Directory Configuration Properties (SCIM Directory)

A list of the properties in the CmDirectoryConfigurationSCIM class.

The following table shows the directory configuration properties for SCIM Directory.
  • For authorization, use Administration Console for Content Platform Engine to view or modify editable properties.
Restriction: Use care when you enter values for the directory configuration properties. The use of unsupported attributes or incorrectly entered attributes as values for the directory configuration properties can result in a failure of the Content Platform Engine to start. To resolve the problem, you might have to revert to the most recent valid global configuration database (GCD) epoch before the directory configuration properties changes, or you might have to contact IBM Software Support for additional assistance with the resolution.
Remember: Follow the LDAP standards for characters that are allowable in a DN. For example, do not use encoded characters, and do not use extra backslashes or commas that are not being used as delimiters in the value list.
List of properties for the CmDirectoryConfigurationSCIM class, whether it can be edited, and a description for each property.
Each entry gives the property name, whether the property is editable, a description, and the default value for IAM.

AuthenticationRealmName
  Editable: not specified
  Description: Not used.
  Default for IAM: not specified

AllowEmailOrUPNShortNames
  Editable: Yes
  Description: Set this property to True to allow the at sign (@) in user names.
  Default for IAM: not specified

DirectoryServerHost
  Editable: Yes
  Description: Specifies the name of the host that is running the directory server product.
  Default for IAM: platform-identity-management.<iam_namespace>.svc

DirectoryServerPassword
  Editable: Yes
  Description: The value depends on whether the SCIM directory uses username/password authentication or Bearer token authentication. If the SCIM directory supports username/password authentication, this property holds the user password. If the SCIM directory supports Bearer token authentication, the OAuth client_credentials grant is used to obtain the Bearer token, and this property holds the client secret (the clientSecret part of that grant).
  Default for IAM: The client secret that is registered in IM.

DirectoryServerPort
  Editable: Yes
  Description: Specifies the port number of the directory server. The value of this property defaults to port 443.
  Default for IAM: "443"

DirectoryServerProviderClass
  Editable: No
  Description: Specifies the directory server provider class name: com.filenet.engine.directory.scim.SCIMProvider
  Default for IAM: SCIM (com.filenet.engine.directory.scim.SCIMProvider)

DirectoryServerUserName
  Editable: Yes
  Description: The value depends on whether the SCIM directory uses username/password authentication or Bearer token authentication. If the SCIM directory supports username/password authentication, this property holds the username. If the SCIM directory supports Bearer token authentication, the OAuth client_credentials grant is used to obtain the Bearer token, and this property holds the client ID (the clientId part of that grant).
  Default for IAM: The client ID that is registered in IM.

DirectoryServiceType
  Editable: No
  Description: Specifies the type of directory server: SCIM
  Default for IAM: SCIM

DisplayName
  Editable: Yes
  Description: The user-readable, provider-specific name of an object. This property is usually the designated Name property of the object's class.
  Default for IAM: not specified

GroupBaseDN
  Editable: Yes
  Description: The base DN for searching for groups in the directory server. This property is used only when GroupDNAttribute is not set (that is, the SCIM provider exposes no attribute that holds a group's DN); the server then constructs an artificial DN from the group's displayName. Set GroupBaseDN so that the distinguished names constructed from it cannot collide with those from any of your other directories, for example cn=TaskAdmins,ou=groups,ou=somerealm,dc=scim.
  If GroupBaseDN is not set and the SCIM provider has an attribute that contains the group's DN, populate GroupDNAttribute instead.
  If GroupBaseDN is not set and the SCIM provider has no attribute containing the group's DN, an artificial base DN derived from the realm name is used automatically, such as ou=groups,ou=<realm name>,dc=scim.
  Default for IAM: Use the value that is set for the ldap_configuration.lc_ldap_group_base_dn parameter.

GroupDisplayNameAttribute
  Editable: Yes
  Description: Specifies the attribute that provides the display name for a Group object that is generated by the authentication provider.
  Default for IAM: "displayName"

GroupDNAttribute
  Editable: Yes
  Description: (Optional) If provided, the SCIM attribute that contains a group's DN at the SCIM provider (for example, id or externalId). If not set, the group DN is constructed from the value of GroupBaseDN, and searches are performed on the displayName attribute.
  Default for IAM: "externalId"

GroupMembershipSearchFilter
  Editable: Yes
  Description: Specifies whether the SCIM directory returns all groups, including nested parent groups, for a given user or group. If nested parent groups are returned only for users, but not for groups, set the value to nestedGroupsReturned=users. If nested parent groups are returned only for groups, but not for users, set the value to nestedGroupsReturned=groups. If nested parent groups are returned for both users and groups, set the value to nestedGroupsReturned=users,groups.
  Default for IAM: not specified

GroupNameAttribute
  Editable: Yes
  Description: Specifies the attribute that provides the name for a Group object that is generated by the authentication provider.
  Default for IAM: "displayname"

GroupSearchFilter
  Editable: Yes
  Description: Limits the results that are returned from queries to the SCIM directory. For example, if your SCIM directory supports multiple user repositories, this filter can restrict queries to one repository. If the filter starts with an ampersand (&), it is treated as a URL query parameter of the SCIM request. Otherwise, the filter is appended to the SCIM filter expression by using the "and" operator.
  For example, if GroupSearchFilter contains the value &ldapId=cp4ba-prod-100, that value is added as a URL query parameter to requests to the SCIM directory: https://scim-directory/scim/Groups?filter=displayName eq "mygroup"&ldapId=cp4ba-prod-100
  If GroupSearchFilter contains the value urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group:realmName eq "cp4ba-prod-100", that value is added to the SCIM filter expression: https://scim-directory/scim/Groups?filter=displayName eq "mygroup" and urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group:realmName eq "cp4ba-prod-100"
  Default for IAM: not specified

GroupUniqueIDAttribute
  Editable: Yes
  Description: The directory service attribute that serves as the security identifier (SID) for each group. Select an attribute whose values are unique and do not change over time. Typically, this is the same attribute as UserUniqueIDAttribute. Use only attributes that return a Java String in the LDAP Java API. Content Platform Engine defines a default attribute for this property to obtain unique SIDs. If you configure a different, non-default attribute, remember that the workflow system places additional limits on the size of the SID, which are related to how the Content Engine API returns the string representation of user and group SIDs: a SID value for use with the workflow system is limited to 256 characters. For more specific information about SID limits, see What are access rights?
  Default for IAM: "id"

IsSSLEnabled
  Editable: Yes
  Description: Defines whether the Secure Sockets Layer (SSL/TLS) protocol is enabled for a given DirectoryConfiguration object. The default value is True, indicating that SSL/TLS is enabled.
  Default for IAM: True

PrincipalCategory
  Editable: not specified
  Description: Not used.
  Default for IAM: Not used

RestrictMembershipToConfiguredRealms
  Editable: Yes
  Description: Restricts a group membership search to the realms that are configured in Administration Console for Content Platform Engine. A user can be in a configured realm but belong to a group in an unconfigured realm. By default (that is, when the property value is False), the server automatically searches cross-realm group membership (also called cross-domain group membership in Active Directory). If it reaches a realm that is not configured in Administration Console for Content Platform Engine, the server returns a "Realm not found" error and the group membership search stops. If the property value is True when this situation occurs, the server instead logs an informational message to the server error log and the group membership search continues.
  Default for IAM: not specified

SCIMAuthenticationURL
  Editable: Yes
  Description: The OAuth token URL of the identity provider from which a Bearer token is requested. Populate this property only if authentication to the SCIM directory uses a Bearer token that is obtained through the OAuth client_credentials grant. By default, the client_credentials grant uses the scope openid. If your SCIM directory requires a different scope or additional parameters on the client_credentials grant, append them to this value, separating each parameter with a comma, for example https://login.microsoftonline.com/000-00-000/oauth2/v2.0/token,scope=api://111-11-1111/.default
  Default for IAM: "https://platform-identity-provider.<iam_namespace>.svc:4300/v1/auth/token"

SCIMContextPath
  Editable: Yes
  Description: Context path to the SCIM endpoint. For IAM, a sample context path is idmgmt/identity/api/v1/scim
  Default for IAM: "identity/api/v1/scim/"

SCIMServiceType
  Editable: Yes
  Description: Identifies the SCIM directory provider so that Content Platform Engine can better accommodate differences in how identity providers implement the SCIM standard. The property can have the following values:
    • AUTO_DETECT (Content Platform Engine tries to detect the features available in the SCIM provider)
    • SCIM_11 (the SCIM provider supports only the SCIM 1.1 specification)
    • SCIM_20 (the SCIM provider supports the SCIM 2.0 specification)
    • IBM_IAM (the SCIM provider is IBM IAM, used in CP4BA deployments)
    • IBM_Verify (the SCIM provider is IBM Verify)
  In new CP4BA deployments, IBM_IAM is set as the default. Select AUTO_DETECT unless it is known that the SCIM provider supports only the features that are described by one of the other types.
  Default for IAM: "IBM_IAM"

UserBaseDN
  Editable: Yes
  Description: The base DN for searching for users in the directory server. This property is used only when UserDNAttribute is not set (that is, the SCIM provider exposes no attribute that holds a user's DN); the server then constructs an artificial DN from the userName. Set UserBaseDN so that the distinguished names constructed from it cannot collide with those from any of your other directories, for example cn=CEAdmin,ou=users,ou=somerealm,dc=scim.
  If UserBaseDN is not set and the SCIM provider has an attribute that contains the user's DN, populate UserDNAttribute instead.
  If UserBaseDN is not set and the SCIM provider has no attribute containing the user's DN, an artificial base DN derived from the realm name is used automatically, for example ou=users,ou=<realm name>,dc=scim.
  Default for IAM: Use the value that is set for the ldap_configuration.lc_ldap_base_dn parameter.

UserDisplayNameAttribute
  Editable: Yes
  Description: Specifies the attribute that provides the display name for a User object that is generated by the authentication provider. By default, the value is the SCIM displayName, or it is constructed from the SCIM name attributes.
  Default for IAM: "displayname"

UserDNAttribute
  Editable: Yes
  Description: (Optional) If provided, the SCIM attribute that contains a user's DN at the SCIM provider (for example, id or externalId). If not set, the user DN is constructed from the value of UserBaseDN, and searches are performed on the userName attribute.
  Default for IAM: "externalId"

UserNameAttribute
  Editable: not specified
  Description: Specifies the attribute that holds the user name.
  Default for IAM: "userName"

UserSearchFilter
  Editable: Yes
  Description: Limits the results that are returned from queries to the SCIM directory. For example, if your SCIM directory supports multiple user repositories, this filter can restrict queries to one repository. If the filter starts with an ampersand (&), it is treated as a URL query parameter of the SCIM request. Otherwise, the filter is appended to the SCIM filter expression by using the "and" operator.
  For example, if UserSearchFilter contains the value &ldapId=cp4ba-prod-100, that value is added as a URL query parameter to requests to the SCIM directory: https://scim-directory/scim/Users?filter=userName eq "myuser"&ldapId=cp4ba-prod-100
  If UserSearchFilter contains the value urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User:realmName eq "cp4ba-prod-100", that value is added to the SCIM filter expression: https://scim-directory/scim/Users?filter=userName eq "myuser" and urn:ietf:params:scim:schemas:extension:ibmcp:2.0:User:realmName eq "cp4ba-prod-100"
  Default for IAM: not specified

UserUniqueIDAttribute
  Editable: Yes
  Description: The directory service attribute that serves as the security identifier (SID) for each user. Select an attribute whose values are unique and do not change over time. Typically, this is the same attribute as GroupUniqueIDAttribute. Use only attributes that return a Java String in the LDAP Java API. Content Platform Engine defines a default attribute for this property to obtain unique SIDs. If you configure a different, non-default attribute, remember that the workflow system places additional limits on the size of the SID, which are related to how the Content Engine API returns the string representation of user and group SIDs: a SID value for use with the workflow system is limited to 256 characters. For more specific information about SID limits, see What are access rights?
  Default for IAM: "id"
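The following is an added example, not Content Platform Engine code, showing how the SCIMAuthenticationURL rule (comma-separated token URL plus extra client_credentials parameters, scope defaulting to openid) and the UserSearchFilter / GroupSearchFilter rule (a leading & becomes a URL query parameter, anything else is AND-ed onto the SCIM filter) turn the property values above into concrete requests. The ScimDirectoryConfig class, the example_config() values, the https-only check on the token URL and the quote escaping inside the filter value are assumptions of this example; the sample host, context path, client ID and secret are constructed placeholders.

```python
"""Added example (not Content Platform Engine code): turning SCIM directory
configuration properties into the OAuth token request and SCIM search requests
that the documented rules describe. Sample values are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, quote, urlencode, urlsplit


@dataclass
class ScimDirectoryConfig:
    """Subset of the CmDirectoryConfigurationSCIM properties used here (assumed model)."""
    DirectoryServerHost: str
    DirectoryServerPort: int
    SCIMContextPath: str
    DirectoryServerUserName: str          # client_id when Bearer token auth is used
    DirectoryServerPassword: str          # client_secret when Bearer token auth is used
    SCIMAuthenticationURL: Optional[str] = None
    UserSearchFilter: Optional[str] = None
    GroupSearchFilter: Optional[str] = None
    IsSSLEnabled: bool = True

    def token_request(self) -> Tuple[str, Dict[str, str]]:
        """Token endpoint and form body for the OAuth client_credentials grant."""
        if not self.SCIMAuthenticationURL:
            raise ValueError("SCIMAuthenticationURL is not set; Bearer token auth is not configured")
        parts = [p.strip() for p in self.SCIMAuthenticationURL.split(",")]
        token_url = parts[0]
        if urlsplit(token_url).scheme != "https":
            # Assumption of this example: never send the client secret over plain HTTP.
            raise ValueError("token URL must use https")
        body = {"grant_type": "client_credentials", "scope": "openid"}  # documented default scope
        for extra in parts[1:]:
            if "=" not in extra:
                raise ValueError(f"expected key=value after the token URL, got {extra!r}")
            key, value = extra.split("=", 1)
            body[key.strip()] = value.strip()   # e.g. scope=api://.../.default replaces openid
        body["client_id"] = self.DirectoryServerUserName
        body["client_secret"] = self.DirectoryServerPassword
        return token_url, body

    def search_request(self, resource: str, attribute: str, value: str) -> Tuple[str, List[Tuple[str, str]]]:
        """URL (without query string) and ordered query parameters for a Users/Groups lookup."""
        scheme = "https" if self.IsSSLEnabled else "http"
        path = self.SCIMContextPath.strip("/")
        url = f"{scheme}://{self.DirectoryServerHost}:{self.DirectoryServerPort}/{path}/{resource}"
        # Escape the quoted comparison value (SCIM filter strings use JSON string escaping)
        # so a looked-up name cannot close the quotes and alter the filter.
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        filter_expr = f'{attribute} eq "{escaped}"'
        configured = (self.UserSearchFilter if resource == "Users" else self.GroupSearchFilter) or ""
        configured = configured.strip()
        params: List[Tuple[str, str]] = []
        if configured.startswith("&"):
            # "&ldapId=cp4ba-prod-100" -> extra URL query parameter(s), parsed as a query string
            params.append(("filter", filter_expr))
            params.extend(parse_qsl(configured.lstrip("&"), keep_blank_values=True))
        elif configured:
            # anything else -> appended to the SCIM filter with the "and" operator
            params.append(("filter", f"{filter_expr} and {configured}"))
        else:
            params.append(("filter", filter_expr))
        return url, params

    def search_url(self, resource: str, attribute: str, value: str) -> str:
        """Fully encoded request URL for the lookup."""
        url, params = self.search_request(resource, attribute, value)
        return f"{url}?{urlencode(params, quote_via=quote)}"


def example_config() -> ScimDirectoryConfig:
    """Constructed sample configuration; the IAM host, client ID and secret are placeholders."""
    return ScimDirectoryConfig(
        DirectoryServerHost="platform-identity-management.cp4ba.svc",
        DirectoryServerPort=443,
        SCIMContextPath="identity/api/v1/scim/",
        DirectoryServerUserName="cpe-client",
        DirectoryServerPassword="not-a-real-secret",
        SCIMAuthenticationURL="https://login.microsoftonline.com/000-00-000/oauth2/v2.0/token,scope=api://111-11-1111/.default",
        UserSearchFilter="&ldapId=cp4ba-prod-100",
        GroupSearchFilter='urn:ietf:params:scim:schemas:extension:ibmcp:2.0:Group:realmName eq "cp4ba-prod-100"',
    )
```

Calling example_config().search_url("Users", "userName", "myuser") yields the percent-encoded form of the Users example in the table, with ldapId carried as its own query parameter; the Groups call yields a single filter parameter containing the "and" clause. The token body is built in memory only and is never sent here.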
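The following is an added example, not Content Platform Engine code, for the UserBaseDN / GroupBaseDN behaviour described above: constructing the artificial DN when no UserDNAttribute / GroupDNAttribute is available, falling back to the realm-derived base DN when no base DN is configured, and checking that the base DNs of several directories cannot produce colliding names. The cn=<name>,<base DN> shape is inferred from the page's own examples, and the RFC 4514 escaping (so a userName or displayName containing a comma or equals sign cannot inject extra RDNs, in line with the Remember note on DN characters) is this example's choice; the sample names and base DNs are constructed.

```python
"""Added example (not Content Platform Engine code): artificial DN construction
for SCIM users and groups, with RFC 4514 escaping and a base-DN collision check.
Sample values are constructed placeholders."""
from typing import Dict, List, Optional, Tuple

# RFC 4514 section 2.4: characters that must be backslash-escaped inside an RDN value.
_RDN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it is a single RDN and cannot add further RDNs."""
    if not value:
        raise ValueError("empty RDN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                    # NUL must be hex-escaped
        elif ch in _RDN_SPECIAL or ch == "=":     # '=' is optional per RFC 4514; escaped defensively
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")                     # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")                     # leading '#'
        else:
            out.append(ch)
    return "".join(out)


def artificial_base_dn(container: str, realm_name: str) -> str:
    """Fallback the page documents when no base DN is set: ou=users|groups,ou=<realm name>,dc=scim."""
    return f"ou={container},ou={escape_rdn_value(realm_name)},dc=scim"


def build_dn(name: str, base_dn: Optional[str], container: str, realm_name: str) -> str:
    """cn=<userName or displayName>,<UserBaseDN/GroupBaseDN or realm-derived fallback>."""
    base = base_dn.strip() if base_dn and base_dn.strip() else artificial_base_dn(container, realm_name)
    return f"cn={escape_rdn_value(name)},{base}"


def _normalize(dn: str) -> str:
    # Assumes the configured base DNs contain no escaped commas.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def overlapping_base_dns(base_dns: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of directory labels whose base DNs are equal or nested, meaning a DN built
    under one could also be a valid name under the other (the collision the page warns about)."""
    norm = {label: _normalize(dn) for label, dn in base_dns.items()}
    labels = list(norm)
    hits: List[Tuple[str, str]] = []
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            x, y = norm[a], norm[b]
            if x == y or x.endswith("," + y) or y.endswith("," + x):
                hits.append((a, b))
    return hits
```

build_dn("CEAdmin", "ou=users,ou=somerealm,dc=scim", "users", "somerealm") reproduces the page's user example; passing None or an empty base DN exercises the realm-derived fallback. Run overlapping_base_dns over the base DNs of every configured directory before saving the configuration; an empty list means no two directories can mint the same DN.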