7.4. SCIM Client

Use the SCIM Client for a setup to provision user and user group information from Nubus for Kubernetes to an external target.

Important

The SCIM Client is experimental and intended for preliminary testing only. It isn’t yet recommended for production use.

This page describes how to deploy and configure the SCIM Client for Nubus for Kubernetes. The SCIM Client acts as a connector to provision users and user groups to a SCIM-compliant downstream application that’s external to Nubus for Kubernetes.

This page is for operators that want to integrate a downstream application with Nubus for Kubernetes through SCIM.

7.4.1. Installation

This section describes how to install the SCIM Client through Helm.

7.4.1.1. Prerequisites

Before you install the SCIM Client, you need to ensure the following prerequisites:

1. A Nubus for Kubernetes deployment. For installation, see Deployment.

2. A SCIM-compliant service provider, called the SCIM target on this page.

3. Connection details for the SCIM target, including endpoint URL and authentication credentials.

7.4.1.2. Installation through Helm

To install the SCIM Client through Helm, use the commands in Listing 7.15. For the configuration of the SCIM Client, see Configuration.

You need to install the SCIM Client in the same namespace as Nubus for Kubernetes. The reason is that the SCIM Client needs internal access to the Provisioning API and the LDAP Server.

Listing 7.15 Install the SCIM Client through Helm

$ export NUBUS_NAMESPACE="<Your Nubus for Kubernetes namespace>"
$ helm install \
    scim-client \
    --namespace "$NUBUS_NAMESPACE" \
    oci://artifacts.software-univention.de/nubus/charts/scim-client \
    --values values.yaml

7.4.2. Configuration

This section describes the configuration options for the SCIM Client.

To configure the SCIM Client, you need to create a scim-client-values.yaml values file for the SCIM Client Helm Chart. The Helm chart comes with default values. For a list of all possible values, see the values.yaml file in the Helm chart of the SCIM Client. This section distinguishes between mandatory and optional values.

7.4.2.1. Mandatory values

You must set the following values in your scim-client-values.yaml values file. Without these values, the SCIM Client doesn’t work as expected. Listing 7.16 shows a minimal configuration example that needs the following Helm Chart values:

• scimServer.connection.url: The URL of the SCIM target.

• scimServer.auth.oidcTokenUrl: The OIDC token URL for authentication of the SCIM target.

• scimServer.auth.clientId: The client ID for the SCIM target.

• scimServer.auth.password: The client secret for the SCIM target.

• provisioningApi.auth.username: The username for the Provisioning API.

• provisioningApi.auth.password: The password for the Provisioning API.

• ldap.auth.bindDn: The bind DN for the LDAP Server.

• ldap.auth.existingSecret.name: The name of the existing secret for the LDAP Server.

Listing 7.16 Minimal example for SCIM Client configuration

scimServer:
  connection:
    url: "https://scim.example.com/scim/v2/"
  auth:
    oidcTokenUrl: "https://auth.example.com/realms/nubus/protocol/openid-connect/token"
    clientId: "scim-client"
    password: "your-client-secret"

provisioningApi:
  auth:
    username: "admin"
    password: "your-provisioning-api-password"

ldap:
  auth:
    bindDn: "cn=admin,dc=swp-ldap,dc=internal"
    existingSecret:
      name: nubus-ldap-server-admin

7.4.2.2. Optional values

You can optionally override the following default values in your scim-client-values.yaml values file. Listing 7.17 shows an example with all optional values.

scimClient.config.logLevel

The log level for the SCIM Client. The default value is INFO.

scimClient.config.prefill

A boolean value to control if Nubus for Kubernetes shall provide existing user and user group data to the SCIM target through the provisioning subscription. The default value is true.

scimClient.config.groupSync

A boolean value to control if Nubus for Kubernetes shall synchronize user groups. The default value is true.

scimClient.config.externalIdUserMapping

The UDM attribute that UDM maps to the externalId field of Users in SCIM. The default value is univentionObjectIdentifier.

scimClient.config.externalIdGroupMapping

The UDM attribute that UDM maps to the externalId field of Groups in SCIM. The default value is univentionObjectIdentifier.

Listing 7.17 Example for optional SCIM Client configuration

scimClient:
  config:
    logLevel: "DEBUG"
    prefill: false
    groupSync: false
    externalIdUserMapping: "customUserId"
    externalIdGroupMapping: "customGroupId"

Note

The default value for the mapping is univentionObjectIdentifier for both users and user groups. If the SCIM target uses different attributes for user and user group IDs, you need to adapt the values for scimClient.config.externalIdUserMapping and scimClient.config.externalIdGroupMapping.

