Unified Directory

Unified Directory is a new user identity store for the RSA Cloud Authentication Service that will enable fully Cloud-only deployments in the future. RSA Unified Directory can create and store local users and their passwords through the open-standard System for Cross-domain Identity Management (SCIM) API. Administrators manage local users from the Cloud Administration Console, and users manage themselves through the My Page self-service portal. Local user passwords are validated entirely within the Cloud Authentication Service.

Note: Unified Directory is a limited availability release feature. If you are interested in RSA Unified Directory, contact your RSA Sales Representative.

User Provisioning Using SCIM API

You can use SCIM API to create a user (POST) in the Unified Directory and search for users (GET) in the directory. You can search for users by the SCIM attributes userName, emails, or id.

Note: Managing user groups is not supported through SCIM API.

Procedure

  1. In the Cloud Administration Console, click My Account > Company Settings and select the Company Information tab.

  2. In the Unified Directory section, click Enabled.

  3. Click Save Settings, and then click Publish Changes.

  4. In the Cloud Administration Console, click Users > Identity Sources.
    The Identity Sources list displays the enabled Unified Directory.

  5. Click Edit corresponding to Unified Directory.

  6. Copy the Base URI and use it in the SCIM client configuration. This is the SCIM Base URI under which all SCIM resources are hosted.

  7. Copy the Client Secret key; it is used for SCIM API authentication.

    Note: You can click Generate to get a new client secret key. Click Save Settings and Publish Changes before you use the new secret key.

SCIM Attribute Mapping

SCIM Attribute | Field on Users > Management
name.givenName | First Name
name.familyName | Last Name
userName | Username
emails[type eq "work"].value | Email Address
active | User Status
phoneNumbers[type eq "mobile"].value | SMS Phone
phoneNumbers[type eq "mobile"].value | Voice Phone

SCIM API for User Creation

Use the SCIM API for creating a user in the Unified Directory.

Authentication

Authorization: Bearer <Client Secret>

Use the copied Client Secret key as the bearer token in the Authorization header.

Request Requirements

Method | Request URL | Response Content Type | Response Body | Response Codes
POST | <Base URI>/Users | application/scim+json | User details | 201, 400, 401, 409, 500

Example Request Data

POST <Base URI>/Users
Authorization: Bearer 29da0602f6db1ed033aa91d644ce4d70bdf3ab58
Content-Type: application/scim+json

Example Request Body

The following examples show user creation request bodies.

User Creation - Minimal User Representation

{
  "userName": "User One",
  "emails": [
    {
      "type": "work",
      "value": "user.one@example.com"
    }
  ]
}

User Creation - User Representation

{
  "userName": "User One",
  "password": "Passw0rd$12345",
  "externalId": "3058e0de-bb4b-4182-bbde-c2b3fa74a70a",
  "active": true,
  "displayName": "User One",
  "emails": [
    {
      "type": "work",
      "value": "user.one@example.com",
      "primary": true
    }
  ],
  "name": {
    "givenName": "User",
    "familyName": "One"
  },
  "phoneNumbers": [
    {
      "type": "work",
      "value": "+31 65 7777777"
    },
    {
      "type": "mobile",
      "value": "+31 65 8888888",
      "primary": true
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ]
}

Request Body Parameters

The following table describes the request parameters.

Request Parameter | Required | Description | Type
userName | Yes | Unique identifier for the user; can be used as the login ID | String
name | No | Components of the user's name | Complex
displayName | No | The name of the user, suitable for display | String
active | No | Indicates the user's status | Boolean
password | No | Password | String
emails | Yes | Email addresses of the user (the email of type "work" is the user's primary identifier and can also be used as the login ID) | List<email>
phoneNumbers | No | Phone numbers of the user (the phone number of type "mobile" is used for SMS/Voice authentication) | List<Phone number>
externalId | No | Identifier of the user, defined by the provisioning client | String

Sub-attributes of emails:
value | Email address | String
type | Type of email: home, work, or other | String
primary | Indicates the primary/preferred email | Boolean

Sub-attributes of phoneNumbers:
value | Phone number | String
type | Type of phone number: home, work, or other | String
primary | Indicates the primary/preferred phone number | Boolean

Sub-attributes of name:
familyName | Last name or family name of the user | String
givenName | First name of the user | String

Response

The API returns the user details.

Example Response Body

User Creation - Minimal User Representation

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "400e299e-3b99-4cb7-9f17-c315290ffeb9",
  "meta": {
    "resourceType": "User",
    "created": "2022-12-17T09:03:39-05:00",
    "lastModified": "2022-12-17T09:03:39-05:00",
    "location": "<Base URI>/Users/400e299e-3b99-4cb7-9f17-c315290ffeb9"
  },
  "userName": "User One",
  "active": true,
  "emails": [
    {
      "type": "work",
      "value": "user.one@example.com"
    }
  ]
}

User Creation - User Representation

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "d4dd1651-fd28-b8b3-b485-8912862b0033",
  "externalId": "3058e0de-bb4b-4182-bbde-c2b3fa74a70a",
  "meta": {
    "resourceType": "User",
    "created": "2022-12-07T10:46:20.687Z",
    "lastModified": "2022-12-07T10:46:20.687Z",
    "location": "<Base URI>/Users/d4dd1651-fd28-b8b3-b485-8912862b0033"
  },
  "userName": "User One",
  "name": {
    "familyName": "One",
    "givenName": "User"
  },
  "displayName": "User One",
  "active": true,
  "emails": [
    {
      "value": "user.one@example.com",
      "type": "work"
    }
  ],
  "phoneNumbers": [
    {
      "value": "+31 65 8888888",
      "type": "mobile"
    },
    {
      "value": "+31 65 7777777",
      "type": "work"
    }
  ]
}

Response Property Descriptions

The following table describes properties used in the response.

Property | Description | Type
id | UUID of the user | String
userName | Unique identifier for the user; can be used as the login ID | String
name | Components of the user's name | Complex
displayName | The name of the user, suitable for display | String
active | Indicates the user's status | Boolean
password | Password | String
emails | Email addresses of the user (the email of type "work" is the user's primary identifier and can also be used as the login ID) | List<email>
phoneNumbers | Phone numbers of the user (the phone number of type "mobile" is used for SMS/Voice authentication) | List<Phone number>
externalId | Identifier of the user, defined by the provisioning client | String

Sub-attributes of emails:
value | Email address | String
type | Type of email: home, work, or other | String
primary | Indicates the primary/preferred email | Boolean

Sub-attributes of phoneNumbers:
value | Phone number | String
type | Type of phone number: home, work, or other | String
primary | Indicates the primary/preferred phone number | Boolean

Sub-attributes of name:
familyName | Last name or family name of the user | String
givenName | First name of the user | String

Response Codes

The following table shows response codes for this API.

Code | Description
201 | Created
400 | Bad Request. Error message examples:
  • Could not provision user as userName exceeded max size.
  • Attribute userName is required and must have a value.
  • Could not provision user as password policy violated.
  • Could not provision user as invalid email id is specified.
  • Attribute email is required and must have a value.
  • Could not provision user as user is inactive in request.
  • User Provisioning failed with: {ERROR_DESC}
  • User Provisioning failed. { Value for attribute schemas must contain schema URI urn:ietf:params:scim:schemas:core:2.0:User because it is the core schema for this resource type, Schema URI urn:ietf:params:scim:schemas:core:2.0:Userss is not a valid value for attribute schemas[0] because it is undefined as a core or schema extension for this resource type. }
  • User Provisioning failed. { Schema URI urn:ietf:params:scim:schemas:extension:enterpriser:2.0:User is not a valid value for attribute schemas[1] because it is undefined as a core or schema extension for this resource type. }
  • User Provisioning failed. { Value test is not valid for attribute emails[0].type because it is not one of the canonical types: other, work, home. }
  • User Provisioning failed. { Value help is not valid for attribute phoneNumbers[0].type because it is not one of the canonical types: other, pager, work, mobile, fax, home. }
  • User Provisioning failed. { Extended attributes namespace urn:ietf:params:scim:schemas:extension:enterprise:2.0:User must be included in the schemas attribute. }
409 | Error message examples:
  • Could not provision user as userName already exists.
  • Could not provision user as specified email id is already in use.
500 | Unable to set password for user.
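The 400 and 409 messages above describe what the service rejects; a provisioning client can check most of those rules before it sends anything. The following is an added example written for this page (it is not RSA's code and not part of the product): it validates a SCIM User body against the documented rules (core schema URI, required userName, required work email, canonical email and phone types, active not false), assembles the POST request with bearer authentication, and returns 4xx/5xx responses to the caller instead of raising, so 409 (already in use) is distinguishable from 400 and 500. The base URI, client secret and function names are placeholders; the password policy cannot be checked client-side because it depends on the tenant.

```python
import json
import urllib.error
import urllib.request
from typing import Any

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Canonical type values quoted in the service's 400 error messages
EMAIL_TYPES = {"other", "work", "home"}
PHONE_TYPES = {"other", "pager", "work", "mobile", "fax", "home"}


def validate_user_payload(user: dict[str, Any]) -> list[str]:
    """Return the problems the service documents as HTTP 400 rejections.

    An empty list means the payload passes these client-side checks; the server
    may still reject it (for example for a password policy violation, which
    cannot be checked without knowing the tenant's policy).
    """
    problems: list[str] = []
    schemas = user.get("schemas", [CORE_USER_SCHEMA])
    if CORE_USER_SCHEMA not in schemas:
        problems.append(f"schemas must contain {CORE_USER_SCHEMA}")
    user_name = user.get("userName")
    if not isinstance(user_name, str) or not user_name.strip():
        problems.append("Attribute userName is required and must have a value.")
    emails = user.get("emails") or []
    for i, email in enumerate(emails):
        etype = email.get("type")
        if etype is not None and etype not in EMAIL_TYPES:
            problems.append(f"Value {etype} is not valid for attribute emails[{i}].type")
    # The work email is the user's primary identifier, so it must be present
    if not any(e.get("type") == "work" and e.get("value") for e in emails):
        problems.append("Attribute email is required and must have a value.")
    for i, phone in enumerate(user.get("phoneNumbers") or []):
        ptype = phone.get("type")
        if ptype is not None and ptype not in PHONE_TYPES:
            problems.append(f"Value {ptype} is not valid for attribute phoneNumbers[{i}].type")
    if user.get("active") is False:
        problems.append("Could not provision user as user is inactive in request.")
    return problems


def build_create_request(base_uri: str, client_secret: str, user: dict[str, Any]) -> dict[str, Any]:
    """Assemble the POST <Base URI>/Users request described above.

    Raises ValueError for a payload that fails validate_user_payload, so a
    request the service would reject is never sent.
    """
    problems = validate_user_payload(user)
    if problems:
        raise ValueError("; ".join(problems))
    body = dict(user)
    body.setdefault("schemas", [CORE_USER_SCHEMA])
    return {
        "method": "POST",
        "url": base_uri.rstrip("/") + "/Users",
        "headers": {
            "Authorization": f"Bearer {client_secret}",
            "Content-Type": "application/scim+json",
        },
        "body": json.dumps(body),
    }


def send(request: dict[str, Any], timeout: float = 10.0) -> tuple[int, dict[str, Any]]:
    """Send an assembled request and return (status, decoded SCIM body).

    HTTP errors are returned instead of raised so the caller can tell 409
    (userName or email already in use) from 400 (payload rejected) and 500
    (password could not be set).
    """
    req = urllib.request.Request(
        request["url"],
        data=request["body"].encode("utf-8"),
        headers=request["headers"],
        method=request["method"],
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, {"detail": raw.decode("utf-8", errors="replace")}


if __name__ == "__main__":
    # Constructed sample values; replace with the Base URI and Client Secret
    # copied from the Cloud Administration Console
    request = build_create_request(
        "https://scim.example.invalid/v2",
        "CLIENT_SECRET_PLACEHOLDER",
        {"userName": "User One", "emails": [{"type": "work", "value": "user.one@example.com"}]},
    )
    print(request["url"])
    print(request["body"])
```

Keeping the validation separate from transport means the same checks can run in a CI test over the attribute mapping you configure in the provisioning client, before any real tenant sees a malformed request.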

SCIM API for User Search

Use the SCIM API to find a user.

Authentication

Authorization: Bearer <Client Secret>

Use the copied Client Secret key as the bearer token in the Authorization header.

Request Requirements

Method | Request URL | Response Content Type | Response Body | Response Codes
GET | <Base URI>/Users or <Base URI>/Users/<id> | application/scim+json | User details | 200, 400, 401, 404

Example Request Data

GET <Base URI>/Users?filter=userName+eq+"<userName/id/email>"
Authorization: Bearer 29da0602f6db1ed033aa91d644ce4d70bdf3ab58
Content-Type: application/scim+json

Response

The API returns the user details.

Example Response Body

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "d4dd1651-fd28-b8b3-b485-8912862b0033",
  "externalId": "3058e0de-bb4b-4182-bbde-c2b3fa74a70a",
  "meta": {
    "resourceType": "User",
    "created": "2022-12-07T10:46:20.687Z",
    "lastModified": "2022-12-07T10:46:20.687Z",
    "location": "<Base URI>/Users/d4dd1651-fd28-b8b3-b485-8912862b0033"
  },
  "userName": "User One",
  "name": {
    "familyName": "One",
    "givenName": "User"
  },
  "displayName": "User One",
  "active": true,
  "emails": [
    {
      "value": "user.one@example.com",
      "type": "work"
    }
  ],
  "phoneNumbers": [
    {
      "value": "+31 65 8888888",
      "type": "mobile"
    },
    {
      "value": "+31 65 7777777",
      "type": "work"
    }
  ]
}

Response Property Descriptions

The following table describes properties used in the response.

Property | Description | Type
id | UUID of the user | String
userName | Unique identifier for the user; can be used as the login ID | String
name | Components of the user's name | Complex
displayName | The name of the user, suitable for display | String
active | Indicates the user's status | Boolean
password | Password | String
emails | Email addresses of the user (the email of type "work" is the user's primary identifier and can also be used as the login ID) | List<email>
phoneNumbers | Phone numbers of the user (the phone number of type "mobile" is used for SMS/Voice authentication) | List<Phone number>
externalId | Identifier of the user, defined by the provisioning client | String

Sub-attributes of emails:
value | Email address | String
type | Type of email: home, work, or other | String
primary | Indicates the primary/preferred email | Boolean

Sub-attributes of phoneNumbers:
value | Phone number | String
type | Type of phone number: home, work, or other | String
primary | Indicates the primary/preferred phone number | Boolean

Sub-attributes of name:
familyName | Last name or family name of the user | String
givenName | First name of the user | String

Response Codes

The following table shows response codes for this API.

Code | Description
200 | OK
400 | Bad Request. Error message examples:
  • Unsupported Search Filter.
  • Invalid Search Filter.
  • Missing Search Filter; bulk GET not yet supported.
  • User id is invalid.
404 | Not Found. Error message example:
  • User not found with id :{{UUID}}
501 | Not Implemented
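The search request above puts a caller-supplied value inside a quoted SCIM filter, so the value has to be quoted correctly or a stray quote will at best produce an "Invalid Search Filter" 400 and at worst change the filter. The following is an added example for this page (not RSA's code): it emits the comparison value as a JSON string, which is the quoting the SCIM filter grammar (RFC 7644) uses and escapes quotes and backslashes; restricts the attribute to the three the page lists as searchable; URL-encodes the filter into the `+`-separated form shown in the request example; and maps the documented 200/400/404 outcomes to a result list. A bare User object (as in the example response) and a standard SCIM ListResponse with `Resources` are both accepted; the base URI, secret and function names are placeholders.

```python
import json
import urllib.parse
from typing import Any

# Attributes the directory documents as searchable
SEARCHABLE_ATTRIBUTES = ("userName", "emails", "id")


def scim_filter(attribute: str, value: str) -> str:
    """Build an `attribute eq "value"` SCIM filter in RFC 7644 syntax.

    The comparison value is emitted as a JSON string, so quotes and backslashes
    in caller-supplied input are escaped and cannot terminate the string early
    or append further filter terms.
    """
    if attribute not in SEARCHABLE_ATTRIBUTES:
        raise ValueError(f"attribute {attribute!r} is not searchable; use one of {SEARCHABLE_ATTRIBUTES}")
    if not isinstance(value, str) or not value:
        raise ValueError("search value must be a non-empty string")
    return f"{attribute} eq {json.dumps(value, ensure_ascii=False)}"


def build_search_request(base_uri: str, client_secret: str, attribute: str, value: str) -> dict[str, Any]:
    """Assemble GET <Base URI>/Users?filter=... with bearer authentication.

    urlencode with quote_plus gives the `+`-separated query shown in the
    request example; quotes and backslashes become %22 and %5C.
    """
    query = urllib.parse.urlencode(
        {"filter": scim_filter(attribute, value)}, quote_via=urllib.parse.quote_plus
    )
    return {
        "method": "GET",
        "url": f"{base_uri.rstrip('/')}/Users?{query}",
        "headers": {
            "Authorization": f"Bearer {client_secret}",
            "Content-Type": "application/scim+json",
        },
    }


def users_from_response(status: int, body: dict[str, Any]) -> list[dict[str, Any]]:
    """Map the documented response codes to a list of matching users.

    200 yields the user details (a bare User as in the example above, or the
    Resources of a SCIM ListResponse); 404 means no such user; 400 means the
    filter was rejected, which is a client bug and is raised; anything else
    is raised with the server's detail so it is never mistaken for "no user".
    """
    if status == 200:
        if "Resources" in body:
            return list(body["Resources"])
        return [body] if body else []
    if status == 404:
        return []
    raise RuntimeError(f"SCIM search failed with HTTP {status}: {body.get('detail', body)}")


if __name__ == "__main__":
    # Constructed values; replace with the copied Base URI and Client Secret
    request = build_search_request(
        "https://scim.example.invalid/v2", "CLIENT_SECRET_PLACEHOLDER", "userName", "User One"
    )
    print(request["url"])
```

Treating 404 as an empty result and every other non-200 as an error matters for deprovisioning logic: a client that swallows a 401 from an expired client secret as "user does not exist" would happily re-create users it was supposed to leave alone.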

Integrating SCIM with Azure AD

Azure AD can be configured to automatically provision assigned users to applications that implement a specific profile of the SCIM 2.0 protocol.

Procedure

  1. Create a non-gallery app in Azure AD.

  2. Configure the SCIM connection details in Azure with the Base URI and Client Secret copied from Unified Directory.

  3. Configure the user attribute mapping. The Cloud Authentication Service requires two SCIM attributes in every SCIM user provisioning request: userName and emails[type eq "work"].value. Use the default mapping, which supplies both.

  4. Ensure that the users are assigned to the non-gallery app created for provisioning.

  5. Start provisioning.

Attribute mappings define how attributes are synchronized between Azure Active Directory and customappsso. The following table displays the attributes that are configured for Azure AD integration.

Azure Active Directory Attribute | customappsso Attribute
userPrincipalName | userName
Switch([IsSoftDeleted], "False", "True", "True", "False") | active
displayName | displayName
mail | emails[type eq "work"].value
givenName | name.givenName
surname | name.familyName
mobile | phoneNumbers[type eq "mobile"].value
mailNickname | externalId
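To see what the mapping table produces, here is an added example written for this page (it is not Microsoft's or RSA's code, and Azure AD applies these mappings itself; the code only reproduces them so they can be checked offline). It parses the three SCIM path shapes the table uses (`attr`, `attr.sub`, `attr[type eq "X"].sub`), applies each row to a constructed Azure AD user record, turns the IsSoftDeleted switch into `active` (a soft-deleted tenant user is provisioned as inactive; a record with no IsSoftDeleted attribute is assumed not to be soft-deleted), and refuses to emit a body that lacks the two mandated attributes. The function and constant names are the example's own.

```python
import re
from typing import Any

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# (Azure AD attribute, customappsso SCIM attribute path), as listed in the table above
AZURE_TO_SCIM = [
    ("userPrincipalName", "userName"),
    ("displayName", "displayName"),
    ("mail", 'emails[type eq "work"].value'),
    ("givenName", "name.givenName"),
    ("surname", "name.familyName"),
    ("mobile", 'phoneNumbers[type eq "mobile"].value'),
    ("mailNickname", "externalId"),
]

# attr | attr.sub | attr[type eq "X"].sub  (the three path shapes the table uses)
PATH_RE = re.compile(r'^(\w+)(?:\[type eq "(\w+)"\])?(?:\.(\w+))?$')


def set_scim_path(body: dict[str, Any], path: str, value: Any) -> None:
    """Assign value at a SCIM attribute path, creating nested structure as needed."""
    match = PATH_RE.match(path)
    if not match:
        raise ValueError(f"unsupported attribute path: {path}")
    attr, type_filter, sub = match.groups()
    if type_filter is None and sub is None:
        body[attr] = value
    elif type_filter is None:
        body.setdefault(attr, {})[sub] = value
    else:
        # Multi-valued attribute: reuse the entry with the matching type or add one
        entries = body.setdefault(attr, [])
        entry = next((e for e in entries if e.get("type") == type_filter), None)
        if entry is None:
            entry = {"type": type_filter}
            entries.append(entry)
        entry[sub] = value


def azure_to_scim(azure_user: dict[str, Any]) -> dict[str, Any]:
    """Apply the attribute mappings to one Azure AD user record and return the
    SCIM User body the provisioning service would send."""
    body: dict[str, Any] = {"schemas": [CORE_USER_SCHEMA]}
    # Switch([IsSoftDeleted], ...): a soft-deleted tenant user is provisioned with
    # active=false so it can no longer sign in. Assumption: a record without the
    # attribute is not soft-deleted.
    soft_deleted = str(azure_user.get("IsSoftDeleted", "False")).lower() == "true"
    body["active"] = not soft_deleted
    for source, target in AZURE_TO_SCIM:
        value = azure_user.get(source)
        if value in (None, ""):
            continue
        set_scim_path(body, target, value)
    # The two attributes the service mandates in every provisioning request
    has_work_email = any(e.get("type") == "work" and e.get("value") for e in body.get("emails", []))
    if not body.get("userName") or not has_work_email:
        raise ValueError('mapping produced no userName or emails[type eq "work"].value; check the source attributes')
    return body


if __name__ == "__main__":
    # Constructed Azure AD record for illustration only
    sample = {
        "userPrincipalName": "user.one@example.com",
        "IsSoftDeleted": "False",
        "displayName": "User One",
        "mail": "user.one@example.com",
        "givenName": "User",
        "surname": "One",
        "mobile": "+31 65 8888888",
        "mailNickname": "user.one",
    }
    print(azure_to_scim(sample))
```

Running the mapping over a handful of representative directory records, including one with a missing mail attribute and one that is soft-deleted, is a cheap way to confirm before enabling provisioning that every assigned user will satisfy the two mandatory attributes and that deleted users arrive as inactive rather than silently unchanged.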

For details on Azure AD integration, refer to Integrate your SCIM endpoint with the Azure AD Provisioning Service.