By: Josh Weisman user 23 Feb 2016 at 9:49 a.m. CST

16 Responses
Hi there- I work for a company that provides library management software. We're evaluating Gluu as an option to recommend to our customers for identity management. I'm looking into how we can integrate Gluu with our software. Trying to get the SCIM interface working. Two issues:

* When calling GET /v2/Users/Id for a particular user, I get `18 counts of IllegalAnnotationExceptions`, starting with:

```
org.gluu.oxtrust.model.scim2.Address$Type does not have a no-arg default constructor
```

* When calling the SCIM API without a session, I get a 401 Unauthorized, but without the permission ticket that I can exchange for a token in the UMA server. All I get is the below:

```
{
  "error": "unauthorized_client",
  "error_description": "The client is not authorized to request an access token using this method."
}
```

Is there a document that explains what I'm missing?

Thanks,
Josh

By Michael Schwartz Account Admin 23 Feb 2016 at 9:59 a.m. CST

Can you help give us some context? Are you using Gluu's Java SCIM client library? What version of the Gluu Server are you using?

By Josh Weisman user 24 Feb 2016 at 12:16 a.m. CST

Gluu server 2.4.1. I'm trying to access the SCIM APIs directly via a REST client. Should I be using the Gluu SCIM client library?

By Valentino Pecaoco user 24 Feb 2016 at 12:25 a.m. CST

Hi Josh, yes please use the Gluu SCIM-Client library. As a starting point you may wish to download the SCIM-Client code and browse the unit tests to get yourself familiar with using the library.

By Josh Weisman user 24 Feb 2016 at 6:55 a.m. CST

Thanks for your help while I struggle through this. I have cloned the SCIM-Client project and have tried to work through getting a client with a `umaInstance`. I am running into all sorts of problems with the definition of the JWK and complaints about the names of the attributes. I created a new JWK using online tools and compared it to the one you have in the default "SCIM Requesting Party Client"- they are totally different. I got something working with the following key:

```
{
  "keys": [
    {
      "alg": "RS256",
      "kid": "alma",
      "kty": "RSA",
      "privateKey": {
        "d": "SHrzKsNuceRxQi22VfkAiwAjpe1WKP6ouK2WMFq4wxyy3kKS2J8Wk7tcjqxjFxsLQDahkH3FSsNp_PwwUNHkNBMXx30hbrpkwARtgF6q9CTNG-a4aIm8KSG_uE-Ire6nkUh8gMkEp_mGRstp1fgIoxvocggmA3xn18hAK6OxYKcTZRTeyOqAAt5TMFgrGCRx_FYCzfHM3rerpI2m-DUEzOsLLv4UFJr3r_5LYGI4Qf-5_q3VNk0vsdC4kKAl_sr2jdpPM0z4o_YUfiITuCohqj_UjIwyMH6UYNX_BtRFVuM0h6U-lQw42tbhDcp7W1Vcxxc6cdRfze6sjqWw9Sq-PQ",
        "e": "AQAB",
        "n": "nSN0lgT5DvRqhkD-OjVKE119yTdGn4pEENJI7o3CJK6KHZFkL62cHDvtSNSLj0hrNRKAkG-zPowYbVUP4yhLUfq7MmNPyEZJI5qXgvg-094aG0A0KS0NBhI_r18ryX1omKPeCM2qdSyfp4iQHWtLgg7rBcWvW6kBAmW-D9XVpH9aTdM5sL17SDESL6gihpZaE_vM-9F1WBMxn1RI-ekG5pvnZL12F2jhgmiSfCtaED3XQToYgCTTEC-en_9JgjPKUD9tFezbJXnFP_wmx4E321cUo4Voqp8mzLgbQMI-npCHTX67b71phU_j8gRpSsXFQwg-ftUUjEoE_XT_7Thl5Q"
      }
    }
  ]
}
```

On the server I defined my client with the key as follows:

```
{
  "keys": [
    {
      "alg": "RS256",
      "d": "SHrzKsNuceRxQi22VfkAiwAjpe1WKP6ouK2WMFq4wxyy3kKS2J8Wk7tcjqxjFxsLQDahkH3FSsNp_PwwUNHkNBMXx30hbrpkwARtgF6q9CTNG-a4aIm8KSG_uE-Ire6nkUh8gMkEp_mGRstp1fgIoxvocggmA3xn18hAK6OxYKcTZRTeyOqAAt5TMFgrGCRx_FYCzfHM3rerpI2m-DUEzOsLLv4UFJr3r_5LYGI4Qf-5_q3VNk0vsdC4kKAl_sr2jdpPM0z4o_YUfiITuCohqj_UjIwyMH6UYNX_BtRFVuM0h6U-lQw42tbhDcp7W1Vcxxc6cdRfze6sjqWw9Sq-PQ",
      "e": "AQAB",
      "n": "nSN0lgT5DvRqhkD-OjVKE119yTdGn4pEENJI7o3CJK6KHZFkL62cHDvtSNSLj0hrNRKAkG-zPowYbVUP4yhLUfq7MmNPyEZJI5qXgvg-094aG0A0KS0NBhI_r18ryX1omKPeCM2qdSyfp4iQHWtLgg7rBcWvW6kBAmW-D9XVpH9aTdM5sL17SDESL6gihpZaE_vM-9F1WBMxn1RI-ekG5pvnZL12F2jhgmiSfCtaED3XQToYgCTTEC-en_9JgjPKUD9tFezbJXnFP_wmx4E321cUo4Voqp8mzLgbQMI-npCHTX67b71phU_j8gRpSsXFQwg-ftUUjEoE_XT_7Thl5Q",
      "kty": "RSA",
      "use": "sig",
      "kid": "alma",
      "keyId": "alma"
    }
  ]
}
```

I tried playing with the parameters a bunch- the server needs a "keyId" for example but wants the "e" at the root. I've put the log in this paste bin: http://pastebin.com/ib1Uekfv

Your help is appreciated. Thanks.

By Michael Schwartz Account Admin 24 Feb 2016 at 9:23 a.m. CST

Josh, When you install community edition setup, it automatically creates keys and a Client for SCIM. Are you using this pre-configured client?

By Josh Weisman user 24 Feb 2016 at 9:27 a.m. CST

Using the pre-configured client + JWK set I can't even get to the server. Looks like there's some naming problem?

```
2016-02-24 17:25:43 ERROR JwtUtil:817 - JSONObject["alg"] not found.
org.codehaus.jettison.json.JSONException: JSONObject["alg"] not found.
    at org.codehaus.jettison.json.JSONObject.get(JSONObject.java:374)
    at org.codehaus.jettison.json.JSONObject.getString(JSONObject.java:501)
    at org.xdi.oxauth.model.util.JwtUtil.getPrivateKey(JwtUtil.java:788)
    at gluu.scim2.client.auth.UmaScim2ClientImpl.initUmaRpt(UmaScim2ClientImpl.java:129)
    at gluu.scim2.client.auth.UmaScim2ClientImpl.initUmaAuthentication(UmaScim2ClientImpl.java:89)
    at gluu.scim2.client.auth.UmaScim2ClientImpl.init(UmaScim2ClientImpl.java:72)
    at gluu.scim2.client.BaseScim2ClientImpl.retrievePerson(BaseScim2ClientImpl.java:156)
    at gluu.scim2.client.auth.UmaScim2ClientImpl.retrievePerson(UmaScim2ClientImpl.java:236)
    at gluu.scim2.client.Scim2Client.retrievePerson(Scim2Client.java:52)
    at ScrimTestClient.Client.main(Client.java:54)
```

Here's the key as configured in the default "SCIM Requesting Party Client"

```
{"keys": [ { "keyType": "RSA", "use": "SIGNATURE", "algorithm": "RS256", "keyId": "5a5abdc9-9bc8-4af7-9048-ca0ba35599eb", "expirationTime": null, "curve": null, "privateKey": { "modulus": "AKrQGy5xVQhnzioBRSJaeeTEDm7t0DtX1YwHkYNSVXGu53KdWGXlg_ZBLMUXIXXH-cMJRMG7zhFq4LgVWTMcILfA4WnQ1aT2IaYHrfnsV-hFV464HCExH2zhTT-MZBcFOIXAC3cNG_rBHFf0bBr8PpSwFgfj2oFJDTKDmGManVorVvYJZ1bzy-l_vHKUxB7lCBxdNctDNux1X_4TWCP1YpBYLvDsCRZ4Spp8wLzu55cx0QkzUVNyJPenVDA0tFVDN50E8yG1iKy9z0AjGDa_D4B5PX3ixPkLQvCfSPGfpfRO4f4lKGTFEcxeI5g9KF_uy2bkNMC6z1bjWbqu1LU7T3c", "privateExponent": "E9mbTwpcl1141-jN3_AjujIOe1WnnT3X0y4N-vTWeR-aRfeDDlRdwYBRc5X8jXNv0vqAwwLQL7X752iTtRzPsIr5pxJdwY3Y2zKJRUHx9UwZoLxEiJbsz_pev8PQ3dv9dY2bx3n-hmVqpc4BwiEOJLlR1hjki6Gxpu0kCGBPaOrvvd1kVN-eRBdf6uRnb7_k71_TCbtopQd5ldzciXrnL3h7gu1qcv2tPK3M1zt-rKPUDZT7r23mON67NKNPzuekYfx9FtibeK_apiE02eOHerPYBcMf-aEGiYjLInjYZu1VBqUPYpw4nPY6MaH957JlO0WpNyWopA2u4lOQC7bCAQ", 
"d": null }, "publicKey": { "modulus": "AKrQGy5xVQhnzioBRSJaeeTEDm7t0DtX1YwHkYNSVXGu53KdWGXlg_ZBLMUXIXXH-cMJRMG7zhFq4LgVWTMcILfA4WnQ1aT2IaYHrfnsV-hFV464HCExH2zhTT-MZBcFOIXAC3cNG_rBHFf0bBr8PpSwFgfj2oFJDTKDmGManVorVvYJZ1bzy-l_vHKUxB7lCBxdNctDNux1X_4TWCP1YpBYLvDsCRZ4Spp8wLzu55cx0QkzUVNyJPenVDA0tFVDN50E8yG1iKy9z0AjGDa_D4B5PX3ixPkLQvCfSPGfpfRO4f4lKGTFEcxeI5g9KF_uy2bkNMC6z1bjWbqu1LU7T3c", "exponent": "AQAB", "x": null, "y": null }, "certificateChain": ["MIIDMTCCAhkCgYEAw2d2rqrgumegvAw3Py0hEidE3EKTCOC2F0FMCf4DKBbDrb1fe55Vux4ilbsnttcXi53ygZzyXrt5boHsmw0U8RpVNlefIa7Aq7Py0VLSBlUtdoL8+UgvM4ck2bZYLwQzVZ2/45IdKAYFFS6qF+ThQehz2OCnyGeQWd/55dzFua8wDQYJKoZIhvcNAQELBQAwHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZTAeFw0xNjAyMjIxMTI4NDhaFw0xNzAyMjIxMTI4NDhaMB4xHDAaBgNVBAMTE1Rlc3QgQ0EgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCq0BsucVUIZ84qAUUiWnnkxA5u7dA7V9WMB5GDUlVxrudynVhl5YP2QSzFFyF1x/nDCUTBu84RauC4FVkzHCC3wOFp0NWk9iGmB6357FfoRVeOuBwhMR9s4U0/jGQXBTiFwAt3DRv6wRxX9Gwa/D6UsBYH49qBSQ0yg5hjGp1aK1b2CWdW88vpf7xylMQe5QgcXTXLQzbsdV/+E1gj9WKQWC7w7AkWeEqafMC87ueXMdEJM1FTciT3p1QwNLRVQzedBPMhtYisvc9AIxg2vw+AeT194sT5C0Lwn0jxn6X0TuH+JShkxRHMXiOYPShf7stm5DTAus9W41m6rtS1O093AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGD1u3uUeuj/6VtlndaqUa9m7G9NPdC98p5Ka4f+rrPZkuVuviVGFUOf5pOqVFDbVAbruhUZXnjOXi1hwCxm4g/hQrRLdlGBessc9RCxSeu1BUAvYvZO30QQYsM9CHh16WIkfNvSbBeX25qKGJuO/8UjgyLBoCMyevuYyMf701cCta7i/EdIu0SD78LrsTCezrylL4Wpo0LM44TYnr9Z1xax+0l7oyvfSZIRQ9NiZ+pG4h6luTxx7qgX7h2Ycni6tLmTci7gWckkVxMi83fda35nQJu00sj284LpLE3y/7PDR9cdGWf28p9oKzQXPnNVZRWfipaqELE1zBvvqL/YfMk="] }, { "keyType": "RSA", "use": "SIGNATURE", "algorithm": "RS384", "keyId": "d0740c88-eb8f-41a4-a5f1-72e08655b99a", "expirationTime": null, "curve": null, "privateKey": { "modulus": 
"AIftDG26CEhxfU5h2uGkoIMxMel1lCK4V9eT__cv4oM7ee4gl1YlvUSZhtLI_m2ybEw70s-A6-8ff9ivDLRkriOqeZHplK7H3eik1VPvb1fpihAlOM5JsoioaSaX36wVpLl8EUF-mBdWIsxO5ZDtmH-5RImBys61liSMDhW7ESKxxxen_ReJDqhrnHKcpqHQ70SkgCTjudLby9n8hAmX0qoKp9z1NVkD9Jb-z3eMaTvlzbKgrGD2_2FNSR2s-Jq5IuSZIor_jvrlF1U5mpjqlCeG-C0A91_sC3C6ED8zR1ok3u8hr-WiFxA3TC7oZ9GMszdEUfOIRYbMIy-HblPBxRs", "privateExponent": "Qip0KF2sdoc4NhWQVNKsh_BEmZ5ws84EhJ44tX0LyFIFcpNO19KbJW-On8DTiVaXPSzJ29SoBMjSlQnxJ0bzNc1gTFTl2YbVUNAcQDWHf8XhPSbBVjmtvLQuK2k2qjAG9XudcsJLCuEVI1ssiLX_y_zFjiIuNR1Trwq2OIHNP5OQ-HY7KKDeR8pxWpZti64w_vUoRFt3jhcLGZeJDBLYOefmDuqBo8IhhnNTCmT_Ur4LzckZ04-2C7PFEy6gsQxmjocg7WwlLYDrvgrtSIp14uFBtQgmKdfaxLqxO-UnZXz_Od7j2rpa4C-DK-AdK2b8hKaboAy0PmB8XE8UklWBcQ", "d": null }, "publicKey": { "modulus": "AIftDG26CEhxfU5h2uGkoIMxMel1lCK4V9eT__cv4oM7ee4gl1YlvUSZhtLI_m2ybEw70s-A6-8ff9ivDLRkriOqeZHplK7H3eik1VPvb1fpihAlOM5JsoioaSaX36wVpLl8EUF-mBdWIsxO5ZDtmH-5RImBys61liSMDhW7ESKxxxen_ReJDqhrnHKcpqHQ70SkgCTjudLby9n8hAmX0qoKp9z1NVkD9Jb-z3eMaTvlzbKgrGD2_2FNSR2s-Jq5IuSZIor_jvrlF1U5mpjqlCeG-C0A91_sC3C6ED8zR1ok3u8hr-WiFxA3TC7oZ9GMszdEUfOIRYbMIy-HblPBxRs", "exponent": "AQAB", "x": null, "y": null }, "certificateChain": ["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"] }, { "keyType": "RSA", "use": "SIGNATURE", "algorithm": "RS512", "keyId": "9487133e-a6d8-48ae-a840-7e7c28e31994", "expirationTime": null, "curve": null, "privateKey": { "modulus": "AMreZ8mqIbPAQrX7qoOftSK7agdNuGgMcxNClChej2Z9YW4mPFuboyCgAohZRytqeOb1vwXbo_A4ZNm6k4hO9S4BYEjw99JWYJye_6BfcC9jsx6Cc6hXuNXy4X__yXC3ULz89NdIDUEkShyNQft7A_cHlUHfZ-KyLjm2EStKYn0SZcVS4N3Kmj9WWXHSkxXqUC_v5JU9ZZ7FMzcUjaim5cDe9mjj73zcA2fbMeQ4YHjeCIXEpW1aE9Tb6gUa2UhQJHvXHoo1FSC8vRxJF4phR5PBjcAHjLruZ1aCrX_Ii_JOy2KYwait4LeRZNqvgllJjIXIFw11ilgtGtUhsLYTBac", "privateExponent": 
"AJTE3F-q_-QNjd5enADCUdcSkQKiICVNW-Y34OZp0cdbEuPv7jtPuyTlsnXC4soX3mmgtWDaXTKAaJSymhZPsMT4BV_4NgRti5PPla5Jzr8x4dzx1VcSXV2oK23uag7an7630eU91Vp7_k1J2aVN5O53BSG1bz1zZSq1NYoFlowYbg34NyRvUMfoD2Z76ofVHcPeErvachZ-9GEBh9GvjPo0tzh6RH1ocf28b2YlBKOGhWMwbGzsS8Yz6TO1ec6c1bndXVc3YlgX4TY0oPhqtPgg-XQeT0i3Y40scWtyPZAk7AcdfJSgo8JIAzkPlXqX3U4zY9eOMM14U0eqiNrj82E", "d": null }, "publicKey": { "modulus": "AMreZ8mqIbPAQrX7qoOftSK7agdNuGgMcxNClChej2Z9YW4mPFuboyCgAohZRytqeOb1vwXbo_A4ZNm6k4hO9S4BYEjw99JWYJye_6BfcC9jsx6Cc6hXuNXy4X__yXC3ULz89NdIDUEkShyNQft7A_cHlUHfZ-KyLjm2EStKYn0SZcVS4N3Kmj9WWXHSkxXqUC_v5JU9ZZ7FMzcUjaim5cDe9mjj73zcA2fbMeQ4YHjeCIXEpW1aE9Tb6gUa2UhQJHvXHoo1FSC8vRxJF4phR5PBjcAHjLruZ1aCrX_Ii_JOy2KYwait4LeRZNqvgllJjIXIFw11ilgtGtUhsLYTBac", "exponent": "AQAB", "x": null, "y": null }, "certificateChain": ["MIIDMTCCAhkCgYEAmqmdF5eOLZhrEurNOWBCOv++dJ/WJN/nqqiW0kN6NqzKUhakWKf9Lyyu3ZCo1U7kpH+SOK35nz9sLJbR99rl40NzyGwZHfADanfc5mlLDr/sKkSqzwyji9On4e02mtbaOfSc6l+plcFeEzbmIwdYdBy2NKNrZ4hweGeYDV9OBJEwDQYJKoZIhvcNAQENBQAwHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZTAeFw0xNjAyMjIxMTI4NDlaFw0xNzAyMjIxMTI4NDlaMB4xHDAaBgNVBAMTE1Rlc3QgQ0EgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDK3mfJqiGzwEK1+6qDn7Uiu2oHTbhoDHMTQpQoXo9mfWFuJjxbm6MgoAKIWUcranjm9b8F26PwOGTZupOITvUuAWBI8PfSVmCcnv+gX3AvY7MegnOoV7jV8uF//8lwt1C8/PTXSA1BJEocjUH7ewP3B5VB32fisi45thErSmJ9EmXFUuDdypo/Vllx0pMV6lAv7+SVPWWexTM3FI2opuXA3vZo4+983ANn2zHkOGB43giFxKVtWhPU2+oFGtlIUCR71x6KNRUgvL0cSReKYUeTwY3AB4y67mdWgq1/yIvyTstimMGoreC3kWTar4JZSYyFyBcNdYpYLRrVIbC2EwWnAgMBAAEwDQYJKoZIhvcNAQENBQADggEBAAT1xHgvW679GC+Tz7//JOhXGLFS376mq/cojpJoHyY/frMa/1tLY1jJBjnQLRE4TvAFCVv9436iEEE8T9yT0DzddSg9o4pW+1u3KEczOVzJO97g25KX5ffOxm856/Wp5CJI3ms0IuPMfX0OfLsj+K49Nsygs8i0BlaeqppE7xvuZ8CbIFpiB6D7TXVR44pWp4TJmtOGTpahJONqIysaBnpQxu5wSMKWmySgPCkZJTeP2NKHAwM4v8zy+SYk5vxaSizimwjqqyGb/kqjn2gqYnzMgQZVrQhcRwssTB8GjCW5UtK+ldulQKMNaD2lg97RJ4Kgj0h4wRvgUKuDG1nZXhQ="] }, { "keyType": "EC", "use": "SIGNATURE", "algorithm": "ES256", "keyId": 
"04b58564-b004-4fc1-90da-f5226fef7baa", "expirationTime": null, "curve": "P-256", "privateKey": { "modulus": null, "privateExponent": null, "d": "C6wkOzymrNCLC-755mSHSh6CaThYthWwz15SPIs5rsc" }, "publicKey": { "modulus": null, "exponent": null, "x": "AOZty854PAA3FZo6zwfeH6F_t-UBz6swv71CsD4I4VkA", "y": "LsOw-44WhbkxwIjtriLxiaF6JhDwvttWt0UoFFe_o1A" }, "certificateChain": ["MIIBpDCCAUoCgYB4U3i5F55xxck8Qw5aCDi0jzzKDV89EePQRGpiWItw4FsG9B0OhNw9vsbgQs+dO6HiyYUar+9HCVa8VvNopX2AjSY2CI9h656UHsFq/YhcDBt9+EmhcOAzu5tFgBQvou/ZZUeaonWZ86ka4/ap4Ok3D9bjt3y12mdxn85qMJT66zAKBggqhkjOPQQDAjAeMRwwGgYDVQQDExNUZXN0IENBIENlcnRpZmljYXRlMB4XDTE2MDIyMjExMjg0OVoXDTE3MDIyMjExMjg0OVowHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOZty854PAA3FZo6zwfeH6F/t+UBz6swv71CsD4I4VkALsOw+44WhbkxwIjtriLxiaF6JhDwvttWt0UoFFe/o1AwCgYIKoZIzj0EAwIDSAAwRQIgXhZEw6KuEkHfcDxh463xnOV5wlWmgeg6Ve9mQ4WgD0wCIQCfyoTMR0f//NhZaxjhmtxuFpW9M05GsylAnVXsz5tUVQ=="] }, { "keyType": "EC", "use": "SIGNATURE", "algorithm": "ES384", "keyId": "eec12337-4deb-437d-809f-9fd55181b8e8", "expirationTime": null, "curve": "P-384", "privateKey": { "modulus": null, "privateExponent": null, "d": "AVNzv4BI1WtkR-BoKR_IP-UsMy6iw-8glI0jym7-IOspuiREwH0wSB_3v0X0HnAa" }, "publicKey": { "modulus": null, "exponent": null, "x": "ANSrH3ngsf4cIeCc-6nug6ms5_CTIP0pXmiSyH6l9y3Hd2OcZyfU5qpos-UkUbg2xQ", "y": "Qt2f9U9_QxcUPYA0VPLkC8kdLfe8o2Dzuiv12yWCe19TwDGCRNlJKCp92ovLOrHk" }, "certificateChain": ["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"] }, { "keyType": "EC", "use": "SIGNATURE", "algorithm": "ES512", "keyId": "c197cd26-d9b0-44c4-9b68-124678c2a32c", "expirationTime": null, "curve": "P-521", "privateKey": { "modulus": null, "privateExponent": null, "d": "AIfB6zEFluartK07IzUceAowReIhMQJ9x8tyI1DW9HUToNqB1UhJlHvAWYo9Fwu2LgyDdpBINwqRZfY1LRU_n9Ek" }, "publicKey": { "modulus": null, "exponent": null, "x": "AVUFxwt7QZxLRi7_mP2Xwr1AlVHS-T92wp-vMXNPhfQ6txUGz6SAxFkRLrZ4dZpxr1K13lwHMsnko5n8Ne07H_RL", "y": 
"AZ2wJUcRTiAYVtOBlFWefr_9KFP7B8PmiwBEDKpt8py3Dp1YcPpTyQvUsqTOZWAOFN1wRM81QBIQAoHXICKpwC-w" }, "certificateChain": ["MIICLTCCAY4CgYEArJi7iUiW5dlGPeVP0F2JSbuejidMs/tYWt2PhvyFRz3O7oDLiVov04V2PcZFr6Hh14Q40dtsPGqoW/nZqi7ZFaOogrEeRoaJP3hbPcXOxsYqSgUw9IT/qNV2YncwZzmnKU+5H8UKYLO5WiWfJQacCe6lQ/MHeGy28oCYKmSQomEwCgYIKoZIzj0EAwIwHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZTAeFw0xNjAyMjIxMTI4NDlaFw0xNzAyMjIxMTI4NDlaMB4xHDAaBgNVBAMTE1Rlc3QgQ0EgQ2VydGlmaWNhdGUwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAFVBccLe0GcS0Yu/5j9l8K9QJVR0vk/dsKfrzFzT4X0OrcVBs+kgMRZES62eHWaca9Std5cBzLJ5KOZ/DXtOx/0SwGdsCVHEU4gGFbTgZRVnn6//ShT+wfD5osARAyqbfKctw6dWHD6U8kL1LKkzmVgDhTdcETPNUASEAKB1yAiqcAvsDAKBggqhkjOPQQDAgOBjAAwgYgCQgFg7rnN6LP2uwOpyCnlOx9tBHOfWi97FfHwAFFLacrAA3N764LWK1ZvczMQxBsCudGvPALE+LlJ/cO1qqGxqF6DTQJCAXXGxN0foYXBvmxcaMEcJjz2QtkJW9SNfiYoeBXZbcF1GUoiP2Pfz7w7jy7HZT7ESFdkLRBgU5Bn1MC/3suAPh9j"] }]} ```

By Valentino Pecaoco user 24 Feb 2016 at 9:33 a.m. CST

Hi Josh, please enable "SCIM Support" in oxTrust GUI if not yet enabled. https://ox.gluu.org/doku.php?id=ce_24_scim_uma This setting is under "Configuration --> Organization Configuration".

By Josh Weisman user 24 Feb 2016 at 9:43 a.m. CST

It's enabled. I think the error I'm getting using the pre-configured OpenID Connect client is on the SCIM-client-side... It doesn't even get to the server with that key set.... Thanks.

By Michael Schwartz Account Admin 24 Feb 2016 at 10:08 a.m. CST

Ok, I'm out of the obvious suggestions. Maybe Val can help you from here.

By Valentino Pecaoco user 24 Feb 2016 at 10:57 a.m. CST

Hi Josh,

Log in to your Gluu server installation (chroot) and get the generated SCIM Requesting Party JWKS file from this location:

`/install/community-edition-setup/output/scim-rp-openid-keys.json`

Your RP client id ("SCIM Requesting Party Client") is in the file `/install/community-edition-setup/output/scim.ldif`, e.g.,

`inum: @!23D9.E7E2.BD49.79C6!0001!09E8.9949!0008!F783.26B7`

Or you can also get this from OpenDJ/LDAP under `o=clients,o=<YourTopmostInum>,o=gluu`

By Josh Weisman user 25 Feb 2016 at 10:31 p.m. CST

Hi Valentino. Thanks for your feedback. I tried the JWKS from the file (it was the same as the one listed in the JWKS field of the "SCIM Requesting Party Client" OpenID Connect client in the UI). I get this error message:

```
2016-02-26 06:28:45 ERROR JwtUtil:771 - JSONObject["kid"] not found.
org.codehaus.jettison.json.JSONException: JSONObject["kid"] not found.
```

Indeed there is no "kid" field in the supplied JSON. Any ideas? Thanks.
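The two `JwtUtil` errors quoted in this thread report `alg` and `kid` as not found, while the default JWKS quoted above names those members `algorithm` and `keyId` and nests the key parameters under `privateKey`. The following is an added example, not code from Gluu or from any poster here: it lints a JWKS against the RFC 7517 member names and flags private RSA parameters, using constructed sample keys; the function names `lint_jwks` and `public_only` are hypothetical.

```python
import json

# Private RSA members defined by RFC 7518 section 6.3.2.
RSA_PRIVATE = {"d", "p", "q", "dp", "dq", "qi", "oth"}
# Long-form names from the JWKS quoted in this thread -> RFC 7517 names.
LONG_TO_SHORT = {"keyType": "kty", "algorithm": "alg", "keyId": "kid"}
# "kty" is required by RFC 7517; "alg" and "kid" are the members the
# client's JwtUtil log lines in this thread reported as "not found".
EXPECTED = ("kty", "alg", "kid")


def lint_jwks(jwks_text):
    """Return sorted (key_index, finding) pairs for one JWKS document."""
    findings = []
    for i, key in enumerate(json.loads(jwks_text).get("keys", [])):
        for name in EXPECTED:
            if name not in key:
                findings.append((i, f"missing {name}"))
        for long_name, short in LONG_TO_SHORT.items():
            if long_name in key:
                findings.append((i, f"{long_name} used instead of {short}"))
        if isinstance(key.get("privateKey"), dict):
            findings.append((i, "key parameters nested under privateKey"))
        if RSA_PRIVATE & key.keys():
            findings.append((i, "private RSA parameters present"))
    return sorted(findings)


def public_only(jwks_text):
    """Copy a flat RFC 7517 JWKS with the private RSA members removed."""
    keys = json.loads(jwks_text).get("keys", [])
    return {"keys": [{k: v for k, v in key.items() if k not in RSA_PRIVATE}
                     for key in keys]}


# Constructed samples: member names as in the thread, placeholder values.
LONG_FORM = json.dumps({"keys": [{
    "keyType": "RSA", "use": "SIGNATURE", "algorithm": "RS256",
    "keyId": "constructed-id",
    "privateKey": {"modulus": "constructed", "privateExponent": "constructed"},
}]})
FLAT = json.dumps({"keys": [{
    "kty": "RSA", "use": "sig", "alg": "RS256", "kid": "constructed-id",
    "n": "constructed", "e": "AQAB", "d": "constructed",
}]})

if __name__ == "__main__":
    for label, doc in (("long-form", LONG_FORM), ("flat", FLAT)):
        print(label, lint_jwks(doc))
    print(public_only(FLAT))
```

`public_only` reflects general OAuth client registration practice (RFC 7591 describes the registered `jwks` as holding the client's public keys); whether a given Gluu 2.4 build accepts that form is not stated in this thread.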

By Valentino Pecaoco user 26 Feb 2016 at 9:34 a.m. CST

Hi Josh, this is fixed in v2.4.2, ETA next week.

By Valentino Pecaoco user 03 Mar 2016 at 6:59 a.m. CST

Hi Josh, Gluu CE 2.4.2 has just been released along with SCIM-Client 2.4.2.Final.

By Josh Weisman user 03 Mar 2016 at 10:05 p.m. CST

Thanks for letting me know. I'll try it out and get back to you.

By Josh Weisman user 10 Mar 2016 at 9:23 a.m. CST

I downloaded and installed the latest version of the Gluu server and the SCIM client. I got further than I did last time. Using the out-of-the-box SCIM requesting party client I tried to use the SCIM client:

```
String umaAatClientId = "@!AE93.DDCA.803F.2FAE!0001!6621.3029!0008!7C7B.DDB4 ";
String umaAatClientJwks = "{\"keys\"...}";
String umaAatClientKeyId = "760104b9-c131-449f-b497-0d90b46d6b48";
```

I got an unauthorized message from the server. The DEBUG log is at http://pastebin.com/FpqByUF9.

In the interest of expediency, I created a support user at https://gluu.exldevnetwork.net (pw 4S1kCpuQgfsMdT). If you're able to make it work I would appreciate the guidance.

Thanks for your help so far. I'd really like to be able to recommend this solution to our customers so I'd love to get this working.

By Valentino Pecaoco user 11 Mar 2016 at 12:23 a.m. CST

Can you also post the error in the oxauth.log?

Anyway, we have an interim patched oxAuth `*.war` you can use: [http://ox.gluu.org/maven/org/xdi/oxauth-server/2.4.2.Final/oxauth-server-2.4.2.Final.war](http://ox.gluu.org/maven/org/xdi/oxauth-server/2.4.2.Final/oxauth-server-2.4.2.Final.war)

Log in to your Gluu chroot environment, stop Tomcat with `/opt/tomcat/bin/shutdown.sh`, delete all `oxauth*` files in `/opt/tomcat/webapps`, put the new `oxauth.war` above (don't forget to rename), then restart the Gluu server. You may encounter an LDAP persistence error during UMA ticket invalidation, but this does not affect SCIM.

Thanks also for your interest in Gluu!