SCIM Provisioner

The SCIM Provisioner allows PingFederate to integrate with a wide range of services that support the System for Cross-domain Identity Management (SCIM) for user provisioning and single sign-on (SSO).

Features

Manages users in the target service based on changes in an external datastore that is attached to PingFederate.
- Creates, updates, disables, and deletes users
- Allows you to enable the create, update, disable, and delete capabilities independently
- Allows you to choose whether to disable or delete users when deprovisioning
- Allows you to provision disabled users
Manages groups in the target service based on changes in an external datastore that is attached to PingFederate.
- Creates, updates, and deletes groups
- Updates group memberships
Enables browser-based SSO initiated by the service provider (SP) or identity provider (IdP).

The SCIM Connector implements the official specifications provided from simplecloud.info. The following table provides a brief summary.

Feature	Outbound provisioning
SCIM specification	Step 1.1, 2.0
Data format	JSON
User and group CRUD operations	Yes
Custom schema support	Users: Yes. Groups: No.
Filtering support	Users: Yes Groups: The connector allows group filtering by retrieving all groups and finding a match.
PATCH	Users: No Groups: Yes
Authentication method	HTTP Basic Authentication, OAuth bearer token and OAuth client credentials
Source data stores	Active Directory and other LDAPv3-compliant directory servers

Feature

Outbound provisioning

SCIM specification

Step 1.1, 2.0

Data format

JSON

User and group CRUD operations

Yes

Custom schema support

Users: Yes.

Groups: No.

Filtering support

Users: Yes

Groups: The connector allows group filtering by retrieving all groups and finding a match.

PATCH

Users: No

Groups: Yes

Authentication method

HTTP Basic Authentication, OAuth bearer token and OAuth client credentials

Source data stores

Active Directory and other LDAPv3-compliant directory servers

Components

The SCIM provisioning and SSO connector:

Allows PingFederate to manage users in the service based on changes in an external user data store
Optional configuration allows PingFederate to create an SSO connection to the service
Includes a quick-connection template that pre-populates some configuration settings

Intended audience

This document is intended for PingFederate administrators.

If you need help during the setup process, see the following resources:

PingFederate documentation:
The SCIM 1.1 Developer Guide on the Ping Identity Developer site
The SCIM specification on simplecloud.info

System requirements

PingFederate 9.0 or later.
To allow PingFederate to make outbound connections, you might need to allow SCIM endpoints in your firewall.