Hi Kevin, [SCIM-Client](https://github.com/GluuFederation/SCIM-Client) is our supported Java client for SCIM. Internally, [this](https://github.com/GluuFederation/SCIM-Client/blob/master/src/main/java/gluu/scim2/client/BaseScim2ClientImpl.java#L251) is an example of how to create a user via the SCIM 2.0 endpoint. It uses the Apache HttpClient to communicate via HTTP. I am sure Node.js also has a similar library. If you want to use SCIM-Client, you need to add it as a dependency, say via Maven: ``` <repositories> <repository> <id>gluu</id> <name>Gluu repository</name> <url>http://ox.gluu.org/maven</url> </repository> </repositories> ... <dependency> <groupId>gluu.scim.client</groupId> <artifactId>SCIM-Client</artifactId> <version>2.4.2.Final</version> </dependency> ```

Okay, let's deviate from the original request a bit. Now, I've done everything as specified in the documentation for SCIM-UMA, also patched oxTrush as specified in https://support.gluu.org/integrations/difficulty-to-understand-scim-uma-how-to-2589. And compiled the test code in java, but when I run the program, this is what I'm getting - > Exception in thread "main" > > gluu.scim.client.exception.ScimInitializationException: Could not get accessToken at gluu.scim.client.auth.UmaScimClientImpl.initUmaAuthentication(UmaScimClientImpl.java:95) at gluu.scim.client.auth.UmaScimClientImpl.init(UmaScimClientImpl.java:74) at gluu.scim.client.BaseScimClientImpl.personSearch(BaseScimClientImpl.java:783) at gluu.scim.client.auth.UmaScimClientImpl.personSearch(UmaScimClientImpl.java:386) at gluu.scim.client.ScimClient.personSearch(ScimClient.java:189) at com.test.TestUma.testScim1Uma(TestUma.java:22) at com.test.TestUma.main(TestUma.java:44) Caused by: gluu.scim.client.exception.ScimInitializationException: Failed to get UMA AAT token at gluu.scim.client.auth.UmaScimClientImpl.initUmaRpt(UmaScimClientImpl.java:154) at gluu.scim.client.auth.UmaScimClientImpl.initUmaAuthentication(UmaScimClientImpl.java:91) ... 6 more Any idea what the problem is?

Hi Kevin, Did you enable SCIM Support in oxTrust?

Hi Valentino, Yes!

Could you post the stacktrace in oxauth.log and oxtrust.log?

I cleared the oxauth.log and oxtrust.log and then ran the program. oxtrust.log is empty after that. oxauth log indicates wrong jwt i guess - but I dunno what I missed. Here's oxauth.log > 2016-04-07 12:43:36,309 INFO [org.xdi.oxauth.auth.AuthenticationFilter] JWT authentication failed: Invalid audience: [], tokenUrl: https://campex.com/oxauth/seam/resource/restv1/oxauth/token org.xdi.oxauth.model.exception.InvalidJwtException: Invalid audience: [], tokenUrl: https://campex.com/oxauth/seam/resource/restv1/oxauth/token at org.xdi.oxauth.model.token.ClientAssertion.load(ClientAssertion.java:118) at org.xdi.oxauth.model.token.ClientAssertion.<init>(ClientAssertion.java:39) at org.xdi.oxauth.auth.AuthenticationFilter.processJwtAuth(AuthenticationFilter.java:309) at org.xdi.oxauth.auth.AuthenticationFilter.access$100(AuthenticationFilter.java:59) at org.xdi.oxauth.auth.AuthenticationFilter$1.process(AuthenticationFilter.java:82) at org.jboss.seam.servlet.ContextualHttpServletRequest.run(ContextualHttpServletRequest.java:65) at org.xdi.oxauth.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:73) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745)

I'd like to point out that I've not done these: 1) Extract the JWKS from setup.properties.last and put it into ./output/scim-rp-openid-keys.jason file. - I did'nt do this because the file was already there, if it was not, I wouldn't know how the extract the JWKS anyways. 2) Update the umaClientID with the keyID from scim-rp-openid-keys.jason file; if it is not updated, the first key from the file is used.

