Defining the email scope
Define a permitted access token scope to retrieve email attributes.
Steps
- Sign on to the PingAuthorize Policy Editor using the URL and credentials from Accessing the GUIs.
- Click Policies.
- Expand Global Decision Point, SCIM Policy Set, Token Policies, and Scope Policies.
- Highlight Permitted Scopes.
- Click Components.
- From the Rules list, drag Permitted SCIM scope for user to the Rules section.
- To the right of the copied rule, click the hamburger menu.
- Click Replace with clone.
- Change the name to Scope: email.
- To expand the rule, click .
- Change the description to Rule that permits a SCIM user to access its own mail attribute if the access token contains the email scope.
- In the HttpRequest.AccessToken.scope row of the Condition section, type email in the CHANGEME field.
- Within the rule, click Show "Applies to".
- From the Actions section, drag retrieve to the Add definitions and targets, or drag from Components box.
  This task uses different actions from the previous gateway example.
- Within the rule, click Show Advice and Obligations.
- Click next to Advice and Obligations.
- From the Advice section, drag Include email attributes to the Advice and Obligations section.
  This predefined advice includes a payload. If the condition for this rule is satisfied, the response includes the mail attribute.
- Click Save changes.
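What the finished rule decides, modeled in Python as an added example (not PingAuthorize code and not part of the original page). The function names, decision strings, and sample data are constructed, and two things are assumed: the scope claim is a space-delimited string, and a user's own record is identified by comparing the token's sub claim with the resource id.

```python
"""Simplified model of the "Scope: email" rule (added example, not PingAuthorize code)."""

# Attributes the "Include email attributes" advice exposes in this model.
EMAIL_ATTRIBUTES = {"mail"}


def token_scopes(access_token: dict) -> set:
    """Split the scope claim into exact scope names (assumed space-delimited)."""
    raw = access_token.get("scope", "")
    if isinstance(raw, str):
        return set(raw.split())
    return set(raw)


def evaluate_email_rule(access_token: dict, action: str, resource: dict) -> dict:
    """Return the rule's decision and the attributes its advice adds."""
    not_applicable = {"decision": "NOT_APPLICABLE", "include": set()}
    if action != "retrieve":  # the rule's "Applies to" target
        return not_applicable
    if "email" not in token_scopes(access_token):  # exact match, not substring
        return not_applicable
    # Assumption: "its own" record means token subject == resource id.
    if access_token.get("sub") != resource.get("id"):
        return not_applicable
    return {"decision": "PERMIT", "include": set(EMAIL_ATTRIBUTES)}


def filter_response(resource: dict, decisions: list) -> dict:
    """Keep only attributes that a permitting rule asked to include."""
    allowed = set()
    for d in decisions:
        if d["decision"] == "PERMIT":
            allowed |= d["include"]
    return {k: v for k, v in resource.items() if k in allowed}


# Constructed sample data.
USER = {"id": "user.1", "mail": "user.1@example.com", "homePhone": "+1 555 0100"}
OWN_TOKEN = {"sub": "user.1", "scope": "openid email"}
LOOKALIKE_TOKEN = {"sub": "user.1", "scope": "openid email_admin"}

if __name__ == "__main__":
    for tok in (OWN_TOKEN, LOOKALIKE_TOKEN):
        d = evaluate_email_rule(tok, "retrieve", USER)
        print(tok["scope"], "->", d["decision"], filter_response(USER, [d]))
```

The lookalike token shows why the condition should compare whole scope names: a substring test would treat email_admin as granting email.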
Result
After completing the configuration, you will have a new email scope, which should look like the following.