Monday, March 5, 2012

Implementing SCIM with WSO2 Charon - Part III

In this post, lets look at how to implement few use cases of SCIM with WSO2 Charon.
You may need to refer to my previous posts on SCIM and Charon to get an overview of them.

Being the third post on Charon, lets continue looking at it in the top down approach.

Part II described the composition of Charon-Impl. which is the SCIM service provider reference implementation shipped with Charon. It is a Apache Wink based webapp that utilizes Charon-Core and Charon-Utils to expose a SCIM REST API for identity provisioning operations.

This post will demonstrate the following capabilities of Charon according to SCIM spec.

1). Create user
2). Create group
3). List Users

Setting up SCIM Service Provider with Charon-Impl:

Download CharonDemoApp from M1 Distribution and deploy it in an application server like Apache Tomcat and start the server.
As shown in the diagram of the part-II post, User Resource and Group Resource are now exposed based on Apache Wink JAX-RS implementation, via following URLS.
  • User Resource: http://localhost:8080/charonDemoApp/scim/Users
  • Group Resource: http://localhost:8080/charonDemoApp/scim/Groups
    Sample use cases:

    1. Creating a user.. 
    This demonstrates how a SCIM consumer creates (provision) a User in SCIM service provider via a REST call in which User attributes are carried as a JSON encoded string.

    Client code :  SCIM client uses the previously registered credentials to authenticate the request.
    package org.wso2.charon.samples.user.sample01;
    import org.apache.wink.client.ClientConfig;
    import org.apache.wink.client.ClientWebException;
    import org.apache.wink.client.Resource;
    import org.apache.wink.client.RestClient;
    import org.apache.wink.client.handlers.ClientHandler;
    import org.wso2.charon.core.client.SCIMClient;
    import org.wso2.charon.core.exceptions.CharonException;
    import org.wso2.charon.core.objects.User;
    import org.wso2.charon.core.schema.SCIMConstants;
    import org.wso2.charon.samples.utils.CharonResponseHandler;
    import org.wso2.charon.samples.utils.SampleConstants;
    import org.wso2.charon.utils.authentication.BasicAuthHandler;
    import org.wso2.charon.utils.authentication.BasicAuthInfo;
    public class CreateUserSample {
        //user details
        public static final String USER_NAME = "hasinig";
        public static final String EXTERNAL_ID = "";
        public static final String[] EMAILS = {"", ""};
        public static final String DISPLAY_NAME = "Hasini Gunasinghe";
        public static final String PASSWORD = "dummyPW";
        public static final String LANGUAGE = "Sinhala";
        public static final String PHONE_NUMBER = "9077657623";
        public static void main(String[] args) {
            try {
                //create SCIM client
                SCIMClient scimClient = new SCIMClient();
                //create a user according to SCIM User Schema
                User scimUser = scimClient.createUser();
                scimUser.setPhoneNumber(PHONE_NUMBER, null, false);
                //encode the user in JSON format
                String encodedUser = scimClient.encodeSCIMObject(scimUser, SCIMConstants.JSON);
                //create a apache wink ClientHandler to intercept and identify response messages
                CharonResponseHandler responseHandler = new CharonResponseHandler();
                //set the handler in wink client config
                ClientConfig clientConfig = new ClientConfig();
                clientConfig.handlers(new ClientHandler[]{responseHandler});
                //create a wink rest client with the above config
                RestClient restClient = new RestClient(clientConfig);
                //create resource endpoint to access User resource
                Resource userResource = restClient.resource(SampleConstants.USER_ENDPOINT);
                BasicAuthInfo basicAuthInfo = new BasicAuthInfo();
                BasicAuthHandler basicAuthHandler = new BasicAuthHandler();
                BasicAuthInfo encodedBasicAuthInfo = (BasicAuthInfo) basicAuthHandler.getAuthenticationToken(basicAuthInfo);
                //TODO:enable, disable SSL. For the demo purpose, we make the calls over http
                //send previously registered SCIM consumer credentials in http headers.
                String response = userResource.
                        header(SCIMConstants.AUTHORIZATION_HEADER, encodedBasicAuthInfo.getAuthorizationHeader()).
                        post(String.class, encodedUser);
                //decode the response
            } catch (CharonException e) {
                e.printStackTrace();  //To change body of catch statement use File | Settings | File Templates.
            } catch (ClientWebException e) {
    Request-Response: Please click on the below image to see it in full size. After successful creation of the user;
    - service provider responds with 201-Created response code and
    - includes newly created user in response body.
    - Representation in response contains an additional attributes 'id', 'created date', 'last modified date' etc which is assigned by the SP and
    - the "Location" header contains the unique URI of the created user resource.

    2. Create Group..(From SCIM spec)
    Following request/reponse is captured when creating a group with two exisiing users in the system.

    Request-Response: Please click on the below image to see it in full size.
    Server responds with 200 OK including group resource in the body encoded in JSON.

    3. List Users
    Following request/response illustrates a SCIM consumer call to list all the users.
    Server responds with two user entries existing in its user store.

    1. Libraries for sample client code:
    You can find the required libraries to run the WSO2 Charon samples from here.
    2. Sample source code can be found in the M1 distribution linked above.
    3. As illustrated by above sample use case, SCIM consumer will be able to perform identity provisioning operations with any SCIM service provider in a unified way by just changing the resource URLs - which avoids the need of developping multiple connectors to integrate with different cloud providers.

    1 comment:

    1. Thanks for the beautiful explanation.This is one of the most well mannered post I have ever seen and after reading it most of the questions in my mind got the answer.
      digital certificates


    Note: Only a member of this blog may post a comment.