Environment variable to enable SCIM for manual installations?

I’m wanting to enable SCIM with Azure AD on my self-host install, but when testing the connection in Azure AD I’m getting an error message stating there was an error sending the response. The page is erroring out with HTTP 404 so it seems the endpoint isn’t listening at all.

I had run into this same issue with setting up OIDC and I fixed this by adding globalSettings_enableCloudCommunication=true so the license could sync and I guess that is what allowed SSO to actually work.

I’m thinking this may also be related to the license AND requiring a specific environment variable to enable SCIM. (Since the Linux install requires updating the config.yml file to have enable_scim=true I believe the global.override.env file also requires something similar.)

I’ve tried enable_scim=true as well as globalSettings_enable_scim=true but neither allows the SCIM connection to properly function. Anyone know what the actual env variable should be?

Hi @a_g1,

Have you taken a look at the Self-hosting SCIM help article?

You will want to change your config.yml to include enable_scim=true as you have done.
Be sure to also apply your changes afterwards by running

./bitwarden.sh rebuild

&

./bitwarden.sh update

And you should be able to continue and follow the Azure AD SCIM Integration Bitwarden Help guide.

Hello @cksapp ,

The config.yml file is only available when having used the Bitwarden shell script to deploy Bitwarden. I have a manual deployment of Bitwarden so the config.yml file is not used to orchestrate the deployment of all necessary containers, instead I use the docker-compose.yml file.

Unfortunately the steps you provided would not apply to my install. I did try adding enable_scim=true and globalSettings_enable_scim=true to my global.override.env file but that did not help with getting SCIM working either.

Perhaps I should rephrase my question since I haven’t had any luck and Support hasn’t been able to provide a solution just yet.

If someone were to do a manual setup of Bitwarden, following the setup instructions found here…how would they be able to get SCIM working? Because enabling scim via the config.yml file is not an option, therefore unless there is a missing parameter in the global.override.env file, this should not require any additional services since the bitwarden/scim container specifically references a Linux deployment.

No documentation on this topic exists, and there were a few other issues I had to figure out which I’ll follow up with in a separate post giving a complete rundown on how to successfully deploy Bitwarden manually.

@cksapp hate to tag you again, but perhaps you can send the above to the Dev/Support team with a bit more visibility versus my open Support ticket?

Sorry I had missed the manual install portion in my first response.

You are correct there seems to be little documentation on the subject apart from the provided Help article and some related community postings here.

Alas I am only a Community_Leader and so just another user here, not a member of Bitwarden Staff or affiliated with the team.
I did have a bookmark to come check back on this though, so I appreciate the ping.
I have been trying as I can to dig down into the documentation in the Help center, and scouring the GitHub repo for an answer.

One thing you might try could be to use globalSettings__enable__scim=true or possibly try globalSettings__enablescim=true, as I have noticed with the current documented env vars there is a consistency to use double underscore __
i.e.

globalSettings__enableCloudCommunication=
globalSettings__mail__smtp__startTls=
globalSettings__sso__enforceSsoPolicyForAllUsers=

In a last ditch answer, from what I could find according to the manual install option you are directed to download all provided images within “the docker-compose.yml file in docker-stub.zip.”

The docker stub appears to remove the config.yml on build since it won’t be used in the manual install, but from the best I can tell the current stubbed version does not include image: bitwarden/scim:latest within the docker-compose.yml that would appear needs to be running for SCIM to function.
(Unfortunately I cannot test this myself as I only have access to the Family Plan personally, with Enterprise being our production license at work)

I would definitely look towards support for an official answer and resolution, hopefully this may be something that just is lacking in the Docker stubbed version and can be added for these types of manual offline install methods.
I would also highly recommend that once an answer is found that the documentation be updated as well, you can make suggestions to the team at the bottom of the relevant Help doc page, (or if you answer back here I can also make the suggestion on the page if you prefer).
Hopefully once there is a resolution to your question from support, it can be added as well as here in the community for any further future users looking for a similar question.

P.S. On a separate note, it appears something that should be functional I would imagine, as there is a similar environment variable within the Bitwarden Unified (beta).

| Variable | Description |
| --- | --- |
| BW_ENABLE_SSO | Enable or disable SSO services for Enterprise organizations. Default false. |

So while I know this may not be of assistance now, the Unified image may be something to look into, especially once it comes out of Beta and moves into a production release.

Hopefully you get an answer soon for the current manual install method. :slightly_smiling_face:

Hey,

I had exactly the same issue. There is no configuration variable necessary for offline installations.
Simply add the right endpoint to your nginx configuration:

diff --git a/group_vars/bitwarden/nginx.yml b/group_vars/bitwarden/nginx.yml
index 9ed6ada..959e9dd 100644
--- a/group_vars/bitwarden/nginx.yml
+++ b/group_vars/bitwarden/nginx.yml
@@ -98,10 +98,20 @@ nginx_vhosts:
       location /events/ {
         proxy_pass http://localhost:5005/;
       }

+      location /scim/ {
+        proxy_pass http://localhost:5009/;
+      }
+
       location /sso {
         proxy_pass http://localhost:5006;
         include /etc/nginx/security-headers-ssl.conf;
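
Review bot: The new `location /scim/` block carries no include or access restriction, while the `/sso` block directly below it pulls in `/etc/nginx/security-headers-ssl.conf`. Since this location forwards provisioning requests to the backend on port 5009, consider limiting it to the identity provider's source addresses with `allow`/`deny`, and add a short comment that the trailing slash on `proxy_pass http://localhost:5009/;` strips the `/scim/` prefix before the request reaches the container, as the `/events/` block above already does.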

And start up the missing scim container:

diff --git a/roles/bitwarden/templates/docker-compose.yml b/roles/bitwarden/templates/docker-compose.yml
index c9d8969..865bf26 100644
--- a/roles/bitwarden/templates/docker-compose.yml
+++ b/roles/bitwarden/templates/docker-compose.yml
@@ -97,6 +97,24 @@ services:
       - default
       - public

+  scim:
+    image: bitwarden/scim:{{ bitwarden_version }}
+    container_name: bitwarden-scim
+    restart: always
+    volumes:
+      - ../core:/etc/bitwarden/core
+      - ../ca-certificates:/etc/bitwarden/ca-certificates
+      - ../logs/scim:/etc/bitwarden/logs
+    env_file:
+      - global.env
+      - ../env/uid.env
+      - ../env/global.override.env
+    ports:
+      - "127.0.0.1:5009:5000"
+    networks:
+      - default
+      - public
+
   sso:
     image: bitwarden/sso:{{ bitwarden_version }}
     container_name: bitwarden-sso
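
Review bot: The host port in `"127.0.0.1:5009:5000"` is hard-coded and has to stay in step with the `proxy_pass http://localhost:5009/;` line in nginx.yml, so a change in one file silently breaks the other. The template already uses `{{ bitwarden_version }}` for the image tag; a shared variable for the SCIM port, referenced from both files, would remove that coupling. Keeping the bind on 127.0.0.1 is right, since it leaves nginx as the only path to the service.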

Then proceed with the wiki article: Azure AD SCIM Integration | Bitwarden Help Center

!! My port mapping is different. Do not simply copy’n’paste :slight_smile: