System for Cross-domain Identity Management (SCIM)

Liferay DXP 2024.Q1+ Release Feature

System for Cross-domain Identity Management or SCIM, is an open standard that automates user provisioning. In other words, it’s a standard way to create, update, and deactivate user identities. SCIM provides a unified, RFC-compliant way to keep user/group data in sync between different applications. It consists of

Important

SCIM was released behind a beta feature flag in Liferay DXP 2024.Q1. Starting Liferay DXP 2024.Q4, it is available under a release feature flag (LPS-96845).

Using SCIM, you can automate the exchange of user identity information between your company’s applications and service providers like Liferay securely. This is useful if your company uses multiple applications and wants to keep user data in sync without custom implementations.

Registering a SCIM Client

  1. Open the Global Menu (Global Menu) and navigate to Control PanelInstance SettingsSecuritySCIM.

  2. Enter a name in the OAuth 2 Application Name field.

    The name entered here is used to generate the SCIM client ID. This ID links users and groups with the SCIM client. If your SCIM client name is Test SCIM Client, the generated SCIM client ID is SCIM_test-scim-client.

  3. Set the Matcher Field to userName or email.

    The SCIM client uses this field to match the user data in the service provider and the connected application. This avoids issues with provisioning and prevents data duplication.

    Enter a name and set the matcher field for the new SCIM client.

  4. The Access Token field is empty at first. Click Generate and click OK to populate the field with an access token. An access token expires after 1 year unless revoked. If this is not the first time you’re generating an access token, it overwrites the existing token, but it remains valid for at most 10 more days. You can use this grace period to configure the new token in the client application.

    You can invoke the SCIM APIs by setting the access token in the Authorization request header. To revoke all access tokens, click Revoke and click OK.

  5. Click Save.

Note

A scheduler runs daily to retrieve all OAuth 2 applications that start with the SCIM_ prefix. If the access token’s expiry is within 30 days, 10 days, or 1 day, all administrators are notified in Liferay. A warning message also appears in the above page, instructing administrators to generate a new token before the expiry date.

Resetting a SCIM Client

Liferay DXP 2024.Q4+ Beta Feature

To register a new SCIM client, you must reset the existing one to remove the SCIM client data and generated OAuth 2 token.

  1. Open the Global Menu (Global Menu) and navigate to Control PanelInstance SettingsSecuritySCIM.

  2. Click Reset and then click OK.

This clears the following fields: Access Token, Matcher Field, and OAuth 2 Application Name. It also deletes the OAuth 2 application associated with the SCIM client.

Capabilities

Product

Contact Us

Connect

Powered by Liferay
© 2024 Liferay Inc. All Rights Reserved • Privacy Policy