search

jelhub / scimgateway

Using SCIM protocol as a gateway for user provisioning to other endpoints
MIT License
176 stars 57 forks source link

SCIM gateway as SCIM frontend for ADFS. #86

Closed security-knights closed 1 year ago

security-knights commented 1 year ago

Hello,

I have one question, can we provision ADFS/SAML users/groups to Symantec cloud WSS service through SCIM Gateway since ADFS doesn't support SCIM 2.0 protocol ?

image

Thanks. Vedran

jelhub commented 1 year ago

Hi,

You are probably looking for some Just-In-Time Provisioning (JIT) that should be triggered by Symantec after successful ADFS authentication.

Instead of ADFS, Symantec (or the logic) could retrieve user/groups directly from Active Directory using scimgateway plugin-ldap.

Regards, Jarle

security-knights commented 1 year ago

Hi Jarle, thank You.

I have dropped a look at the documentation from Symantec and it appears that only supported function by their logic goes in opposite direction, not by Symantec initiated triggering but instead: IdP-connected-SCIM -> notifying Symantec:

"Use the following end point URL for notifying Symantec for an IdP entity update via SCIM protocol: https://admin.tenant.symcloud.com/v1/identities/zzzz/scim"

So it appears that when change is detected on IdP, notification is expected to be sent towards Symantec, not vice versa.

Is this something that can be done in this way or am I missing something?

Thanks.

jelhub commented 1 year ago

The same vendor has SiteMinder SSO that also have similar prerequisites for federation, user must exist in the internal "corporate" user store for federation using external IdP to work.

For SiteMinder, the SiteMinder Java SDK was used to build the JIT logic needed for updating the internal user store based on the incoming authentication OIDC/SAML claims.

If WSS do not have any similar API's or not able to do any SCIM Gateway trigger call in the authentication process, you should probably make some scheduled sync job that reads from AD (plugin-ad) and updates WSS (plugin-scim)

The scheduler could be built into the plugin.

SCIM Gateway can run multiple plugins. One plugin could call another, or you could merge misc. plugins logic into one plugin.

jelhub commented 1 year ago

You will probably read of both AD and WSS, compare and then update WSS when users/groups are out of sync.

security-knights commented 1 year ago

Thank You, looking into that.