README.html

<!DOCTYPE html>
<html>
<head>
<title>README</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<style type="text/css">

/* RESET
=============================================================================*/

html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, img, ins, kbd, q, s, samp, small, strike, strong, sub, sup, tt, var, b, u, i, center, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, thead, tr, th, td, article, aside, canvas, details, embed, figure, figcaption, footer, header, hgroup, menu, nav, output, ruby, section, summary, time, mark, audio, video {
  margin: 0;
  padding: 0;
  border: 0;
}

/* BODY
=============================================================================*/

body {
  font-family: Helvetica, arial, freesans, clean, sans-serif;
  font-size: 14px;
  line-height: 1.6;
  color: #333;
  background-color: #fff;
  padding: 20px;
  max-width: 960px;
  margin: 0 auto;
}

body>*:first-child {
  margin-top: 0 !important;
}

body>*:last-child {
  margin-bottom: 0 !important;
}

/* BLOCKS
=============================================================================*/

p, blockquote, ul, ol, dl, table, pre {
  margin: 15px 0;
}

/* HEADERS
=============================================================================*/

h1, h2, h3, h4, h5, h6 {
  margin: 20px 0 10px;
  padding: 0;
  font-weight: bold;
  -webkit-font-smoothing: antialiased;
}

h1 tt, h1 code, h2 tt, h2 code, h3 tt, h3 code, h4 tt, h4 code, h5 tt, h5 code, h6 tt, h6 code {
  font-size: inherit;
}

h1 {
  font-size: 28px;
  color: #000;
}

h2 {
  font-size: 24px;
  border-bottom: 1px solid #ccc;
  color: #000;
}

h3 {
  font-size: 18px;
}

h4 {
  font-size: 16px;
}

h5 {
  font-size: 14px;
}

h6 {
  color: #777;
  font-size: 14px;
}

body>h2:first-child, body>h1:first-child, body>h1:first-child+h2, body>h3:first-child, body>h4:first-child, body>h5:first-child, body>h6:first-child {
  margin-top: 0;
  padding-top: 0;
}

a:first-child h1, a:first-child h2, a:first-child h3, a:first-child h4, a:first-child h5, a:first-child h6 {
  margin-top: 0;
  padding-top: 0;
}

h1+p, h2+p, h3+p, h4+p, h5+p, h6+p {
  margin-top: 10px;
}

/* LINKS
=============================================================================*/

a {
  color: #4183C4;
  text-decoration: none;
}

a:hover {
  text-decoration: underline;
}

/* LISTS
=============================================================================*/

ul, ol {
  padding-left: 30px;
}

ul li > :first-child, 
ol li > :first-child, 
ul li ul:first-of-type, 
ol li ol:first-of-type, 
ul li ol:first-of-type, 
ol li ul:first-of-type {
  margin-top: 0px;
}

ul ul, ul ol, ol ol, ol ul {
  margin-bottom: 0;
}

dl {
  padding: 0;
}

dl dt {
  font-size: 14px;
  font-weight: bold;
  font-style: italic;
  padding: 0;
  margin: 15px 0 5px;
}

dl dt:first-child {
  padding: 0;
}

dl dt>:first-child {
  margin-top: 0px;
}

dl dt>:last-child {
  margin-bottom: 0px;
}

dl dd {
  margin: 0 0 15px;
  padding: 0 15px;
}

dl dd>:first-child {
  margin-top: 0px;
}

dl dd>:last-child {
  margin-bottom: 0px;
}

/* CODE
=============================================================================*/

pre, code, tt {
  font-size: 12px;
  font-family: Consolas, "Liberation Mono", Courier, monospace;
}

code, tt {
  margin: 0 0px;
  padding: 0px 0px;
  white-space: nowrap;
  border: 1px solid #eaeaea;
  background-color: #f8f8f8;
  border-radius: 3px;
}

pre>code {
  margin: 0;
  padding: 0;
  white-space: pre;
  border: none;
  background: transparent;
}

pre {
  background-color: #f8f8f8;
  border: 1px solid #ccc;
  font-size: 13px;
  line-height: 19px;
  overflow: auto;
  padding: 6px 10px;
  border-radius: 3px;
}

pre code, pre tt {
  background-color: transparent;
  border: none;
}

kbd {
    -moz-border-bottom-colors: none;
    -moz-border-left-colors: none;
    -moz-border-right-colors: none;
    -moz-border-top-colors: none;
    background-color: #DDDDDD;
    background-image: linear-gradient(#F1F1F1, #DDDDDD);
    background-repeat: repeat-x;
    border-color: #DDDDDD #CCCCCC #CCCCCC #DDDDDD;
    border-image: none;
    border-radius: 2px 2px 2px 2px;
    border-style: solid;
    border-width: 1px;
    font-family: "Helvetica Neue",Helvetica,Arial,sans-serif;
    line-height: 10px;
    padding: 1px 4px;
}

/* QUOTES
=============================================================================*/

blockquote {
  border-left: 4px solid #DDD;
  padding: 0 15px;
  color: #777;
}

blockquote>:first-child {
  margin-top: 0px;
}

blockquote>:last-child {
  margin-bottom: 0px;
}

/* HORIZONTAL RULES
=============================================================================*/

hr {
  clear: both;
  margin: 15px 0;
  height: 0px;
  overflow: hidden;
  border: none;
  background: transparent;
  border-bottom: 4px solid #ddd;
  padding: 0;
}

/* TABLES
=============================================================================*/

table th {
  font-weight: bold;
}

table th, table td {
  border: 1px solid #ccc;
  padding: 6px 13px;
}

table tr {
  border-top: 1px solid #ccc;
  background-color: #fff;
}

table tr:nth-child(2n) {
  background-color: #f8f8f8;
}

/* IMAGES
=============================================================================*/

img {
  max-width: 100%
}
</style>
</head>
<body>
<h1>SCIM Gateway</h1>
<p><a href="https://travis-ci.org/jelhub/scimgateway"><img src="https://travis-ci.org/jelhub/scimgateway.svg" alt="Build Status" /></a> <a href="https://www.npmjs.com/package/scimgateway"><img src="https://img.shields.io/npm/v/scimgateway.svg?style=flat-square&amp;label=latest" alt="npm Version" /></a><a href="https://www.npmjs.com/package/scimgateway"><img src="https://img.shields.io/npm/dt/scimgateway.svg?style=flat-square" alt="npm Downloads" /></a> <a href="https://elshaug.xyz/md/scimgateway#disqus_thread"><img src="https://jelhub.github.io/images/chat.svg" alt="chat disqus" /></a> <a href="https://github.com/jelhub/scimgateway"><img src="https://img.shields.io/github/forks/jelhub/scimgateway.svg?style=social&amp;label=Fork" alt="GitHub forks" /></a>  
</p>
<hr />
<p>Author: Jarle Elshaug  
</p>
<p>Validated through IdP's:  
</p>
<ul>
<li>CA Identity Manager</li>
<li>Microsoft Azure Active Directory  
</li>
<li>OneLogin  
</li>
<li>Okta<br />
  Please let me know when you have deployed SCIM Gateway with your preffered IdP so list can be updated  
</li>
</ul>
<p>Latest news:  
</p>
<ul>
<li>Codebase moved from callback of h... to the the promise(d) land of async/await</li>
<li>Supports configuration by environments and external files</li>
<li>Health monitoring through &quot;/ping&quot; URL, and option for error notifications by email</li>
<li>Azure AD user provisioning including license management (e.g. Office 365), installed and configured within minutes!</li>
<li>Includes API Gateway for none SCIM/provisioning - becomes what you want it to become   
</li>
<li>Running SCIM Gateway as a Docker container  
</li>
</ul>
<h2>Overview</h2>
<p>With SCIM Gateway we could do user management by using REST based <a href="http://www.simplecloud.info/">SCIM</a> protocol. Gateway will then translate incoming SCIM requests and expose CRUD functionality (create, read, update and delete user/group) towards destinations using endpoint specific protocols. Gateway do not require SCIM to be used, it's also an API Gateway that could be used for other things than user provisioning.  
</p>
<p>SCIM Gateway is a standalone product, however this document shows how the gateway could be used by products like CA Identity Manager.</p>
<p>Using CA Identity Manager, we could setup one or more endpoints of type SCIM pointing to the gateway. Specific ports could then be used for each type of endpoint, and the SCIM Gateway would work like a &quot;CA Connector Server&quot; communicating with endpoints.</p>
<p><img src="https://jelhub.github.io/images/ScimGateway.svg" /></p>
<p>Instead of using IM-SDK for building our own integration for none supported endpoints, we can now build new integration based on SCIM Gateway plugins. SCIM Gateway works with IM as long as IM supports SCIM.</p>
<p>SCIM Gateway is based on the popular asynchronous event driven framework <a href="https://nodejs.dev/">Node.js</a> using JavaScript. It is firewall friendly using REST webservices. Runs on almost all operating systems, and may load balance between hosts (horizontal) and cpu's (vertical). Could even be uploaded and run as a cloud application.</p>
<p><strong>Following example plugins are included:</strong></p>
<ul>
<li>
<p><strong>Loki</strong> (NoSQL Document-Oriented Database)<br />
Gives a SCIM endpoint located on SCIM Gateway<br />
Demonstrates user provisioning towards document-oriented database<br />
Using <a href="http://lokijs.org">LokiJS</a> for a fast, in-memory document-oriented database (much like MongoDB/PouchDB)<br />
Default gives two predefined test users loaded using in-memory only (no persistence)<br />
Setting <code>{&quot;persistence&quot;: true}</code> gives persistence file store (no test users)<br />
Example of a fully functional SCIM Gateway plugin  
</p>
</li>
<li>
<p><strong>RESTful</strong> (REST Webservice)<br />
Demonstrates user provisioning towards REST-Based endpoint <br />
Using plugin &quot;Loki&quot; as a REST endpoint</p>
</li>
<li>
<p><strong>Forwardinc</strong> (SOAP Webservice)<br />
Demonstrates user provisioning towards SOAP-Based endpoint <br />
Using endpoint Forwardinc that comes with CA IM SDK (SDKWS) - <a href="https://docops.ca.com/ca-identity-manager/12-6-8/EN/programming/connector-programming-reference/sdk-sample-connectors/sdkws-sdk-web-services-connector/sdkws-sample-connector-build-requirements" title="wiki.ca.com">wiki.ca.com</a>  <br />
Shows how to implement a highly configurable multi tenant or multi endpoint solution using <code>baseEntity</code> parameter  
</p>
</li>
<li>
<p><strong>MSSQL</strong> (MSSQL Database)<br />
Demonstrates user provisioning towards MSSQL database  
</p>
</li>
<li>
<p><strong>SAP HANA</strong> (SAP HANA Database)<br />
Demonstrates SAP HANA specific user provisioning  
</p>
</li>
<li>
<p><strong>Azure AD</strong> (REST Webservices)<br />
Azure AD user provisioning including Azure license management (App Service plans) e.g. Office 365<br />
Using Microsoft Graph API<br />
Using customized SCIM attributes according to Microsoft Graph API<br />
Includes CA ConnectorXpress metafile for creating CA IM &quot;Azure - ScimGateway&quot; endpoint type    
</p>
</li>
<li>
<p><strong>API</strong> (REST Webservices)<br />
Demonstrates API Gateway/plugin functionality using post/put/patch/get/delete<br />
None SCIM plugin, becomes what you want it to become.<br />
Endpoint complexity could be put in this plugin, and client could instead communicate through Gateway using your own simplified REST specification.<br />
One example of usage could be creation of tickets in ServiceDesk/HelpDesk and also the other way, closing a ticket could automatically approve/reject corresponding workflow in Identity Manager.    
</p>
</li>
</ul>
<h2>Installation</h2>
<h4>Install Node.js</h4>
<p>Node.js is a prerequisite and have to be installed on the server.  
</p>
<p><a href="https://nodejs.org/en/download/">Download</a> the windows installer (.msi 64-bit) and install using default options.  
</p>
<h4>Install SCIM Gateway</h4>
<p>Open a command window (run as administrator)<br />
Create your own package directory e.g. C:\my-scimgateway and install SCIM Gateway within this package.</p>
<pre><code>mkdir c:\my-scimgateway
cd c:\my-scimgateway
npm init -y
npm install scimgateway --save
</code></pre>

