-
Log on to the RAM console by using your Alibaba Cloud account.
-
In the left-side navigation pane, click OAuth (Preview).
-
On the Enterprise Applications tab, click Create Application.
For Application Type, select Server Application. Create an application.
After creation, obtain the
client_idfrom the application details page. -
Click the application name. On the OAuth Scope tab, click Add OAuth Scopes.
For OAuth Scope, select /acs/scim. Manage OAuth scopes.
-
Authorize the OAuth application.
-
On the OAuth Scope tab, click Grants.
-
On the Third-party Application Authorization page, select Alibaba Cloud Cross-domain Identity Management Service and then click Grants.
-
-
On the App Secrets tab, click Create Secret to create an application secret.
ImportantThe AppSecretValue is displayed only once during creation and cannot be retrieved. Save it securely.
Step 2: Synchronize user data
You can synchronize user data through a client such as One Identity, or directly through SCIM APIs.
-
Client: Configure SCIM settings in a client such as One Identity to synchronize user data. One Identity documentation.
-
SCIM API: Map on-premises users to RAM users. You can create, delete, query, and update the following RAM user attributes.
-
id: The ID of the RAM user, globally unique and server-generated. -
externalId: A client-specified unique ID that associates a RAM user with a user in your on-premises system.NoteRAM users created on the console do not have the
externalIdattribute. -
userName: A client-specified unique name for each user. -
displayName: The display name of the RAM user, as specified by the client.
-
To synchronize user data using SCIM APIs:
-
Obtain the ID (client_id) and the secret value (AppSecretValue) of the authorized server application.
-
client_id: The application ID. You can obtain the ID from Step 1: Create and authorize an OAuth application.
-
AppSecretValue: The application secret. You can obtain it from Step 1: Create and authorize an OAuth application.
-
-
To obtain an
access_token, send a request containing theclient_idandAppSecretValuetohttps://oauth.aliyun.com/v1/token.The Authorization header must use the format
"Authorization: Basic Base64Encode(client_id:AppSecretValue)". For example, if client_id=cid and AppSecretValue=123456, the Authorization header must be"Authorization: Basic Y2lkOjEyMzQ1Ng==".Sample request:
curl --location --request POST --header "Authorization: Basic Y2lkOjEyMzQ1Ng==" https://oauth.aliyun.com/v1/token?grant_type=client_credentials&client_id=463790568674183****Sample response:
{ "scope": "/acs/scim", "request_id": "8dc768e0-d6fe-4f52-a788-05631dd6c584", "access_token": "eyJ***hKg", "token_type": "Bearer", "expires_in": "3599" } -
Query for the
ResourceTypeandSchemavalues that Alibaba Cloud SCIM supports.To query the supported
ResourceType:curl --location --request GET 'https://scim.aliyun.com/ResourceTypes'To query the supported
Schema:curl --location --request GET 'https://scim.aliyun.com/Schemas' -
Create, query, update, and delete RAM users.
-
Create a RAM user.
Specify the userName, displayName, and externalId that map to the user in your on-premises system.
Sample request:
curl --location --request POST 'https://scim.aliyun.com/Users' \ --header 'Authorization: Bearer eyJ***hKg' \ --header 'Content-Type: application/json' \ --data-raw '{ "displayName": "j2gg0s_****", "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ], "externalId": "6e74eec4-ddb5-4e74-bd12-5e7b99b2****", "userName": "j2gg0screatedbyscim_exa****" }'Sample response:
{ "displayName": "j2gg0s_****", "meta": { "created": "2020-02-14T03:58:59Z", "location": "https://scim.aliyun.com/Users/27648498165273****", "lastModified": "2020-02-14T03:58:59Z", "resourceType": "User" }, "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ], "externalId": "6e74eec4-ddb5-4e74-bd12-5e7b99b2****", "id": "27648498165273****", "userName": "j2gg0screatedbyscim_exa****" } -
Query a specific RAM user.
-
Use
GET /Users/{id}to query a RAM user byid. -
Use
GET /Users?filter=externalId eq xxxto query a RAM user byexternalId. -
Use
GET /Users?filter=userName eq xxxto query a RAM user byuserName.Sample request:
curl --location --request GET 'https://scim.aliyun.com/Users?filter=userName%20eq%20%22j2gg0screatedbyscim****%22' \ --header 'Authorization: Bearer eyJ***hKg'Sample response:
{ "startIndex": 1, "totalResults": 1, "itemsPerPage": 30, "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ], "Resources": [ { "displayName": "j2gg0screatedbyscim****", "meta": { "created": "2019-12-11T01:53:19Z", "location": "https://scim.aliyun.com/Users/27769827602919****", "lastModified": "2019-12-11T02:10:39Z", "resourceType": "User" }, "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ], "externalId": "6e74eec4-ddb5-4e74-bd12-5e7b99b2****", "id": "27769827602919****", "userName": "j2gg0screatedbyscim****" } ] }NoteFor SCIM filters, Alibaba Cloud supports only
andandeqoperations on theid,userName, andexternalIdattributes.
-
-
Update RAM user attributes.
Sample request:
curl --location --request PUT 'https://scim.aliyun.com/Users/27648498165273****' \ --header 'Authorization: Bearer eyJ***hKg' \ --header 'Content-Type: application/json' \ --data-raw '{ "displayName": "j2gg0s_new_****", "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ], "externalId": "6e74eec4-ddb5-4e74-bd12-5e7b99b2****", "userName": "j2gg0screatedbyscim_new_exa****" }'Sample response:
{ "displayName": "j2gg0s_new_****", "meta": { "created": "2020-02-14T03:58:59Z", "location": "https://scim.aliyun.com/Users/27648498165273****", "lastModified": "2020-02-14T04:03:55Z", "resourceType": "User" }, "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ], "externalId": "6e74eec4-ddb5-4e74-bd12-5e7b99b2****", "id": "27648498165273****", "userName": "j2gg0screatedbyscim_new_exa****"} -
Delete a RAM user.
Sample request:
curl --location --request DELETE 'https://scim.aliyun.com/Users/27648498165273****' \ --header 'Authorization: Bearer eyJ***hKg' \ --header 'Content-Type: application/json'An HTTP 204 status code confirms a successful deletion.
NoteAlibaba Cloud does not support soft delete. Map any soft delete operations to hard delete before synchronizing data.
-