PingDirectory

Considerations for synchronizing to a SCIM destination

When configuring a Lightweight Directory Access Protocol (LDAP) to System for Cross-domain Identity Management (SCIM) Sync Pipe, consider the following:

Use scim-resources.xml for attribute and DN mappings

Mapping happens in two layers: once at the Sync Class level and again at the SCIM Sync Destination level in the scim-resources.xml file. To reduce complexity, do all possible mappings in the scim-resources.xml file.

Avoid groups unless the SCIM ID is DN based

Group synchronization is supported if the SCIM ID is based on the distinguished name (DN). If the SCIM ID is not the DN itself, it must be one of the components of the RDN, meaning that the DNs of group members must contain the necessary attribute.
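The following pre-flight check is an added example, not part of the product or its documentation: it scans group member DNs and reports those whose RDN lacks the attribute the SCIM ID is based on. The attribute name `uid`, the function names, and the sample DNs are assumptions made for illustration; quoted-string DN values are not handled.

```python
import re

ID_ATTR = "uid"  # assumption: the attribute the SCIM ID is based on

def _split(s, sep):
    """Split on sep, keeping backslash-escaped separators inside the value."""
    return re.findall(r"(?:\\.|[^\\%s])+" % re.escape(sep), s, flags=re.S)

def _unescape(value):
    """Decode RFC 4514 escapes: backslash + hex pair, or backslash + character."""
    def repl(m):
        g = m.group(1)
        return bytes([int(g, 16)]) if len(g) == 2 else g
    raw = re.sub(rb"\\([0-9A-Fa-f]{2}|.)", repl, value.encode("utf-8"), flags=re.S)
    return raw.decode("utf-8")

def scim_id_from_dn(dn, id_attr=ID_ATTR):
    """Return id_attr's value from the leftmost RDN of dn, or None if absent."""
    rdns = _split(dn, ",")
    if not rdns:
        return None
    for ava in _split(rdns[0], "+"):        # components of a multi-valued RDN
        attr, _, value = ava.partition("=")
        if attr.strip().lower() == id_attr.lower():
            return _unescape(value.lstrip())
    return None

def members_missing_id(member_dns, id_attr=ID_ATTR):
    """Member DNs whose RDN lacks id_attr and so cannot resolve to a SCIM ID."""
    return [dn for dn in member_dns if scim_id_from_dn(dn, id_attr) is None]

# Constructed sample member DNs (not from any real directory).
SAMPLE_MEMBERS = [
    "uid=jdoe,ou=People,dc=example,dc=com",
    "cn=John Doe+uid=jdoe2,ou=People,dc=example,dc=com",  # multi-valued RDN
    "uid=smith\\, anna,ou=People,dc=example,dc=com",      # escaped comma in value
    "cn=Service Account,ou=Apps,dc=example,dc=com",       # no uid in RDN
    "cn=uid\\=fake,ou=People,dc=example,dc=com",          # "uid=" is only text in cn
]

if __name__ == "__main__":
    for dn in SAMPLE_MEMBERS:
        print(f"{scim_id_from_dn(dn)!r:16} {dn}")
    print("unmappable:", members_missing_id(SAMPLE_MEMBERS))
```

Members reported as unmappable are the ones to resolve before enabling group synchronization with a non-DN SCIM ID.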

SCIM modifies entries using PUT

The SCIM Sync Destination modifies entries using the full HTTP PUT method. For every modify, SCIM replaces the entire resource with the updated resource. For information about the implications of this on password updates, see Password considerations with SCIM.