<p>Please <strong>ignore any error messages</strong> unless soap WSSecurityCert functionality is needed in your custom plugin code. Module soap installation of optional dependency 'ursa' that also includes 'node-gyp' then needs misc. prerequisites to bee manually installed.</p>
<p><strong>c:\my-scimgateway</strong> will now be <code>&lt;package-root&gt;</code> </p>
<p>index.js, lib and config directories containing example plugins have been copied to your package from the original scimgateway package located under node_modules.  
</p>
<p>If internet connection is blocked, we could install on another machine and copy the scimgateway folder.</p>
<h4>Startup and verify default Loki plugin</h4>
<pre><code>node c:\my-scimgateway

Start a browser (note, IE does not support JSON content)

http://localhost:8880/ping
=&gt; Health check with a &quot;hello&quot; response

http://localhost:8880/Users  
http://localhost:8880/Groups
or 
http://localhost:8880/Users?attributes=userName
http://localhost:8880/Groups?attributes=displayName  
=&gt; Logon using gwadmin/password and two users / four groups should be listed  

http://localhost:8880/Users/bjensen
http://localhost:8880/Groups/Admins
=&gt; Lists all attributes for specified user/group

&quot;Ctrl + c&quot; to stop the SCIM Gateway
</code></pre>

<p>For more functionality using browser (post/patch/delete) a REST extension/add-on is needed. 	</p>
<h4>Upgrade SCIM Gateway</h4>
<p>Not needed after a fresh install  
</p>
<p>Check if newer versions are available: </p>
<pre><code>cd c:\my-scimgateway
npm outdated
</code></pre>

<p>Lists current, wanted and latest version. No output on screen means we are running the latest version.</p>
<p>Upgrade to latest minor version:  
</p>
<pre><code>cd c:\my-scimgateway
npm install scimgateway
</code></pre>

<p>Note, always backup/copy C:\my-scimgateway before upgrading. Custom plugins and corresponding configuration files will not be affected.  
</p>
<p>To force a major upgrade (version x.*.* =&gt; y.*.*) that will brake compability with any existing custom plugins, we have to include the <code>@latest</code> suffix in the install command: <code>npm install scimgateway@latest</code></p>
<h2>Configuration</h2>
<p><strong>index.js</strong> defines one or more plugins to be started. We could comment out those we do not need. Default configuration only starts the loki plugin.  
</p>
<pre><code>const loki = require('./lib/plugin-loki')
// const restful = require('./lib/plugin-restful')
// const forwardinc = require('./lib/plugin-forwardinc')
// const mssql = require('./lib/plugin-mssql')
// const saphana = require('./lib/plugin-saphana')  // prereq: npm install hdb --save
// const api = require('./lib/plugin-api')
// const azureAD = require('./lib/plugin-azure-ad')
</code></pre>

<p>Each endpoint plugin needs a JavaScript file (.js) and a configuration file (.json). <strong>They both must have the same naming prefix</strong>. For SAP Hana endpoint we have:  
</p>
<blockquote>
<p>lib\plugin-saphana.js<br />
config\plugin-saphana.json</p>
</blockquote>
<p>Edit specific plugin configuration file according to your needs.<br />
Below shows an example of config\plugin-saphana.json  
</p>
<pre><code>{
  &quot;scimgateway&quot;: {
    &quot;port&quot;: 8884,
    &quot;localhostonly&quot;: false,
    &quot;scim&quot;: {
      &quot;version&quot;: &quot;1.1&quot;,
      &quot;customSchema&quot;: null,
      &quot;customUniqueAttrMapping&quot; : {
        &quot;userName&quot; : null,
        &quot;displayName&quot;: null
      }
    },
    &quot;loglevel&quot;: {
      &quot;file&quot;: &quot;debug&quot;,
      &quot;console&quot;: &quot;error&quot;
    },
    &quot;auth&quot;: {
      &quot;basic&quot;: {
        &quot;username&quot;: &quot;gwadmin&quot;,
        &quot;password&quot;: &quot;password&quot;
      },
      &quot;bearer&quot;: {
        &quot;token&quot;: null,
        &quot;jwt&quot;: {
          &quot;azure&quot;: {
            &quot;tenantIdGUID&quot;: null
          },
          &quot;standard&quot;: {
            &quot;secret&quot;: null,
            &quot;publicKey&quot;: null,
            &quot;options&quot;: {
              &quot;issuer&quot;: null
            }
          }
        }
      }
    },
    &quot;certificate&quot;: {
      &quot;key&quot;: null,
      &quot;cert&quot;: null,
      &quot;ca&quot;: null,
      &quot;pfx&quot;: {
        &quot;bundle&quot;: null,
        &quot;password&quot;: null
      }
    },
    &quot;emailOnError&quot;: {
      &quot;smtp&quot;: {
        &quot;enabled&quot;: false,
        &quot;host&quot;: null,
        &quot;port&quot;: 587,
        &quot;proxy&quot;: null,
        &quot;authenticate&quot;: true,
        &quot;username&quot;: null,
        &quot;password&quot;: null,
        &quot;sendInterval&quot;: 15,
        &quot;to&quot;: null,
        &quot;cc&quot;: null
      }
    }
  },
  &quot;endpoint&quot;: {
    &quot;host&quot;: &quot;hostname&quot;,
    &quot;port&quot;: 30015,
    &quot;username&quot;: &quot;username&quot;,
    &quot;password&quot;: &quot;password&quot;,
    &quot;saml_provider&quot;: &quot;saml_provider_name&quot;
  }
}
</code></pre>

<p>Configuration file have two main JSON objects: <code>scimgateway</code> and <code>endpoint</code>  
</p>
<p>Definitions in <code>scimgateway</code> object have fixed attributes but values can be modified. This object is used by the core functionality of the SCIM Gateway.  
</p>
<p>Definitions in <code>endpoint</code> object are customized according to our plugin code. Plugin typically need this information for communicating with endpoint  
</p>
<ul>
<li>
<p><strong>port</strong> - Gateway will listen on this port number. Clients (e.g. Provisioning Server) will be using this port number for communicating with the gateway. For endpoint the port is the port number used by plugin for communicating with SAP Hana.  
</p>
</li>
<li>
<p><strong>localhostonly</strong> - true or false. False means gateway accepts incoming requests from all clients. True means traffic from only localhost (127.0.0.1) is accepted (gateway must then be installed on the CA Connector Server).  
</p>
</li>
<li>
<p><strong>scim.version</strong> - &quot;1.1&quot; or &quot;2.0&quot;. Default is &quot;1.1&quot;. For Azure AD as IdP &quot;2.0&quot; should be used.  
</p>
</li>
<li>
<p><strong>scim.customSchema</strong> - filename of JSON file located in <code>&lt;package-root&gt;\config\schemas</code> containing custom schema attributes, see configuration notes  
</p>
</li>
<li>
<p><strong>scim.customUniqueAttrMapping</strong> - Option for replacing mandatory userName/displayName if IdP use other attributes  
</p>
</li>
<li>
<p><strong>scim.customUniqueAttrMapping.userName</strong> - attribute replacing userName (User object)</p>
</li>
<li>
<p><strong>scim.customUniqueAttrMapping.displayName</strong> - attribute replacing displayName (Group object)</p>
</li>
<li>
<p><strong>loglevel.file</strong> - error, info or debug. Output to logfile <code>logs\plugin-saphana.log</code>  
</p>
</li>
<li>
<p><strong>loglevel.console</strong> - error, info or debug. Output to stdout and errors to stderr.    
</p>
</li>
<li>
<p><strong>auth</strong> - Contains one or more authentication/authorization methods used by clients for accessing gateway. <strong>Methods are disabled by setting corresponding attributes to null</strong>  
</p>
</li>
<li>
<p><strong>auth.basic</strong> - Basic Authentication with <strong>username<strong>/</strong>password</strong>. Note, we set a clear text password and when gateway is started password will become encrypted and updated in the configuration file.  
</p>
</li>
<li>
<p><strong>auth.bearer</strong> - Contains misc bearer token methods for authorization of client requests.  
</p>
</li>
<li>
<p><strong>auth.bearer.token</strong> - Shared token/secret (supported by Azure). Clear text value will become encrypted when gateway is started.  
</p>
</li>
<li>
<p><strong>auth.bearer.jwt</strong> - Contains misc JSON Web Token (JWT) methods for authorization.  
</p>
</li>
<li>
<p><strong>auth.bearer.jwt.azure</strong> - JWT used by Azure SyncFabric. <strong>tenantIdGUID</strong> must be set to Azure Active Directory Tenant ID.  
</p>
</li>
<li>
<p><strong>auth.bearer.jwt.standard</strong> - Standard JWT. Using <strong>secret</strong> or <strong>publicKey</strong> for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in <code>&lt;package-root&gt;\config\certs</code>. Clear text secret will become encrypted when gateway is started. <strong>options.issuer</strong> is mandatory. Other options may also be included according to jsonwebtoken npm package definition.   
</p>
</li>
<li>
<p><strong>certificate</strong> - If not using SSL/TLS certificate, set &quot;key&quot;, &quot;cert&quot; and &quot;ca&quot; to <strong>null</strong>. When using SSL/TLS, &quot;key&quot; and &quot;cert&quot; have to be defined with the filename corresponding to the primary-key and public-certificate. Both files must be located in the <code>&lt;package-root&gt;\config\certs</code> directory e.g:  
</p>
<pre><code>&quot;certificate&quot;: {
  &quot;key&quot;: &quot;key.pem&quot;,
  &quot;cert&quot;: &quot;cert.pem&quot;,
  &quot;ca&quot;: null
}  
</code></pre>

