Add SCIM 2.0 Identity Provider plugin

Implements SCIM 2.0 identity provider integration following the existing LDAP plugin architecture. Enables user/group provisioning from Azure AD, Okta, OneLogin, and other SCIM-compliant identity management systems.

Implementation

Core Components

  • ScimIdentityProviderSession - Implements ReadOnlyIdentityProvider with user/group query operations, authorization checks, and pagination
  • ScimClient - HTTP client supporting Bearer/Basic/OAuth2 authentication with automatic token refresh and retry protection
  • ScimConfiguration - Configurable SCIM endpoints, attribute mappings, connection settings, and SSL/TLS options
  • ScimIdentityProviderPlugin - ProcessEnginePlugin registration extending configuration class for direct property binding
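
The client behaviour described in the component list above, written out as an added illustration and not as code from this pull request: how the Authorization header is chosen per authenticationType, how an OAuth2 client-credentials token is cached and refreshed ahead of expiry, why an HTTP 401 triggers exactly one re-authentication instead of a retry loop, and how ListResponse pages are walked using what the server actually returned. The class and property names (ScimConfig, server_url, oauth2_token_url and so on) are assumptions that mirror the configuration keys shown further down; the fake transport and its five users are constructed so the example runs offline.

```python
"""SCIM client core, added as an illustration and not this pull request's ScimClient:
Authorization header per auth type, cached OAuth2 client-credentials token, exactly one
re-authentication on HTTP 401, and ListResponse pagination, run against a fake transport."""
import base64
import time
from dataclasses import dataclass

@dataclass
class ScimConfig:  # assumed names, mirroring the plugin's configuration properties
    server_url: str
    authentication_type: str  # "bearer" | "basic" | "oauth2"
    bearer_token: str = ""
    username: str = ""
    password: str = ""
    oauth2_token_url: str = ""
    oauth2_client_id: str = ""
    oauth2_client_secret: str = ""

class ScimClient:
    def __init__(self, cfg, transport):
        # transport(method, url, headers, params_or_form) -> (status, json_body)
        self.cfg, self.transport = cfg, transport
        self._token, self._token_expiry, self.token_requests = None, 0.0, 0

    def _auth_header(self, force_refresh=False):
        kind = self.cfg.authentication_type
        if kind == "bearer":
            return "Bearer " + self.cfg.bearer_token
        if kind == "basic":
            raw = f"{self.cfg.username}:{self.cfg.password}".encode()
            return "Basic " + base64.b64encode(raw).decode()
        if kind == "oauth2":
            if force_refresh or self._token is None or time.time() >= self._token_expiry:
                self._fetch_token()
            return "Bearer " + self._token
        raise ValueError(f"unsupported authenticationType: {kind}")

    def _fetch_token(self):
        self.token_requests += 1
        form = {"grant_type": "client_credentials", "client_id": self.cfg.oauth2_client_id,
                "client_secret": self.cfg.oauth2_client_secret}
        status, body = self.transport("POST", self.cfg.oauth2_token_url, {}, form)
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        self._token = body["access_token"]
        # Refresh 30 s early so the token does not lapse in the middle of a paged query.
        self._token_expiry = time.time() + max(0, int(body.get("expires_in", 0)) - 30)

    def _get(self, path, params):
        for attempt in (1, 2):
            headers = {"Authorization": self._auth_header(force_refresh=(attempt == 2)),
                       "Accept": "application/scim+json"}
            status, body = self.transport("GET", self.cfg.server_url + path, headers, params)
            if status == 401 and self.cfg.authentication_type == "oauth2" and attempt == 1:
                continue  # token revoked or expired server-side: refresh once, never loop
            if status != 200:
                raise RuntimeError(f"SCIM GET {path} returned HTTP {status}")
            return body
        raise RuntimeError(f"SCIM GET {path}: still unauthorized after token refresh")

    def search(self, resource, filter_expr, page_size=100):
        start, results = 1, []  # startIndex is 1-based (RFC 7644 section 3.4.2.4)
        while True:
            page = self._get(f"/{resource}",
                             {"filter": filter_expr, "startIndex": start, "count": page_size})
            batch = page.get("Resources", [])
            results.extend(batch)
            # Advance by what was actually returned (servers may cap "count"); an empty page
            # ends the loop so a misbehaving server cannot spin the client forever.
            if not batch or start + len(batch) > int(page.get("totalResults", 0)):
                return results
            start += len(batch)

def make_fake_transport(server_page_cap=2):
    """Constructed stand-in for a SCIM server and its token endpoint, not a real service."""
    users = [{"id": f"u{i}", "userName": f"user{i}"} for i in range(1, 6)]
    state = {"issued": 0, "revoked": set()}

    def transport(method, url, headers, params):
        if method == "POST" and url.endswith("/token"):
            state["issued"] += 1
            return 200, {"access_token": f"tok-{state['issued']}", "expires_in": 3600}
        token = headers.get("Authorization", "")[len("Bearer "):]
        if not token.startswith("tok-") or token in state["revoked"]:
            return 401, {"detail": "invalid or revoked token"}
        state["revoked"].add("tok-1")  # the first token is revoked after serving one request
        start, count = int(params["startIndex"]), min(int(params["count"]), server_page_cap)
        batch = users[start - 1:start - 1 + count]
        return 200, {"totalResults": len(users), "startIndex": start,
                     "itemsPerPage": len(batch), "Resources": batch}
    return transport

def demo():
    cfg = ScimConfig("https://scim.example.com/scim/v2", "oauth2",
                     oauth2_token_url="https://auth.example.com/token",
                     oauth2_client_id="cib-seven", oauth2_client_secret="not-a-real-secret")
    client = ScimClient(cfg, make_fake_transport())
    return len(client.search("Users", "userName pr")), client.token_requests  # (5, 2)
```

Two details worth checking in any real implementation: the 401 path re-authenticates once and then raises, so a revoked client secret produces one failed query rather than a token-endpoint hammering loop, and pagination advances by the number of resources the server returned rather than by the requested count, since Azure AD and Okta both cap page sizes below what a client may ask for.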

Query Implementations

  • ScimUserQueryImpl / ScimGroupQuery / ScimTenantQuery - Standard query pattern with SCIM filter translation
  • ScimUserEntity / ScimGroupEntity - Entity classes with SCIM ID tracking

Utilities

  • ScimPluginLogger - Structured logging for debugging and error tracking
  • SCIM filter escaping and JSON path resolution for complex attribute mappings

Configuration Example

<plugin>
  <class>org.cibseven.bpm.identity.impl.scim.plugin.ScimIdentityProviderPlugin</class>
  <properties>
    <property name="serverUrl">https://scim.example.com</property>
    <property name="authenticationType">oauth2</property>
    <property name="oauth2TokenUrl">https://auth.example.com/token</property>
    <property name="oauth2ClientId">${CLIENT_ID}</property>
    <property name="oauth2ClientSecret">${CLIENT_SECRET}</property>
    
    <!-- Attribute mappings -->
    <property name="userIdAttribute">userName</property>
    <property name="userEmailAttribute">emails[type eq "work"].value</property>
  </properties>
</plugin>

Limitations

Read-only provider by design: user and group mutations must be made in the source SCIM system. Password validation is unsupported, because SCIM is a provisioning protocol, not an authentication protocol; deployments must authenticate users through another mechanism (for example, container-managed or SSO login) before the engine consults this provider. Multi-tenancy is not supported.

Dependencies

  • Apache HttpClient 5.3.1 (HTTP/REST operations)
  • Jackson 2.15.2 (JSON parsing)

Both verified clean against GitHub Advisory Database.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • artifacts.cibseven.org
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.11/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.11/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.11 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.11/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/cibseven/cibseven org.codehaus.plexus.classworlds.launcher.Launcher clean compile -DskipTests (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.11/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.11/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.11 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.11/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/cibseven/cibseven org.codehaus.plexus.classworlds.launcher.Launcher clean install -DskipTests -pl engine-plugins/identity-scim -am (dns block)
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.11/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.11/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.11 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.11/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/cibseven/cibseven org.codehaus.plexus.classworlds.launcher.Launcher clean install -DskipTests -pl engine-plugins/identity-scim -am ndor/bin/grep httpclient5 0.xml rep grep (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Summary

Implement a SCIM (System for Cross-domain Identity Management) Identity Provider plugin for CIB seven, similar to the existing LDAP Identity Provider plugin located at engine-plugins/identity-ldap/.

Background

CIB seven currently supports LDAP as an external identity provider. Many organizations use SCIM 2.0 compliant identity management systems (such as Azure AD, Okta, OneLogin, etc.) for user provisioning. Adding SCIM support will enable CIB seven to integrate with these modern identity providers.

Requirements

Plugin Structure

Create a new plugin module under engine-plugins/identity-scim/ following the same pattern as the LDAP plugin with the following structure:

engine-plugins/identity-scim/
├── pom.xml
└── src/main/java/org/cibseven/bpm/identity/impl/scim/
    ├── ScimConfiguration.java
    ├── ScimIdentityProviderFactory.java
    ├── ScimIdentityProviderPlugin.java
    ├── ScimIdentityProviderSession.java
    ├── ScimClient.java
    ├── ScimUserEntity.java
    ├── ScimGroupEntity.java
    ├── ScimUserQueryImpl.java
    ├── ScimGroupQuery.java
    ├── ScimTenantQuery.java
    └── util/
        └── ScimPluginLogger.java

Core Implementation Requirements

  1. ScimIdentityProviderSession: Implement ReadOnlyIdentityProvider interface similar to LdapIdentityProviderSession.java at engine-plugins/identity-ldap/src/main/java/org/cibseven/bpm/identity/impl/ldap/LdapIdentityProviderSession.java

    • Support user queries (findUserById, createUserQuery, findUserByQueryCriteria)
    • Support group queries (findGroupById, createGroupQuery, findGroupByQueryCriteria)
    • Support finding users by group membership
    • Handle authorization checks
    • Support pagination
  2. ScimConfiguration: Configuration class with properties for:

    • SCIM server URL and version (2.0)
    • Authentication (Bearer token, Basic auth, OAuth2 client credentials)
    • User endpoint configuration (attributes mapping)
    • Group endpoint configuration (attributes mapping)
    • Connection settings (timeouts, max connections)
    • SSL/TLS settings
    • Authorization check settings
  3. ScimClient: HTTP client for SCIM API operations:

    • Search users with SCIM filter syntax
    • Search groups with SCIM filter syntax
    • Get group members
    • Support OAuth2 token refresh
    • Proper error handling
  4. ScimIdentityProviderPlugin: ProcessEnginePlugin that configures the SCIM identity provider

  5. Query implementations: ScimUserQueryImpl, ScimGroupQuery, ScimTenantQuery

  6. Entity classes: ScimUserEntity, ScimGroupEntity extending the base entity classes

File Header

All Java files must use this license header:

/*
 * Copyright CIB software GmbH and/or licensed to CIB software GmbH
 * under one or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information regarding copyright
 * ownership. CIB software licenses this file to you under the Apache License,
 * Version 2.0; you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

Dependencies

  • Apache HttpClient 5 for HTTP requests
  • Jackson for JSON processing
  • Follow the same dependency patterns as the LDAP plugin

Update Parent POM

Add the new identity-scim module to engine-plugins/pom.xml

Reference Implementation

Use the LDAP Identity Provider as the reference implementation:

  • LdapIdentityProviderSession.java for the session pattern
  • LdapConfiguration.java for configuration pattern
  • LdapIdentityProviderPlugin.java for plugin registration
  • LdapUserQueryImpl.java and LdapGroupQuery.java for query patterns

Acceptance Criteria

  • Plugin compiles and integrates with CIB seven build
  • Users can be queried from a SCIM server
  • Groups can be queried from a SCIM server
  • User-group memberships are properly resolved
  • Authorization checks work correctly
  • Pagination is supported
  • Multiple authentication methods are supported (Bearer, Basic, OAuth2)
  • Proper logging is implemented
  • Unit tests are included

This pull request was created as a result of the prompt from Copilot chat reproduced above under "Original prompt".