PingDirectory

Mapping SCIM resource IDs

The default scim-resources.xml configuration maps the SCIM resource ID to the LDAP entryUUID attribute. The entryUUID attribute, whose read-only value is assigned by the server, meets the requirements of the SCIM specification regarding resource ID immutability. However, configuring a mapping to the attribute can result in inefficient group processing, since LDAP groups use the entry DN as the basis of group membership. The resource configuration allows the SCIM resource ID to be mapped to the LDAP entry DN. However, the entry DN does not meet the requirements of the SCIM specification regarding resource ID immutability. LDAP permits entries to be renamed or moved, thus modifying the DN. Likewise, you can use the Identity Access API to change the value of an entry’s RDN attribute, thereby triggering a MODDN operation.

A resource can also be configured such that its SCIM resource ID is provided by an arbitrary attribute in the request body during POST operations. This SCIM attribute must be mapped to an LDAP attribute so that the SCIM resource ID can be stored in the server. By default, it is the responsibility of the SCIM client to guarantee ID uniqueness. However, the UID Unique Attribute Plugin can be used by the server to enforce attribute value uniqueness. For information about the UID Unique Attribute Plugin, see Working with the Unique Attribute plugin.

Resource IDs cannot be mapped to virtual attributes. For more information about configuring SCIM Resource IDs, see About the resourceIDMapping element.