<p>Example of how to make a self signed certificate:  
</p>
<pre><code>openssl req -nodes -newkey rsa:2048 -x509 -sha256 -days 3650 -keyout key.pem -out cert.pem -subj &quot;/O=Testing/OU=SCIM Gateway/CN=&lt;FQDN&gt;&quot; -config &quot;&lt;path&gt;\openssl.cnf&quot;
</code></pre>

<p><code>&lt;FQDN&gt;</code> is Fully Qualified Domain Name of the host having SCIM Gateway installed</p>
<p>Note, when using CA Provisioning, the &quot;certificate authority - CA&quot; also have to be imported on the Connector Server. For self-signed certificate CA and the certificate (public key) is the same.  
</p>
<p>PFX / PKCS#12 bundle can be used instead of key/cert/ca e.g: </p>
<pre><code>&quot;pfx&quot;: {
  &quot;bundle&quot;: &quot;certbundle.pfx&quot;,
  &quot;password&quot;: &quot;password&quot;
}
</code></pre>

<p>Note, we should normally use certificate (https) for communicating with SCIM Gateway unless we install ScimGatway locally on the manager (e.g. on the CA Connector Server). When installed on the manager, we could use <code>http://localhost:port</code> or <code>http://127.0.0.1:port</code> which will not be passed down to the data link layer for transmission. We could then also set {&quot;localhostonly&quot;: true}  
</p>
</li>
<li>
<p><strong>emailOnError</strong> - Contains configuration for sending error notifications by email. Note, only the first error will be sent until sendInterval have passed </p>
</li>
<li><strong>emailOnError.smtp.enabled</strong> - true or false, value set to true will enable email notifications  
</li>
<li><strong>emailOnError.smtp.host</strong> - Mailserver e.g. &quot;smtp.office365.com&quot;  
</li>
<li><strong>emailOnError.smtp.port</strong> - Port used by mailserver e.g. 587, 25 or 465</li>
<li><strong>emailOnError.smtp.proxy</strong> - If using mailproxy e.g. &quot;http://proxy-host:1234&quot;</li>
<li><strong>emailOnError.smtp.authenticate</strong> - true or false, set to true will use username/password authentication</li>
<li><strong>emailOnError.smtp.username</strong> - Mail account for authentication and also the sender of the email, e.g. &quot;user@outlook.com&quot;  
</li>
<li><strong>emailOnError.smtp.password</strong> - Mail account password  
</li>
<li><strong>emailOnError.smtp.sendInterval</strong> - Mail notifications on error are deferred until sendInterval <strong>minutes</strong> have passed since the last notification. Default 15 minutes</li>
<li><strong>emailOnError.smtp.to</strong> - Comma separated list of recipients email addresses e.g: &quot;someone@example.com&quot;</li>
<li>
<p><strong>emailOnError.smtp.cc</strong> - Comma separated list of cc email addresses</p>
</li>
<li>
<p><strong>endpoint</strong> - Contains endpoint specific configuration according to our <strong>plugin code</strong>.    
</p>
</li>
</ul>
<h4>Configuration notes</h4>
<ul>
<li>Setting environment variable <code>SEED</code> will override default password seeding logic.  
</li>
<li>All configuration can be set based on environment variables. Syntax will then be <code>&quot;process.env.&lt;ENVIRONMENT&gt;&quot;</code> where <code>&lt;ENVIRONMENT&gt;</code> is the environment variable used. E.g. scimgateway.port could have value &quot;process.env.PORT&quot;, then using environment variable PORT.</li>
<li>
<p>All configuration can be set based on corresponding JSON-content in external file using plugin name as parent JSON object (supports also dot notation). Syntax will then be <code>&quot;process.file.&lt;path&gt;&quot;</code> where <code>&lt;path&gt;</code> is the file used. E.g. endpoint.password could have value &quot;process.file./var/run/vault/secrets.json&quot;  
</p>
<p>Example:  
</p>
<pre><code>{
  &quot;scimgateway&quot;: {
    ...
    &quot;port&quot;: &quot;process.env.PORT&quot;,
    ...
    &quot;loglevel&quot;: {
      &quot;file&quot;: &quot;process.env.LOG_LEVEL_FILE&quot;,
      ...
      &quot;auth&quot;: {
        &quot;basic&quot;: {
          &quot;username&quot;: &quot;process.file./var/run/vault/secrets.json&quot;,
          &quot;password&quot;: &quot;process.file./var/run/vault/secrets.json&quot;,
          ...
    },
    &quot;endpoint&quot;: {
      ...
      &quot;username&quot;: &quot;process.file./var/run/vault/secrets.json&quot;,
      &quot;password&quot;: &quot;process.file./var/run/vault/secrets.json&quot;,
      ...
    }
}  
</code></pre>

<p>secrets.json for plugin-forwardinc - example #1:  
</p>
<pre><code>{
  &quot;plugin-forwardinc&quot;: {
    &quot;scimgateway&quot;: {
      &quot;auth&quot;: {
        &quot;basic&quot;: {
          &quot;username&quot;: &quot;gwadmin&quot;,
          &quot;password&quot;: &quot;password&quot;
        } 
      }
    },
    &quot;endpoint&quot;: {
      &quot;username&quot;: &quot;superuser&quot;,
      &quot;password&quot;: &quot;secret&quot;
    }
  }
}  
</code></pre>

<p>secrets.json for plugin-forwardinc - example #2 (dot notation):  
</p>
<pre><code>{
  &quot;plugin-forwardinc.scimgateway.auth.basic.username&quot;: &quot;gwadmin&quot;,
  &quot;plugin-forwardinc.scimgateway.auth.basic.password&quot;: &quot;password&quot;,
  &quot;plugin-forwardinc.endpoint.username&quot;: &quot;superuser&quot;,
  &quot;plugin-forwardinc.endpoint.password&quot;: &quot;secret&quot;
}  
</code></pre>

</li>
<li>
<p>Custom schema attributes can be added by plugin configuration <code>scim.customSchema</code> having value set to filename of a JSON schema-file located in <code>&lt;package-root&gt;/config/schemas</code> e.g:  
</p>
<pre><code>&quot;scim&quot;: {
  &quot;version&quot;: &quot;1.1&quot;,
  &quot;customSchema&quot;: &quot;plugin-forwardinc-schema.json&quot;
},
</code></pre>

<p>JSON file have following syntax:  
</p>
<pre><code>[
  { 
    &quot;name&quot;: &quot;User&quot;,
    &quot;attributes&quot;: [...]
  },
  { 
    &quot;name&quot;: &quot;Group&quot;,
    &quot;attributes&quot;: [...]
  }
]
</code></pre>

<p>Where array <code>attributes</code> contains custom attribute objects according to SCIM 1.1 or 2.0 spesification e.g:  
</p>
<pre><code>&quot;attributes&quot;: [
  {
    &quot;name&quot;: &quot;musicPreference&quot;,
    &quot;type&quot;: &quot;string&quot;,
    &quot;multiValued&quot;: false,
    &quot;description&quot;: &quot;Music Preferences&quot;,
    &quot;readOnly&quot;: false,
    &quot;required&quot;: false,
    &quot;caseExact&quot;: false
  },
  {
    &quot;name&quot;: &quot;populations&quot;,
    &quot;type&quot;: &quot;complex&quot;,
    &quot;multiValued&quot;: true,
    &quot;multiValuedAttributeChildName&quot;: &quot;population&quot;,
    &quot;description&quot;: &quot;Population array&quot;,
    &quot;readOnly&quot;: false,
    &quot;required&quot;: false,
    &quot;caseExact&quot;: false,
    &quot;subAttributes&quot;: [
      {
        &quot;name&quot;: &quot;value&quot;,
        &quot;type&quot;: &quot;string&quot;,
        &quot;multiValued&quot;: false,
        &quot;description&quot;: &quot;Population value&quot;,
        &quot;readOnly&quot;: false,
        &quot;required&quot;: true,
        &quot;caseExact&quot;: false
      }
    ]
  }
]
</code></pre>

<p>Note, custom schema attributes will be merged into core:1.0/2.0 schema, and names must not conflict with standard SCIM attribute names.</p>
</li>
</ul>
<h2>Manual startup</h2>
<p>Gateway can now be started from a command window running in administrative mode</p>
<p>3 ways to start:</p>
<pre><code>node c:\my-scimgateway

node c:\my-scimgateway\index.js

&lt;package-root&gt;node .
</code></pre>

<p><kbd>Ctrl</kbd>+<kbd>c</kbd> to stop  
</p>
<h2>Automatic startup - Windows Task Scheduler</h2>
<p>Start Windows Task Scheduler (taskschd.msc), right click on &quot;Task Scheduler Library&quot; and choose &quot;Create Task&quot;  
</p>
<pre><code>General tab:  
-----------
Name = SCIM Gateway
User account = SYSTEM
Run with highest privileges

Triggers tab:
-------------
Begin the task = At startup

Actions tab:
------------
Action = Start a program
Program/script = c:\Program Files\nodejs\node.exe
Arguments = c:\my-scimgateway

Settings - tab:
---------------
Stop the task if runs longer than = Disabled (greyed out)
</code></pre>

<p>Verification:</p>
<ul>
<li>Right click task - <strong>Run</strong>, verify process node.exe (SCIM Gateway) can be found in the task manager (not the same as task scheduler). Also verify logfiles <code>&lt;pakage-root&gt;\logs</code>  
</li>
<li>Right click task - <strong>End</strong>, verify process node.exe have been terminated and disappeared from task manager   
</li>
<li><strong>Reboot</strong> server and verify SCIM Gateway have been automatically started</li>
</ul>
<h2>Running as a isolated virtual Docker container</h2>
<p>On Linux systems we may also run SCIM Gateway as a Docker image (using docker-compose)  
</p>
<ul>
<li>
<p>Docker Pre-requisites:<br />
<strong>docker-ce<br />
docker-compose</strong></p>
</li>
<li>
<p>Install SCIM Gateway within your own package and copy provided docker files:</p>
<pre><code>mkdir /opt/my-scimgateway  
cd /opt/my-scimgateway  
npm init -y  
npm install scimgateway --save  
cp ./config/docker/* .  
</code></pre>

