SURF Research Access Management provides SCIM, the System for Cross-domain Identity Management, as an interface for provisioning users and groups to applications. The application can act as a SCIM pull by application and/or SCIM push to application.

  • If the application needs to retrieve data about users and/or groups from the SRAM SCIM endpoint, the application acts as a SCIM pull by application.
  • If the application is capable of receiving SCIM messages, and needs to receive changes to users and/or groups, then your application acts as a SCIM push to application.

SCIM pull by application

As a SCIM pull by application, the application connects to the SRAM SCIM endpoints.

Authorization requires a bearer token, generated in the SRAM GUI for the application:

  • At the page of your application
  • Tab 'Details & settings'
  • Section 'SCIM pull by application'
  • Enable 'SCIM pull by application'
  • Button 'New token'

Available high level SCIM endpoints

| Endpoint | Response OK | Response not authorised |
|---|---|---|
| https://sram.surf.nl/api/scim/v2/Users | HTTP 200, all users of all collaborations connected to your application | HTTP 401 |
| https://sram.surf.nl/api/scim/v2/Groups | HTTP 200, all groups and memberships of all collaborations connected to your application | HTTP 401 |
| https://sram.surf.nl/api/scim/v2/Schemas | HTTP 200, the schema definition of SCIM resources | N/A |

For details, please refer to the SRAM API documentation.

SCIM push to application

As a SCIM push to application, the application receives SCIM messages from SRAM. The SCIM requests will originate from the documented IP addresses.

All updates on identities and groups in collaborations connected to your application will be sent to the SCIM push to application instantly. Optionally, SRAM can periodically update all information, to get started and to fix missed updates; this is called 'SCIM sweep'.

Authorization requires a bearer token, generated in the SCIM push to application and put in the SRAM GUI for the application:

  • At the page of your application
  • Tab 'Details & settings'
  • Section 'SCIM push to application'
  • Enable 'SCIM push to application provisioning'
  • Enter the full URL of the base address of the SCIM push to application endpoint
    For example, if the users endpoint of your SCIM push to application is https://example.com/scim/Users, the SCIM push to application base address is https://example.com/scim
  • Enter the bearer token for the SCIM push to application endpoints
  • Optionally enable SCIM sweeping, a periodic push from SRAM to the application to keep data synchronized
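
On the receiving side, a SCIM push to application endpoint can enforce both controls described above, the documented source addresses and the bearer token, before it processes a message. The following is an added example, not SRAM code: the networks and token are constructed placeholders, the function names are hypothetical, and answering 403 for an unknown source and 401 for a bad token is an assumption.

```python
import hmac
import ipaddress

# Constructed placeholders: substitute the IP ranges SRAM documents and the
# token you generated in your application and entered in the SRAM GUI.
ALLOWED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("2001:db8::/32")]
EXPECTED_TOKEN = "constructed-example-token"


def source_allowed(remote_addr, networks=ALLOWED_NETWORKS):
    """True if the peer address falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) seen on dual-stack listeners.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net for net in networks)


def bearer_token(authorization):
    """Extract the token from an 'Authorization: Bearer <token>' value."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorize_push(remote_addr, authorization, expected=EXPECTED_TOKEN):
    """Return the HTTP status the SCIM endpoint should answer with."""
    if not source_allowed(remote_addr):
        return 403
    token = bearer_token(authorization)
    # compare_digest avoids leaking the match position through timing.
    if token is None or not hmac.compare_digest(token.encode(), expected.encode()):
        return 401
    return 200
```

Pass the TCP peer address as `remote_addr`; a forwarded-for header is only trustworthy when it is set by your own reverse proxy.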