7.4.3. Supported schemas

The SCIM Client supports the following schemas for provisioning:

• User schema

• Group schema

7.4.3.1. User schema

The client supports the core User schema as defined in RFC 7643 and the following extensions:

• urn:ietf:params:scim:schemas:core:2.0:User

• urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

• urn:ietf:params:scim:schemas:extension:Univention:1.0:User

• urn:ietf:params:scim:schemas:extension:DapUser:2.0:User

7.4.3.2. Group schema

The client supports the core Group schema as defined in RFC 7643 and the following extensions:

• urn:ietf:params:scim:schemas:core:2.0:Group

• urn:ietf:params:scim:schemas:extension:Univention:1.0:Group

7.4.4. Provisioning subscription

The SCIM Client is a consumer of the Provisioning Service in Nubus for Kubernetes. It requires a provisioning subscription to receive events about users and user groups. For each SCIM target, you need to configure a SCIM Client consumer by configuring a provisioning subscription for it.

To configure a provisioning subscription, you need to register the consumer in the nubus-values.yaml values file of your Nubus for Kubernetes installation, not the Helm Chart for the SCIM Client. The separation ensures that the subscription is idempotent and that you can manage it as part of your Nubus for Kubernetes installation.

To add a subscription for the SCIM Client, add the configuration in Listing 7.18 to your nubus-values.yaml values file.

Listing 7.18 Add subscription for SCIM Client to Nubus for Kubernetes Helm Chart

nubusProvisioning:
  registerConsumers:
    createUsers:
      scimClient:
        existingSecret:
          name: scim-client-provisioning
          keyMapping:
            password: "registration"

7.4.5. Deployment

You deploy the SCIM Client and Nubus for Kubernetes through independent Helm charts. After you have configured their respective values files—in the example on this page the scim-client-values.yaml file and the nubus-values.yaml file—you can deploy or upgrade the installations, as shown in Listing 7.19.

Although you deploy the SCIM Client and Nubus for Kubernetes independently, their configuration relates to each other. For example, the provisioningApi and ldap sections in the SCIM Client's scim-client-values.yaml values file must correctly point to Nubus for Kubernetes. Likewise, the provisioning subscription in the Nubus nubus-values.yaml values file must match the SCIM Client values.

Listing 7.19 Deploy SCIM Client and update Nubus for Kubernetes

$ export NUBUS_NAMESPACE="<Your Nubus for Kubernetes namespace>"
$ export RELEASE_NAME_FOR_NUBUS="<The release name of your Nubus installation>"

$ helm upgrade \
    --install \
    scim-client \
    --namespace "$NUBUS_NAMESPACE" \
    oci://artifacts.software-univention.de/nubus/charts/scim-client \
    --values scim-client-values.yaml

$ helm upgrade \
    --install \
    "$RELEASE_NAME_FOR_NUBUS" \
    --namespace "$NUBUS_NAMESPACE" \
    oci://artifacts.software-univention.de/nubus/charts/nubus \
    --values nubus-values.yaml

7.4.6. Reference values

This section provides a reference for the Helm Chart values of the SCIM Client.

Name:

scim-client

Version:

0.41.3

Description:

A Helm chart for the Nubus SCIM client

You find the configuration options for scim-client in the following sections.

7.4.6.1. containerSecurityContext

containerSecurityContext.allowPrivilegeEscalation

Enable container privilege escalation.

Default value: false

containerSecurityContext.capabilities.drop

Default value: ["ALL"]

containerSecurityContext.enabled

Enable security context.

Default value: true

containerSecurityContext.privileged

Default value: false

containerSecurityContext.readOnlyRootFilesystem

Mounts the container’s root file system as read-only.

Default value: true

containerSecurityContext.runAsGroup

Process group id.

Default value: 1000

containerSecurityContext.runAsNonRoot

Run container as a user.

Default value: true

containerSecurityContext.runAsUser

Process user id.

Default value: 1000

containerSecurityContext.seccompProfile.type

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

7.4.6.2. extraEnvVars

extraEnvVars

Array with extra environment variables to add to containers:

extraEnvVars:
  - name: FOO
    value: "bar"

Default value: []

7.4.6.3. extraVolumeMounts

extraVolumeMounts

Optionally specify an extra list of additional volumeMounts.

Default value: []

7.4.6.4. extraVolumes

extraVolumes

Optionally specify an extra list of additional volumes.

Default value: []

7.4.6.5. global

global.imagePullPolicy

Define an ImagePullPolicy. # Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy #

Default value: "IfNotPresent"

global.imagePullSecrets

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/:

imagePullSecrets:
  - "docker-registry"

Default value: []

global.imageRegistry

Container registry address.

Default value:

"artifacts.software-univention.de"

scim-client:global.secrets.masterPassword

Note

scim-client is a prefix to avoid name clashes for documentation cross-references. In your values.yaml file, use the key global.secrets.masterPassword.