<p><strong>docker-compose.yml</strong>   &lt;== Here is where you would set the exposed port and environment<br />
<strong>Dockerfile</strong>   &lt;== Main dockerfile<br />
<strong>DataDockerfile</strong>   &lt;== Handles volume mapping <br />
<strong>docker-compose-debug.yml</strong> &lt;== Debugging  
</p>
</li>
<li>
<p>Create a scimgateway user on your Linux VM.   
</p>
<pre><code>adduser scimgateway
</code></pre>

</li>
<li>
<p>Create a directory on your VM host for the scimgateway configs:  
</p>
<pre><code>mkdir /home/scimgateway/config
</code></pre>

</li>
<li>
<p>Copy your updated configuration file e.g. /opt/my-scimgateway/config/plugin-loki.json to /home/scimgateway/config.  Use scp to perform the copy.</p>
<p>NOTE: /home/scimgateway/config is where all important configuration and loki datastore will reside outside of the running docker container.  If you upgrade scimgateway you won't lose your configurations and data.</p>
</li>
<li>
<p>Build docker images and start it up  
</p>
<pre><code>docker-compose up --build -d
</code></pre>

<p>NOTE: Add the -d flag to run the command above detached.  
</p>
<p>Be sure to confirm that port 8880 is available with a simple http request</p>
<p>If using default plugin-loki and we have configured <code>{&quot;persistence&quot;: true}</code>, we could confirm scimgateway created loki.db:</p>
<pre><code>su scimgateway  
cd /home/scimgateway/config  
ls loki.db  
</code></pre>

</li>
</ul>
<p>To list running containers information:<br />
<code>docker ps</code></p>
<p>To list available images:<br />
<code>docker images</code></p>
<p>To view the logs:<br />
<code>docker logs scimgateway</code></p>
<p>To execute command within your running container:<br />
<code>docker exec scimgateway &lt;bash command&gt;</code></p>
<p>To stop scimgateway:<br />
<code>docker-compose stop</code></p>
<p>To restart scimgateway:<br />
<code>docker-compose start</code></p>
<p>To debug running container (using Visual Studio Code):<br />
<code>docker-compose -f docker-compose.yml -f docker-compose-debug.yml up -d</code><br />
Start Visual Studio Code and follow <a href="https://code.visualstudio.com/docs/nodejs/nodejs-debugging">these</a> debugging instructions  
</p>
<p>To upgrade scimgateway docker image (remove the old stuff before running docker-compose up --build):  
</p>
<pre><code>docker rm scimgateway  
docker rm $(docker ps -a -q); docker rmi $(docker images -q -f &quot;dangling=true&quot;)  
</code></pre>

<h2>CA Identity Manager as IdP using SCIM Gateway</h2>
<p>Using the CA Provisioning Manager we have to configure  
</p>
<p><code>Endpoint type = SCIM (DYN Endpoint)</code>  
</p>
<p>SCIM endpoint configuration example for Loki plugin (plugin-loki)</p>
<pre><code>Endpoint Name = Loki  
User Name = gwadmin  
Password = password  
SCIM Authentication Method = HTTP Basic Authentication  
SCIM Based URL = http://localhost:8880  

or:  

SCIM Based URL = http://localhost:8880/&lt;baseEntity&gt;
</code></pre>

<p>Username, password and port must correspond with plugin configuration file. For &quot;Loki&quot; plugin it will be <code>config\plugin-loki.json</code>  
</p>
<p>&quot;SCIM Based URL&quot; refer to the FQDN (or localhost) having SCIM Gateway installed. Portnumber must be included. Use HTTPS instead of HTTP if SCIM Gateway configuration includes certificates. </p>
<p>&quot;baseEntity&quot; is optional. This is a parameter used for multi tenant or multi endpoint solutions. We could create several endpoints having same base url with unique baseEntity. e.g:  
</p>
<p>http://localhost:8880/clientA<br />
http://localhost:8880/clientB</p>
<p>Each baseEntity should then be defined in the plugin configuration file with custom attributes needed. Please see examples in plugin-forwardinc.json</p>
<p>IM 12.6 SP7 (and above) also supports pagination for SCIM endpoint (data transferred in bulks - endpoint explore of users). Loki plugin supports pagination. Other plugin may ignore this setting.  
</p>
<h2>SCIM Gateway REST API</h2>
<pre><code>Create = POST http://example.com:8880/Users  
(body contains the user information)

Update = PATCH http://example.com:8880/Users/&lt;id&gt;
(body contains the attributes to be updated)

Search/Read = GET http://example.com:8880/Users?userName eq 
&quot;userID&quot;&amp;attributes=&lt;comma separated list of scim-schema defined attributes&gt;

Search/explore all users:
GET http://example.com:8880/Users?attributes=userName

Delete = DELETE http://example.com:8880/Users/&lt;id&gt;
</code></pre>

<p>Discovery:</p>
<pre><code>GET http://example.com:8880/ServiceProviderConfigs
Specification compliance, authentication schemes, data models.

GET http://example.com:8880/Schemas
Introspect resources and attribute extensions.
</code></pre>

<p>Note:  
</p>
<ul>
<li>userName (mandatory) = UserID  
</li>
<li>id (mandatory) = Unique id. Could be set to the same as UserID but don't have to.  
</li>
</ul>
<h2>SAP Hana endpoint</h2>
<pre><code>Get all users (explore):  
select USER_NAME from SYS.USERS where IS_SAML_ENABLED like 'TRUE';

Get a specific user:  
select USER_NAME, USER_DEACTIVATED from SYS.USERS where USER_NAME like '&lt;UserID&gt;';

Create User:  
CREATE USER &lt;UserID&gt; WITH IDENTITY '&lt;UserID&gt;' FOR SAML PROVIDER &lt;SamlProvider&gt;;

Delete user:  
DROP USER &lt;UserID&gt;;

Modify user (enable user):  
ALTER USER &lt;UserID&gt; ACTIVATE;

Modify user (disable user):  
ALTER USER &lt;UserID&gt; DEACTIVATE;  
</code></pre>

<p>Postinstallation:  
</p>
<pre><code>cd c:\my-scimgateway
npm install hdb --save  
</code></pre>

<p>Only SAML users will be explored and managed</p>
<p>Supported template attributes:  
</p>
<ul>
<li>User Name (UserID)</li>
<li>Suspended (Enabled/Disabled)  
</li>
</ul>
<p>Currently no other attributes needed. Trying to update other attributes will then give an error message.  <strong>The SCIM Provisioning template should therefore not include any other global user attribute references.</strong></p>
<p>SAP Hana converts UserID to uppercase. Provisioning use default lowercase. Provisioning template should therefore also convert to uppercase.</p>
<pre><code>User Name = %$$TOUPPER(%AC%)%
</code></pre>

<h2>Azure Active Directory endpoint</h2>
<p>Using plugin-azure-ad we could do user provisioning towards Azure AD including license management e.g. O365  
</p>
<p>For testing purposes we could get an Azure free account and in addition the free Office 365 for testing license management through Azure.</p>
<p><strong>Azure AD prerequisites</strong>  
</p>
<ul>
<li>Logon to <a href="https://portal.azure.com">Azure</a> as global administrator  
</li>
<li>
Azure Active Directory - properties
<ul>
<li>Copy <strong>&quot;Directory ID&quot;</strong>  
</li>
<li>or Azure Active Directory - Custom domain names (copy primary domain name)</li>
</ul>
</li>
<li>
Azure Active Directory - App registrations - New application registration 
<ul>
<li>Name = newApp  
</li>
<li>Application type = Web app API</li>
<li>Sign-on URL = http://localhost (not used)</li>
<li>Click &quot;Create&quot;</li>
</ul>
</li>
<li>
Click &quot;newApp&quot;
<ul>
<li>Copy <strong>&quot;Application ID&quot;</strong>  
</li>
<li>
Required permissions - Windows Azure Active Directory
<ul>
<li>Enable &quot;APPLICATION PERMISSIONS&quot; (all application sub categories enabled)</li>
<li>Click &quot;Save&quot;</li>
</ul>
</li>
<li>
Keys
<ul>
<li>Key description = Key1</li>
<li>Duration = Never expires</li>
<li>Click &quot;Save&quot;</li>
<li>Copy Key1 <strong>&quot;value&quot;</strong>&quot; (client secret)</li>
</ul>
</li>
</ul>
</li>
</ul>
<p><strong>Application needs to be member of &quot;User Account Administrator&quot; when running behalf of application rather than user</strong> </p>
<ul>
<li>Start Powershell command window</li>
<li>
Install the <a href="https://docs.microsoft.com/en-us/powershell/msonline/">Azure AD Module</a> (if not already installed)  

<ul>
<li>Install-Module MSOnline</li>
</ul>
</li>
<li>Import-Module MSOnline</li>
<li>Connect-MsolService (logon as a user having &quot;Global administrator&quot; role)   
</li>
<li>
Get-MsolServicePrincipal -AppPrincipalId {Application ID}  

<ul>
<li>Copy ObjectId</li>
</ul>
</li>
<li>
List all roles and find &quot;User Account Administrator&quot;  

<ul>
<li>Get-MsolRole  
</li>
</ul>
</li>
<li>
List current members of this role:
<ul>
<li>Get-MsOlRoleMember -RoleObjectId fe930be7-5e62-47db-91af-98c3a49a38b1</li>
</ul>
</li>
<li>
Add application to &quot;User Account Administrator&quot; role:  

<ul>
<li>Add-MsolRoleMember -RoleName &quot;User Account Administrator&quot; -RoleMemberType ServicePrincipal -RoleMemberObjectId {ObjectIdOfServicePrincipal}  
</li>
</ul>
</li>
<li>
Verify:  

<ul>
<li>Get-MsOlRoleMember -RoleObjectId fe930be7-5e62-47db-91af-98c3a49a38b1  
</li>
</ul>
</li>
</ul>
<p><strong>Edit index.js</strong><br />
Uncomment startup of plugin-azure-ad, other plugins could be comment out if not needed</p>
<pre><code>const azureAD = require('./lib/plugin-azure-ad')
</code></pre>

