We sometimes manage user identities in multiple nodes and we need to synchronize all the nodes when one node gets updated.
In this post we will look at how we can leverage SCIM, an open standard for identity provisioning, to meet this requirement of Identity Synchronization.
As I have mentioned in my previous post, WSO2 Identity Server (IS) supports identity provisioning with SCIM, based on WSO2 Charon, which is the implementation of the specification.
Identity Server can act as both SCIM Consumer and Service Provider.
To achieve the aforementioned requirement, we leverage both of those capabilities of IS at once.
Let me describe a use case and then provide the steps to implement it with WSO2 Identity Server.
Use Case:
Let's say we have an organization which has multiple stores distributed across a region. Each store maintains a user store, and there is a central store as well. When one sub store updates its user accounts, that update should be propagated to the central node, and the central node sends that update to all the other sub stores.
If an update happens in the central node, that should also be propagated to all the sub stores.
The following diagram depicts this better: the direction in which each node's updates propagate is indicated by arrows in that node's colour.
Beside each node, I have listed its 'Provisioning Admins' along with their providers, if they have any.
Let me describe it. We send a provisioning request to a SCIM provider node from a consumer node. Therefore, we need to register providers at the nodes which play the role of a consumer at a particular time.
And you need to have an account in the provider node with proper permission to do provisioning, because, as I mentioned in the previous post, the SCIM Service Provider authenticates and authorizes your provisioning request and fulfils it only if it is authenticated and authorized.
Let's implement the above scenario step by step so that you will have a better idea:
Step 1: Setting up three nodes
Download Identity Server 4.0.0 and unzip it into three folders named: 'store1', 'central', 'store2'.
Since we are starting all three on the same machine, we need to change the port offset of each IS instance.
Go to [IS_Home]/repository/conf and open carbon.xml. In the 'central' instance, set Ports->OffSet to 1, and in the 'store2' instance, set Ports->OffSet to 2.
Start the three instances.
Now our three instances are running on the following ports.
store1: 9443
central: 9444
store2: 9445
Step 2: Registering Provisioning Administrators
Let's now create, in each node, the user accounts which have privileges to register SCIM providers and/or perform provisioning on behalf of each store, as listed in the above image.
Store1:
Go to the management console of the store1 IS instance by typing the URL https://localhost:9443/carbon/ in a browser, log in to the management console as admin,admin and go to Configure -> Users and Roles.
Create the 'centraladmin' and 'store2admin' user accounts.
Also create a role called 'provisioning admin', assign the above two users to that role, and give the role the two permissions 'login' and 'Identity Provisioning', as shown in the following diagram.
Now the centraladmin user has the permission to provision user account updates that happen in the central store to store1. In this case, the central store becomes a SCIM Consumer and store1 becomes a SCIM Service Provider.
And the store2admin user has the permission to send provisioning requests to store1 via the central store, in order to propagate updates that happen in store2.
The default admin account of store1, which has all permissions, provisions the updates that happen in store1 to the central store.
In this way, please create the relevant provisioning admin user accounts in the central store and store2 IS instances as well, as illustrated in the first diagram above, and assign them to the provisioning admin role with the two permissions.
Step 3: Registering Providers
Identity Server allows consumer nodes to register SCIM providers in two ways:
1. Registering global providers - any user management operation performed in a particular tenant space will be provisioned to the global providers.
2. Registering providers specific to a particular user account - any user management operation that comes through the SCIM Service Provider endpoints of a particular node will be further provisioned to the providers registered under the account with which the SCIM request was authenticated and authorized.
Let's look at how to register SCIM Providers at the central store in our scenario, so that both mechanisms above will be clear to you.
1. Registering global SCIM providers at the central store.
According to our requirement, any user management operation performed by users in the admin role of central store should be provisioned to store1 and store2.
- Log in as the default admin user in the central node (https://localhost:9444/carbon/admin/login.jsp)
- Access Main->Manage->SCIM
- Register New SCIM Provider.
We need to register both store1 and store2 as global providers.
The following image shows the configuration of the store1 SCIM provider.
Here we need to define a provider id, provide the user name and password used to authenticate to and be authorized by the SCIM provider node (in this case the centraladmin account, which we registered in both store1 and store2 in the previous step), and provide the URLs of the SCIM User and Group endpoints.
You need to register store2 as a global provider as well, with the relevant configuration.
2. Registering SCIM providers specific to user accounts, at the central store.
According to our requirement, any provisioning request coming to central store from store1 should be provisioned to all the other sub stores except to store1.
Therefore, the store1admin user account in the central store should be able to define the providers to which its SCIM provisioning requests are further provisioned from the central node.
- Log in to the central node as store1admin.
- Access Main -> My Identity -> My SCIM Providers
- Now, as store1admin, you can register store2 as the SCIM Provider by providing the relevant configuration as shown below.
- Then log in to the central node as the store2admin account and register a SCIM provider pointing to the store1 endpoints.
Now we are done configuring the central node for our provisioning scenario.
Then log in to the store1 and store2 IS instances as the default admin and register the central node as the global provider in both store1 and store2, as shown below.
Store1:
Store2:
Please refer to the very first image in this post to make sure that you have created all the relevant provisioning admin user accounts in each IS node, given them the proper permissions, and registered the corresponding SCIM providers as listed in that diagram for each node.
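To make the two registration mechanisms of Step 3 concrete, here is an added Python model of the fan-out that Steps 2 and 3 configure; it is not WSO2 code, and the node and account names are taken from the post's diagram. Global providers fire on operations performed locally on a node, while per-account providers fire only on updates that arrived over the node's SCIM endpoint authenticated as that account; the constructed misregistered() topology goes beyond the post to show how a wrong per-account registration would echo an update back to its origin, which the model flags.

```python
from collections import deque

# Constructed from the post's diagram. Global providers fire for any
# user-management operation performed locally on a node:
#   node -> [(provider_node, account_used_at_that_provider)]
GLOBAL_PROVIDERS = {
    "store1":  [("central", "store1admin")],
    "central": [("store1", "centraladmin"), ("store2", "centraladmin")],
    "store2":  [("central", "store2admin")],
}
# Per-account providers fire only for updates that arrived over the node's
# own SCIM endpoint authenticated as that account:
#   node -> {inbound_account: [(provider_node, account_used_there)]}
ACCOUNT_PROVIDERS = {
    "central": {
        "store1admin": [("store2", "centraladmin")],
        "store2admin": [("store1", "centraladmin")],
    },
    "store1": {},
    "store2": {},
}

def propagate(origin, global_providers=GLOBAL_PROVIDERS,
              account_providers=ACCOUNT_PROVIDERS):
    """Return (reached, problem): the ordered (node, account) pairs that get
    an update made locally at `origin`, and None or a string describing a
    registration that echoes the update to its origin or cycles."""
    reached, seen = [], set()
    queue = deque(global_providers.get(origin, []))
    while queue:
        node, acct = queue.popleft()
        if node == origin:
            return reached, f"update from {origin} echoed back as {acct}"
        if (node, acct) in seen:
            return reached, f"provisioning cycle through {node} as {acct}"
        seen.add((node, acct))
        reached.append((node, acct))
        # The receiving node now acts as SCIM consumer for the providers
        # registered under the account the request was authenticated with.
        queue.extend(account_providers.get(node, {}).get(acct, []))
    return reached, None

def receivers(origin, **kw):
    """Sorted set of nodes an update from `origin` ends up on; None on a problem."""
    reached, problem = propagate(origin, **kw)
    return None if problem else sorted({node for node, _ in reached})

def misregistered():
    """Constructed misconfiguration: both stores also forward the updates they
    receive from central back to central under the centraladmin account."""
    bad = {node: dict(accts) for node, accts in ACCOUNT_PROVIDERS.items()}
    bad["store1"] = {"centraladmin": [("central", "store1admin")]}
    bad["store2"] = {"centraladmin": [("central", "store2admin")]}
    return bad
```

With the post's registrations, an update made on any one node reaches exactly the other two and never returns to its origin, which is the property to check before enabling provisioning on real nodes.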
Step 4: Test Identity Synchronization
Now log in to store1 as the default admin and create a user account. Observe the logs at the backend console of each node. You will see info logs stating that the user created at store1 is also created at the central store and store2.
You can log in to the management consoles of the central store and store2 and verify that the user created in store1 is listed in the other two nodes as well.
You can perform other user and role management operations in each node as well and verify whether they are synchronized with the other nodes as expected in our use case.
The following is the list of user management operations currently supported in WSO2 Identity Server to be provisioned via SCIM.
1. Create User
2. Delete User
3. Update credential of the user by admin
4. Update the profile of a user by admin
5. Update the profile of a user by the user himself
6. Create Group
7. Delete Group
8. Add users to group by updating group (Update user list of role)
9. Rename Group
The following is the list of user management operations allowed by WSO2 Identity Server, but not currently supported to be provisioned via SCIM.
1. Update credential of the user by user himself.
2. Add users to group by updating user (Update role list of user) - same outcome can be achieved by the no. 8 operation above.
I hope it is now clear to you how we can leverage SCIM, an open standard for Identity Provisioning, to achieve a use case of Identity Synchronization across multiple nodes using the capabilities of WSO2 Identity Server.
Configuring provisioning through configuration file
Identity Server also supports configuring SCIM providers through a configuration file, in addition to registering providers through the UI as explained above.
In this case, it is the admin of a particular node who configures the providers, as opposed to individual provisioning admins registering SCIM providers through the UI.
The relevant configuration file is: [IS_Home]/repository/conf/provisioning-config.xml
If you are configuring through configuration file, you need to follow the above steps until step 2 is completed.
Then shut down all three IS instances. Replace the provisioning-config.xml file of each instance with the one shown below and restart the IS instances.
store1 configuration file:
- Provider: central node; user name and password: store1admin / store1admin; User endpoint: https://localhost:9444/wso2/scim/Users; Group endpoint: https://localhost:9444/wso2/scim/Groups
central store configuration file:
- Provider: store1; user name and password: centraladmin / centraladmin; User endpoint: https://localhost:9443/wso2/scim/Users; Group endpoint: https://localhost:9443/wso2/scim/Groups
- Provider: store2; user name and password: centraladmin / centraladmin; User endpoint: https://localhost:9445/wso2/scim/Users; Group endpoint: https://localhost:9445/wso2/scim/Groups
store2 configuration file:
- Provider: central node; user name and password: store2admin / store2admin; User endpoint: https://localhost:9444/wso2/scim/Users; Group endpoint: https://localhost:9444/wso2/scim/Groups
Great post, thanks.