1
votes

I use WSO2 IS 5.9, and I have enabled the SCIM tool in deployment.toml as follows:

[user_store]
scim_enabled = true

I try to create a user using this command:

curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"[email protected]","password":"kimwso2","emails":[{"primary":true,"value":"[email protected]","type":"home"},{"value":"[email protected]","type":"work"}]}' --header "Content-Type:application/json" https://myidentity.com/scim2/Users

Part of my output:

* upload completely sent off: 224 out of 224 bytes
< HTTP/1.1 401

If I make a request to scim2 via GET, I get the message:

No service was found.

Another error using curl is:

{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Can not obtain carbon realm service..","status":"500"}* Closing connection 0

In the WSO2 log I have:

ERROR {org.wso2.carbon.identity.scim2.provider.resources.AbstractResource} - Server error while handling the request. org.wso2.charon3.core.exceptions.CharonException
    at org.wso2.carbon.identity.scim2.common.impl.IdentitySCIMManager.getUserManager(IdentitySCIMManager.java:124)
    at org.wso2.carbon.identity.scim2.provider.resources.GroupResource.processRequest(GroupResource.java:439)
    at org.wso2.carbon.identity.scim2.provider.resources.GroupResource.getGroup(GroupResource.java:305)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179)
    at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:193)
    at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:103)
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:225)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:607)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
    at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:92)
    at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:93)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:146)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
    at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:116)
    at org.wso2.carbon.tomcat.ext.valves.RequestEncodingValve.invoke(RequestEncodingValve.java:49)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:853)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1587)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

The URL https://myidentity.com/scim/Users works to create users, but I can't add custom claims to new users.

2
Can you confirm the authorization credentials "admin:admin" are correct? - Sajith
Yes, credentials are ok. - BryGom

2 Answers

2
votes

It seems that you have used the username "[email protected]", which contains the '@' character, and the Identity Server interprets this as an email address. If you have a requirement to use an email address as the username, you need to enable email address as the username in Identity Server. Please refer to [1] to configure it, then use the above curl command with [email protected] as the username to create the user. If you don't need to use an email address as a username, please try the following curl command.

curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"kim","password":"kimwso2","emails":[{"primary":true,"value":"[email protected]","type":"home"},{"value":"[email protected]","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users

[1] https://is.docs.wso2.com/en/5.9.0/learn/using-email-address-as-the-username/

2
votes

Since you are using the https://myidentity.com/scim2/Users endpoint, we presume that you are trying to create a user in the super tenant.

Since you are using an email as the username, the admin username should also be an email username. Use the following command if you are trying to create a user in the super tenant.

curl -v -k --user [email protected]:admin --data '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"[email protected]","password":"kimwso2","emails":[{"primary":true,"value":"[email protected]","type":"home"},{"value":"[email protected]","type":"work"}]}' \
--header "Content-Type:application/json" https://localhost:9443/scim2/Users

You got the 401 unauthorised error because you are not using the email username for the super admin user.

If you are trying to create a user in a tenant, the admin username should be the email username appended with the respective tenant. The SCIM endpoint should also be tenant specific.

An example is given for when the tenant is abc.com:

curl -v -k --user [email protected]@abc.com:admin --data '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"[email protected]","password":"kimwso2","emails":[{"primary":true,"value":"[email protected]","type":"home"},{"value":"[email protected]","type":"work"}]}' \
--header "Content-Type:application/json" https://localhost:9443/t/abc.com/scim2/Users

You can refer to the SCIM API documentation for further reference: https://is.docs.wso2.com/en/5.9.0/develop/using-the-scim-2.0-rest-apis/
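The two answers together amount to a small set of rules: a userName containing '@' needs email-as-username enabled (first answer), the admin principal for a tenant is the admin's email username with the tenant domain appended, and the endpoint moves under /t/<tenant>/ (second answer). The script below is an added example, not code from the question, either answer or WSO2; it encodes those rules as functions so the principal and URL are derived rather than hand-edited, and it verifies TLS against a CA bundle instead of using curl -k. The server address, admin credentials, CA file name and the user's email addresses are constructed placeholders (the addresses on the page are obfuscated), and the SCIM core User schema URN from RFC 7643 is used where the page's commands send an empty schemas list.

```python
"""Build and send a WSO2 IS 5.9 SCIM2 /Users request, deriving the admin
principal and endpoint from the tenant domain. Added example; all server,
credential and user values below are constructed placeholders."""
import base64
import json
import ssl
import urllib.error
import urllib.request

SUPER_TENANT = "carbon.super"  # WSO2's name for the super tenant


def _is_super_tenant(tenant_domain):
    return not tenant_domain or tenant_domain == SUPER_TENANT


def scim_users_url(base_url, tenant_domain=SUPER_TENANT):
    """Super tenant: <base>/scim2/Users; any other tenant: <base>/t/<domain>/scim2/Users."""
    base = base_url.rstrip("/")
    if _is_super_tenant(tenant_domain):
        return f"{base}/scim2/Users"
    return f"{base}/t/{tenant_domain}/scim2/Users"


def admin_principal(admin_username, tenant_domain=SUPER_TENANT):
    """Tenant admins authenticate as <username>@<tenant domain>; the super tenant
    admin (an email address once email-as-username is enabled) is used as-is."""
    if _is_super_tenant(tenant_domain):
        return admin_username
    return f"{admin_username}@{tenant_domain}"


def basic_auth_header(principal, password):
    """HTTP Basic credentials, the same thing curl --user sends."""
    raw = f"{principal}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def validate_username(user_name, email_as_username_enabled):
    """A userName containing '@' is only valid once the server has
    email-as-username enabled. Returns None when the name is acceptable."""
    if "@" in user_name and not email_as_username_enabled:
        return ("userName contains '@' but email-as-username is not enabled; "
                "enable it in deployment.toml or use a plain username")
    return None


def scim_user_payload(user_name, given_name, family_name, password, emails):
    """SCIM2 User resource (RFC 7643 core schema); emails is a list of
    (address, type, primary) tuples."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "name": {"familyName": family_name, "givenName": given_name},
        "userName": user_name,
        "password": password,
        "emails": [
            {"value": value, "type": kind, "primary": primary}
            for value, kind, primary in emails
        ],
    }


def explain_status(status):
    """Map the response codes seen in the question to the likely next step."""
    if status == 201:
        return "user created"
    if status == 401:
        return "credentials rejected: check the admin principal form for this tenant"
    if status >= 500:
        return "server error: read the stack trace in the Identity Server log"
    return f"unexpected HTTP {status}"


def create_user(base_url, tenant_domain, admin_username, admin_password, payload, cafile=None):
    """POST the user. TLS is verified (pass the server's CA bundle) rather than skipped."""
    url = scim_users_url(base_url, tenant_domain)
    principal = admin_principal(admin_username, tenant_domain)
    req = urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", basic_auth_header(principal, admin_password))
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return resp.status, explain_status(resp.status), json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        return err.code, explain_status(err.code), body


if __name__ == "__main__":
    # Constructed sample: tenant abc.com, admin email username, one new user.
    payload = scim_user_payload("kim@example.com", "kim", "jackson", "kimwso2",
                                [("kim@example.com", "home", True),
                                 ("kim@work.example", "work", False)])
    print(validate_username(payload["userName"], email_as_username_enabled=True))
    print(scim_users_url("https://localhost:9443", "abc.com"))
    print(admin_principal("admin@example.com", "abc.com"))
    # Uncomment against a real server (placeholder CA file name):
    # print(create_user("https://localhost:9443", "abc.com", "admin@example.com",
    #                   "admin", payload, cafile="is-ca.pem"))
```

Running it offline prints the derived tenant endpoint and the admin principal in the form the second answer uses; create_user is only invoked once you point it at an actual Identity Server, and a 401 from it is the same symptom the question reports, so the returned hint points back at the principal form rather than at the user payload.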