<p><strong>Edit plugin-azure-ad.json</strong></p>
<p><code>Username</code> and <code>password</code> used to connect the SCIM Gateway must be defined.</p>
<p>Update <code>tenantIdGUID</code>, <code>clientID</code> and <code>clientSecret</code> according to Azure AD prerequisites configuration.  
</p>
<p>If using proxy, set proxy.host to <code>&quot;http://&lt;FQDN-ProxyHost&gt;:&lt;port&gt;&quot;</code> e.g <code>&quot;http://proxy.mycompany.com:3128&quot;</code>  
</p>
<pre><code>&quot;endpoint&quot;: {
  &quot;entity&quot;: {
    &quot;undefined&quot;: {
      &quot;tenantIdGUID&quot;: &quot;DomainName or DirectoryID (GUID)&quot;,
      &quot;clientId&quot;: &quot;Application ID&quot;,
      &quot;clientSecret&quot;: &quot;Generated application key value&quot;,
      &quot;proxy&quot;: {
        &quot;host&quot;: null,
        &quot;username&quot;: null,
        &quot;password&quot;: null
      }
    }
  }
}
</code></pre>

<p>Note, clientSecret and any proxy.password will become encrypted in this file on the first Azure connection.  
</p>
<p>For multi-tenant or multi-endpoint support, we may add several entities:</p>
<pre><code>&quot;endpoint&quot;: {
  &quot;entity&quot;: {
    &quot;undefined&quot;: {
        ...
    }
    &quot;clientA&quot;: {
        ...
    }
    &quot;clientB&quot;: {
        ...
    }
  }
}
</code></pre>

<p>For additional details, see baseEntity description.  
</p>
<p>Note, we should normally use certificate (https) for communicating with SCIM Gateway unless we install gateway locally on the manager (e.g. on the CA Connector Server). When installed on the manager, we could use <code>http://localhost:port</code> or <code>http://127.0.0.1:port</code> which will not be passed down to the data link layer for transmission. We could then also set {&quot;localhostonly&quot;: true}  
</p>
<p><strong>For CA Provisioning, create endpoint type &quot;Azure - ScimGateway&quot;</strong>  
</p>
<ul>
<li>
Start SCIM Gateway
<ul>
<li>&quot;const azureAD&quot; must be uncomment in <code>index.js</code></li>
<li>username, password and port defined in <code>plugin-azure-ad.json</code> must also be known </li>
</ul>
</li>
<li>Start ConnectorXpress</li>
<li>
Setup Data Sources
<ul>
<li>Add</li>
<li>Layer7 (this is SCIM)</li>
<li>Name = SCIM Gateway-8881</li>
<li>Base URL = http://localhost:8881 (SCIM Gateway installed locally on Connector Server)  
</li>
</ul>
</li>
<li>
Add the new &quot;Azure - ScimGateway&quot; endpoint type
<ul>
<li>Metadata - Import - &quot;my-scimgateway\node_modules\scimgateway\config\resources\Azure - ScimGateway.xml&quot;</li>
<li>Select the datasource we created - SCIM Gateway-8881</li>
<li>Enter password for the user defined in datasource (e.g. gwadmin/password)  
</li>
<li>On the right - expand Provisioning Servers - your server - and logon</li>
<li>
Right Click &quot;Endpoint Types&quot;, Create New Endpoint Type
<ul>
<li>You may use default name &quot;Azure - ScimGateway&quot; and click &quot;OK&quot; to create endpoint</li>
</ul>
</li>
</ul>
</li>
</ul>
<p>Note, metafile &quot;Azure - ScimGateway.xml&quot; is based on CA &quot;Azure - WSL7&quot; with some minor adjustments like using Microsoft Graph API attributes instead of Azure AD Graph attributes.</p>
<p><strong>Using the CA Provisioning Manager we have to configure</strong>  
</p>
<p><code>Endpoint type = Azure - ScimGateway (DYN Endpoint)</code>  
</p>
<p>Endpoint configuration example:</p>
<pre><code>Endpoint Name = Azure-AD-8881  
User Name = gwadmin  
Password = password  
SCIM Authentication Method = HTTP Basic Authentication  
SCIM Based URL = http://localhost:8881  
or  
SCIM Based URL = http://localhost:8881/&lt;baseEntity&gt;  
</code></pre>

<p>For details, please see section &quot;CA Identity Manager as IdP using SCIM Gateway&quot;</p>
<h2>Azure Active Directory as IdP using SCIM Gateway</h2>
<p>Azure AD could do automatic user provisioning by synchronizing users towards SCIM Gateway, and gateway plugins will update endpoints.</p>
<p>Plugin configuration file must include <strong>SCIM Version &quot;2.0&quot;</strong> (scimgateway.scim.version) and either <strong>Bearer Token</strong> (scimgateway.auth.bearer.token) or <strong>Azure Tenant ID GUID</strong> (scimgateway.auth.bearer.jwt.azure.tenantIdGUID) or both:  
</p>
<pre><code>scimgateway: {
  &quot;scim&quot;: {
    &quot;version&quot;: &quot;2.0&quot;,
    ...
  },
  ...
  &quot;auth&quot;: {
    ...
    &quot;bearer&quot;: {
      &quot;token&quot;: &quot;shared-secret&quot;,
      &quot;jwt&quot;: {
        &quot;azure&quot;: {
          &quot;tenantIdGUID&quot;: &quot;xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&quot;
        }
      ...
    }
    ...
  }
  ...
}
</code></pre>

<p><code>bearer.token</code> configuration must correspond with &quot;Secret Token&quot; defined in Azure AD<br />
<code>tenantIdGUID</code> configuration must correspond with Azure Active Directory Tenant ID  
</p>
<p>In Azure Portal:
<code>Azure-Azure Active Directory-Enterprise Application-&lt;My Application&gt;-Provisioning-Secret Token</code><br />
Note, when &quot;Secret Token&quot; is left blank, Azure will use JWT (tenantIdGUID)</p>
<p><code>Azure-Azure Active Directory-Properties-Directory ID</code></p>
<p>User mappings attributes between AD and SCIM also needs to be configured  
</p>
<p><code>Azure-Azure Active Directory-Enterprise Application-&lt;My Application&gt;-Provisioning-Mappings</code></p>
<p>Azure AD default SCIM attribute mapping for <strong>USER</strong> have:  
</p>
<pre><code>externalId mapped to mailNickname (matching precedence #1)  
userName mapped to userPrincipalName  
</code></pre>

<p>SCIM Gateway accepts externalId (as matching precedence) instead of  userName, but <code>userName and externalId must be mapped to the same AD attribute</code> e.g:</p>
<pre><code>externalId mapped to mailNickname (matching precedence #1)  
userName mapped to mailNickname  

or:  

externalId mapped to userPrincipalName (matching precedence #1)  
userName mapped to userPrincipalName  
</code></pre>

<p>Azure AD default SCIM attribute mapping for <strong>GROUP</strong> have:  
</p>
<pre><code>externalId mapped to displayName (matching precedence #1)  
displayName mapped to mailNickname  
</code></pre>

<p>SCIM Gateway accepts externalId (as matching precedence) instead of displayName, but <code>displayName and externalId must then be mapped to the same AD attribute</code> e.g:  
</p>
<pre><code>externalId mapped to displayName (matching precedence #1)
displayName mapped to displayName
</code></pre>

<p>Some notes related to Azure AD:  
</p>
<ul>
<li>
<p>Azure Active Directory SCIM <a href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-scim-provisioning">documentation</a>  
</p>
</li>
<li>
<p>Use the &quot;<a href="https://manage.windowsazure.com">old Portal</a>&quot; for adding/creating your SCIM application.  Adding an application using the &quot;<a href="https://portal.azure.com">new Portal</a>&quot; will not give an OAuth/JWT compatible app - only bearer token (Secret Token) will be used. After the app have been registered (passing the &quot;Test phase&quot;), we could start using the &quot;new Portal&quot;</p>
</li>
<li>
<p>Azure AD do a regular check for a &quot;none&quot; existing user/group. This check seems to be a &quot;keep alive&quot; to verify connection.</p>
</li>
<li>
<p>Azure AD first checks if user/group exists, if not exist they will be created (no explore of all users like CA Identity Manager)  
</p>
</li>
<li>
<p>Deleting a user in Azure AD sends a modify user <code>{&quot;active&quot;:&quot;False&quot;}</code> which means user should be disabled. This logic is configured in attribute mappings. Standard SCIM &quot;DELETE&quot; method seems not to be used.  
</p>
</li>
</ul>
<h2>API Gateway</h2>
<p>Gateway also works as an API Gateway when using url <code>/api</code> or <code>/&lt;baseEntity&gt;/api</code>  
</p>
<p>Following methods for the none SCIM based api-plugin are supported:  
</p>
<pre><code>    GET /api  
    GET /api?queries  
    GET /api/{id}  
    POST /api + body  
    PUT /api/{id} + body  
    PATCH /api/{id} + body  
    DELETE /api/{id}  
</code></pre>

