Description
Is your feature request related to a problem?
When mapping roles, administrators often need to look up users or groups from an external IdP (Okta, Azure AD, Ping, OneLogin, etc.). Today, the role-mapping UI/API requires manual input or pre-known identifiers. This is slow and error-prone at scale and makes it hard to discover the correct principals, especially in large directories.
What solution would you like?
Add native SCIM 2.0 (RFC 7644) search support to both:
- OpenSearch Security plugin: a REST API to search SCIM Users and Groups (filtering, pagination, attributes).
- security-dashboards-plugin: typeahead “Search users/groups” pickers in the Role Mapping UI that call the above API and return display name + username (or group name), with paging.
What alternatives have you considered?
- Manual copy/paste of usernames/backend roles from the IdP UI.
- One-off scripts calling the IdP’s SCIM endpoints directly.
- LDAP queries (where available), which don’t standardize as cleanly as SCIM across IdPs.
Do you have any additional context?
- Use cases: mapping roles to dynamic teams, onboarding/offboarding at scale, avoiding typos, and reducing time-to-access.
- Security: integrate via least-privilege service credentials; respect IdP rate limits; cache short-lived results.
(Optional) Details & Proposal
API (Security plugin)
New endpoints under the Security plugin namespace (paths illustrative):
Search Users
- `POST /_plugins/_security/api/scim/users/_search`
- Request body:
```json
{
  "filter": "userName co \"alice\" or displayName co \"Ops\"",
  "startIndex": 1,
  "count": 20,
  "attributes": ["id", "externalId", "userName", "displayName", "active", "emails.value"]
}
```
- Response (SCIM-like):
```json
{
  "totalResults": 42,
  "startIndex": 1,
  "itemsPerPage": 20,
  "Resources": [
    {
      "id": "00u1abcd...",
      "externalId": "[email protected]",
      "userName": "alice",
      "displayName": "Alice Johnson",
      "active": true
    }
  ],
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"]
}
```
Search Groups
- `POST /_plugins/_security/api/scim/groups/_search`
- Same shape; `filter` examples: `displayName co "SRE"` or `id eq "00g1..."`.
Behavior
- Support SCIM filters (`eq`, `co`, `sw`, `and`, `or`, parentheses), `startIndex`, `count`, `sortBy`, `sortOrder`, `attributes`.
- Pass-through to IdP SCIM `/Users` and `/Groups`, with response normalization.
- Optional server-side caching (TTL) to reduce IdP load.
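Added example (not code from the Security plugin or from this proposal): a stand-alone Python model of the behavior described above. It parses the requested SCIM filter subset (`eq`, `co`, `sw`, `and`, `or`, parentheses) into a small AST, rejects anything outside that grammar before it could ever be forwarded to an IdP, evaluates it against a constructed in-memory directory standing in for `/Users`, pages with a 1-based `startIndex` and a `count` clamped to `max_count`, projects `attributes` (including `emails.value`), and wraps the page as a SCIM `ListResponse`. The sample users, the `max_count` default and all function names are assumptions; string comparison is case-insensitive per RFC 7644 and `caseExact` attributes are not modelled.

```python
import re

# Constructed sample directory standing in for the IdP's SCIM /Users endpoint (assumption).
USERS = [
    {"id": "00u1", "userName": "alice", "displayName": "Alice Johnson", "active": True,
     "emails": [{"value": "alice@example.com"}]},
    {"id": "00u2", "userName": "alison", "displayName": "Alison Ops", "active": False},
    {"id": "00u3", "userName": "bob", "displayName": "Bob Ops", "active": True},
]
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
# Tokens: parentheses, double-quoted strings (backslash escapes allowed), attribute paths/keywords.
_TOKEN = re.compile(r'\(|\)|"(?:[^"\\]|\\.)*"|[A-Za-z][\w.]*')

def tokenize(filter_str):
    # Anything left after removing the recognised tokens is outside the supported grammar.
    if _TOKEN.sub("", filter_str).strip():
        raise ValueError("filter contains unsupported characters")
    return _TOKEN.findall(filter_str)

def parse_filter(filter_str):
    """eq/co/sw, and/or, parentheses; yields ('cmp', attr, op, value), ('and', l, r), ('or', l, r)."""
    toks, pos = tokenize(filter_str) + [""], [0]  # "" is the end-of-input sentinel
    def peek():
        return toks[pos[0]]
    def take():
        tok = peek()
        if tok:  # never advance past the sentinel
            pos[0] += 1
        return tok
    def binary(keyword, operand):  # left-associative chain joined by one keyword
        node = operand()
        while peek().lower() == keyword:
            take()
            node = (keyword, node, operand())
        return node
    def expr():  # 'or' binds looser than 'and'
        return binary("or", lambda: binary("and", factor))
    def factor():
        tok = take()
        if tok == "(":
            node = expr()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if not tok[:1].isalpha():
            raise ValueError(f"expected attribute path, got {tok!r}")
        op, raw = take().lower(), take()
        if op not in ("eq", "co", "sw"):
            raise ValueError(f"unsupported operator {op!r}")
        if raw.startswith('"'):
            return ("cmp", tok, op, raw[1:-1].replace('\\"', '"'))
        if raw.lower() in ("true", "false"):
            return ("cmp", tok, op, raw.lower() == "true")
        raise ValueError(f"invalid comparison value {raw!r}")
    node = expr()
    if peek():
        raise ValueError(f"unexpected trailing token {peek()!r}")
    return node

def _values(resource, path):
    """Resolve 'emails.value'-style paths; multi-valued attributes yield every candidate."""
    head, _, rest = path.partition(".")
    node = resource.get(head)
    items = [] if node is None else (node if isinstance(node, list) else [node])
    if not rest:
        return items
    return [v for item in items if isinstance(item, dict) for v in _values(item, rest)]

def _matches(op, actual, wanted):
    if isinstance(wanted, bool) or isinstance(actual, bool):
        return op == "eq" and actual == wanted
    a, w = str(actual).lower(), str(wanted).lower()  # RFC 7644: case-insensitive unless caseExact
    return a == w if op == "eq" else (w in a if op == "co" else a.startswith(w))

def evaluate(node, resource):
    if node[0] == "and":
        return evaluate(node[1], resource) and evaluate(node[2], resource)
    if node[0] == "or":
        return evaluate(node[1], resource) or evaluate(node[2], resource)
    _, attr, op, wanted = node
    return any(_matches(op, v, wanted) for v in _values(resource, attr))

def project(resource, attributes):
    # Keep only the requested attributes; 'emails.value' keeps that sub-attribute of each email.
    out = {}
    for attr in attributes:
        head, _, sub = attr.partition(".")
        if head in resource:
            out[head] = resource[head] if not sub else [{sub: i[sub]} for i in resource[head] if sub in i]
    return out

def search(resources, filter_str="", start_index=1, count=20, attributes=None, max_count=100):
    # Apply the filter, page with a 1-based startIndex, clamp count, and wrap as a ListResponse.
    ast = parse_filter(filter_str) if filter_str.strip() else None
    matched = [r for r in resources if ast is None or evaluate(ast, r)]
    start, size = max(1, start_index), max(0, min(count, max_count))
    page = matched[start - 1:start - 1 + size]
    if attributes:
        page = [project(r, attributes) for r in page]
    return {"schemas": [LIST_RESPONSE], "totalResults": len(matched),
            "startIndex": start, "itemsPerPage": len(page), "Resources": page}
```

Parsing the filter on the plugin side, rather than forwarding the raw string, is what lets the API enforce its own operator allow-list and `max_count` regardless of what the IdP would accept; in the pass-through design the AST would be re-serialised into the upstream `filter` parameter instead of evaluated locally.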
UI (security-dashboards-plugin)
- In Security → Roles → Role mappings:
  - Replace static user/backend-role inputs with searchable pickers:
    - Tabs: Users / Groups.
    - Typeahead uses the new SCIM search API.
    - Show `[displayName] — [userName]` for users and `[displayName] — [id]` for groups.
    - Infinite scroll / “Load more” using `startIndex`/`count`.
  - Allow mixing SCIM principals and existing local/LDAP ones; show “source” badges.
Configuration (Security plugin)
Example config keys (names illustrative):
```yaml
scim:
  enabled: true
  base_url: "https://idp.example.com/scim/v2"
  auth:
    type: "oauth2_client_credentials" # or "pat"
    token_url: "https://idp.example.com/oauth2/v1/token"
    client_id: "${env:SCIM_CLIENT_ID}"
    client_secret: "${env:SCIM_CLIENT_SECRET}"
    scope: "scim.read"
  timeouts:
    connect_ms: 3000
    read_ms: 5000
  pagination:
    default_count: 20
    max_count: 100
  attribute_mapping:
    user:
      username: "userName"
      display_name: "displayName"
      id: "id"
      external_id: "externalId"
    group:
      name: "displayName"
      id: "id"
```
Edge cases & UX
- Handle deactivated users (`active=false`) with a visible indicator.
- Graceful errors for rate limiting/timeouts with retry guidance.
- Case sensitivity: follow IdP semantics, but present UI comparisons as case-insensitive for user input.
- Distinguish similarly named users by showing email or externalId.
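Added example (not code from either plugin) tying the Configuration, UI and Edge cases sections together: it expands the `${env:NAME}` credential references from the illustrative config and fails closed when a variable is unset, normalises raw IdP users and groups through `attribute_mapping` into one shape carrying a `source` badge, renders the picker label format the UI section specifies with a deactivated marker and an email/externalId suffix for same-named users, and wraps search pages in a TTL cache keyed on every paging parameter. The `cache.ttl_seconds` key, the `(deactivated)` wording, the `<email>` suffix style and the function names are assumptions; the issue itself only asks for a visible indicator, short-lived caching and disambiguation.

```python
import os
import re
import time
from collections import Counter

# Constructed config mirroring the illustrative keys in this issue; "cache.ttl_seconds" is an
# assumption (the issue only says "server-side caching (TTL)").
CONFIG = {
    "base_url": "https://idp.example.com/scim/v2",
    "auth": {"type": "oauth2_client_credentials",
             "client_id": "${env:SCIM_CLIENT_ID}", "client_secret": "${env:SCIM_CLIENT_SECRET}"},
    "cache": {"ttl_seconds": 30},
    "attribute_mapping": {
        "user": {"username": "userName", "display_name": "displayName", "id": "id", "external_id": "externalId"},
        "group": {"name": "displayName", "id": "id"},
    },
}
_ENV_REF = re.compile(r"\$\{env:([A-Za-z_][A-Za-z0-9_]*)\}")

def resolve_env(value, environ=None):
    """Expand ${env:NAME}; an unset variable is an error, never an empty credential."""
    environ = os.environ if environ is None else environ
    def lookup(match):
        name = match.group(1)
        if name not in environ:
            raise KeyError(f"config references unset environment variable {name}")
        return environ[name]
    return _ENV_REF.sub(lookup, value)

def normalize_user(raw, mapping=CONFIG["attribute_mapping"]):
    """Map an IdP SCIM User onto one plugin-side shape via the configured attribute names."""
    m = mapping["user"]
    emails = [e.get("value") for e in raw.get("emails", []) if e.get("value")]
    return {"id": raw.get(m["id"]), "username": raw.get(m["username"]),
            "display_name": raw.get(m["display_name"]), "external_id": raw.get(m["external_id"]),
            "email": emails[0] if emails else None,
            "active": bool(raw.get("active", True)),  # SCIM 'active' is optional; absent means enabled
            "source": "scim"}  # drives the "source" badge shown beside local/LDAP principals

def normalize_group(raw, mapping=CONFIG["attribute_mapping"]):
    m = mapping["group"]
    return {"id": raw.get(m["id"]), "name": raw.get(m["name"]), "source": "scim"}

def group_label(group):
    return f"{group['name']} — {group['id']}"  # '[displayName] — [id]' per the UI section

def picker_labels(users):
    """'[displayName] — [userName]' per the UI section, plus a deactivated marker and, when two
    results share a display name, the email (or externalId) so they can be told apart."""
    dupes = {n for n, c in Counter(u["display_name"] for u in users).items() if c > 1}
    labels = []
    for u in users:
        label = f"{u['display_name']} — {u['username']}"
        if u["display_name"] in dupes:
            label += f" <{u['email'] or u['external_id']}>"
        if not u["active"]:
            label += " (deactivated)"
        labels.append(label)
    return labels

class TtlCache:
    """Short-lived cache for search pages; the clock is injectable so expiry is testable."""
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl, self.clock, self._store = ttl_seconds, clock, {}
    def get(self, key):
        entry = self._store.get(key)
        if entry is None:
            return None
        expires_at, value = entry
        if self.clock() >= expires_at:
            del self._store[key]
            return None
        return value
    def put(self, key, value):
        self._store[key] = (self.clock() + self.ttl, value)

def cached_search(cache, fetch, resource_type, filter_str, start_index, count):
    """Return (result, served_from_cache); the key covers every paging parameter so pages never mix."""
    key = (resource_type, filter_str, start_index, count)
    hit = cache.get(key)
    if hit is not None:
        return hit, True
    result = fetch(resource_type, filter_str, start_index, count)
    cache.put(key, result)
    return result, False
```

`fetch` stands for whatever performs the upstream IdP call; keeping it as a parameter is what allows the cache and the normalisation to be exercised offline, and it keeps the TTL logic independent of the `timeouts` and rate-limit handling the issue asks for.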
Acceptance criteria
- Admin can search and select SCIM users/groups in the Role Mapping UI with responsive pagination.
- Security API supports SCIM filters and returns normalized results from at least one major IdP (Okta/Azure AD) end-to-end.
- Config docs cover auth, attribute mapping, limits, and caching.
- Telemetry/logs include IdP request counts, latency, and errors (without PII).