By: Mateusz Bilski user 29 Jan 2015 at 8:17 a.m. CST

9 Responses
Mateusz Bilski gravatar
Hello, I am trying to use SCIM to create, update and get users. I am following the doc. I used ScimClient.oAuthInstance() method to obtain ScimClient and provided the default admin credentials and "oxTrust Admin GUI" client Id&Secret. The oauth authentication process works fine. However every SCIM api returns 404. `11152 [main] DEBUG org.apache.commons.httpclient.HttpConnection - Open connection to` `11163 [main] DEBUG httpclient.wire.header - >> "GET /oxTrust/seam/resource/restv1/Users/@!0C2D.5A84.34C0.DBC4!0001!DAEB.6766!0008!CE95.C110 HTTP/1.1[\r][\n]"` `11163 [main] DEBUG org.apache.commons.httpclient.HttpMethodBase - Adding Host request header` `11172 [main] DEBUG httpclient.wire.header - >> "Authorization: Bearer f9799491-d1af-445f-afe5-35a7c5e97ea8[\r][\n]"` `11172 [main] DEBUG httpclient.wire.header - >> "BearerTokenType: oxauth[\r][\n]"` `11173 [main] DEBUG httpclient.wire.header - >> "Accept: application/json[\r][\n]"` `11173 [main] DEBUG httpclient.wire.header - >> "User-Agent: Jakarta Commons-HttpClient/3.1[\r][\n]"` `11173 [main] DEBUG httpclient.wire.header - >> "Host:[\r][\n]"` `11173 [main] DEBUG httpclient.wire.header - >> "[\r][\n]"` `11187 [main] DEBUG httpclient.wire.header - << "HTTP/1.1 404 Not Found[\r][\n]"` `11187 [main] DEBUG httpclient.wire.header - << "HTTP/1.1 404 Not Found[\r][\n]"` `11188 [main] DEBUG httpclient.wire.header - << "Date: Thu, 29 Jan 2015 13:30:34 GMT[\r][\n]"` `11188 [main] DEBUG httpclient.wire.header - << "Server: Apache/2.4.7 (Ubuntu)[\r][\n]"` `11189 [main] DEBUG httpclient.wire.header - << "Content-Length: 0[\r][\n]"` `11189 [main] DEBUG httpclient.wire.header - << "[\r][\n]"` Am I missing something? The doc says "You need to have a the right credentials and roles in order for you to access the endpoint example, which is for oxTrust means that you are a member of the Owner or Manager group specified in the organization entry". Does the default admin user need some additional group/role? I also found SCIM auth doc using UMA . Is it the recommended approach? (btw the first step is to create a client with scope "", which is missing by default.) I used gluu-server-1.7-0-beta2.amd64.deb and SCIM-Client-1.4.1.Final.

By Michael Schwartz Account Admin 29 Jan 2015 at 12:16 p.m. CST

Michael Schwartz gravatar
Make sure SCIM is enabled in oxTrust under Configuration / Organization Configuration UMA API's are very powerful, and need to be protected. SCIM is protected by UMA. Its a little confusing because oxTrust is the UMA resource server, oxAuth is the UMA authorization server, adn your application (requesting the SCIM API) is the UMA client. So you will need two client registrations on oxAuth (one for oxTrust RS, and one for your client). There is an article about it here: Also, there is more docs (some repeated info) here: The UMA website is: If you still think something is wrong, please post again to this issue. These docs are not perfect! If you find any errors, or can make any improvements, the docs are in github:

By Ireneusz Kawalec user 02 Feb 2015 at 4:32 p.m. CST

Ireneusz Kawalec gravatar
Hello, I have a follow-up question regarding this article: I'm trying to achieve the same thing as Mateusz Bilski described. 1. How to register oxAuth client with scope “”? By default while creating oxAuth client (OAuth2->Clients->Add-Client) only following scopes are available: email, openid, phone, profile, user_name. I tried to create UMA scope (OAuth2->UMA->Scopes->Add scope description), type: external, url:, however after creating this new scope, it is not available in oxAuth client scopes. 2. In OAuth2->UMA I don't see Policies, only resources and scopes tabs are available: How can I define base policy script (I'm referring to points 13-15 in the article)? I'm using the newest version of gluu-server-2.0-0.el6.x86_64 installed on CentOS 6.5.

By Ireneusz Kawalec user 03 Feb 2015 at 12:39 p.m. CST

Ireneusz Kawalec gravatar
Hello, I have some updates related to my last post. Firstly, I switched to gluu-server-1.7-0. I was able to register Resource Server Client oxAuth client with “” scope and then register Requesting Party Client oxAuth client with “”. Before creating oxAuth clients I created two Oauth scopes with mentioned urls as display names. Is this a recommend way of creating UMA related scopes? Since I switched to version 1.7 Policies tab is visible and I was able to define UMA policy (I followed all the steps from the article: The issue I'm facing right now is that I'm getting 404 while trying to retrieve sample user (I'm using Scim client and sample code from article to achieve that). Is 'access_scim' scope sufficient to give access to SCIM APIs? I'm attaching: [ldap ldif file](, logs from [tomcat]( and [scim client test](

By Michael Schwartz Account Admin 03 Feb 2015 at 12:44 p.m. CST

Michael Schwartz gravatar
Hmmm... latest binaries are here:[]=binaries Latest Centos install instructions are here: I'll assign this issue to an engineer too.

By Yuriy Movchan staff 04 Feb 2015 at 11:40 a.m. CST

Yuriy Movchan gravatar
I find compatibility issue between oxAuth and SCIM-Client as result I build oxTrust 2.1 and SCIM-Client 2.1. Please try to do next: 1) Install CE 2.0 2) Update /opt/tomcat/identity.war from 3) Restart tomcat 4) Use SCIM Client 2.1.0 in order to use SCIM: 5) Use next instructions to configure oxTrust:

By Ireneusz Kawalec user 05 Feb 2015 at 5:30 a.m. CST

Ireneusz Kawalec gravatar
Hello Yuriy, I confirm that fix you introduced, resolves an issue with access to SCIM APIs. I have two questions: 1. Are you planning to release gluu-server-2.1.0 deb/rpm? 2. I have one security concern. Instead of using admin credentials I initialised SCIM client using test user credentials (it's a sample user with basic attributes and this user doesn't belong to manager's group). I was able to invoke SCIM APIs. Is this the way how it supposed to work? So basically if a user and oauth client exists and SCIM is enabled in Organisational Configuration page then it's possible to perform any operation like: create, update, delete, get user.

By Yuriy Movchan staff 05 Feb 2015 at 7:47 a.m. CST

Yuriy Movchan gravatar
Hi Ireneusz, There is second way to access SCIM endpoint. It's possible to use UMA to protect SCIM. This allows us to write policies where we can implement extra security checks. I will review today and give you instructions how to write policy. Also I opened issue:

By Yuriy Movchan staff 05 Feb 2015 at 7:49 a.m. CST

Yuriy Movchan gravatar
Hi Mike, Can you answer on Ireneusz's question: Are you planning to release gluu-server-2.1.0 deb/rpm? Should we include this fix into 2.1: ?

By Yuriy Movchan staff 05 Feb 2015 at 2:31 p.m. CST

Yuriy Movchan gravatar
Hi Ireneusz, I've checked documentation for SCIM UMA: In this case oxTrust uses UMA to protect SCIM endpoints. We are planning to release 2.1 after fixes few issues. Regards, Yura