<p>Please see example plugin: <strong>plugin-api.js</strong></p>
<h2>How to build your own plugins</h2>
<p>For JavaScript coding editor you may use <a href="https://code.visualstudio.com/" title="Visual Studio Code">Visual Studio Code</a> </p>
<p>Preparation:</p>
<ul>
<li>Copy &quot;best matching&quot; example plugin e.g. <code>lib\plugin-loki.js</code> and <code>config\plugin-loki.json</code> and rename both copies to your plugin name prefix e.g. plugin-mine.js and plugin-mine.json (for SOAP Webservice endpoint we might use plugin-forwardinc as a template) </li>
<li>Edit plugin-mine.json and define a unique port number for the gateway setting  
</li>
<li>Edit index.js and add a new line for starting your plugin e.g. <code>let mine = require('./lib/plugin-mine');</code>  
</li>
<li>Start SCIM Gateway and verify. If using CA Provisioning you could setup a SCIM endpoint using the port number you defined  
</li>
</ul>
<p>Now we are ready for custom coding by editing plugin-mine.js
Coding should be done step by step and each step should be verified and tested before starting the next (they are all highlighted by comments in existing code).  
</p>
<ol>
<li><strong>Turn off group functionality</strong> in getGroup, getGroupMembers, getGroupUsers and modifyGroupMembers<br />
Please see callback definitions in plugin-saphana that do not use groups.</li>
<li><strong>exploreUsers</strong> (test provisioning explore users)</li>
<li><strong>getUser</strong> (test provisioning retrieve account)</li>
<li><strong>createUser</strong> (test provisioning new account)</li>
<li><strong>deleteUser</strong> (test provisioning delete account)</li>
<li><strong>modifyUser</strong> (test provisioning modify account)</li>
<li><strong>exploreGroups</strong> (test provisioning explore groups)</li>
<li><strong>Turn on group functionality</strong> (if supporting groups)</li>
<li><strong>getGroup</strong> (test provisioning group list groups)</li>
<li><strong>getGroupMembers</strong> (test provisioning retrieve account - group list groups)</li>
<li><strong>modifyGroupMembers</strong> (test provisioning retrieve account - group add/remove groups)</li>
<li><strong>getGroupUsers</strong> (if using &quot;groups member of user&quot;)   
</li>
<li><strong>createGroup</strong> (test provisioning new group)  
</li>
</ol>
<p>Template used by CA Provisioning role should only include endpoint supported attributes defined in our plugin. Template should therefore have no links to global user for none supported attributes (e.g. remove %UT% from &quot;Job Title&quot; if our endpoint/code do not support title)  
</p>
<p>CA Provisioning using default SCIM endpoint do not support SCIM Enterprise User Schema Extension (having attributes like employeeNumber, costCenter, organization, division, department and manager). If we need these or other attributes not found in CA Provisioning, we could define our own by using the free-text &quot;type&quot; definition in the multivalue entitlements or roles attribute. In the template entitlements definition, we could for example define type=Company and set value to %UCOMP%. Please see plugin-forwardinc.js using Company as a multivalue &quot;type&quot; definition.  
</p>
<p>Using CA Connector Xpress we could create a new SCIM endpoint type based on the original SCIM. We could then add/remove attributes and change from default assign &quot;user to groups&quot; to assign &quot;groups to user&quot;. There are also other predefined endpoints based on the original SCIM. You may take a look at &quot;ServiceNow - WSL7&quot; and &quot;Zendesk - WSL7&quot;. </p>
<p>For project setup:  
</p>
<ul>
<li>Datasource =  Layer7 (CA API) - this is SCIM  
</li>
<li>Layer7 Base URL = SCIM Gateway url and port (SCIM Base URL)  
</li>
<li>Authentication = Basic Authentication<br />
(connect using gwadmin/password defined in plugin config-file)</li>
</ul>
<h3>How to change &quot;user member of groups&quot; to &quot;groups member of user&quot;</h3>
<p>Using Connector Xpress based on the original SCIM endpoint.</p>
<p>Delete defaults:<br />
Group - Associations - with User Account<br />
User Account - Attributes - Group Membership</p>
<p>Create new attribute:<br />
User Account - Attributes: Groups - Flexi DN - Multivalue - <strong>groups</strong></p>
<p>Create User - Group associations:<br />
User Account - Accociations - <strong>Direct association with = Group</strong><br />
User Account - Accociations - with Group</p>
<p>Note, &quot;Include a Reverse Association&quot; - not needed if we don't need Group object functionality e.g list/add/remove group members</p>
<p>User Attribute = <strong>Physical Attribute = Groups</strong><br />
Match Group = By Attribute = Name</p>
<p>Objects Must Exist<br />
Use DNs in Attribute = deactivated (toggled off)  
</p>
<p>Include a Reverse Association (if needed)<br />
Group Attribute = <strong>Virtual Attribute = User Membership</strong><br />
Match User Account = By Attribute = User Name  
</p>
<p>Note, groups should be capability attribute (updated when account is synchronized with template):<br />
advanced options - <strong>Synchronized</strong> = enabled (toggled on)</p>
<h2>Methods</h2>
<p>Plugins should have following initialization:  
</p>
<pre><code>// mandatory plugin initialization - start
const path = require('path')
let ScimGateway = null
try {
  ScimGateway = require('scimgateway')
} catch (err) {
  ScimGateway = require('./scimgateway')
}
let scimgateway = new ScimGateway()
let pluginName = path.basename(__filename, '.js')
let configDir = path.join(__dirname, '..', 'config')
let configFile = path.join(`${configDir}`, `${pluginName}.json`)
let config = require(configFile).endpoint
let validScimAttr = [] // empty array - all attrbutes are supported by endpoint
// add any external config process.env and process.file
config = scimgateway.processExtConfig(pluginName, config)
// mandatory plugin initialization - end
</code></pre>

<h3>exploreUsers</h3>
<pre><code>scimgateway.exploreUsers = async (baseEntity, attributes, startIndex, count) =&gt; {
    let ret = {
        &quot;Resources&quot;: [],
        &quot;totalResults&quot;: null
    }
    ...
    return ret
}  
</code></pre>

<ul>
<li>baseEntity = Optional for multi-tenant or multi-endpoint support (defined in base url e.g. <code>&lt;baseurl&gt;/client1</code> gives baseEntity=client1)  
</li>
<li>startIndex = Pagination - The 1-based index of the first result in the current set of search results  
</li>
<li>count = Pagination - Number of elements to be returned in the current set of search results  
</li>
<li>ret: <br />
ret.Resources = array filled with objects containing userName and id (userName and id set to the same value) e.g [{&quot;userName&quot;:&quot;bjensen&quot;,&quot;id&quot;:&quot;bjensen&quot;}, &quot;userName&quot;:&quot;jsmith&quot;,&quot;id&quot;:&quot;jsmith&quot;}]<br />
ret.totalResults = if supporting pagination, then attribute should be set to the total numbers of elements (users) at the endpoint, else set to null</li>
</ul>
<h3>exploreGroups</h3>
<pre><code>scimgateway.exploreGroups = async (baseEntity, attributes, startIndex, count) =&gt; {
    let ret = {
        &quot;Resources&quot;: [],
        &quot;totalResults&quot;: null
    }
    ...
    return ret
}  
</code></pre>

<ul>
<li>ret:<br />
ret.Resources = array filled with objects containing group displayName and id (displayName and id set to the same value) e.g [{&quot;displayName&quot;:&quot;Admins&quot;,&quot;id&quot;:&quot;Admins&quot;}, &quot;displayName&quot;:&quot;Employees&quot;,&quot;id&quot;:&quot;Employees&quot;}]<br />
ret.totalResults = if supporting pagination attribute should be set to the total numbers of elements (groups) at the endpoint else set to null</li>
</ul>
<h3>getUser</h3>
<pre><code>scimgateway.getUser = async (baseEntity, userName, attributes) =&gt; {
    ...
    return userObj
}  
</code></pre>

<ul>
<li>userName = user id (eg. bjensen)  
</li>
<li>attributes = scim attributes to be returned. If no attributes defined, all should be returned.  
</li>
<li>return userObj: userObj containing scim userattributes/values
eg:<br />
{&quot;id&quot;:&quot;bjensen&quot;,&quot;name&quot;:{&quot;formatted&quot;:&quot;Ms. Barbara J Jensen III&quot;,&quot;familyName&quot;:&quot;Jensen&quot;,&quot;givenName&quot;:&quot;Barbara&quot;}}</li>
</ul>
<p>Note, CA Provisioning use two types of &quot;getUser&quot;<br />
1. Check if user exist: attributes=userName and/or id<br />
2. Retrive user: attributes=list of all attributes</p>
<h3>createUser</h3>
<pre><code>scimgateway.createUser = async (baseEntity, userObj) =&gt; {
    ...
    return null
} 
</code></pre>

<ul>
<li>userObj = user object containing userattributes according to scim standard<br />
Note, multi-value attributes excluding user attribute 'groups' are customized from array to object based on type  
</li>
<li>return null: null if OK, else throw error  
</li>
</ul>
<h3>deleteUser</h3>
<pre><code>scimgateway.deleteUser = async (baseEntity, id) =&gt; {
    ...
    return null
} 
</code></pre>

<ul>
<li>id = user id to be deleted </li>
<li>return null: null if OK, else throw error  
</li>
</ul>
<h3>modifyUser</h3>
<pre><code>scimgateway.modifyUser = async (baseEntity, id, attrObj) =&gt; {
    ...
    return null
} 
</code></pre>

<ul>
<li>id = user id  
</li>
<li>attrObj = object containing userattributes to be modified according to scim standard<br />
Note, multi-value attributes excluding user attribute 'groups' are customized from array to object based on type  
</li>
<li>return null: null if OK, else throw error</li>
</ul>
<h3>getGroup</h3>
<pre><code>scimgateway.getGroup = async (baseEntity, displayName, attributes) =&gt; {
    ...
    return retObj
} 
</code></pre>

<ul>
<li>displayName = group name  
</li>
<li>attributes  = scim attributes to be returned in callback (displayName and members is mandatory)  
</li>
<li>
<p>return retObj: retObj containing group displayName and id (+ members if using default &quot;users are member of group&quot;)  
</p>
<p>eg. using default &quot;users are member of group&quot;:<br />
{&quot;displayName&quot;:&quot;Admins&quot;,&quot;id&quot;:&quot;Admins&quot;,&quot;members&quot;:[{&quot;value&quot;:&quot;bjensen&quot;,&quot;display&quot;:&quot;bjensen&quot;]}  
</p>
<p>eg. using &quot;groups are member of user&quot;:<br />
{&quot;displayName&quot;:&quot;Admins&quot;,&quot;id&quot;:&quot;Admins&quot;}</p>
<p>If we do not support groups, callback(null, null)</p>
</li>
</ul>
<h3>getGroupMembers</h3>
<pre><code>scimgateway.getGroupMembers = async (baseEntity, id, attributes) =&gt; {
    let arrRet = []
    ...
    return arrRet
}
</code></pre>

<p>Retrieve all users for a spesific group WHEN <strong>&quot;user member of group&quot;</strong>. This setting is CA IM default scim endpoint configuration. This means Group having multivalue attribute members containing userName.  
</p>
<ul>
<li>id = user id (eg. bjensen)  
</li>
<li>attributes = attributes to be returned in callback (we only return the name of groups - displayName and current user as member)  
</li>
<li>startIndex = Pagination - The 1-based index of the first result in the current set of search results  
</li>
<li>count = Pagination - Number of elements to be returned in the current set of search results  
</li>
<li>
<p>return ret:<br />
ret.Resources = array to be filled with objects containing groups with current user as member<br />
e.g [{&quot;displayName&quot;:&quot;Admins&quot;,&quot;members&quot;: [{ &quot;value&quot;: bjensen}]}, {&quot;displayName&quot;:&quot;Employees&quot;, &quot;members&quot;: [{ &quot;value&quot;: bjensen}]}]  
</p>
<p>ret.totalResults = if supporting pagination attribute should be set to the total numbers of elements (group members) at the endpoint else set to null  
</p>
<p>If we do not support groups (or &quot;user member of group&quot;), callback(null, [])  
</p>
</li>
</ul>
<h3>getGroupUsers</h3>
<pre><code>scimgateway.getGroupUsers = async (baseEntity, groupName, attributes) =&gt; {
    let arrRet = []
    ...
    return arrRet
}
</code></pre>

