Stages Documentation

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
711:user_groups_permissions_scim [2025/01/29 16:02] – [Setting the Token secret] Nerlich, Axel711:user_groups_permissions_scim [2025/09/09 12:06] (current) Nerlich, Axel
Line 3: Line 3:
 SCIM, or System for Cross-domain Identity Management, is an open standard for the provisioning and deprovisioning of users and user groups to enterprise applications. It is able to significantly simplify the rollout of users and their permission group assignments in Stages. SCIM, or System for Cross-domain Identity Management, is an open standard for the provisioning and deprovisioning of users and user groups to enterprise applications. It is able to significantly simplify the rollout of users and their permission group assignments in Stages.
  
-Stages V7.11 implements the SCIM standard version 2.0 (see https://scim.cloud), which is supported by most modern identity providers like Okta Lifecycle Management or Microsoft Entra ID. They provide the capability to configure the connection to the Stages application.+Stages V7.11 implements the SCIM standard version 2.0 (see [[https://scim.cloud]]), which is supported by most modern identity providers like Okta Lifecycle Management or Microsoft Entra ID. They provide the capability to configure the connection to the Stages application.
  
 Before connecting with Stages, an API token has to be created. This will then be used by the identity provider to authenticate against the Stages application. Before connecting with Stages, an API token has to be created. This will then be used by the identity provider to authenticate against the Stages application.
  
 +To connect Stages to an identity provider via SCIM, the provider must be configured by a local system administrator. The corresponding configuration instructions can be found below.
  
 ===== Setting the Token secret ===== ===== Setting the Token secret =====
Line 23: Line 24:
  
 After that, a service restart is necessary. After that, a service restart is necessary.
- 
  
 ===== Creating an API Token ===== ===== Creating an API Token =====
Line 36: Line 36:
  
 Requests to the Stages REST endpoint must contain the value of a valid API token in the Authorization header in the following format: Bearer <token_value> Typically, the identity providers do this under the hood. All actions will be logged at the server in the scim.log and audit-json.log files with the respective API token label as a logging context identifier. Requests to the Stages REST endpoint must contain the value of a valid API token in the Authorization header in the following format: Bearer <token_value> Typically, the identity providers do this under the hood. All actions will be logged at the server in the scim.log and audit-json.log files with the respective API token label as a logging context identifier.
- 
  
 ===== Defining attribute mappings ===== ===== Defining attribute mappings =====
Line 61: Line 60:
 | ''user_perm_group.name'' | ''Group'' | ''displayName'' |     | | ''user_perm_group.name'' | ''Group'' | ''displayName'' |     |
 | ''user_group.user_id'' | ''Group'' | ''members.value'' |     | | ''user_group.user_id'' | ''Group'' | ''members.value'' |     |
 +
 +===== Mapping the license type =====
 +
 +The license type of a user can be set with the following SCIM core attributes for the User resource:
 +
 +  * ''active'' - If the boolean value is ''false'' the user's license type will be set to NONE, regardless of the userType value.
 +  * ''userType'' - String value in the format ''<license type ident>''%%__%%<license pool name>, both separated by two underscore characters.
 +
 +Possible Stages license type idents: NONE, ADMIN, ADMIN_ONLY, AUTH_PROCESS_READER, PERSONAL_EXTDEV, PERSONAL_ADEV, PERSONAL_QM, PERSONAL_PM, PERSONAL_DEV, FLOATING_DEV, FLOATING_PM, FLOATING_QM, FLOATING_ADEV
 +
 +For license types in the default license pool, the license pool name is omitted, but the double underscore separator is kept. Example value: %%PERSONAL_QM__%%
 +
  
 ===== Addressing the SCIM endpoint ===== ===== Addressing the SCIM endpoint =====