SCIM Provisioner

SCIM provisioner settings reference

Configuration settings and provisioning options for the SCIM Provisioner.

Field Name Description

SCIM URL

The SCIM base URL for the target service. For example:

http://scim-example.com/v2/

SCIM Version

The SCIM version supported by the target service. The options are:

  • 2.0 (default)

  • 1.1.

Authentication Methods

The authentication method expected by the target service. The options are:

  • None (default)

  • Basic Authentication

  • OAuth 2 Bearer Token

  • OAuth 2 Client Credentials.

When an authentication method is selected, only the data required for that method will be processed. Entries in fields for other authentication methods will be ignored.

Basic Authentication

Basic Authentication Username

The username of the administrator account on the target service.

Basic Authentication Password

The password of the administrator account on the target service.

OAuth 2 Bearer Token

Access Token

The OAuth access token for the target service.

OAuth 2 Client Credentials

Token Request Endpoint

The endpoint that the connector uses to get an access token. For example:

https://scim-example.com/as/token.oauth2

Client ID

The client ID for the target service.

Client Secret

The client secret for the target service.

Scope

An optional field that allows an admin to specify a comma-delimited list of OAuth scopes that access tokens requested from the SCIM provider should contain.
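The following is an added example, not PingFederate's own code, showing the token request a connector would assemble from the Token Request Endpoint, Client ID, Client Secret and Scope fields above. The function names are constructed for this example; it assumes the client authenticates with HTTP Basic (client_secret_basic) and converts the comma-delimited Scope field to the space-delimited scope parameter that OAuth 2 (RFC 6749) defines.

```python
"""Build the OAuth 2 client-credentials token request a SCIM connector sends
to the Token Request Endpoint.  Added example, not PingFederate code; the
helper names are constructed and it assumes the client authenticates with
HTTP Basic, which RFC 6749 section 2.3.1 requires servers to support."""
import base64
from urllib.parse import urlencode, quote


def scope_parameter(scope_setting: str) -> str:
    """Convert the connector's comma-delimited Scope field to the OAuth 2
    'scope' parameter, which RFC 6749 defines as space-delimited."""
    scopes = [s.strip() for s in scope_setting.split(",") if s.strip()]
    return " ".join(scopes)


def basic_credentials(client_id: str, client_secret: str) -> str:
    """client_secret_basic: RFC 6749 form-url-encodes id and secret before base64."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()


def token_request(endpoint: str, client_id: str, client_secret: str,
                  scope_setting: str = "") -> dict:
    """Return the request as method, url, headers and body (nothing is sent;
    the example is offline)."""
    form = {"grant_type": "client_credentials"}
    scope = scope_parameter(scope_setting)
    if scope:
        form["scope"] = scope
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {
            "Authorization": basic_credentials(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }


def bearer_header(token_response: dict) -> str:
    """Build the Authorization header for the SCIM calls that follow; a
    token_type other than bearer is rejected rather than guessed at."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return "Bearer " + token_response["access_token"]


if __name__ == "__main__":
    # Constructed sample values; the endpoint is the one the page uses as an example.
    req = token_request("https://scim-example.com/as/token.oauth2",
                        "example-client", "example-secret", "scim:read, scim:write")
    print(req["method"], req["url"])
    print(req["body"])
```

The secret never appears in the URL or body; it travels only in the Basic header, which is why the Token Request Endpoint must be an https URL.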

SCIM Overrides

Unique User Identifier

The attribute that uniquely identifies a user when PingFederate does not have access to the unique user ID that the target application assigns to a user.

userName (default)

The value of the user name attribute. This sets the following filter expression:

userName eq <userName_value>

workEmail

The value of the work email attribute. Use when synchronization based on the username is not desirable. This sets the following filter expression:

emails eq <workEmail_value>

To override a default filter, use the Filter Expression field.

To change the unique user identifier:

  1. Delete the existing SP connection.

  2. Restart PingFederate.

  3. Create an SP Connection with the new Unique User Identifier setting.

Filter Expression

A rule that determines how the connector uses the unique user identifier to match existing users in the target application to users in the data store.

This expression overrides the default filter expression that is set by the Unique User Identifier field.

The filter expression contains three parts:

<attribute_name> <operation> <attribute_value>

The <attribute_value> is represented by "%s" in the expression. It is populated by the value of the Unique User Identifier.

Example filter expressions:

  • username eq "%s"

  • email co "%s"

Check the target service documentation and the SCIM Filtering specification to see which filter expressions are supported.
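As an added example (not PingFederate's own code), this shows how the Unique User Identifier and an optional Filter Expression combine into the lookup the connector performs against the users endpoint. The function names are constructed, and the example quotes the substituted value and escapes quotes and backslashes inside it, as the SCIM Filtering specification (RFC 7644) requires for string comparands, so that an identifier containing a quote cannot change the shape of the filter.

```python
"""Build and URL-encode a SCIM user-lookup filter from a PingFederate-style
filter template.  Added example, not PingFederate code; the function names
and the quoting of the substituted value are assumptions of this example."""
from typing import Optional
from urllib.parse import urlencode

# Default templates for the two Unique User Identifier settings described on
# the page.  RFC 7644 requires string comparands to be double-quoted, so the
# example quotes them (assumption: the connector does the same).
DEFAULT_FILTERS = {
    "userName": 'userName eq "%s"',
    "workEmail": 'emails eq "%s"',
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a quoted SCIM filter string.

    Filter string literals use JSON-style escaping: a backslash or double
    quote in the identifier must be escaped, otherwise a value such as
    o"brien would end the quoted literal early and produce a malformed or
    unintended filter."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_filter(identifier_setting: str, identifier_value: str,
                 override: Optional[str] = None) -> str:
    """Return the filter expression for one user lookup.

    identifier_setting: 'userName' or 'workEmail' (Unique User Identifier).
    override: a Filter Expression containing '%s', which replaces the default.
    """
    template = override or DEFAULT_FILTERS[identifier_setting]
    if template.count("%s") != 1:
        raise ValueError("filter template must contain exactly one %s")
    return template.replace("%s", escape_filter_value(identifier_value))


def lookup_url(base_url: str, users_path: str, filter_expr: str) -> str:
    """Compose the GET URL; users_path falls back to /Users when left blank."""
    path = users_path.strip() or "/Users"
    return base_url.rstrip("/") + path + "?" + urlencode({"filter": filter_expr})


if __name__ == "__main__":
    # Constructed sample values.
    f = build_filter("userName", "alice@example.com")
    print(f)
    print(lookup_url("https://scim-example.com/v2/", "", f))
    print(build_filter("workEmail", 'o"brien@example.com', override='email co "%s"'))
```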

Authorization Header Type

The type of HTTP authorization header used. For example, oauth2.

Users API Path

The users API path is used when the users endpoint deviates from the SCIM specification (/Users is used by default when left blank).

Groups API Path

The groups API path is used when the groups endpoint deviates from the SCIM specification (/Groups is used by default when left blank).

Results Per Page

Determines the number of groups that PingFederate requests per GET request when searching all groups for a match. If the target service has a limit, change this value to match.

A value of -1 retrieves the largest page size allowed by the target service.

The default value is 1000.
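The following is an added example, not PingFederate's own code, of the paged group search that the Results Per Page setting governs. The fetcher and the fake groups endpoint are constructed for this example; it assumes that a value of -1 is expressed by omitting the SCIM count parameter so the service returns its largest allowed page. The point it demonstrates is the failure mode behind the advice above: a service that silently caps the page size returns fewer items than requested, so the next startIndex must be advanced by the itemsPerPage actually returned, otherwise groups are skipped and no match is found.

```python
"""Walk all groups in a SCIM service page by page, the way a provisioner
searching for a matching group has to.  Added example, not PingFederate code;
the fake service and function names are constructed for this example."""
from typing import Callable, Iterator, List, Optional

# (startIndex, count) -> a SCIM ListResponse dict
Fetcher = Callable[[int, Optional[int]], dict]


def iter_groups(fetch: Fetcher, results_per_page: int) -> Iterator[dict]:
    """Yield every group resource, honouring the target service's page limit.

    results_per_page mirrors the Results Per Page setting: a positive value is
    sent as the SCIM 'count' parameter; -1 omits 'count' so the service returns
    its largest allowed page (assumption of this example).  startIndex is
    advanced by the itemsPerPage actually returned, not by the requested
    count, because a service that caps page size would otherwise cause
    groups to be skipped."""
    start = 1  # SCIM startIndex is 1-based
    count = None if results_per_page == -1 else results_per_page
    while True:
        page = fetch(start, count)
        resources = page.get("Resources", [])
        if not resources:
            return
        for group in resources:
            yield group
        start += page.get("itemsPerPage", len(resources))
        if start > page["totalResults"]:
            return


def find_group(fetch: Fetcher, results_per_page: int,
               display_name: str) -> Optional[dict]:
    """Return the first group whose displayName matches, or None."""
    for group in iter_groups(fetch, results_per_page):
        if group.get("displayName") == display_name:
            return group
    return None


def make_fake_service(groups: List[dict], max_page: int) -> Fetcher:
    """Constructed stand-in for a /Groups endpoint that caps pages at max_page."""
    def fetch(start_index: int, count: Optional[int]) -> dict:
        size = max_page if count is None else min(count, max_page)
        begin = start_index - 1
        chunk = groups[begin:begin + size]
        return {
            "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
            "totalResults": len(groups),
            "startIndex": start_index,
            "itemsPerPage": len(chunk),
            "Resources": chunk,
        }
    return fetch


# Constructed sample data: 7 groups on a service that caps pages at 3.
SAMPLE_GROUPS = [{"id": f"g{i}", "displayName": f"team-{i}"} for i in range(7)]
SAMPLE_SERVICE = make_fake_service(SAMPLE_GROUPS, max_page=3)

if __name__ == "__main__":
    # Requesting the default 1000 per page still yields all 7 groups.
    print([g["id"] for g in iter_groups(SAMPLE_SERVICE, 1000)])
    print(find_group(SAMPLE_SERVICE, -1, "team-5"))
```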

Provisioning Options

User Create

Selected (default)

PingFederate creates users in the target service.

Cleared

PingFederate does not create users in the target service.

User Update

Selected (default)

PingFederate updates existing users in the target service.

Cleared

PingFederate does not update existing users in the target service.

User Disable / Delete

Selected (default)

PingFederate removes users from the target service according to the Remove User Action setting.

You might need to enable User Update for this to work with some services.

Cleared

PingFederate does not remove users from the target service.

Provision Disabled Users

Selected

PingFederate creates users in the target service with a "disabled" status.

Cleared (default)

If a user has a "disabled" status, PingFederate does not create the user in the target service.

If any of the previous provisioning options are cleared, PingFederate logs a warning in the user workflow section of provisioner.log when the related action fails.

Remove User Action

Delete

PingFederate deletes the user from the target service.

Disable (default)

PingFederate disables the user in the target service.

Some target applications do not support hard deleting users through external interfaces. For those services, users are disabled.

This option applies when User Disable / Delete is selected, and either:

  • A previously provisioned user no longer meets the condition set on the Source Location tab.

  • A user has been disabled or deleted from the data store.

Group Name Source

Common Name (CN) (default)

PingFederate provisions groups to the target service with a name equal to the common name (CN) of the group in the datastore.

Distinguished Name (DN)

PingFederate provisions groups with a name equal to the distinguished name (DN) of the group in the datastore.

Use PATCH for Group Updates

Selected

PingFederate uses the PATCH method to update groups in the target service. Select this option if the target service supports PATCH updates to use lighter API calls.

Cleared (default)

PingFederate uses the PUT method to update groups in the target service.
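As an added example (not PingFederate's own code), this contrasts the two update styles the setting above chooses between: a PUT that resends the whole group, and a SCIM 2.0 PatchOp (RFC 7644 section 3.5.2) that carries only the membership delta. The function names and sample group are constructed; the example derives the remove and add operations from the difference between the group's current members and the desired set.

```python
"""Two ways to push a group-membership change to a SCIM 2.0 service: a full
PUT replacement and a PatchOp that sends only the delta.  Added example, not
PingFederate code; the function names and the sample group are constructed."""
import json
from typing import List, Set, Tuple

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"


def put_body(group_id: str, display_name: str, member_ids: List[str]) -> dict:
    """PUT replaces the whole resource, so every member must be resent."""
    return {
        "schemas": [GROUP_SCHEMA],
        "id": group_id,
        "displayName": display_name,
        "members": [{"value": m} for m in sorted(member_ids)],
    }


def patch_body(current_members: Set[str], desired_members: Set[str]) -> dict:
    """PatchOp carrying only the membership delta.

    Removed members are addressed with a value filter on the members path;
    added members are appended with a single 'add' operation.  Member ids are
    server-assigned, so they are used as-is in the filter here."""
    ops = []
    for member in sorted(current_members - desired_members):
        ops.append({"op": "remove", "path": f'members[value eq "{member}"]'})
    added = sorted(desired_members - current_members)
    if added:
        ops.append({"op": "add", "path": "members",
                    "value": [{"value": m} for m in added]})
    return {"schemas": [PATCH_SCHEMA], "Operations": ops}


def choose_update(use_patch: bool, group: dict,
                  desired_members: Set[str]) -> Tuple[str, dict]:
    """Mirror the 'Use PATCH for Group Updates' setting: returns (method, body)."""
    if use_patch:
        current = {m["value"] for m in group.get("members", [])}
        return "PATCH", patch_body(current, desired_members)
    return "PUT", put_body(group["id"], group["displayName"], sorted(desired_members))


# Constructed sample: a group of three members; u3 leaves and u4 joins.
SAMPLE_GROUP = {
    "schemas": [GROUP_SCHEMA],
    "id": "g-42",
    "displayName": "engineering",
    "members": [{"value": "u1"}, {"value": "u2"}, {"value": "u3"}],
}
DESIRED = {"u1", "u2", "u4"}

if __name__ == "__main__":
    for flag in (False, True):
        method, body = choose_update(flag, SAMPLE_GROUP, DESIRED)
        print(method, json.dumps(body, indent=2))
```

The PUT body grows with the group, and a concurrent change on the target side between the connector's read and its PUT is overwritten; the PATCH body stays proportional to the change, which is the "lighter API calls" the setting refers to.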

Custom Attribute Schema URNs

An optional field that allows an admin to explicitly specify a comma-delimited list of schema URNs in which to look for custom attributes.

This is only required if the SCIM provider doesn’t follow the standard naming convention for schema extensions that define custom attributes. For example, URNs such as:

urn:ietf:params:scim:schemas:extension:<Organization Name>:2.0:User.