<p>Retrieve all users for a spesific group WHEN <strong>&quot;group member of user&quot;</strong>. This means user having multivalue attribute groups containing value GroupName  
</p>
<ul>
<li>groupName = group name (eg. UserGroup-1)  
</li>
<li>attributes = scim attributes to be returned in callback  
</li>
<li>
<p>return arrRet: arrRet = array containing the userName's'
e.g: [{&quot;userName&quot;, &quot;bjensen&quot;}, {&quot;userName&quot;, &quot;jsmith&quot;}]</p>
<p>If we do not support groups (or &quot;group member of user&quot;), then return []  
</p>
</li>
</ul>
<h3>createGroup</h3>
<pre><code>scimgateway.createGroup = async (baseEntity, groupObj) =&gt; {
    ...
    return null
})
</code></pre>

<ul>
<li>groupObj = group object containing groupattributes according to scim standard<br />
groupObj.displayName contains the group name to be created</li>
<li>return null: null if OK, else throw error  
</li>
</ul>
<h3>deleteGroup</h3>
<pre><code>scimgateway.deleteGroup = async (baseEntity, id) =&gt; {
    ...
    return null
}
</code></pre>

<ul>
<li>id = group name (eg. Admins) to be deleted</li>
<li>return null: null if OK, else throw error </li>
</ul>
<h3>modifyGroupMembers</h3>
<pre><code>scimgateway.modifyGroupMembers = async (baseEntity, id, members) =&gt; {
    ...
    return null
}
</code></pre>

<ul>
<li>id = group name (eg. Admins)  
</li>
<li>members = array of objects containing groupmembers modifications<br />
eg: {&quot;value&quot;:&quot;bjensen&quot;},{&quot;operation&quot;:&quot;delete&quot;,&quot;value&quot;:&quot;jsmith&quot;}<br />
(adding bjensen and deliting jsmith from group)  
</li>
<li>return null: null if OK, else throw error<br />
If we do not support groups, then return null  
</li>
</ul>
<h2>Known limitations</h2>
<ul>
<li>
<p>Installation gives error messages related to the module soap optional dependency to 'ursa' that also includes 'node-gyp'. These error messages can be ignored unless soap WSSecurityCert functionality is needed in custom plugin code.  
</p>
</li>
<li>
<p>Importing &quot;certificate authority - CA&quot; on the CA Connector Server gives a &quot;Failure&quot; message. After restarting the connector it will show certificate have been installed and HTTPS communication works fine.  
</p>
</li>
</ul>
<h2>License</h2>
<p>MIT © <a href="https://www.elshaug.xyz">Jarle Elshaug</a></p>
<h2>Change log</h2>
<h3>v2.1.9</h3>
<p>[Fix] </p>
<ul>
<li>AAD as IdP broken after content-type validation introduced in v2.1.7</li>
<li>AAD as IdP, none gallery app support</li>
<li>Incorrect SCIM 2.0 multivalue converting</li>
<li>plugin-saphana not correctly ported to v2.x  
</li>
</ul>
<p><strong>Thanks to Luca Moretto</strong>  
</p>
<h3>v2.1.8</h3>
<p>[Fix] </p>
<ul>
<li>plugin-mssql not correctly ported to v2.x, and some config syntax for this plugin have also changed in newer releases of dependencies.</li>
</ul>
<h3>v2.1.7</h3>
<p>[Fix] </p>
<ul>
<li>Validates content-type when body is included</li>
<li>Case insensitive log-masking</li>
<li>Plugins now don't using deprecated <code>url.parse</code></li>
<li>Misc cosmetics e.g. using const instead of let when not reassigned</li>
</ul>
<h3>v2.1.6</h3>
<p>[Fix] </p>
<ul>
<li>plugin-azure-ad did not return correct error code (<code>err.name = 'DuplicateKeyError'</code>) when failing on creating a duplicate user</li>
</ul>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>Includes latest versions of module dependencies</li>
</ul>
<h3>v2.1.4</h3>
<p>[Fix] </p>
<ul>
<li>Incorrect SCIM 2.0 error handling after v2.1.0</li>
<li>For duplicate key error, setting <code>err.name = 'DuplicateKeyError'</code> now gives correct status code 409 instead of defult 500 (see plugin-loki.js)  
</li>
</ul>
<h3>v2.1.3</h3>
<p>[Fix] </p>
<ul>
<li>Standardized the API Gateway response (not SCIM related)</li>
<li>Not allowing plugins to return password</li>
<li>Colorize option now automatically turned off when using stdout/stderr redirect (configuration file <code>loglevel.colorize</code> is not needed)</li>
</ul>
<h3>v2.1.2</h3>
<p>[Fix]  
</p>
<ul>
<li>SCIM 2.0 may use Operations.value as array and none array (issue #16) </li>
</ul>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>Option for replacing mandatory userName/displayName attribute by configuring customUniqueAttrMapping  
</li>
<li>Includes latest versions of module dependencies</li>
</ul>
<h3>v2.1.1</h3>
<p>[Fix]  
</p>
<ul>
<li>SCIM 2.0 may use Operations.value or Operation.value[] for PATCH syntax of the name object (issue #14)</li>
<li>plugin-loki failed to modify a none existing object, e.g name object not included in Create User </li>
</ul>
<h3>v2.1.0</h3>
<p>[ENHANCEMENT] </p>
<ul>
<li>Custom schema attributes can be added by plugin configuration <code>scim.customSchema</code> having value set to filename of a JSON schema-file located in <code>&lt;package-root&gt;/config/schemas</code></li>
</ul>
<p><strong>[UPGRADE]</strong>  
</p>
<ul>
<li>
<p>Configurationfiles for custom plugins should be changed<br />
  old syntax:  
</p>
<pre><code>&quot;scimversion&quot;: &quot;1.1&quot;,  
</code></pre>

<p>new syntax:  
</p>
<pre><code>&quot;scim&quot;: {
  &quot;version&quot;: &quot;1.1&quot;,
  &quot;customSchema&quot;: null
},
</code></pre>

<p>Note, &quot;1.1&quot; is default, if using &quot;2.0&quot; the new syntax must be used.</p>
</li>
</ul>
<h3>v2.0.2</h3>
<p>[Fix]  
</p>
<ul>
<li>SCIM 2.0 incorrect response for user not found</li>
<li>Did not mask logentries ending with newline</li>
</ul>
<h3>v2.0.0</h3>
<p><strong>[MAJOR]</strong>  
</p>
<ul>
<li>Codebase moved from callback to async/await  
</li>
<li>Koa replacing Express  
</li>
<li>Some log enhancements  
</li>
<li>Deprecated cipher methods have been replaced  
</li>
<li>Plugin restful (REST) and forwardinc (SOAP) includes failover logic based on endpoints defined in array baseUrls/baseServiceEndpoints. </li>
</ul>
<p><strong>[UPGRADE]</strong>  
</p>
<p>Note, this is a major upgrade (^1.x.x =&gt; ^2.x.x) and will brake compatibility with any existing custom plugins. To force a major upgrade, suffix <code>@latest</code> must be include in the npm install command, but it's recommended to do a fresh install and copy any custom plugins instead of upgrading an existing package  
</p>
<pre><code>cd c:\my-scimgateway
npm install scimgateway@latest
</code></pre>

<p>Custom plugins needs some changes (please see included example plugins)  
</p>
<ul>
<li><code>scimgateway.on(xxx, function (..., callback)</code> replaced with <code>scimgateway.xxx = async (...)</code> returning a result or throwing an error</li>
<li>Rest and SOAP using <code>doRequest</code> method having endpoint failover logic through array <code>baseUrls/baseServiceEndpoints</code> defined in corresponding plugin configuration file.  
</li>
<li>Additional argument <code>attributes</code> included in exploreUsers and exploreGroups method</li>
<li>Proxy configuration includes option for user/password  
</li>
<li>Encrypted passwords in configuration files needs to be reset to clear text passwords  
</li>
</ul>
<h3>v1.0.20</h3>
<p>[Fix]  
</p>
<ul>
<li>HTTP status code 200 and totalResults set to value of 0 when using SCIM 2.0 filter user/group and no resulted user/group found. SCIM 1.1 still using  status code 404.</li>
</ul>
<p><strong>[UPGRADE]</strong>  
</p>
<ul>
<li>For custom plugins to be compliant with SCIM 2.0, the <code>getUser</code> and <code>getGroup</code> methods needs to be updated. If user/group not found then return <code>callback(null, null)</code> instead of callback(err)  
</li>
</ul>
<h3>v1.0.19</h3>
<p>[Fix]  
</p>
<ul>
<li>Fix related to external configuration (ref. v1.0.18) when running multiple plugins  
</li>
</ul>
<h3>v1.0.18</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>Includes latest versions of module dependencies</li>
<li>Loglevel configuration for file and console now separated</li>
<li>Loglevel colorize option (value false could be useful when redirecting console output)  
</li>
<li>All configuration can be set based on environment variables</li>
<li>All configuration can be set based on correspondig json-content in external file (supports also dot notation)</li>
</ul>
<p><strong>[UPGRADE]</strong>  
</p>
<ul>
<li>
<p>Configurationfiles for custom plugins should be changed<br />
  old syntax:  
</p>
<pre><code>loglevel: &quot;debug&quot;
</code></pre>

<p>new syntax:  
</p>
<pre><code>&quot;loglevel&quot;: {
  &quot;file&quot;: &quot;debug&quot;,
  &quot;console&quot;: &quot;error&quot;,
  &quot;colorize&quot;: true
}
</code></pre>

