
I am using wso2is in version 5.4 with an LDAP read-only user store. I have SCIM2 enabled and I am able to list users via the /scim2/Users interface as expected. When I try to list the groups by calling the /scim2/Groups interface, only 2 groups are returned: the PRIMARY/admin group (I guess this is an internal group) and another group, which is obtained from LDAP. If I list the roles (groups) from the admin console, many more roles are listed, which are imported from LDAP; oddly enough, the role corresponding to the group listed by the Groups call is not visible. When I call /Users, the following message is logged on the console:

[2018-02-06 12:49:02,798] DEBUG {org.wso2.carbon.identity.scim2.common.group.SCIMGroupHandler} -  The group MID.Portal.Consulting is not a SCIM group. Skipping..

What does this message mean?

Another question: the WSO2 documentation states "From 5.4.0 onwards, SCIM 2.0 is supported OOTB with WSO2 IS." Have the EventListener entries in the identity.xml file

    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
                   name="org.wso2.carbon.identity.scim.common.listener.SCIMUserOperationListener"
                   orderId="90" enable="false"/>
    <!-- Enable the following SCIM2 event listener and disable the above SCIM event listener if SCIM2 is used. -->
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
                   name="org.wso2.carbon.identity.scim2.common.listener.SCIMUserOperationListener"
                   orderId="93" enable="true"/>

any significance?

csbrogi

1 Answer


Identity Server has 2 separate implementations for SCIM 1.1 and 2.0. Prior to IS 5.4.0, only the SCIM 1.1 implementation is packed OOTB with the product; the SCIM 2.0 implementation is available in the connector store to download and install into Identity Server. From IS 5.4.0 onward, both the 1.1 and 2.0 implementations are available OOTB in the product.

The issue with not showing the groups in your read-only userstore is actually a limitation in the Identity Server. Only the group name and the members are read from the userstore. The group Id and all the other metadata related to the group are maintained inside the Identity Server database. The Id for the group is generated only when the group is created from the Identity Server. So SCIM group operations will not work properly with read-only userstores because of this limitation.

Edit: As your user store is read-only, there wouldn't be much of a difference in changing the EventListener. But it's better to do the proper config. If the userstore is read-write, you definitely have to do this config.

Maduranga Siriwardena
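The answer's point about the listener pair is easy to get wrong by hand, so here is a small check, added as an example and not part of the original question, answer or WSO2 product, that parses an identity.xml and reports whether exactly the SCIM listener for the API in use is enabled. The XML fragments are constructed for the example (they contain only the two listener entries from the question, not a full identity.xml); the listener class names are the ones quoted in the question; the default namespace on the Server element is an assumption that the parser tolerates either way by matching on local tag names.

```python
import xml.etree.ElementTree as ET

# Listener class names as they appear in the question's identity.xml excerpt.
SCIM1_LISTENER = "org.wso2.carbon.identity.scim.common.listener.SCIMUserOperationListener"
SCIM2_LISTENER = "org.wso2.carbon.identity.scim2.common.listener.SCIMUserOperationListener"

# Constructed fragment (not a full identity.xml): the two listeners exactly as in
# the question, SCIM 1.1 disabled and SCIM2 enabled. The xmlns on <Server> is an
# assumption about the real file; the parser below does not depend on it.
CORRECT_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <EventListeners>
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
                   name="org.wso2.carbon.identity.scim.common.listener.SCIMUserOperationListener"
                   orderId="90" enable="false"/>
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
                   name="org.wso2.carbon.identity.scim2.common.listener.SCIMUserOperationListener"
                   orderId="93" enable="true"/>
  </EventListeners>
</Server>
"""

# Deliberately wrong variant for comparison: both SCIM listeners enabled at once.
BOTH_ENABLED_XML = CORRECT_XML.replace('orderId="90" enable="false"',
                                       'orderId="90" enable="true"')


def _local_name(tag):
    # ElementTree renders namespaced tags as "{uri}local"; keep only "local".
    return tag.rsplit("}", 1)[-1]


def listener_states(xml_text):
    """Map every EventListener's name attribute to whether enable="true"."""
    root = ET.fromstring(xml_text)
    states = {}
    for el in root.iter():
        if _local_name(el.tag) != "EventListener":
            continue
        name = el.get("name")
        if name:
            states[name] = el.get("enable", "false").strip().lower() == "true"
    return states


def check_scim_listeners(states, scim2_in_use=True):
    """Return findings as strings; an empty list means only the wanted SCIM listener is on."""
    if scim2_in_use:
        wanted, unwanted = SCIM2_LISTENER, SCIM1_LISTENER
    else:
        wanted, unwanted = SCIM1_LISTENER, SCIM2_LISTENER
    findings = []
    if states.get(wanted) is not True:
        findings.append("%s is missing or disabled" % wanted)
    if states.get(unwanted):
        findings.append("%s is still enabled; disable it so only one SCIM listener runs" % unwanted)
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python check_scim_listeners.py /path/to/repository/conf/identity.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BOTH_ENABLED_XML
    problems = check_scim_listeners(listener_states(text))
    for p in problems:
        print("FINDING:", p)
    if not problems:
        print("OK: SCIM listener configuration is consistent")
```

Run it against the real file after editing identity.xml and before restarting the server; the check only looks at the listener entries, so it says nothing about the read-only userstore group-Id limitation described in the answer.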