As mentioned in https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/1868369, a load balancer, reverse proxy or other gateway is required to use SCIM. This page has very basic example configs for a small selection of common proxy or load balancer solutions. It is intended as a starting point only. Consult the vendor documentation for your specific product for further details and best practices.

Nginx

The below example terminates HTTPS and proxies requests from scim.example.com:443 (external) to the KSSO API server on 10.0.0.100:5001 (internal).

server {
    listen       443 ssl;
    server_name  scim.example.com;
 
    access_log /var/log/nginx/access.log main;
    error_log  /var/log/nginx/error.log;
 
    ssl_certificate     /etc/nginx/ssl/cert.crt;
    ssl_certificate_key /etc/nginx/ssl/cert.key;
 
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_stapling_verify on;
 
    location /scim {
      proxy_pass http://10.0.0.100:5001/scim;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
    }
}

HAProxy

This example configuration balances requests to four separate Jira servers (Datacenter cluster).

global
  log /var/log/haproxy    local0
  log /var/log/haproxy    local1 notice
 
  ca-base /etc/ssl/haproxy
  crt-base /etc/ssl/haproxy
 
  tune.ssl.default-dh-param 2048
 
 
defaults
  timeout connect 30000
  timeout client  300000
  timeout server  300000
 
frontend scim_tls
  bind *:443 ssl crt /etc/ssl/haproxy/cert.pem
  mode http
 
  default_backend scim_servers
 
 
backend scim_servers
  mode http
 
  option tcp-check
 
  balance random
  server api1 jira01:5501 check 
  server api2 jira02:5501 check 
  server api3 jira03:5501 check 
  server api4 jira04:5501 check

Kantega SSO Enterprise

Proxy/gateway examples

Nginx

HAProxy