7.3.2. Configuration

Important

The Nubus SCIM Server is in an early state with limited configuration capability. For detailed limitations, see Limitations.

This section describes how to customize the Nubus SCIM Server in Nubus for Kubernetes. You need the Helm Chart for Nubus, your customized custom_values.yaml values file, and the files for customization. The key configuration parameters include:

7.3.2.1. Activate SCIM Server

By default, Nubus for Kubernetes has the Nubus SCIM Server deactivated. The following steps describe the procedure for activating the Nubus SCIM Server in detail:

  1. To activate the Nubus SCIM Server, set the Helm value nubusScimServer.enabled to true in your custom_values.yaml values file. Listing 7.5 shows an example.

    Listing 7.5 Activate Nubus SCIM Server in custom values file
    nubusScimServer:
      enabled: true
    
  2. Authentication requires an OpenID Connect client. To configure the client ID and audience, follow the steps in authentication configuration.

  3. To apply the configuration, follow the steps in Apply configuration.

7.3.2.2. Optional configuration

The Nubus SCIM Server Helm chart has configuration options to support different use cases. This section describes common use cases and how you configure them.

7.3.2.2.1. Custom hostname

The default hostname is scim.<your_nubus_domain>, where <your_nubus_domain> comes from global.domain. If you want to serve the Nubus SCIM Server under a different hostname, you can configure a custom hostname. By default, the Nubus SCIM Server endpoints use the prefix scim/v2, which you can also customize.

To customize the hostname and the endpoint prefix, use the following steps:

  1. To customize them, add the appropriate Helm Chart values to your custom_values.yaml values file. Listing 7.6 shows an example.

    Listing 7.6 Configure custom hostname for Nubus SCIM Server
    nubusScimServer:
      config:
        host: "https://scim.example.com"
        corsOrigins: '["https://scim.example.com"]'
        apiPrefix: "/scim/v2"
      ingress:
        host: "scim.example.com"
    
  2. To apply the configuration, follow the steps in Apply configuration.
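
Listing 7.6 sets the hostname in three places, and corsOrigins is a string that holds a JSON list rather than a YAML list. The following pre-deployment check is an added example, not part of the Nubus Helm chart or its documentation; the function name `check_scim_hostname` and the rules it enforces (values agree the way they do in Listing 7.6) are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the nubusScimServer block of Listing 7.6 as a parsed mapping.
SAMPLE = {
    "config": {
        "host": "https://scim.example.com",
        "corsOrigins": '["https://scim.example.com"]',
        "apiPrefix": "/scim/v2",
    },
    "ingress": {"host": "scim.example.com"},
}


def check_scim_hostname(scim):
    """Return a list of findings; an empty list means the values agree."""
    findings = []
    config = scim.get("config", {})
    ingress_host = scim.get("ingress", {}).get("host", "")

    # Assumption: config.host names the same host that the ingress serves.
    url = urlsplit(config.get("host", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append("config.host is not an https:// URL")
    elif url.hostname != ingress_host.lower():
        findings.append("config.host and ingress.host name different hosts")

    # corsOrigins must be a string containing a JSON list, as in Listing 7.6.
    raw = config.get("corsOrigins", "")
    try:
        origins = json.loads(raw) if isinstance(raw, str) else None
    except json.JSONDecodeError:
        origins = None
    if not isinstance(origins, list) or not all(isinstance(o, str) for o in origins):
        findings.append("config.corsOrigins is not a JSON list inside a string")
    else:
        for origin in origins:
            o = urlsplit(origin)
            if o.scheme not in ("http", "https") or not o.hostname or o.path or o.query:
                findings.append(f"CORS origin {origin!r} is not scheme://host[:port]")

    # Assumption: the prefix is written with a leading slash, as in Listing 7.6.
    if not config.get("apiPrefix", "").startswith("/"):
        findings.append("config.apiPrefix does not start with '/'")
    return findings


if __name__ == "__main__":
    for finding in check_scim_hostname(SAMPLE) or ["no findings"]:
        print(finding)
```

To run it against a real values file, load custom_values.yaml with a YAML parser and pass the nubusScimServer mapping to the function.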

7.3.2.2.2. External ID mapping

The SCIM standard supports external IDs that it uses to store a unique identifier for an object of a different IAM system. The Nubus SCIM Server supports storing this ID in UDM in a UDM property of your choice.

Tip

Univention recommends storing the external IDs in extended attributes, so Nubus updates don’t overwrite them. For information about how to add extended attributes to your UDM objects, see Add extended attributes.

The mapping value is an existing UDM property in the user and group UDM object that stores the external ID. The default value is none, so the Nubus SCIM Server doesn't store or return external IDs. Use the following steps to configure the external ID mapping:

  1. To configure a mapping for external IDs, you need to add the following Helm Chart values to your custom_values.yaml values file. Listing 7.7 shows an example.

    Listing 7.7 Configure mapping for external IDs
    nubusScimServer:
      config:
        externalId:
          userMapping: "your_user_extended_attribute_name"
          groupMapping: "your_group_extended_attribute_name"
    
  2. To apply the configuration, follow the steps in Apply configuration.

7.3.2.2.3. Roles mapping

The SCIM standard supports roles. The Nubus SCIM Server supports storing roles as JSON serialized data in UDM.

Tip

Univention recommends storing the roles in extended attributes, so Nubus updates don’t overwrite them. For information about how to add extended attributes to your UDM objects, see Add extended attributes.

You need to configure the UDM property that stores the SCIM roles as a string-serialized JSON. Use the following steps to configure it:

  1. To configure a mapping for roles, add the nubusScimServer.config.roles.userMapping Helm Chart value to your custom_values.yaml values file. The value is an existing UDM property in the user UDM object that stores the roles. The default value is none, so the Nubus SCIM Server doesn't map roles. Listing 7.8 shows an example.

    Listing 7.8 Configure mapping for roles
    nubusScimServer:
      config:
        roles:
          userMapping: "your_user_extended_attribute_name"
    
  2. To apply the configuration, follow the steps in Apply configuration.