By: Chris Davenport user 31 May 2018 at 5:39 a.m. CDT

3 Responses
I'm trying to migrate from 2.4.4 to 3.1.3 but am having problems getting the new UMA2 protocol to work. To take the migration out of the equation I'm currently working on an out-of-the-box 3.1.3 installation and just trying to get SCIM/UMA working. I have SCIM-Client installed on my local machine and it works correctly in both test mode and UMA mode. My own SCIM code (in PHP) works in test mode, but in UMA mode I keep getting "JWT authentication failed" in the oxauth.log, so there must be something wrong with how I'm constructing the JWT I'm sending to the token endpoint. The JWT I'm generating is valid (as confirmed using the https://jwt.io/ online validator), so I think the problem is in obtaining the correct key to sign it with. Some pointers would be helpful.

How do I retrieve the key from scim-rp.jks? Which key do I extract? The OpenID Core document (http://openid.net/specs/openid-connect-core-1_0.html) says to sign it with the public key, but in trying to read the code it looks like the private key is being used (https://github.com/GluuFederation/oxAuth/blob/master/Model/src/main/java/org/xdi/oxauth/model/crypto/OxAuthCryptoProvider.java#L171), so I'm a bit confused (and probably not reading the right bit of code). Is the first key in scim-rp.jks always the correct one? How do I decode the key from scim-rp.jks in order to use it to sign the JWT? Any light you can shed on this would be most helpful.

By Aliaksandr Samuseu staff 31 May 2018 at 8:08 a.m. CDT

Hi, Chris.

> I have SCIM-Client installed on my local machine and it works correctly in both test mode and UMA mode.

Could you elaborate? What steps did you use to configure it? If you followed one of our docs, please provide a link to it.

> Which key do I extract? The OpenID Core document (http://openid.net/specs/openid-connect-core-1_0.html) says to sign it with the public key, but in trying to read the code it looks like the private key is being used (https://github.com/GluuFederation/oxAuth/blob/master/Model/src/main/java/org/xdi/oxauth/model/crypto/OxAuthCryptoProvider.java#L171) so I'm a bit confused (and probably not reading the right bit of code).

The usual rule of thumb is: to encrypt something you use a public key, and to sign something you use a private key. If you sign something this way, you need to publish the corresponding public key and make it known to the party which will be verifying the signature. When you're editing a client's properties in Gluu's web UI you can see the fields "JWKS URI" and "JWKS", which serve this purpose.

> How do I retrieve the key from scim-rp.jks?
> How do I decode the key from scim-rp.jks in order to use it to sign the JWT?

I assume you mean the `/etc/certs/scim-rs.jks` file which is found in the Gluu Server's container? This won't be of much use in your case: if you sign something sent to another party (**to** the Gluu Server in this case), you need to use your own set of private keys, then let the other party know the public part of it, formatted as JWKS.
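
The exchange above (Chris's question about which key signs the JWT, and the reply that the client signs with its own private key and publishes the public half as JWKS) as an added, runnable example. This is illustration code written for this page, not code from the thread, from oxAuth or from SCIM-Client: it builds a `private_key_jwt` client assertion per RFC 7523 / OIDC Core section 9, emits the JWKS that would go into the client's "JWKS" field, and then verifies the assertion the way a server would, using only that JWKS. The client_id `@!ABCD.client`, the key id `rp-key-1` and the token endpoint URL are placeholders, not values from any real deployment.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWT and JWK use unpadded base64url (RFC 7515 section 2).
var b64 = base64.RawURLEncoding

// jwk is the subset of RFC 7517 fields needed to publish one RSA verification key.
type jwk struct {
	Kty string `json:"kty"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type jwks struct {
	Keys []jwk `json:"keys"`
}

// PublicJWKS serialises only the PUBLIC half of the client's key pair. This is
// the document the server needs (the "JWKS" / "JWKS URI" client property).
func PublicJWKS(pub *rsa.PublicKey, kid string) ([]byte, error) {
	k := jwk{
		Kty: "RSA", Use: "sig", Alg: "RS256", Kid: kid,
		N: b64.EncodeToString(pub.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}
	return json.Marshal(jwks{Keys: []jwk{k}})
}

// BuildClientAssertion signs a private_key_jwt assertion with the client's own
// PRIVATE key. iss and sub are the client_id; aud is the token endpoint URL.
func BuildClientAssertion(priv *rsa.PrivateKey, kid, clientID, tokenEndpoint string, now time.Time) (string, error) {
	jti := make([]byte, 16) // unique per assertion so the server can reject replays
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	c, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"jti": b64.EncodeToString(jti),
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(),
	})
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyWithJWKS is the server side: select the key by kid from the published
// JWKS, pin the algorithm to RS256, check the signature, then exp and aud.
func VerifyWithJWKS(assertion string, jwksJSON []byte, tokenEndpoint string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct{ Alg, Kid string }
	if err := json.Unmarshal(hb, &header); err != nil {
		return nil, err
	}
	if header.Alg != "RS256" { // never let the token choose the algorithm ("none", HS256 confusion)
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	var set jwks
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if k.Kid != header.Kid || k.Kty != "RSA" {
			continue
		}
		nb, err1 := b64.DecodeString(k.N)
		eb, err2 := b64.DecodeString(k.E)
		if err1 != nil || err2 != nil {
			return nil, errors.New("bad JWK encoding")
		}
		pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS", header.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("JWT signature verification failed")
	}
	cb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(cb, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("assertion expired or missing exp")
	}
	if claims["aud"] != tokenEndpoint {
		return nil, errors.New("assertion not addressed to this token endpoint")
	}
	return claims, nil
}

func main() {
	// Placeholder identifiers; a real client_id and token endpoint come from the deployment.
	const clientID, tokenEndpoint = "@!ABCD.client", "https://idp.example.com/oxauth/restv1/token"
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // the client's OWN key pair
	published, _ := PublicJWKS(&priv.PublicKey, "rp-key-1")
	assertion, _ := BuildClientAssertion(priv, "rp-key-1", clientID, tokenEndpoint, time.Now())
	claims, err := VerifyWithJWKS(assertion, published, tokenEndpoint, time.Now())
	fmt.Println("JWKS to register on the server:", string(published))
	fmt.Println("client_assertion:", assertion)
	fmt.Println("server-side verification:", claims["iss"], err)
}
```

The assertion produced here is what goes in the `client_assertion` form field of the token request (with `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`); the JWKS is what the server must already hold for that client. A signature built with any key other than the one whose public half is in that JWKS fails at `rsa.VerifyPKCS1v15`, which is the server-side symptom the thread reports.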

By Chris Davenport user 31 May 2018 at 10:13 a.m. CDT

This is the procedure I used to set up SCIM-Client: https://gluu.org/docs/ce/3.1.3/user-management/scim2/#testing-with-the-scim-client-uma, following advice in an earlier ticket: https://support.gluu.org/access-management/5461/problems-upgrading-uma1-to-uma2/

At this point I'm trying to essentially replicate the SCIM-Client authentication in PHP, so I'm using the same client id (taken from SCIM Requesting Party Client). I assume that scim-rp.jks contains the credentials for that client and that's what I need to sign the JWT. Or is that not right?

By Chris Davenport user 04 Jun 2018 at 8:32 a.m. CDT

The problem we are having appears to be that we're just not getting the right credentials to use to obtain an RPT token from the token endpoint. As we don't appear to be making any progress on solving this problem, is there some way of simply using test mode (which works just fine) and locking things down so that only the one client, which will always be on the same physical host, can access the SCIM API?