SCIM v1 Slack connector

Last modified 26 Oct 2021 10:24 +02:00

Identity connector for Slack using SCIM 1.1 API.

Functionalitystable
Development statusdormant (not developed actively, but still somehow maintained)
Support statussupportable
OriginEvolveum
Support provided byEvolveum
Target systemsSlack services (using SCIMv1 API)
ProtocolSCIM 1.1
Source codehttps://github.com/Evolveum/connector-scim1

The SCIMv1 connector extension for the Slack service. As stated in the SCIMv1 connector wiki page, this extension implements the 1.1 version of the System for Cross-domain Identity Management (SCIM) standard. The generic connector is extended by workaround modifications for the correct functioning and use with midPoint and to correct some provider API flaws.

Capabilities and Features

Provisioning

YES

Live Synchronization

NO

Service does not comply to the scim polling protocol specification.

Password

YES

Activation

YES

Activation via the active attribute.

Paging support

YES

Native attribute names

YES

Scripting

NO

History

This is an extension of the SCIMv1 connector for the Slack service.

Version Origin Binary Sources Build Date ConnId*Framework* Description

1.4.2.14

Polygon

download jar

GitHub

October 2016

1.4.2.16

Official release

1.4.3

Polygon

download jar

GitHub

December 2016

1.4.2.18

Official release

1.4.4

Polygon

download jar

GitHub

March 2017

1.4.2.18

Official release

Licensing

The connector itself is available under the terms of Apache License 2.0. To our best knowledge there is no extra license needed to use this connector. (Additional licensing terms and conditions may apply with services on which the connector is used).

Known limitations

The interaction with the API of the service uncovered some facts which we perceive as issues and minor flaws of the interconnected system which our connector has to remedy with workarounds. Yet there are some limitations which emerge.

The known limitations which can be apparent are as follows:

  • The delete operation performed on an account does not set this account to an discarded state. If the account resource is set to this state all operations should return a NOT FOUND status which in this case they do not. This might return unexpected results while performing GET operations and caution should be taken while performing updates on this resources

  • Some attributes had to be added to the schema definition of this service, these attributes are set with default properties as stated in the SCIMv1 schema example. The added attributes are:

    • “nickName”

    • “title”

    • "schemas"

    • "profileUrl"

    • "displayName"

    • "timezone"

    • "externalId"

    • "active"

    • "Photos"

    • Sub attribute “formatted” of the attribute “name”

  • The attribute emails has a couple of canonical values listed for the attributes type property (work, home, other) of which only the type value work is valid and accepted in a query to the account endpoint. The connector will generate schema attributes for each canonical value. These attributes are considered mandatory in the provided schema but they can be ignored. Midpoint can generate error messages because of this fact, but it should not limit any type of usage

  • A majority of filters are supported only for a handful of attributes, the attributes which are supported by most of the filters are:

    • for the ”Users” resource: “userName” and ”id”

    • for the “Groups” resource: “displayName” and “id”

    • the filter “Endswith” is not supported

  • The attributes userName and nickName seem to be processed as the same attribute while updating one the other one also changes

Configuration

A specific value has to be set to the authentication configuration property depending of the method used for authentication. This service uses generated tokens to authenticate while communicating with the connector. Because of that the value of this property should be set to token.

Our connector uses the Slack SCIM API for communication with the Slack service. Some specific conditions may apply for the use of this functionality. Please check the service documentation and web pages for further information.

For successful communication with the Slack service our connector needs a unique API token generated via the Slack oauth test token generator found on their web page dedicated to oauth test tokens . To successfully generate a test token one has to be logged in and follow the instructions on the web page. On success the field marked as token should contain a issued test token.

Mandatory property fields:

  • Scim endpoint

  • Scim version

  • Token

  • Base URL

Sample configuration values:

  • Authentication: token

  • Scim endpoint: /scim

  • Scim version: /v1

  • Base URL: https://api.slack.com

  • Token: (generated token)

Before test connection, please import certificate to midPoint Keystore.

Setting up tests

The test suite consists of a bundle of test methods some of which execute a couple of times depending on the amount of tested resource endpoints.The test parameters ale provided by data providers which fetch their data from a test configuration property file. These property files are provided within the connector source bundle in the scimV1 git repository in the testProperties folder.

Before the test suite is initialized one has to provide a couple of mandatory values into the property file.The property file consists of a couple of attribute name/value pairs which are mapped to the corresponding test method or utility method. The naming rule is that the word before the underscore character (_) corresponds to the name of the test method provider which will be populated by the provided values. The word after the underscore character is the property name or in some cases it describes a resource on which a test will be executed or a type of test.

Most likely and often changed are the attributes of the test method provider configTestProvider the first three attributes configure some basic properties used in the tests:

  • testNumber: The number which defines the order of the following test. The number is used as an ID value which is injected in some unique parameter values (e.q. userName). This is because some services do not delete their resource data (e.q. Account data) but they flag it as inactive or deactivated. The unique parameter value is then still used and can be in some cases referenced. This prohibits the usage of an equivalent value.

  • pageSize: This parameter describes the size of the returned list of resource representations.

  • pageOffset: Defines the offset used in listing resources. (e.q. I want to list 100 people but i want the list to start from the 15th entry).

The other attributes of the configTestProvider are equivalent to the configuration attributes needed to log into the service and can be seen described above in the Configuration section.

The change of other test method provider attributes is not recommended and may result in unsuccessful tests.

The tests create one representation of each resource (e.g. user, group) and then they execute all basic methods which are defined in the scim specification. The tests also incorporate negative testing use cases for proper exception reporting. One of the test cases is intentionally commented out. To trip the InvalidCredentialException the test method makes an intentional error in the login credentials while executing an operation. For reasons of unintentional lock out of the service with the runn of this test this test is optional and you can uncomment it when you are sure no harm will be done.

The slack service has a couple of specific limitation to tests. Two test methods will fail every time because of some issues with the service and are commented up for successful test execution and outcome :

  • parameterConsistencyTestProvider : Only for the Users resource endpoint. Checks if the parameters returned by the service provider are the same as those which were used for the creation. The test fails because the provided schema declares that the users email attributes has to incorporate a type value but the returned representation does not have the type value present.

  • deleteProvider: Only for the Users resource endpoint. Launches the delete operation which should set the user in an discarded state. This should prohibit any operation to be successfully performed other than the activation of the user which is not the case here.

Documentation

…​