Could you double-check in your client code if umaAatClientId = RP client ID (scim_rp_client_id) and is using the correct scim-rp-openid-keys.json file? If everything seems in order, could you please post your client code as well. Thanks.

I'm using scim-rp-openid-keys.json from the output directory. scim_rp_client_id=@!2871.5F6D.80F4.1B1E!0001!491C.0AC2!0008!144C.BCEE scim_rs_client_id=@!2871.5F6D.80F4.1B1E!0001!491C.0AC2!0008!E68E.D587 Here's the client code: package com.test; > import gluu.scim.client.ScimClient; import gluu.scim.client.ScimResponse; import gluu.scim2.client.Scim2Client; > import java.io.File; import java.io.IOException; > import javax.ws.rs.core.MediaType; import javax.xml.bind.JAXBException; > import org.apache.commons.io.FileUtils; import org.codehaus.jackson.JsonGenerationException; import org.codehaus.jackson.map.JsonMappingException; > public class TestUma { private static void testScim1Uma(String domain, String umaMetaDataUrl, String umaAatClientId, String umaAatClientJwks, String umaAatClientKeyId) throws IOException, JsonGenerationException, JsonMappingException, JAXBException { final ScimClient scimClient = ScimClient.umaInstance(domain, umaMetaDataUrl, umaAatClientId, umaAatClientJwks, umaAatClientKeyId); ScimResponse response = scimClient.personSearch("uid", "admin", MediaType.APPLICATION_JSON); System.out.println("SCIM1 " + response.getResponseBodyString()); } private static void testScim2Uma(String domain, String umaMetaDataUrl, String umaAatClientId, String umaAatClientJwks, String umaAatClientKeyId) throws IOException, JsonGenerationException, JsonMappingException, JAXBException { final Scim2Client scim2Client = Scim2Client.umaInstance(domain, umaMetaDataUrl, umaAatClientId, umaAatClientJwks, umaAatClientKeyId); ScimResponse response = scim2Client.personSearch("uid", "admin", MediaType.APPLICATION_JSON); System.out.println("SCIM2: " + response.getResponseBodyString()); } public static void main(String[] args) throws IOException, JAXBException { //final String domain = "https://c67.gluu.info/identity/seam/resource/restv1"; final String domain = "https://gluu-server.com/identity/seam/resource/restv1"; //final String umaMetaDataUrl = "https://c67.gluu.info/.well-known/uma-configuration"; final String umaMetaDataUrl = "https://gluu-server.com//.well-known/uma-configuration"; //final String umaAatClientId = "@!A410.188A.95DD.EA5A!0001!3A1E.BAA5!0008!5870.A795"; final String umaAatClientId = "@!2871.5F6D.80F4.1B1E!0001!491C.0AC2!0008!144C.BCEE"; final String umaAatClientJwks = FileUtils.readFileToString(new File("//Users//kevin//Projects//gluu_server//infrastructure//scim-rp-openid-keys.json"));; final String umaAatClientKeyId = ""; testScim1Uma(domain, umaMetaDataUrl, umaAatClientId, umaAatClientJwks, umaAatClientKeyId); testScim2Uma(domain, umaMetaDataUrl, umaAatClientId, umaAatClientJwks, umaAatClientKeyId); } } Note: I'm ready to give you remote access to my system if you're willing to do that. Mail me @ kevin.madhu@gmail.com, I'll reply with the details(and after we crack the issue, we'll update it here).

Could you check your installation, and perhaps re-install the Gluu server if necessary, remembering to use the patched [oxAuth](http://ox.gluu.org/maven/org/xdi/oxauth-server/2.4.2.Final/oxauth-server-2.4.2.Final.war). I have been assuming all along also that you are using Release 2.4.2 (the latest). I can run the code without problems; please see attachment "TestScimClient*.png".

