This quickstart covers what you need to know to add both authentication and authorization to your SCIM endpoints. The SCIM component can reuse the services that UseAuthentication and UseAuthorization already introduce into your ASP.NET Core application.
The SCIM component defines two interfaces, one for authentication and one for authorization. For every inbound request the SCIM middleware delegates to the registered implementation of each interface, so you can use the supplied implementations or provide your own.
Authentication
public interface IAuthenticateScimRequest
{
    ValueTask<ClaimsPrincipal> Authenticate(HttpContext context);
}
An out-of-the-box implementation supports ASP.NET Core scheme authentication. Use the AddSchemeAuthentication method on the Scim builder to register the scheme the SCIM middleware should use to authenticate an inbound request. Alternatively, register your own implementation of IAuthenticateScimRequest using AddScimAuthentication.
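As an added example (not code from the component or its documentation), the following custom IAuthenticateScimRequest authenticates the request with the ASP.NET Core JWT bearer scheme and then requires the token to carry a scim scope, so a valid token issued for a different API cannot reach the SCIM endpoints. The scope value, the assumption that the SCIM middleware rejects a ClaimsPrincipal whose identity is not authenticated, and the generic AddScimAuthentication<T>() registration form shown in the comment are assumptions not taken from the page.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Http;

// Custom authenticator for the SCIM middleware. It runs the registered JWT
// bearer handler and additionally insists on a "scim" scope claim.
public class ScimBearerAuthenticator : IAuthenticateScimRequest
{
    // Constructed value for this example; use whatever scope your token
    // issuer grants to SCIM provisioning clients.
    private const string RequiredScope = "scim";

    public async ValueTask<ClaimsPrincipal> Authenticate(HttpContext context)
    {
        // The bearer handler validates signature, issuer, audience and
        // lifetime according to the options passed to AddJwtBearer.
        AuthenticateResult result =
            await context.AuthenticateAsync(JwtBearerDefaults.AuthenticationScheme);

        if (!result.Succeeded || result.Principal == null)
        {
            return Unauthenticated();
        }

        // Tokens commonly carry scopes as one space-separated "scope" claim,
        // but some issuers emit one claim per scope; handle both shapes.
        bool hasScope = result.Principal.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains(RequiredScope, StringComparer.Ordinal);

        return hasScope ? result.Principal : Unauthenticated();
    }

    // An identity created without an authentication type reports
    // IsAuthenticated == false. Assumption: the SCIM middleware treats such a
    // principal as an authentication failure and rejects the request.
    private static ClaimsPrincipal Unauthenticated() =>
        new ClaimsPrincipal(new ClaimsIdentity());
}

// Registration (assumed generic overload; the page names AddScimAuthentication
// but does not show its signature):
//   services.AddScimServiceProvider("/SCIM", licensingOptions)
//       .AddScimAuthentication<ScimBearerAuthenticator>();
```

Because the scope check happens inside Authenticate, a missing scope is reported as an authentication failure rather than an authorization failure; keep that in mind when correlating 401 responses in your logs.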
Authorization
public interface IAuthorizeScimRequest
{
    ValueTask<ScimAuthorizationResult> AuthorizeRequest(IScimActionContext context);
}
An out-of-the-box implementation supports ASP.NET Core authorization policies. Use the AddPolicyAuthorization method on the Scim builder to register the policy the SCIM middleware should use to authorize an inbound request. Alternatively, register your own implementation of IAuthorizeScimRequest using AddScimAuthorization.
You MUST call AddScimAuthorization after any calls to AddScimAuthentication.
Example Configuration
To add authentication and authorization to your SCIM endpoints, register an authentication scheme with AddSchemeAuthentication on the IScimBuilder returned when you register the SCIM service provider and, optionally, an authorization policy with AddPolicyAuthorization. The SCIM middleware then authenticates each inbound request with that scheme and authorizes it against that policy.
The example below registers CookieAuthenticationDefaults.AuthenticationScheme as the authentication scheme and a policy named "SalesOnly", created in the AddAuthorization call, that only succeeds for principals carrying a department claim with the value sales.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Register the cookie scheme the SCIM middleware will authenticate against.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie();

        // "SalesOnly" succeeds only for principals with a department=sales claim.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("SalesOnly", policy =>
            {
                policy.RequireClaim("department", "sales");
            });
        });

        services
            .AddScimServiceProvider("/SCIM", new ScimLicensingOptions("Demo", "eyJTb2xkRm9yIjowLjAsI .... "))
            .AddScimDefaultResourcesForInMemoryStore()
            // Scheme first, then policy: AddScimAuthorization-style calls must
            // follow the authentication registration.
            .AddSchemeAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddPolicyAuthorization("SalesOnly");
    }

    public void Configure(IApplicationBuilder app)
    {
        // Authentication and authorization must sit in the pipeline before the
        // SCIM middleware, which delegates to them for every request.
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseScim();
    }
}
Deprecated from version 5.1
Before version 5.1, you added authentication and authorization to your SCIM endpoints by calling the UseAuthentication method on the IScimBuilder returned from the AddScim call, passing the authentication scheme for the SCIM component to use and, optionally, an authorization policy. This form is deprecated in favour of the AddSchemeAuthentication and AddPolicyAuthorization calls shown above.
The example below passes CookieAuthenticationDefaults.AuthenticationScheme as the authentication scheme and a policy named "SalesOnly" that is created in the AddAuthorization call.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie();

        services.AddAuthorization(options =>
        {
            options.AddPolicy("SalesOnly", policy =>
            {
                policy.RequireClaim("department", "sales");
            });
        });

        // Deprecated from version 5.1: scheme and policy passed in a single call.
        services.AddScimServiceProvider("/SCIM", new ScimLicensingOptions("Demo", "eyJTb2xkRm9yIjowLjAsI .... "))
            .AddScimDefaultResourcesForInMemoryStore()
            .UseAuthentication(CookieAuthenticationDefaults.AuthenticationScheme, "SalesOnly");
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseScim();
    }
}