7.3.2. Configuration

Important

The Nubus SCIM Server is in an early state with limited configuration capability. For detailed limitations, see Limitations.

This section describes how to customize the Nubus SCIM Server in Nubus for Kubernetes. You need the Helm Chart for Nubus, your customized custom_values.yaml values file, and the files for customization. The following subsections describe the key configuration parameters.

7.3.2.1. Activate SCIM Server

By default, Nubus for Kubernetes has the Nubus SCIM Server deactivated. The following steps describe the procedure for activating the Nubus SCIM Server in detail:

  1. To activate the Nubus SCIM Server, set the Helm value nubusScimServer.enabled to true in your custom_values.yaml values file. Listing 7.5 shows an example.

    Listing 7.5 Activate Nubus SCIM Server in custom values file
    nubusScimServer:
      enabled: true
    
  2. Authentication requires an OpenID Connect client. To configure the client ID and audience, follow the steps in authentication configuration.

  3. To apply the configuration, follow the steps in Apply configuration.

7.3.2.2. Optional configuration

The Nubus SCIM Server Helm chart has configuration options to support different use cases. This section describes common use cases and how you configure them.

7.3.2.2.1. Custom hostname

If you want to serve the Nubus SCIM Server under a different hostname, you can configure a custom hostname.

nubusScimServer.ingress.host

This value defines the hostname under which the Nubus SCIM Server serves the API. The default value is scim.<your_nubus_domain>, where <your_nubus_domain> comes from global.domain.

nubusScimServer.config.host

This value controls the URL prefix that the Nubus SCIM Server uses in SCIM's $ref attribute, which points to the URL of a resource. In other words, it is the URL prefix the service uses when it generates reference URLs. By default, the Nubus SCIM Server endpoints additionally use the path prefix scim/v2, which you can also customize.

To customize the hostname and the endpoint prefix, use the following steps:

  1. Add the appropriate Helm Chart values to your custom_values.yaml values file. Listing 7.6 shows an example.

    Listing 7.6 Configure custom hostname for Nubus SCIM Server
    nubusScimServer:
      config:
        host: "https://scim.example.com"
        corsOrigins: '["https://scim.example.com"]'
        apiPrefix: "/scim/v2"
      ingress:
        host: "scim.example.com"
    
  2. To apply the configuration, follow the steps in Apply configuration.
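The values in Listing 7.6 depend on each other: $ref URLs are built from config.host, the ingress must answer on that same name, and corsOrigins is a JSON list quoted as a single YAML string. The following added example (not part of the Nubus Helm chart) checks a loaded custom_values.yaml for these points; the sample block is constructed from Listings 7.5 and 7.6, and the leading-slash rule for apiPrefix is an assumed convention taken from the listing.

```python
"""Consistency checks for the nubusScimServer block of custom_values.yaml (added example)."""
import json
from urllib.parse import urlsplit

# Constructed sample: Listing 7.5 and 7.6 merged, as PyYAML would load them.
SAMPLE_VALUES = {
    "nubusScimServer": {
        "enabled": True,
        "config": {
            "host": "https://scim.example.com",
            "corsOrigins": '["https://scim.example.com"]',
            "apiPrefix": "/scim/v2",
        },
        "ingress": {"host": "scim.example.com"},
    }
}


def check_scim_values(values):
    """Return a list of findings; an empty list means the block is consistent."""
    findings = []
    scim = values.get("nubusScimServer", {})
    if not scim.get("enabled"):
        findings.append("nubusScimServer.enabled is not true; the server stays deactivated")
    cfg = scim.get("config", {})
    public = urlsplit(cfg.get("host", ""))
    if public.scheme != "https":
        findings.append("config.host is not an https URL; $ref values would point at plaintext")
    # $ref URLs are built from config.host, so the ingress must answer on that name.
    ingress_host = scim.get("ingress", {}).get("host")
    if ingress_host and public.hostname != ingress_host:
        findings.append(f"config.host {public.hostname!r} differs from ingress.host {ingress_host!r}")
    try:  # a YAML list (TypeError) or a bare URL (ValueError) is a common mistake here
        origins = json.loads(cfg.get("corsOrigins", "[]"))
    except (TypeError, ValueError):
        origins = None
    if not isinstance(origins, list) or not all(isinstance(o, str) for o in origins):
        findings.append("corsOrigins must be a JSON list of strings quoted as one YAML string")
    elif "*" in origins:
        findings.append("corsOrigins contains '*': every web origin may call the API")
    else:
        # Browsers send Origin as scheme://host[:port]; an entry with a path never matches.
        for o in origins:
            p = urlsplit(o)
            if p.scheme != "https" or not p.netloc or p.path:
                findings.append(f"corsOrigins entry {o!r} is not an https origin")
    prefix = cfg.get("apiPrefix", "/scim/v2")
    if not prefix.startswith("/"):  # leading slash as in Listing 7.6 (assumed convention)
        findings.append(f"apiPrefix {prefix!r} lacks the leading '/'")
    return findings
```

Run it against the dictionary returned by yaml.safe_load on your custom_values.yaml before applying the configuration.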

7.3.2.2.2. External ID mapping

The SCIM standard supports external IDs, which store the unique identifier of an object in a different IAM system. The Nubus SCIM Server supports storing this ID in a UDM property of your choice.

Important

If you want Nubus for Kubernetes to store the external IDs, you need to use extended attributes. For information about how to add extended attributes to your UDM objects, see Add extended attributes in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [6].

The values nubusScimServer.config.externalId.userMapping and nubusScimServer.config.externalId.groupMapping each name an existing UDM property of the user and group UDM object, respectively, that stores the external ID. The default value is none, therefore the Nubus SCIM Server doesn't store or return external IDs. Use the following steps to configure the external ID mapping:

  1. To configure a mapping for external IDs, you need to add the following Helm Chart values to your custom_values.yaml values file. Listing 7.7 shows an example.

    Listing 7.7 Configure mapping for external IDs
    nubusScimServer:
      config:
        externalId:
          userMapping: "your_user_extended_attribute_name"
          groupMapping: "your_group_extended_attribute_name"
    
  2. To apply the configuration, follow the steps in Apply configuration.

7.3.2.2.3. Roles mapping

The SCIM standard supports roles. The Nubus SCIM Server treats roles differently depending on their type:

  • The Nubus SCIM Server stores roles of type guardian-direct on the user. The Guardian can evaluate them.

  • Roles of type guardian-indirect inherit from Guardian roles. The user group stores the Guardian role. A user can be a member in multiple groups and therefore inherit multiple Guardian roles.

  • Any other types of roles have no effect in Nubus for Kubernetes.

The Nubus SCIM Server always stores roles of type guardian-direct and guardian-indirect. For roles of any other type, you need to configure the UDM property that stores them as string-serialized JSON.

Important

If you want Nubus for Kubernetes to store the roles, you need to use extended attributes. For information about how to add extended attributes to your UDM objects, see Add extended attributes in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [6].

The value of nubusScimServer.config.roles.userMapping is an existing UDM property in the user UDM object that stores the roles. The default value is none, therefore the Nubus SCIM Server doesn't map any other types of roles. Use the following steps to configure it:

  1. To configure a mapping for roles, you need to add the nubusScimServer.config.roles.userMapping Helm Chart value to your custom_values.yaml values file. Listing 7.8 shows an example.

    Listing 7.8 Configure mapping for roles
    nubusScimServer:
      config:
        roles:
          userMapping: "your_user_extended_attribute_name"
    
  2. To apply the configuration, follow the steps in Apply configuration.
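The following added example (not Nubus code) models the role handling described above: guardian-direct and guardian-indirect roles are always stored, while roles of any other type only survive when roles.userMapping names a UDM property. The sample roles attribute and its role names are constructed, and the JSON shape written to the mapped property is an assumption.

```python
"""Sort a SCIM user's roles by type as described for the Nubus SCIM Server (added example)."""
import json

# guardian-direct and guardian-indirect are always stored; everything else needs
# nubusScimServer.config.roles.userMapping to point at a UDM extended attribute.
GUARDIAN_TYPES = ("guardian-direct", "guardian-indirect")

# Constructed sample: a SCIM "roles" multi-valued attribute (RFC 7643 sub-attributes
# "value" and "type"); the role names are made up.
SAMPLE_ROLES = [
    {"value": "role-a", "type": "guardian-direct"},
    {"value": "role-b", "type": "guardian-indirect"},
    {"value": "legacy-role", "type": "legacy"},
    {"value": "auditor", "type": "custom"},
]


def split_roles(roles):
    """Return (guardian roles, other roles); only the second list depends on roles.userMapping."""
    guardian = [r for r in roles if r.get("type") in GUARDIAN_TYPES]
    other = [r for r in roles if r.get("type") not in GUARDIAN_TYPES]
    return guardian, other


def serialize_other_roles(roles):
    """String-serialized JSON for the mapped UDM property (assumed shape: the SCIM
    sub-attributes as given, sorted by type and value so repeated writes are stable)."""
    _, other = split_roles(roles)
    return json.dumps(sorted(other, key=lambda r: (r["type"], r["value"])), separators=(",", ":"))


def dropped_roles(roles, user_mapping):
    """Roles the server cannot store because no UDM property is configured
    (the default userMapping is none): the silent-loss case to check for."""
    _, other = split_roles(roles)
    return other if not user_mapping else []
```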