</li>
</ul>
<h3>v1.0.14</h3>
<p>[Fix]  
</p>
<ul>
<li>Some multiValued attributes not correctly handled (e.g. addresses)  
</li>
</ul>
<h3>v1.0.13</h3>
<p>[Fix]  
</p>
<ul>
<li>plugin-azure-ad: New version of &quot;Azure - ScimGateway.xml&quot; fixing CA IM RoleDefGenerator problem (related to creating and importing screens in CA IM)  
</li>
</ul>
<p><strong>[UPGRADE]</strong>  
</p>
<ul>
<li>Use CA ConnectorXpress, import &quot;Azure - ScimGateway.xml&quot; and deploy/redeploy endpoint</li>
</ul>
<h3>v1.0.12</h3>
<p>[Fix]  
</p>
<ul>
<li>Incorrect logging of Express stream messages (type info) when running multiple plugins    
</li>
</ul>
<h3>v1.0.11</h3>
<p>[Fix]  
</p>
<ul>
<li>plugin-azure-ad: proxy configuration did not work    
</li>
</ul>
<h3>v1.0.10</h3>
<p>[Fix]  
</p>
<ul>
<li>An issue with pagination fixed  
</li>
</ul>
<h3>v1.0.9</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>Cosmetics, changed emailOnError logic - now emitted by logger</li>
</ul>
<h3>v1.0.8</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>Support health monitoring using the &quot;/ping&quot; URL with a &quot;hello&quot; response, e.g. http://localhost:8880/ping. Useful for frontend load balancing/failover functionality  
</li>
<li>Option for error notifications by email  
</li>
</ul>
<p><strong>[UPGRADE]</strong>  
</p>
<ul>
<li>Configuration files for custom plugins must include the <strong>emailOnError</strong> object for enabling error notifications by email. Please see the syntax in provided example plugins and details described in the &quot;Configuration&quot; section of this document.</li>
</ul>
<h3>v1.0.7</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>Docker now using node v.9.10.0 instead of v.6.9.2</li>
<li>Minor log cosmetics</li>
</ul>
<h3>v1.0.6</h3>
<p>[Fix]  
</p>
<ul>
<li>Azure AD plugin, failed to create user when licenses (app Service plans) was included  
</li>
</ul>
<h3>v1.0.5</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>Supporting GET /Users, GET /Groups, PUT method and delete groups  
</li>
<li>After more than 3 invalid auth attempts, response will be delayed to prevent brute force</li>
</ul>
<p>[Fix]  
</p>
<ul>
<li>Some minor compliance fixes  
</li>
</ul>
<p><strong>Thanks to ywchuang</strong> </p>
<h3>v1.0.4</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>Plugin for Azure AD now supports paging for retrieving users and groups. Any existing metafile used by CA ConnectorXpress (&quot;Azure - ScimGateway.xml&quot;) must be re-deployed.</li>
</ul>
<p>[Fix]  
</p>
<ul>
<li>Don't use deprecated existsSync in postinstallation </li>
</ul>
<h3>v1.0.3</h3>
<p>[Fix]  
</p>
<ul>
<li>Undefined root url not handled correctly after v1.0.0</li>
</ul>
<h3>v1.0.2</h3>
<p>[Fix]  
</p>
<ul>
<li>License and group defined as capability attributes in metafile used by CA ConnectorXpress regarding plugin-azure-ad     
</li>
</ul>
<h3>v1.0.1</h3>
<p>[FIX]  
</p>
<ul>
<li>Mocha test script did not terminate after upgrading from 3.x to 4.x of Mocha  
</li>
</ul>
<h3>v1.0.0</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>New plugin-azure-ad.js for Azure AD user provisioning including Azure license management e.g. Office 365</li>
<li>Includes latest versions of module dependencies</li>
<li>Module hdb (for SapHana) and saml is not included by default anymore and therefore have to be manually installed if needed. </li>
</ul>
<p><strong>[UPGRADE]</strong><br />
Method <code>getGroupMembers</code> must be updated for all custom plugins</p>
<p>Replace:  
</p>
<pre><code>scimgateway.on('getGroupMembers', function (baseEntity, id, attributes, startIndex, count, callback) {
...
let ret = {
'Resources' : [],
'totalResults' : null
}
...
ret.Resources.push(userGroup)
...
callback(null, ret)
</code></pre>

<p>With:  
</p>
<pre><code>scimgateway.on('getGroupMembers', function (baseEntity ,id ,attributes, callback) {
...
let arrRet = []
...
arrRet.push(userGroup)
...
callback(null, arrRet)
</code></pre>

<h3>v0.5.3</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>
Includes api gateway/plugin for general none provisioning  

<ul>
<li>GET /api</li>
<li>GET /api?queries</li>
<li>GET /api/{id}</li>
<li>POST /api + body</li>
<li>PUT /api/{id} + body</li>
<li>PATCH /api/{id} + body</li>
<li>DELETE /api/{id}</li>
</ul>
</li>
<li>plugin-api.js demonstrates api functionallity (becomes what you want it to become) </li>
</ul>
<h3>v0.5.2</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>
One or more of following authentication/authorization methods are accepted:  

<ul>
<li>Basic Authentication</li>
<li>Bearer token - shared secret</li>
<li>Bearer token - Standard JSON Web Token (JWT)</li>
<li>Bearer token - Azure JSON Web Token (JWT) </li>
</ul>
</li>
</ul>
<p><strong>[UPGRADE]</strong>  
</p>
<ul>
<li>
Configuration files for custom plugins <code>config/plugin-xxx.json</code> needs to be updated regarding the new <code>scimgateway.auth</code> section:  

<ul>
<li>Copy scimgateway.auth section from one of the example plugins</li>
<li>Copy existing scimgateway.username value to new auth.basic.username value</li>
<li>Copy existing scimgateway.password value to new auth.basic.username value</li>
<li>Copy existing scimgateway.oauth.accesstoken value to new auth.bearer.token value</li>
<li>Delete scimgateway.username</li>
<li>Delete scimgateway.password</li>
<li>Delete scimgateway.oauth</li>
</ul>
</li>
</ul>
<h3>v0.4.6</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>Document updated on how to run SCIM Gateway as a Docker container  
</li>
<li><code>config\docker</code> includes docker configuration examples<br />
<strong>Thanks to Charley Watson and Jeffrey Gilbert</strong>  
</li>
</ul>
<h3>v0.4.5</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>Environment variable <code>SEED</code> overrides default password seeding  
</li>
<li>Setting SCIM Gateway port to <code>&quot;process.env.XXX&quot;</code> lets environment variable XXX define the port  
</li>
<li>Don't validate config-file port number for numeric value (Azure AD - iisnode using a name pipe for communication) </li>
</ul>
<p><strong>[UPGRADE]</strong>  
</p>
<ul>
<li>
Configuration files for custom plugins <code>config/plugin-xxx.json</code> needs to be updated:  

<ul>
<li>Encrypted passwords needs to be reset to clear text passwords</li>
<li>Start SCIM Gateway and passwords will become encrypted  
</li>
</ul>
</li>
</ul>
<h3>v0.4.4</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>NoSQL Document-Oriented Database plugin: <code>plugin-loki</code><br />
This plugin now replace previous <code>plugin-testmode</code><br />
<strong>Thanks to Jeffrey Gilbert</strong>  
</li>
<li>Minor code/comment reorganizations in provided plugins  
</li>
<li>Minor adjustments to multi-value logic introduced in v0.4.0  
</li>
</ul>
<p><strong>[UPGRADE]</strong>  
</p>
<ul>
<li>Delete depricated <code>lib/plugin-testmode.js</code> and <code>config/plugin-testmode.json</code></li>
<li>Edit index.js, replace tesmode with loki   
</li>
</ul>
<h3>v0.4.2</h3>
<p>[Fix]  
</p>
<ul>
<li>plugin-restful minor adjustments to multivalue and cleared attributes logic introduced in v0.4.0  
</li>
</ul>
<h3>v0.4.1</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>Mocha test scripts for automated testing of plugin-testmode  
</li>
<li>Automated tests run on Travis-ci.org (click on build badge) </li>
<li><strong>Thanks to Jeffrey Gilbert</strong></li>
</ul>
<p>[Fix]  
</p>
<ul>
<li>Minor adjustments to multi-value logic introduced in v0.4.0</li>
</ul>
<h3>v0.4.0</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>Not using the SCIM standard for handling multivalue attributes and cleared attributes. Changed from array to object based on type. This simplifies plugin-coding for multivalue attributes like emails, phoneNumbers, entitlements, ...</li>
<li>Module dependencies updated to latest versions  
</li>
</ul>
<p><strong>[UPGRADE]</strong>  
</p>
<ul>
<li>Custom plugins using multivalue attributes needs to be updated regarding methods createUser and modifyUser. Please see example plugins for details.</li>
</ul>
<h3>v0.3.8</h3>
<p>[Fix]  
</p>
<ul>
<li>Minor changes related to SCIM specification</li>
</ul>
<h3>v0.3.7</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>PFX / PKCS#12 certificate bundle is supported</li>
</ul>
<h3>v0.3.6</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>SCIM Gateway used by Microsoft Azure Active Directory is supported</li>
<li>SCIM version 2.0 is supported</li>
<li>Create group is supported  
</li>
</ul>
<p><strong>[UPGRADE]</strong>  
</p>
<ul>
<li>For custom plugins to support create group, they needs to be updated regarding listener method <code>scimgateway.on('createGroup',...</code> Please see example plugins for details. </li>
</ul>
<h3>v0.3.5</h3>
<p>[Fix]  
</p>
<ul>
<li>plugin-mssql not included in postinstall  
</li>
</ul>
<h3>v0.3.4</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>MSSQL example plugin: <code>plugin-mssql</code> </li>
<li>Changed multivalue logic in example plugins, now using <code>scimgateway.getArrayObject</code>  
</li>
</ul>
<p>[Fix]  
</p>
<ul>
<li>Minor changes related to SCIM specification</li>
</ul>
<h3>v0.3.3</h3>
<p>[Fix]  
</p>
<ul>
<li>Logic for handling incorrect pagination request to avoid endless loop conditions (there is a pagination bug in CA Identity Manager v.14)  
</li>
<li>Pagination now supported on getGroupMembers  
</li>
</ul>
<p><strong>[UPGRADE]</strong>  
</p>
<ul>
<li>Custom plugins needs to be updated regarding listener method <code>scimgateway.on('getGroupMembers',...</code> New arguments have been added &quot;startIndex&quot; and &quot;count&quot;. Also a new return variable &quot;ret&quot;. Please see example plugins for details.</li>
</ul>
<h3>v0.3.2</h3>
<p>[Fix]  
</p>
<ul>
<li>Minor changes related to SCIM specification</li>
</ul>
<h3>v0.3.1</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>REST Webservices example plugin: <code>plugin-restful</code> </li>
</ul>
<h3>v0.3.0</h3>
<p>[ENHANCEMENT]  
</p>
<ul>
<li>Preferred installation method changed from &quot;global&quot; to &quot;local&quot;</li>
<li><code>&lt;Base URL&gt;/[baseEntity]</code> for multi tenant or multi endpoint flexibility  
</li>
<li>plugin-forwardinc includes examples of baseEntity, custom soap header and signed saml assertion  
</li>
<li>Support groups defined on user object &quot;group member of user&quot;  
</li>
<li>New module dependendcies included: saml, async and callsite  
</li>
</ul>
<p><strong>[UPGRADE]</strong>  
</p>
<ul>
<li>Use &quot;fresh&quot; install and restore any custom plugins. Custom plugins needs to be updated. Listener method names have changed and method must include &quot;baseEntity&quot; - please see example plugins.</li>
</ul>
<h3>v0.2.2 - v0.2.8</h3>
<p>[Doc]</p>
<ul>
<li>Minor readme changes and version bumps</li>
</ul>
<h3>v0.2.1</h3>
<p>[Fix]</p>
<ul>
<li>plugin-forwardinc explore of empty endpoint</li>
</ul>
<h3>v0.2.0</h3>
<p>Initial version</p>

</body>
</html>