PingDirectory

Configuring Permissions for SCIM 2.0 Operations

Configure permissions so that POST requests with the userAdd scope succeed on a PingDirectoryProxy deployment.

Before you begin

Set up an LDAP mapping System for Cross-domain Identity Management (SCIM) 2.0 resource type for the inetOrgPerson objectclass.

Learn more in Configuring an LDAP-mapped SCIM resource type.

About this task

To configure permissions:

Steps

  1. Set the SCIM resource type property:

    Choose from:

    • If the SCIM resource type being targeted already has a value for the create-dn-pattern property, skip to step 2.

    • To set the SCIM resource type property, run the following dsconfig command on the PingDirectoryProxy server.

      dsconfig set-scim-resource-type-prop \
--type-name Users \
--set create-dn-pattern:entryUUID=generated,ou=People,dc=example,dc=com

  2. Send the following request to the PingDirectoryProxy server’s SCIM /Users endpoint.

    curl -k -X POST \
https://localhost:8443/scim/v2/Users/ \
-H 'Authorization: Bearer {"active":true}' \
-H 'Content-type: application/json' \
--data '{"username":"user.test", "name":{"formatted":"Test",
"familyName":"User"}, "schemas":["urn:pingidentity:schemas:User:1.0"]}'

    The HTTP port can vary depending on the deployment configuration.

    Example:

    The response from the server should have a status of 403 and should contain a correlation ID similar to the following.

    {
"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],
"status":"403",
"detail":"Request failed:
correlationID='faa707b3-5d48-42e6-9e78-2c8dbb1e2cac'"
}

    This is the expected response since this SCIM request does not have the permission needed to write to an entry. For more information on viewing the full server error message, see Troubleshooting the SCIM 2.0 servlet Extension.

  3. Add an access control instruction (ACI) to the backend server’s ou=People,dc=example,dc=com subtree.

    1. Run the following ldapmodify command for creating the ACI on the backend PingDirectory server (and not the PingDirectoryProxy) endpoint.

      $ ldapmodify
dn:ou=People,dc=example,dc=com
changetype:modify
add:aci
aci:(version 3.0; acl "ACI for userAdd scope"; allow (add)
oauthscope="userAdd";)

      This ACI doesn’t grant write access to attributes, which means modify operations will not succeed. For more information on ACI configurations, see Overview of access control.

      This ACI grants permission to add entries to the specified subtree as long as the SCIM request contains the userAdd scope.

  4. Send the POST request to the SCIM /Users endpoint again, and include the userAdd scope in the bearer token.

    Example:

    curl -k -X POST \
https://localhost:8443/scim/v2/Users \
-H 'Authorization: Bearer {"active":true, "scope":"userAdd"}' \
-H 'Content-type: application/json' \
--data '{"username":"user.test", "name":{"formatted":"Test",
"familyName":"User"}, "schemas":["urn:pingidentity:schemas:User:1.0"]}'

    Result:

    The response from the server contains the created SCIM resource, which also contains values for the name and username attributes similar to the following.

    {
"name":{
"familyName":"User",
"formatted":"Test"
},
"username":"user.test",
"id":"6f9a89b8-e766-478c-9667-def049daf6bc",
"meta":{
"resourceType":"Users",
"location":"https://localhost:8443/scim/v2/Users/6f9a89b8-e766-478c-9667-
def049daf6bc"
},
"schemas":["urn:pingidentity:schemas:User:1.0"]
}