SCIM Introduction
This section refers to SCIM 2.0 integration with Horizon, used to provision users and groups in Horizon.
Description
SCIM (System for Cross-domain Identity Management) is an open standard protocol for automating the exchange of user and group identity information between identity domains and Horizon. Users and groups are synchronized between the two systems with a rich but simple set of operations:
- GET
- POST
- PUT
- PATCH
- DELETE
The SCIM protocol is detailed in the following RFCs:
Horizon does not implement the full RFC; it supports the minimum subset of the RFC needed to ensure compatibility with Azure AD and Okta.
Prerequisites
Depending on your context, you need:
- An application that is compatible with SCIM 2.0.
- Users or groups configured in your identity manager for provisioning.
Authentication with Horizon
- A bearer token or Basic Auth credentials.
To build the bearer token, Base64-encode the string Login:Password.
Endpoint
SCIM 2.0 Base Url corresponds to: https://<horizonUrl>/security/scim/<scimProfileName>/
Limitations
Filters
List of operators supported for filtering:
- eq
- and
- ( )
- [ ]
List of attributes supported for filtering:
- userName
- displayName
Horizon keeps only one email address per SCIM user; its type is the mail type configured in the SCIM Profile.
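Putting the endpoint, token and filter limitations above together, as an added example that is not Horizon's own code: a small Python client helper that rejects a filter using anything outside Horizon's supported subset before building the GET /Users request. The host name, profile name and credentials are constructed placeholders, and treating [ ] as a grouping pair like ( ) is an assumption, since the page does not say how Horizon interprets it.

```python
import base64
import re
from urllib.parse import quote

# Filter subset Horizon accepts (Limitations section): operators eq / and,
# attributes userName / displayName, grouping with ( ) and [ ].
ATTRIBUTES = {"userName", "displayName"}
_TOKEN = re.compile(r'\s*(\(|\)|\[|\]|"(?:[^"\\]|\\.)*"|[A-Za-z][\w.]*)')

def validate_filter(expr: str) -> bool:
    """Allow only `attr eq "value"` terms joined by `and`, grouped with balanced ( ) or [ ]."""
    pos, stack, expect = 0, [], "attr"   # expect: attr -> op -> value -> join
    while pos < len(expr.rstrip()):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        tok, pos = m.group(1), m.end()
        if tok in ("(", "["):
            if expect != "attr":
                raise ValueError("misplaced opening bracket")
            stack.append(tok)
        elif tok in (")", "]"):
            if expect != "join" or not stack or "([".index(stack.pop()) != ")]".index(tok):
                raise ValueError("unbalanced or mismatched bracket")
        elif expect == "attr":
            if tok not in ATTRIBUTES:
                raise ValueError(f"unsupported attribute {tok!r}")
            expect = "op"
        elif expect == "op":
            if tok != "eq":
                raise ValueError(f"unsupported operator {tok!r}")
            expect = "value"
        elif expect == "value":
            if not tok.startswith('"'):
                raise ValueError("comparison value must be a quoted string")
            expect = "join"
        elif tok != "and":                   # expect == "join"
            raise ValueError(f"unsupported operator {tok!r}")
        else:
            expect = "attr"
    if expect != "join" or stack:
        raise ValueError("incomplete filter expression")
    return True

def build_users_request(horizon_url: str, profile: str, flt: str, login: str, password: str) -> dict:
    """Build the GET /Users request: Endpoint base URL plus the Base64(Login:Password) token."""
    validate_filter(flt)   # reject unsupported filters locally rather than after a server error
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    return {"url": f"https://{horizon_url}/security/scim/{profile}/Users?filter={quote(flt)}",
            "headers": {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}}
```

The returned dict is what you would hand to an HTTP client; nothing is sent, so the helper can be exercised offline against the filter rules.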
SCIM User
The id of a SCIM User corresponds to the identifier of a Principal Info.
Synchronization in Horizon
To synchronize between the SCIM groups and the roles and teams there is an object called a SCIM Profile. This object serves as an intermediary between SCIM and Horizon.