PingAuthorize

SCIM policy request attributes

The following tables describe policy request attributes and their functions.

The following table identifies the attributes associated with a policy request that the System for Cross-domain Identity Management (SCIM) service generates.

| Policy request attribute | Description | Type |
| --- | --- | --- |
| action | Identifies the SCIM request as one of the following types: create, modify, retrieve, delete, search, search-request. | String |
| attributes | Additional attributes that do not correspond to a specific entity type in the PingAuthorize Trust Framework. For more information, see the following table. | Object |
| domain | Unused. | String |
| identityProvider | Name of the access token validator that evaluates the bearer token used in an incoming request. | String |
| service | Identifies the SCIM service and resource type using a value of the form `SCIM2.<resource type>`. For example, for a request using the "Users" resource type, the service value would be `SCIM2.Users`. | String |

The following table identifies the additional attributes that are included in attributes.

| Attribute | Description | Type |
| --- | --- | --- |
| HttpRequest.AccessToken | Parsed access token. For more information, see the following table. | Object |
| HttpRequest.ClientCertificate | Properties of the client certificate, if one is used. | Object |
| HttpRequest.CorrelationId | A unique value that identifies the request and response, if available. | String |
| HttpRequest.IPAddress | The client IP address. | String |
| HttpRequest.QueryParameters | Request URI query parameters. | Object |
| HttpRequest.RequestBody | The request body, if available. This attribute is available for POST, PUT, and PATCH requests. | Object |
| HttpRequest.RequestHeaders | The HTTP request headers. | Object |
| HttpRequest.RequestURI | The request URI. | String |
| HttpRequest.ResourcePath | Uniquely identifies the SCIM resource that is being requested, in the format `<Resource Type>/<SCIM ID>`, as the following example shows: `Users/0450b8db-f055-35d8-8e2f-0f203a291cd1` | String |
| HttpRequest.ResponseBody | The response body, if available. This attribute is provided only for outbound policy requests. | Object |
| HttpRequest.ResponseHeaders | The HTTP response headers, if available. | Object |
| HttpRequest.ResponseStatus | The HTTP response status code, if available. | Number |
| impactedAttributes | Provides the set of attributes that the request modifies. | Collection |
| SCIM2 | Provides additional, SCIM2-specific information about the request. | Object |
| TokenOwner | Access token subject as a SCIM resource, as obtained by the access token validator. | Object |

The access token validator populates the HttpRequest.AccessToken attribute, which contains the fields in the following table. These fields correspond approximately to the fields that the IETF Token Introspection specification (RFC 7662) defines.

| Attribute | Description | Type |
| --- | --- | --- |
| access_token | The actual access token from the client request. | String |
| active | Indicates whether this access token is currently active, as determined by the access token validator. | Boolean |
| audience | Identifies the recipients for whom the access token is intended. Typically, the authorization server sets this field to indicate the resource servers that might accept the token. | Array |
| client_id | The client ID of the application that was granted the access token. | String |
| expiration | Date and time at which the access token expires. | DateTime |
| issued_at | Date and time at which the access token was issued. | DateTime |
| issuer | Token issuer. This attribute is usually a URI that identifies the authorization server. | String |
| not_before | Date and time before which a resource server does not accept the access token. | DateTime |
| scope | Identifies the list of scopes granted to this token. | Collection |
| subject | Token subject. This attribute is a user identifier that the authorization server sets. | String |
| token_owner | User identifier that was resolved by the access token validator’s token resource lookup method. This attribute is always a SCIM ID of the form `<resource type>/<resource ID>`. | String |
| token_type | The token type, as set by the authorization server. This value is typically set to bearer. | String |
| user_token | Flag that the access token validator sets to indicate that the token was issued originally to a subject. If this flag is false, the token does not have a subject and was issued directly to a client. | Boolean |
| username | Subject’s user name. This attribute is a user identifier that the authorization server sets. | String |

The following table identifies the fields that the HttpRequest.ClientCertificate attribute contains.

| Attribute | Description | Type |
| --- | --- | --- |
| algorithm | Name of the certificate signature algorithm, such as SHA256withRSA. | String |
| algorithmOID | Signature algorithm OID. | String |
| issuer | Distinguished name (DN) of the certificate issuer. | String |
| notAfter | Expiration date and time of the certificate. | DateTime |
| notBefore | Earliest date on which the certificate is considered valid. | DateTime |
| subject | DN of the certificate subject. | String |
| subjectRegex | Regular expression that must be matched by the subject field of the certificate to ensure that the certificate belongs to the requesting client. | String |
| valid | Indicates whether the certificate is valid. | Boolean |

The following table identifies the fields that the SCIM2 attribute contains.

| Attribute | Description | Type |
| --- | --- | --- |
| modifications | Contains a normalized SCIM 2 PATCH request object that represents all of the changes to apply. This attribute is available for PUT and PATCH requests. | Object |
| resource | Complete SCIM resource that the request targets. This attribute is available for GET, PUT, PATCH, and DELETE requests. The resource attribute is also available in the policy requests that are performed for each matching SCIM resource in a search result. For more information, see About SCIM searches. | Object |
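The following added example is not PingAuthorize code or policy syntax. It sketches in Python how the attributes described in the tables on this page combine in an owner-only rule: the resource type in service must agree with HttpRequest.ResourcePath, token_owner must equal the target resource, and writes are limited by impactedAttributes. The dictionary layout, the validator name, the writable set, and all values are assumptions constructed for illustration.

```python
# Added illustration: the request layout is an assumption built from the
# attribute names documented on this page; every value is constructed.
SAMPLE_REQUEST = {
    "action": "modify",
    "domain": "",
    "identityProvider": "example-validator",  # hypothetical validator name
    "service": "SCIM2.Users",
    "attributes": {
        "HttpRequest.ResourcePath": "Users/0450b8db-f055-35d8-8e2f-0f203a291cd1",
        "HttpRequest.AccessToken": {
            "active": True,
            "user_token": True,
            "scope": ["profile"],
            "token_owner": "Users/0450b8db-f055-35d8-8e2f-0f203a291cd1",
        },
        "impactedAttributes": ["emails"],
    },
}

WRITE_ACTIONS = {"create", "modify", "delete"}


def resource_type(service):
    """Split 'SCIM2.<resource type>' and return the resource type, or None."""
    prefix, sep, rtype = service.partition(".")
    return rtype if prefix == "SCIM2" and sep and rtype else None


def self_service_decision(request, writable=frozenset({"emails"})):
    """Return (permit, reason) for an owner-only rule (hypothetical policy)."""
    attrs = request.get("attributes", {})
    token = attrs.get("HttpRequest.AccessToken") or {}
    path = attrs.get("HttpRequest.ResourcePath", "")
    rtype = resource_type(request.get("service", ""))
    if token.get("active") is not True:
        return False, "token not active"
    if token.get("user_token") is not True:
        return False, "token was issued to a client, not a subject"
    if rtype is None or path.partition("/")[0] != rtype:
        return False, "service and ResourcePath disagree"
    if token.get("token_owner") != path:
        return False, "token owner is not the target resource"
    if request.get("action") in WRITE_ACTIONS:
        # Deny writes that touch anything outside the allowed attribute set.
        extra = set(attrs.get("impactedAttributes", [])) - writable
        if extra:
            return False, "write touches " + ", ".join(sorted(extra))
    return True, "owner access"
```

The checks fail closed: a missing or non-boolean active or user_token value is treated the same as false.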