7.3.2. Configuration
Important
The Nubus SCIM Server is in an early state with limited configuration capability. For detailed limitations, see Limitations.
This section describes how to customize the Nubus SCIM in Nubus for Kubernetes.
You need the Helm Chart for Nubus, your customized custom_values.yaml values file, and the files for customization. The following sections describe the key configuration parameters.
7.3.2.1. Activate SCIM Server
By default, Nubus for Kubernetes has the Nubus SCIM Server deactivated. The following steps describe the procedure for activating the Nubus SCIM Server in detail:

1. To activate the Nubus SCIM Server, set the Helm value nubusScimServer.enabled to true in your custom_values.yaml values file. Listing 7.5 shows an example.

   Listing 7.5:

       nubusScimServer:
         enabled: true

2. Authentication requires an OpenID Connect client. To configure the client ID and audience, follow the steps in authentication configuration.

3. To apply the configuration, follow the steps in Apply configuration.
7.3.2.2. Optional configuration
The Nubus SCIM Server Helm chart has configuration options to support different use cases. This section describes common use cases and how you configure them.
7.3.2.2.1. Custom hostname

If you want to serve the Nubus SCIM Server under a different hostname, you can configure a custom hostname.

nubusScimServer.ingress.host
    The variable defines where the Nubus SCIM Server serves the API. The default value is scim.<your_nubus_domain>, where <your_nubus_domain> comes from global.domain.

nubusScimServer.config.host
    The variable controls the URL prefix that the Nubus SCIM Server returns in SCIM's $ref attribute, which points to the URL of a resource. By default, the Nubus SCIM Server endpoints use the prefix scim/v2, which is also available for customization. In other words, this value determines the URL prefix the service uses when generating reference URLs.

To customize the hostname and the endpoint prefix, use the following steps:

1. Add the appropriate Helm Chart values to your custom_values.yaml values file. Listing 7.6 shows an example.

   Listing 7.6:

       nubusScimServer:
         config:
           host: "https://scim.example.com"
           corsOrigins: '["https://scim.example.com"]'
           apiPrefix: "/scim/v2"
         ingress:
           host: "scim.example.com"

2. To apply the configuration, follow the steps in Apply configuration.
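The values in Listing 7.6 have to agree with each other: ingress.host must be the hostname inside config.host, apiPrefix must start with a slash, and corsOrigins is a JSON array written as a YAML string, so a typo there is easy to ship unnoticed. The following Python script is an added example, not part of this manual or of the Nubus SCIM Server code. It takes constructed values in the shape of Listing 7.6, composes the $ref URL the text describes from config.host and apiPrefix, and reports inconsistencies before you run the Helm upgrade. Its rule that config.host carries no path (the path belongs in apiPrefix) is an assumption taken from the way the listing splits the two values.

```python
import json
from urllib.parse import urlparse

# Constructed values in the shape of Listing 7.6 (not a real deployment).
CUSTOM_VALUES = {
    "nubusScimServer": {
        "config": {
            "host": "https://scim.example.com",
            "corsOrigins": '["https://scim.example.com"]',
            "apiPrefix": "/scim/v2",
        },
        "ingress": {"host": "scim.example.com"},
    }
}


def reference_url(values, resource_type, resource_id):
    """Compose the URL a SCIM $ref attribute would carry, from config.host and
    config.apiPrefix (an illustration of the rule in the text, not the server's code)."""
    cfg = values["nubusScimServer"]["config"]
    base = cfg["host"].rstrip("/")
    prefix = "/" + cfg.get("apiPrefix", "/scim/v2").strip("/")
    return f"{base}{prefix}/{resource_type}/{resource_id}"


def check_scim_hostname_values(values):
    """Return a list of inconsistencies between config.host, ingress.host,
    apiPrefix and corsOrigins; an empty list means the values agree."""
    problems = []
    scim = values.get("nubusScimServer", {})
    cfg = scim.get("config", {})
    ingress_host = scim.get("ingress", {}).get("host")

    host = cfg.get("host", "")
    parsed = urlparse(host)
    if parsed.scheme != "https":
        problems.append(f"config.host should be an https URL, got {host!r}")
    if parsed.path not in ("", "/"):
        # Assumption: the path part belongs in apiPrefix, as Listing 7.6 splits it.
        problems.append(f"config.host carries a path {parsed.path!r}; put it in apiPrefix instead")
    if parsed.hostname != ingress_host:
        problems.append(f"ingress.host {ingress_host!r} does not match config.host {parsed.hostname!r}")

    prefix = cfg.get("apiPrefix", "/scim/v2")
    if not prefix.startswith("/"):
        problems.append(f"apiPrefix should start with '/', got {prefix!r}")

    # corsOrigins is a JSON array written as a YAML string, so it must parse as JSON,
    # and each entry must be a bare origin (scheme://host[:port]), never a URL with a path.
    raw = cfg.get("corsOrigins", "[]")
    try:
        origins = json.loads(raw)
    except json.JSONDecodeError:
        problems.append(f"corsOrigins is not valid JSON: {raw!r}")
        origins = []
    if not isinstance(origins, list):
        problems.append("corsOrigins must be a JSON array of origins")
        origins = []
    for origin in origins:
        if origin == "*":
            problems.append("corsOrigins allows any origin ('*'); list explicit origins")
            continue
        if not isinstance(origin, str):
            problems.append(f"corsOrigins entry {origin!r} is not a string")
            continue
        o = urlparse(origin)
        if o.scheme not in ("http", "https") or not o.netloc or o.path or o.query:
            problems.append(f"corsOrigins entry {origin!r} is not a bare origin")
    return problems


if __name__ == "__main__":
    print(reference_url(CUSTOM_VALUES, "Users", "1234"))
    for problem in check_scim_hostname_values(CUSTOM_VALUES) or ["values are consistent"]:
        print(problem)
```

Run it against a copy of your own custom_values.yaml (loaded with any YAML parser into the same dictionary shape) before the Helm upgrade; a trailing slash in a CORS origin or an http:// scheme in config.host shows up as a reported problem rather than as a browser error later.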
7.3.2.2.2. External ID mapping
The SCIM standard supports external IDs that it uses to store a unique identifier for an object of a different IAM system. The Nubus SCIM Server supports storing this ID in UDM in a UDM property of your choice.
Important
If you want Nubus for Kubernetes to store the external IDs, you need to use extended attributes. For information about how to add extended attributes to your UDM objects, see Add extended attributes in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [6].
nubusScimServer.config.externalId.userMapping, nubusScimServer.config.externalId.groupMapping
    The value is an existing UDM property in the user and group UDM object that stores the external ID. The default value is none, therefore the Nubus SCIM Server doesn't store or return external IDs.

Use the following steps to configure the external ID mapping:

1. To configure a mapping for external IDs, add the following Helm Chart values to your custom_values.yaml values file. Listing 7.7 shows an example.

   Listing 7.7:

       nubusScimServer:
         config:
           externalId:
             userMapping: "your_user_extended_attribute_name"
             groupMapping: "your_group_extended_attribute_name"

2. To apply the configuration, follow the steps in Apply configuration.
7.3.2.2.3. Roles mapping
The SCIM standard supports roles. The Nubus SCIM Server treats roles differently depending on their type:

- guardian-direct: The Nubus SCIM Server stores roles of this type on the user. The Guardian can evaluate them.
- guardian-indirect: Roles of this type inherit from Guardian roles. The user group stores the Guardian role. A user can be a member of multiple groups and therefore inherit multiple Guardian roles.
- Any other types of roles have no effect in Nubus for Kubernetes.

The Nubus SCIM Server always stores roles of type guardian-direct and guardian-indirect. You need to configure the UDM property that stores any other type of roles as a string-serialized JSON.

Important
If you want Nubus for Kubernetes to store the roles, you need to use extended attributes. For information about how to add extended attributes to your UDM objects, see Add extended attributes in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [6].

nubusScimServer.config.roles.userMapping
    The value is an existing UDM property in the user UDM object that stores the roles. The default value is none, therefore the Nubus SCIM Server doesn't map any other types of roles.

Use the following steps to configure it:

1. To configure a mapping for roles, add the nubusScimServer.config.roles.userMapping Helm Chart value to your custom_values.yaml values file. Listing 7.8 shows an example.

   Listing 7.8:

       nubusScimServer:
         config:
           roles:
             userMapping: "your_user_extended_attribute_name"

2. To apply the configuration, follow the steps in Apply configuration.
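As an added illustration of the rules in 7.3.2.2.2 and 7.3.2.2.3 (not code from this manual or from the Nubus SCIM Server), the following Python model applies the externalId and roles mapping to a constructed SCIM User: guardian-direct and guardian-indirect roles are always kept, any other role type is serialized into one JSON string for the configured UDM property, and with the default value none both the external ID and the other roles are dropped. The extended attribute names and the SCIM user are placeholders, and the return layout of map_scim_user is this example's own, not a UDM schema.

```python
import json

GUARDIAN_ROLE_TYPES = ("guardian-direct", "guardian-indirect")

# Constructed Helm values in the shape of Listings 7.7 and 7.8; the attribute
# names are placeholders, as on the page, not real extended attributes.
VALUES_WITH_MAPPING = {
    "nubusScimServer": {
        "config": {
            "externalId": {
                "userMapping": "your_user_extended_attribute_name",
                "groupMapping": "your_group_extended_attribute_name",
            },
            "roles": {"userMapping": "your_roles_extended_attribute_name"},
        }
    }
}

# Chart default: no mapping configured (value none).
VALUES_DEFAULT = {
    "nubusScimServer": {
        "config": {
            "externalId": {"userMapping": None, "groupMapping": None},
            "roles": {"userMapping": None},
        }
    }
}

# Constructed SCIM User resource with the three role kinds the text distinguishes.
SCIM_USER = {
    "userName": "jdoe",
    "externalId": "crm-user-4711",
    "roles": [
        {"value": "guardian:app:editor", "type": "guardian-direct"},
        {"value": "guardian:app:viewer", "type": "guardian-indirect"},
        {"value": "billing-admin", "type": "crm"},
    ],
}


def map_scim_user(scim_user, values, resource="user"):
    """Model of the externalId and roles rules (an illustration, not the server's code).

    Returns a dict with:
      "guardian_roles":  roles of type guardian-direct/guardian-indirect, always kept;
      "udm_properties":  the configured UDM properties and the values written to them.
    """
    cfg = values["nubusScimServer"]["config"]
    udm = {}
    guardian, other = [], []
    for role in scim_user.get("roles", []):
        (guardian if role.get("type") in GUARDIAN_ROLE_TYPES else other).append(role)

    # External ID: stored only when a UDM property is configured for this resource type.
    ext_prop = cfg.get("externalId", {}).get(f"{resource}Mapping")
    if ext_prop and "externalId" in scim_user:
        udm[ext_prop] = scim_user["externalId"]

    # Other role types: persisted as one string-serialized JSON document in the
    # configured property; with the default none they are silently dropped.
    roles_prop = cfg.get("roles", {}).get(f"{resource}Mapping")
    if roles_prop and other:
        udm[roles_prop] = json.dumps(other, separators=(",", ":"), sort_keys=True)
    return {"guardian_roles": guardian, "udm_properties": udm}


def read_back_roles(udm_properties, values, resource="user"):
    """Reverse direction: deserialize the JSON string from the configured property,
    returning [] when no mapping is configured or the property is absent."""
    roles_prop = values["nubusScimServer"]["config"].get("roles", {}).get(f"{resource}Mapping")
    raw = udm_properties.get(roles_prop) if roles_prop else None
    return json.loads(raw) if raw else []


if __name__ == "__main__":
    print(map_scim_user(SCIM_USER, VALUES_WITH_MAPPING))
    print(map_scim_user(SCIM_USER, VALUES_DEFAULT))
```

The second call shows the consequence of leaving the mappings at none: the guardian roles survive, but the external ID and the crm role never reach UDM, and a later read returns nothing for them. That is the behaviour to expect before you add the extended attributes the Important note asks for.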