
System for Cross-domain Identity Management (SCIM)

Liferay DXP 2024.Q1+ Beta Feature

System for Cross-domain Identity Management, or SCIM, is an open standard that automates user provisioning. In other words, it is a standard way to create, update, and deactivate user identities. SCIM provides a unified, RFC-compliant way to keep user and group data in sync between different applications. It consists of

Important

This feature is currently behind a beta feature flag.

Using SCIM, you can securely automate the exchange of user identity information between your company's applications and service providers such as Liferay. This is useful if your company uses multiple applications and wants to keep user data in sync without custom implementations.

Registering a SCIM Client

  1. Open the Global Menu and navigate to Control Panel → Instance Settings → Security → SCIM.

  2. Enter a name in the OAuth 2 Application Name field.

    The name entered here is used to generate the SCIM client ID. This ID links users and groups with the SCIM client. If your SCIM client name is Test SCIM Client, the generated SCIM client ID is SCIM_test-scim-client.

  3. Set the Matcher Field to userName or email.

    The SCIM client uses this field to match the user data in the service provider and the connected application. This avoids issues with provisioning and prevents data duplication.

    Enter a name and set the matcher field for the new SCIM client.

  4. The Access Token field is empty at first. Click Generate and click OK to populate the field with an access token. An access token expires after 1 year unless revoked. If this is not the first time you're generating an access token, the new token overwrites the existing one, but the old token remains valid for 10 more days. You can use this grace period to configure the new token in the client application.

    You can invoke the SCIM APIs by setting the access token in the Authorization request header. To revoke all access tokens, click Revoke and click OK.

  5. Click Save.

Note

A scheduler runs daily to retrieve all OAuth 2 applications whose name starts with the SCIM_ prefix. If an access token is due to expire in 30 days, 7 days, or 1 day, all administrators are notified in Liferay and by email.
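To make the token lifecycle described in the steps above concrete (one-year lifetime, a 10-day grace period for an overwritten token, revocation, and the 30/7/1-day expiry notices), here is an added Python model; it is example code written for this page, not part of Liferay. The SCIM client ID derivation is an assumption inferred from the single example in the text, and the ScimClient and Token classes are hypothetical names.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re

TOKEN_LIFETIME = timedelta(days=365)   # "expires after 1 year unless revoked"
GRACE_PERIOD = timedelta(days=10)      # overwritten token "remains valid for 10 more days"
NOTIFY_DAYS = (30, 7, 1)               # thresholds the daily scheduler reports on


def scim_client_id(app_name: str) -> str:
    """Derive the SCIM client ID from the OAuth 2 application name.

    Assumed rule (inferred from the page's one example, "Test SCIM Client"
    -> "SCIM_test-scim-client"): lowercase, runs of non-alphanumerics
    collapse to '-', prefix 'SCIM_'.
    """
    slug = re.sub(r"[^a-z0-9]+", "-", app_name.lower()).strip("-")
    return f"SCIM_{slug}"


@dataclass
class Token:
    issued: datetime
    expires: datetime
    revoked: bool = False

    def is_valid(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires


@dataclass
class ScimClient:
    tokens: list = field(default_factory=list)

    def generate(self, now: datetime) -> Token:
        """Issue a new token; any token still valid is cut down to the grace period."""
        for old in self.tokens:
            if old.is_valid(now):
                old.expires = min(old.expires, now + GRACE_PERIOD)
        new = Token(issued=now, expires=now + TOKEN_LIFETIME)
        self.tokens.append(new)
        return new

    def revoke_all(self) -> None:
        for t in self.tokens:
            t.revoked = True

    def expiry_notices(self, now: datetime) -> list:
        """Days-remaining values (30, 7 or 1) the daily check would flag today."""
        return sorted({(t.expires - now).days for t in self.tokens
                       if t.is_valid(now) and (t.expires - now).days in NOTIFY_DAYS},
                      reverse=True)
```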

Linking a User to a SCIM Client

  1. Open the Global Menu and navigate to Control Panel → Users and Organizations.

  2. Select a user from the Users tab.

  3. Scroll down to the CUSTOM FIELDS section and enter the SCIM client ID in the Scimclientid field.

    Enter the SCIM client ID to link the user to the SCIM client.

  4. Click Save.

Linking a User Group to a SCIM Client

  1. Open the Global Menu and navigate to Control Panel → User Groups.

  2. Select a user group, click Actions, and select Edit.

  3. Enter the SCIM client ID in the Scimclientid field.

    Enter the SCIM client ID to link the user group to the SCIM client.

  4. Click Save.