I'm using 2.4.2 with a patched oxAuth, and I've tried reinstalling a couple of times. This is something else. :)

Can you share your environment specs and are they within the [requirements](https://gluu.org/docs/deployment/)?

I'm using a vm in virtualbox on mac, with 4GB RAM, 2 cores. OS is ubuntu trusty 64 bit. I'm having some problems in the File Descriptor section: 1) Added the lines * soft nofile 65536 * hard nofile 262144 to /etc/security/limits.conf 2) In the second step specified, session required pam_limits.so The line given above is present in /etc/pam.d/login. But the line specified in the doc is session required /lib/security/pam_limits.so But, lib/security/pam_limits.so file is not present in the vm when I checked it, the only file in lib/security directory is pam_vm.so. I searched for the file pam_limits.so and found it in another directory. So I tried by adding the line session required /lib/x86_64-linux-gnu/security/pam_limits.so And also without adding anything because I found the line specified at the beginning of this step. 3) The value in /proc/sys/fs/file-max was 401333. Tried the command specified, which is echo 65535 > /proc/sys/fs/file-max But, this value changed everytime I restarted the vm. So I also tried another command which worked, sysctl -w fs.file-max=65535 4) The output of the command "ulimit -n unlimited" was always bash: ulimit: open files: cannot modify limit: Operation not permitted But ulimit -n returned 65535. -------------------------------------------- This is everything I tried - dunno what all worked, what all did not and couldn't find any procedure by which I could check if they worked. Thanks

Can you try using VMware Player instead of VirtualBox, although not expressed it is our preferred VM. The latest versions can already create guest OS's. Then update Ubuntu Trusty to the latest packages. As for the open files limit, adding ```soft nofile 65536``` and ```hard nofile 262144``` should already be enough. You can verify these limits via the ff. commands: ```ulimit -Sn``` ```ulimit -Hn```

VMware Player is not available on mac. Is that really necessary? And could you please comment on each of the steps if what I did is okay, and what is expected if not? (These configuration files are pretty new to me - limits.conf, pam.d/login etc)

VMWare Player is just preferred, but not necessary. If you need just to make SCIM+UMA work, you can skip the PAM config for now. [Understanding PAM limits](http://blog.raastech.com/2011/12/understanding-pam-limits-pamlimitsso.html) Can you try clearing your logs then just capture the logs up to when you encounter the error when running SCIM-Client: 1. Shutdown Tomcat, `/opt/tomcat/bin/shutdown.sh`. 2. Delete all logs in `/opt/tomcat/logs`. 3. Restart Gluu Server. 4. Run your SCIM code. 5. Check `oxauth.log` and `oxtrust.log`.

Is it okay to use oxAuth 2.4.3 with gluu-server 2.4.2?

I think no.

gluu-server 2.4.3 is not out right? [oxAuth log](http://pastebin.com/isHuCtVd) [oxTrust log](http://pastebin.com/bFZXfrUc) What is actually the invalid audience error? Do you want a copy of scim-rp-openid-keys.json file?

Kevin, 2.4.3 is in QA. Should be released by next week. Thanks, Will

Thanks for the help everyone :) I'm sorry, cause the code worked when I tried by adding the repository for dependencies - previously I was building a copy of scim client library locally and pointed the client to use that, dunno why it did not work. Is there any way I can really get to know the mechanincs of what all requests are made, their formats for acquiring the aat token including how the scim-rp-openid-keys.json is parsed without digging deep into the java code?

> the code worked when I tried by adding the repository for dependencies That's nice to hear Kevin. > Is there any way I can really get to know the mechanincs of what all requests are made, their formats for acquiring the aat token including how the scim-rp-openid-keys.json is parsed without digging deep into the java code? I think the most practical way is to dig deep into the code :-) On the other hand, serializing/de-serializing JSON could be accomplished by using a library, say Google's GSON.

Kevin, I'm going to close this out. Feel free to open a new ticket if you have additional questions. Thanks, Will