Register Sign in Need help? FAQ SailPoint directory
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Plugin custom REST API - Filter data visibility based on requester's scope

Plugin custom REST API - Filter data visibility based on requester's scope

 

Symptoms

OOTB SCIM is not restricting the requester around the data visibility. The plugin will use the requesters scope and restricts the data visibility.

 

Solution

Plugin created for Custom REST API with Scoping Support

The functionality/flow is below:

  1. Created a REST end point for reading user data (http://localhost:8080/identityiq/plugin/rest/RESTSCIMExtension/users)
  2. A capability/SPRight (UserListResourceExtendedSCIMExecutor) is created for authorizing access to this end point
  3. A scope (EmailDomainMatch) is created to return the list of users based on the requester's domain match
  4. Enabled the OAuth API Authentication for his custom end point

The above Scope/SPRight can be further extended to address your use cases/needs appropriately.

Enable OAuth 2 Clients for Authentication as explained in the below community forum or refer the attached APIAuthenticationSetup.docx

https://community.sailpoint.com/t5/IdentityIQ-Wiki/OAuth-2-0-Client-Credentials-as-a-Token-Based-Pro...

Refer the attached OAuthClientSOP.java.txt for invoking this Custom REST end point using OAuth Authentication.Note: The users are restricted to execute other SCIM APIs as below unless and until user has the SCIMExecutor capability:

  //Scenario: 401 without SCIMExecutor Capability
  //HttpGet httpGet = new HttpGet("http://localhost:8080/identityiq/scim/v2/Applications/c0a8568d76851514817685f79c3e000b");

  //Scenario: Custom REST end point required Capability is UserListResourceExtendedSCIMExecutor
  HttpGet httpGet = new HttpGet("http://localhost:8080/identityiq/plugin/rest/RESTSCIMExtension/users");
Attachments
RESTSCIMExtension.zip
Comments
pasha
‎Apr 13, 2023 05:28 PM
‎Apr 13, 2023 05:28 PM

Thanks for posting this. When I try to load it on my 8.2, it says "Unable to locate manifest file in RESTSCIMExtension.zip".

I have looked at the release notes and the version numbers seem fine.

<Plugin certificationLevel="None" displayName="RESTSCIMExtension" minSystemVersion="7.3" name="RESTSCIMExtension" version="2.2">
<Attributes>
<Map>
<entry key="minUpgradableVersion" value="1.0" />

Any help is greatly appreciated.

Pasha

pasha
‎Apr 14, 2023 08:08 AM
‎Apr 14, 2023 08:08 AM

Nevermind. I was using the wrong .zip file

Amittiwari197678
‎Aug 09, 2023 10:05 AM
‎Aug 09, 2023 10:05 AM

Hello, 

 

Do we have a SCIM API or REst API to fetch access request ids for an identity in Identityiq Sail Point.

 

Thanks

Amit Tiwari

rockmus
‎Oct 11, 2023 04:37 PM
‎Oct 11, 2023 04:37 PM

A quick note for the author of this plugin, when you have the RequiredRight annotation for your REST endpoint (@RequiredRight(value = "UserListResourceExtendedSCIMExecutor")), that will automatically cross check the requesting identity against that SPRight.  If you want to use a custom authorizer for the endpoint, then you should be annotating it with @Deferred, not @RequiredRight.

madhu_ps
‎Mar 15, 2024 02:50 AM
‎Mar 15, 2024 02:50 AM

@Amittiwari197678 Do we have a SCIM API or REst API to fetch access request ids for an identity in Identityiq Sail Point. --> are you able to achieve this?

Version history
Revision #:
2 of 2
Last update:
‎May 22, 2023 07:05 PM
Updated by:
Community Administrator
 
View Article History