    Installation and Configuration
    SCIM Principal Resolution Service

    Introduction

    The SCIM Principal Resolution Service can be used to resolve groups from identity providers that support SCIM, e.g. Microsoft Azure. These groups can be sent from the identity provider to the Mindbreeze SCIM Service. The SCIM Principal Resolution Service can then resolve groups and users with the help of the SCIM Service.

    Configuration of the SCIM Services

    Configuration in Mindbreeze

    Add a new service in the “Indices” tab with “+Add Service”. Then select “SCIM Service” for the “Service” setting in the new service.

    Now configure the SCIM service with the settings in the “Connection Settings” section.

    Connection Settings

    | Setting | Description | Example/Default Setting |
    |---|---|---|
    | Bind Port* | The port on which the SCIM service is started and can be reached. Port 18080 has been opened for this purpose. | Default Setting: 18080 |
    | Authorization Token* | A credential of type Password created in the Network tab, which contains the password for SCIM authorization. This password must be used by the identity provider to authenticate to the SCIM service. | Example: SCIM Secret |
    | Server Certificate Credential | The credential of type Client Certificate created in the Network tab, which contains an SSL certificate. If this is configured, the SCIM service uses https. | Example: SSL Certificate |
    | Supported TLS Protocols (Advanced Settings) | Comma separated list of TLS protocol names. The accepted values for protocol names are JSSE Standard Names. By default ‘TLSv1,TLSv1.1,TLSv1.2’ is used. | Example: TLSv1,TLSv1.1,TLSv1.2 |
    | SCIM Service Thread Count (Advanced Settings) | Defines the number of threads with which the SCIM server is started to process several requests simultaneously. | Default Setting: 100 |
    | Log All Requests (Advanced Settings) | If this option is activated, all requests sent to the SCIM service are logged in an api-request-log.csv file. Only activate this option to analyze problems. | Default Setting: Disabled |

    * = These settings must be configured so that the Sitemap Generator works and is built. All other settings must be configured according to the use case.

    Settings marked with “(Advanced Settings)” require the activation of “Advanced Settings” in the configuration. These settings are only necessary in special cases.

    Configuration of Provisioning in Microsoft Azure

    To connect Microsoft Azure to the SCIM service, create an enterprise application in Microsoft Azure under “Enterprise Applications” and then “New Application”. Then select “Create your own application”, enter the name of your application (e.g. Mindbreeze SCIM App), select “Integrate any other application you don't find in the gallery (Non-gallery)” and click on “Create”.

    In the overview of your Enterprise Application, go to “Provisioning” under “Manage”.

    Then navigate again to “Manage” and then to “Provisioning” and change the Provisioning Mode to Automatic. In the Secret Token field, enter the password of the credential that you have configured as the Authorization Token for the SCIM service in Mindbreeze InSpire. You can then test the connection with “Test Connection”. If the test is successful, save your settings with “Save”.

    Then reload the page. In the Mappings area, click on Provision Microsoft Entra ID Users. Here you can customize the attribute mappings. Please note that the default attribute “manager” is not supported. Remove this attribute with Delete and save your changes with Save.

    Note: Not removing the “manager” attribute will lead to unnecessary PATCH requests on every provisioning.

    Now navigate back to the Provisioning page. There you can change the Scope of the provisioning in the Settings area. If you want to provision all groups and users to Mindbreeze, set Scope to Sync all users and groups.

    If you only want to provision certain users and groups, these must be assigned to the app. This can be done under Manage and then Users and groups.

    Once you have made the desired configurations, you can start provisioning on the Overview page with Start provisioning.

    Provisioning is then started within the next 40 minutes.

    Configuration of SCIM Principal Resolution Service

    Add a new service in the tab “Indices” with “+Add Service”. Then select “SCIM Principal Resolution Service” for the setting “Service” in the new service.

    Now configure the SCIM Principal Resolution Service with the settings in the section “SCIM Settings”.

    Hint: For more information about the creation, basic configuration of a cache for a Principal Resolution Service and other configuration options, see Installation & Configuration - Caching Principal Resolution Service.

    SCIM Settings

    | Setting | Description | Example/Default Setting |
    |---|---|---|
    | SCIM Base Url* | The base url of the previously configured SCIM service. Make sure that the port matches your Service and that you use “https” if the setting “Server Certificate Credential” is set in the SCIM Service. If you use “https”, you must use the Fully Qualified Domain Name of your InSpire instead of “localhost”. | Default setting: http://localhost:18080 ; Example: https://inspire.myorganization.com:18080 |
    | Authorization Token* | A credential of the type Password created in the Network tab, which contains the password for SCIM authorization. This must be the same credential that was used in the SCIM service. | Example: SCIM Secret |
    | Alias Attribute Path (Advanced Settings) | This setting allows you to use a JsonPath expression to select attributes of groups or users whose value is to be used as an alias. | Examples: The displayName of the user: $.displayName ; All emails of the user for which the primary attribute is set to true: $.emails[?(@.primary==true)].value |

    * = These settings must be configured so that the Sitemap Generator works and is built. All other settings must be configured according to the use case.

    Settings marked with “(Advanced Settings)” require the activation of “Advanced Settings” in the configuration. These settings are only necessary in special cases.
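
What the two Alias Attribute Path expressions above select, shown against a constructed SCIM user resource. This is an added example, not Mindbreeze code: `select` is a hypothetical helper that implements only a small JsonPath subset (it is not the product's JsonPath engine), and the sample user is constructed.

```python
import json
import re

# Constructed SCIM user resource; attribute names follow the SCIM core
# User schema (RFC 7643). All values are made up for this example.
SAMPLE_USER = json.loads("""
{
  "id": "constructed-user-id-0001",
  "userName": "alice@example.com",
  "displayName": "Alice Example",
  "emails": [
    {"value": "alice@example.com", "type": "work", "primary": true},
    {"value": "a.example@example.org", "type": "other", "primary": false}
  ]
}
""")

# One path step: .name, optionally followed by [*] or [?(@.key==literal)]
_STEP = re.compile(r"\.(\w+)(?:\[(\*|\?\(@\.(\w+)==([^)]+)\))\])?")


def select(resource, path):
    """Evaluate a JsonPath subset: $.a, $.a.b, $.a[*].b, $.a[?(@.k==lit)].b.

    Hypothetical helper for previewing alias values; returns a list of matches.
    """
    if not path.startswith("$"):
        raise ValueError("path must start with '$'")
    pos, nodes = 1, [resource]
    while pos < len(path):
        m = _STEP.match(path, pos)
        if not m:
            raise ValueError(f"unsupported JsonPath syntax: {path[pos:]!r}")
        key, selector, fkey, fval = m.groups()
        # Descend into the named attribute of every current node.
        nodes = [n[key] for n in nodes if isinstance(n, dict) and key in n]
        if selector:
            # [*] or a filter: flatten multi-valued attributes into items.
            items = [i for n in nodes if isinstance(n, list) for i in n]
            if selector != "*":
                # Literal may be true/false, a number, or a quoted string.
                want = json.loads(fval.strip().replace("'", '"'))
                items = [i for i in items
                         if isinstance(i, dict) and i.get(fkey) == want]
            nodes = items
        pos = m.end()
    return nodes


if __name__ == "__main__":
    for expr in ("$.displayName", "$.emails[?(@.primary==true)].value"):
        print(expr, "->", select(SAMPLE_USER, expr))
```

For a user with no e-mail marked as primary, the second expression selects nothing, so it is worth checking the provisioned attributes before relying on it.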

    Appendix

    Known Issues with Microsoft Azure Provisioning

    Microsoft Azure has a list of known issues. Some of these issues affect the provisioning to the Mindbreeze SCIM Service:

    Null attributes cannot be provisioned. This is most relevant when the value of a metadata is removed entirely. Since null attributes cannot be provisioned, Microsoft Azure will not send the information that the value of the metadata has been removed.

    Switching from Sync All to Sync Assigned not working. If you change the Scope of your provisioning, make sure you restart the provisioning. You can perform the restart via the user interface in Microsoft Azure.

    When a group is in scope and a member is out of scope, the group will be provisioned. The out-of-scope user won't be provisioned. If the member comes back into scope, the service won't detect the change. Restarting provisioning addresses this issue. Periodically restart the service to ensure that all users are properly provisioned.

    Operating SCIM Service behind a Reverse Proxy

    Required HTTP Methods

    When operating the SCIM Service behind a Reverse Proxy, note that SCIM requires the following HTTP methods:

    • DELETE
    • GET
    • PATCH
    • POST
    • PUT

    Modern servers usually block DELETE, PATCH, and PUT methods by default. Ensure that all required HTTP methods are enabled.

    Required Headers

    Ensure that the Reverse Proxy correctly sets the HTTP header X-Forwarded-For. You can verify this by checking the log files when "Log All Requests" is enabled.
