---
title: SCIM provisioner settings reference
description: Configuration settings and provisioning options for the SCIM Provisioner.
component: scim
page_id: scim:setup:pf_scim_connector_scim_connector_settings_reference
canonical_url: https://docs.pingidentity.com/integrations/scim/setup/pf_scim_connector_scim_connector_settings_reference.html
revdate: June 25, 2024
---

# SCIM provisioner settings reference

Configuration settings and provisioning options for the SCIM Provisioner.

| Field Name                        | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **SCIM URL** | The SCIM base URL for the target service. For example: `http://scim-example.com/v2/` |
| **SCIM Version** | The SCIM version supported by the target service. The options are:<br>- **2.0** (default)<br>- **1.1** |
| **Authentication Methods** | The authentication method expected by the target service. The options are:<br>- **None** (default)<br>- **Basic Authentication**<br>- **OAuth 2 Bearer Token**<br>- **OAuth 2 Client Credentials**<br><br>When an authentication method is selected, only the data required for that method will be processed. Entries in fields for other authentication methods will be ignored. |
| Basic Authentication              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| **Basic Authentication Username** | The username of the administrator account on the target service.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| **Basic Authentication Password** | The password of the administrator account on the target service.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| OAuth 2 Bearer Token              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| **Access Token**                  | The OAuth access token for the target service.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| OAuth 2 Client Credentials        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| **Token Request Endpoint** | The endpoint that the connector uses to get an access token. For example: `https://scim-example.com/as/token.oauth2` |
| **Client ID**                     | The client ID for the target service.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| **Client Secret** | The client secret for the target service. |
| **Scope**                         | An optional field that allows an admin to specify a comma-delimited list of OAuth scopes that access tokens requested from the SCIM provider should contain.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| SCIM Overrides                    |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| **Unique User Identifier** | The attribute that uniquely identifies a user when PingFederate does not have access to the unique user ID that the target application assigns to a user.<br>- userName (default): The value of the user name attribute. This sets the following filter expression: `userName eq <userName_value>`<br>- workEmail: The value of the work email attribute. Use when synchronization based on the username is not desirable. This sets the following filter expression: `emails eq <workEmail_value>`<br><br>To override a default filter, use the **Filter Expression** field.<br><br>To change the unique user identifier:<br>1. Delete the existing SP connection.<br>2. Restart PingFederate.<br>3. Create an SP Connection with the new Unique User Identifier setting. |
| **Filter Expression** | A rule that determines how the connector uses the unique user identifier to match existing users in the target application to users in the data store.<br><br>This expression overrides the default filter expression that is set by the **Unique User Identifier** field.<br><br>The filter expression contains three parts: `<attribute_name> <operation> <attribute_value>`<br><br>The *\<attribute\_value>* is represented by `"%s"` in the expression. It is populated by the value of the Unique User Identifier.<br><br>Example filter expressions:<br>- `username eq "%s"`<br>- `email co "%s"`<br><br>Check the target service documentation and the SCIM Filtering specification to see which filter expressions are supported. |
| **Authorization Header Type**     | The type of HTTP authorization header used. For example, `oauth2`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| **Users API Path**                | The users API path is used when the users endpoint deviates from the SCIM specification (`/Users` is used by default when left blank).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| **Groups Path API**               | The groups API path is used when the groups endpoint deviates from the SCIM specification (`/Groups` is used by default when left blank).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| **Results Per Page** | Determines the number of groups that PingFederate requests per `GET` request when searching all groups for a match. If the target service has a limit, change this value to match.<br><br>A value of `-1` retrieves the largest page size allowed by the target service.<br><br>The default value is `1000`. |
| Provisioning Options              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| **User Create** | - Selected (default): PingFederate creates users in the target service.<br>- Cleared: PingFederate does not create users in the target service. |
| **User Update** | - Selected (default): PingFederate updates existing users in the target service.<br>- Cleared: PingFederate does not update existing users in the target service. |
| **User Disable / Delete** | - Selected (default): PingFederate removes users from the target service according to the **Remove User Action** setting. You might need to enable User Update for this to work with some services.<br>- Cleared: PingFederate does not remove users from the target service. |
| **Provision Disabled Users** | - Selected: PingFederate creates users in the target service with a "disabled" status.<br>- Cleared (default): If a user has a "disabled" status, PingFederate does not create the user in the target service. |
|                                   | If any of the previous provisioning options are cleared, PingFederate logs a warning in the user workflow section of `provisioner.log` when the related action fails. |
| **Remove User Action** | - Delete: PingFederate deletes the user from the target service.<br>- Disable (default): PingFederate disables the user in the target service.<br><br>Some target applications do not support hard deleting users through external interfaces. For those services, users are disabled.<br><br>This option applies when **User Disable / Delete** is selected, and either:<br>- A previously provisioned user no longer meets the condition set on the **Source Location** tab.<br>- A user has been disabled or deleted from the data store. |
| **Group Name Source** | - Common Name (CN) (default): PingFederate provisions groups to the target service with a name equal to the common name (CN) of the group in the datastore.<br>- Distinguished Name (DN): PingFederate provisions groups with a name equal to the distinguished name (DN) of the group in the datastore. |
| **Use PATCH for Group Updates** | - Selected: PingFederate uses the `PATCH` method to update groups in the target service. Select this option if the target service supports `PATCH` updates to use lighter API calls.<br>- Cleared (default): PingFederate uses the `PUT` method to update groups in the target service. |
| **Custom Attribute Schema URNs** | An optional field that allows an admin to explicitly specify a comma-delimited list of schema URNs for which to look for custom attributes.<br><br>This is only required if the SCIM provider doesn't follow the standard naming convention for schema extensions that define custom attributes. For example, URNs such as: `urn:ietf:params:scim:schemas:extension:<Organization Name>:2.0:User`. |

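As an added example (not PingFederate code and not part of the original page), the sketch below shows how a **Filter Expression** template with the `"%s"` placeholder expands into a SCIM 2.0 `filter` query against the users API path. The function names are hypothetical, and JSON-escaping the identifier before substitution is this example's assumption about safe handling, not documented connector behavior.

```python
import json
import re
from urllib.parse import quote, urlencode

# Comparison operators from the SCIM filtering rules (RFC 7644) that take a value.
VALUE_OPERATORS = {"eq", "ne", "co", "sw", "ew", "gt", "ge", "lt", "le"}

# The three parts described on this page: <attribute_name> <operation> "%s"
TEMPLATE_RE = re.compile(r'^(?P<attr>\S+)\s+(?P<op>[A-Za-z]{2})\s+"%s"$')


def escape_filter_value(value: str) -> str:
    """Escape a string so it stays inside one quoted SCIM filter literal.

    SCIM filter string values follow JSON string rules, so json.dumps()
    produces the escaping; the surrounding quotes are dropped because the
    template already supplies them.
    """
    return json.dumps(value)[1:-1]


def build_filter(template: str, identifier: str) -> str:
    """Expand a Filter Expression template with the unique user identifier."""
    match = TEMPLATE_RE.match(template.strip())
    if not match or match["op"].lower() not in VALUE_OPERATORS:
        raise ValueError(f"unsupported filter expression template: {template!r}")
    return f'{match["attr"]} {match["op"]} "{escape_filter_value(identifier)}"'


def users_query_url(scim_url: str, users_api_path: str,
                    template: str, identifier: str) -> str:
    """Build the lookup URL from SCIM URL, Users API Path and the filter."""
    path = users_api_path or "/Users"  # default when the field is left blank
    base = scim_url.rstrip("/") + "/" + path.strip("/")
    query = urlencode({"filter": build_filter(template, identifier)},
                      quote_via=quote)
    return f"{base}?{query}"


if __name__ == "__main__":
    # Constructed sample values; the base URL is the example from this page.
    print(users_query_url("http://scim-example.com/v2/", "",
                          'userName eq "%s"', "jdoe"))
    # An identifier containing a quote remains a single escaped literal.
    print(build_filter('email co "%s"', 'j"doe'))
```

A template that does not match the three-part form, or that uses an operator outside the listed set, raises `ValueError` before any request URL is built.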