Default value: null

7.4.6.6. ldap

ldap.auth.bindDn

Bind distinguished name to authenticate with the LDAP Server.

Default value: null

ldap.auth.existingSecret.keyMapping.password

The key to retrieve the password from. Setting this value allows to use a key with a different name.

Default value: null

ldap.auth.existingSecret.name

The name of an existing Secret to use for retrieving the password to authenticate with the source LDAP directory. # “udm.auth.password” will be ignored if this value is set.

Default value: null

ldap.auth.password

The password used to authenticate with the LDAP Server. Either this value or an existing Secret has to be specified.

Default value: null

ldap.connection.host

LDAP Server hostname (e.g. nubus-ldap-server)

Default value: null

7.4.6.7. podSecurityContext

podSecurityContext.enabled

Enable security context.

Default value: true

podSecurityContext.fsGroup

If specified, all processes of the container are also part of the supplementary group.

Default value: 1000

podSecurityContext.fsGroupChangePolicy

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

podSecurityContext.sysctls

Allow binding to ports below 1024 without root access.

Default value:

[{"name": "net.ipv4.ip_unprivileged_port_start", "value": "1"}]

7.4.6.8. provisioningApi

provisioningApi.auth.existingSecret.keyMapping.password

The key to retrieve the password from. Setting this value allows to use a key with a different name.

Default value: null

provisioningApi.auth.existingSecret.name

The name of an existing Secret to use for retrieving the password to authenticate with the Provisioning API. # provisioningApi.auth.password will be ignored if this value is set.

Default value: null

provisioningApi.auth.password

The password used to authenticate with the Provisioning API. Either this value or an existing Secret has to be specified.

Default value: null

provisioningApi.auth.username

Username of the Nubus provisioning subscription / this client For a given Nubus deployment, all provisioning subscription names must be unique.

Default value: null

provisioningApi.config.maxAcknowledgementRetries

The maximum number of retries for acknowledging a message

Default value: 3

provisioningApi.connection.url

The base URL the provisioning API is reachable at. (e.g. “http://provisioning-api”)

Default value: null

7.4.6.9. resources

resources.limits.cpu

Default value: "1"

resources.limits.memory

Default value: "4Gi"

resources.requests.cpu

Default value: "250m"

resources.requests.memory

Default value: "512Mi"

7.4.6.10. scimClient

scimClient.config.externalIdGroupMapping

Define external_id UDM attribute for groups

Default value: "univentionObjectIdentifier"

scimClient.config.externalIdUserMapping

Define external_id UDM attribute for users

Default value: "univentionObjectIdentifier"

scimClient.config.groupSync

Default value: true

scimClient.config.logLevel

Default value: "INFO"

scimClient.config.prefill

Toggle Prefill for the provisioning subscription If activated, the client receives a synthetic “create” event for all existing objects in the Domain before receiving live events.

Default value: true

scimClient.image.imagePullPolicy

Default value: ""

scimClient.image.registry

Default value: ""

scimClient.image.repository

Default value: "nubus/images/scim-client"

scimClient.image.sha256

Define image SHA256 as an alternative to tag

Default value: null

scimClient.image.tag

Default value:

"0.41.3@sha256:76db758f6582a8e6c906dd933bc5ff2cbb5977e711b07727a42880ecd3edb205"

7.4.6.11. scimServer

scimServer.auth.clientId

Service account client ID (username)

Default value: null

scimServer.auth.enabled

Disable authentication with the SCIM Server for testing purposes

Default value: true

scimServer.auth.existingSecret.keyMapping.password

The key to retrieve the password from. Setting this value allows to use a key with a different name.

Default value: null

scimServer.auth.existingSecret.name

The name of an existing Secret to use for retrieving the password to authenticate with the SCIM Server. # scimServer.auth.password will be ignored if this value is set.

Default value: null

scimServer.auth.oidcTokenUrl

URL to obtain an OIDC access token from the Identity Provider using the client-credentials-flow.

Default value: null

scimServer.auth.password

The password used to authenticate with the SCIM Server. Either this value or an existing Secret has to be specified.

Default value: null

scimServer.connection.url

The base URL the SCIM server is reachable at. (e.g. “http://scim-server”)

Default value: null

7.4.6.12. serviceAccount

serviceAccount.annotations

Annotations to add to the service account

Default value: {}

serviceAccount.automountServiceAccountToken

Allows auto mount of ServiceAccountToken on the serviceAccount created. Can be set to false if pods using this serviceAccount do not need to use K8s API.

Default value: false

serviceAccount.create

Specifies whether a service account should be created

Default value: true

serviceAccount.labels

Additional custom labels for the ServiceAccount.

Default value: {}

serviceAccount.name

The name of the service account to use. If not set and create is true, a name is generated using the full name template.

Default value: ""

7.4.6.13. tolerations

tolerations

Default value: []