By: Darrell Breeden user 27 Apr 2017 at 10:50 a.m. CDT

4 Responses
Hello there. Based on your SCIM documentation, it looks like accessing the SCIM endpoints should be done with basic authentication: `curl -u user:pass ...`. But whenever we attempt this we always get 403 Forbidden. There's a lot of documentation pointing back and forth between UMA and SCIM, but all we really need to do is get basic functionality from the underlying SCIM components. What are we missing in regard to authenticating SCIM requests programmatically against the SCIM endpoints?

By Aliaksandr Samuseu staff 27 Apr 2017 at 11:30 a.m. CDT

Hi, Darrell. SCIM endpoints are protected by UMA. You can refer to the [UMA specs](https://docs.kantarainitiative.org/uma/rec-uma-core.html) for the general picture, and to our own UMA pages [here](https://gluu.org/docs/ce/latest/api-guide/uma-api/) and [here](https://gluu.org/docs/ce/latest/admin-guide/uma/). [This video](https://www.youtube.com/watch?v=zVdUFcEAwPU) may also be helpful, though please note it's a bit outdated. For your task it may be easier to just utilize a shortcut known as [test mode](https://gluu.org/docs/ce/3.0.1/admin-guide/scim-uma/#scim-20-test-mode-v244). If you decide to use our [oxd-server](https://oxd.gluu.org/) application, you'll be able to offload UMA interactions to it through the [APIs](https://gluu.org/docs/oxd/protocol/#uma-authorization) it provides.

By Michael Schwartz Account Admin 27 Apr 2017 at 12:10 p.m. CDT

Calling SCIM via CURL is a very bad idea, and something we won't support on this forum. Use oxd or the [SCIM-Client](https://github.com/GluuFederation/SCIM-client).

By Darrell Breeden user 27 Apr 2017 at 2:41 p.m. CDT

CURL was only intended to consume SCIM for testing, but would eventually be consumed by an HTTP Client in language. If this is doable via oxd, can you provide some examples or a location where it's doable? I can't see OXD providing anything in the libraries beyond basic user information, where we would need group membership. The OAuth Protocol itself doesn't really fit our use case since we're looking at a single multi-tenant application, and need to authorize a user for various companies within that application. We had previously used Stormpath to accomplish this with Groups, but Stormpath has since been consumed by Okta. We would basically like to use OIDConnect for the authentication portion and LDAP / Security groups to manage authorization, and SCIM is what attracted us to Gluu. If we can find a way to make it work with OXD, I'm more than happy to buy a license.

By Michael Schwartz Account Admin 27 Apr 2017 at 2:51 p.m. CDT

If you are just testing, you can set the SCIM interface to "test-mode" in the oxTrust JSON properties, and set a static OAuth token. In that case, you could probably add the authorization header in CURL and send your test operations.