A simple PHP API built using Slim that handles and responds to all of the SCIM requests made by OneLogin for user provisioning.
The sample is based on the OneLogin Core User Schema but could be easily adapted to support the Enterprise schema.
This projects uses composer. Execute at the root of the project
composer install
in order to install all the project dependencies.
You will also need to publish the app with Apache or Nginx. Read more about how publish a Slim app here.
The endpoints are configured in the src
folder, at the routes.php
file and each has a corresponding method of a controller (UserController or GroupController) which is found in the src/Controllers
directory.
// Users
$app->get('/Users', 'UserController:list')->setName('users.list');
$app->get('/Users/{id}', 'UserController:get')->setName('users.get');
$app->post('/Users', 'UserController:create')->setName('users.create');
$app->put('/Users/{id}', 'UserController:update')->setName('users.update');
$app->delete('/Users/{id}', 'UserController:delete')->setName('users.delete');
// Groups
$app->get('/Groups', 'GroupController:list')->setName('groups.list');
$app->post('/Groups', 'GroupController:create')->setName('groups.create');
$app->patch('/Groups/{id}', 'GroupController:update')->setName('groups.update');
In addition there is an endpoint to generate the Bearer Token required to authenticate the requests,
$app->get('/jwt', 'JWTController:generate')->setName('jwt.generate');
Right now that endpoint is public and open, but in production should be removed or protected by user credentials.
When you run this sample, you first need to execute
php db/database.php
and it will create a scim.sqlite
file in the db
folder that contains users
and groups
.
Be sure the proper permissions are set
This file based db is powered using Sqlite and is not intended for production use. It is simply for this example.
It is expected that you would replace the calls to this db with your own database or api calls.
This sample shamelessly uses logs/app.log
all over the place as a simple way to display whats going on as the endpoints are hit. It is expected that you will replace this with your favorite logging solution.
You can run this locally and watch the logs as OneLogin sends provisioning requests.
From your terminal
git clone https://github.com/onelogin/onelogin-scim-php.git
cd onelogin-scim-php && composer install
The OneLogin SCIM implementation uses a bearer token supplied in an authorization header of each request. This api will validate the token matches before allowing any provisioning tasks to take place.
Access the /jwt endpoint described previously to get a valid token.
You will need to enter the same token into the SCIM Bearer Token field when setting up your SCIM app via the OneLogin portal.
This will start the SCIM API on http://localhost:8080
cd public
php -S localhost:8080
To run this sample end to end with OneLogin it needs to be exposed to the internet so that OneLogin can make provisioning requests to the various endpoints.
For this we recommend using Apache or Nginx. On produciton, be sure you protect the /jwt endpoint and you enable HTTPs
If you already have a SCIM app configured then simply paste the url in the SCIM Base URL field on the Configuration tab of your app.
If you don't have a SCIM app configured yet then follow this guide to create an app using the SCIM Provisioner with SAML (Core Schema v1.1).
Follow this guide to enable provisioning and test your SCIM API.