Enabling user mapping for SCIM 2.0 operations
Access token validator identity mapping ties a local user account to an operation performed in the SCIM 2.0 servlet in the PingDirectory server.
About this task
This topic applies only to the PingDirectory server.
The default configuration for the PingDirectory server for the SCIM 2.0 servlet doesn’t require an access token to map to a local user, and operations are recorded in the logs as the `SCIM2 Servlet` user. For more detailed logging and auditing, enable the `map-access-tokens-to-local-users` property to require access tokens to map to a local user.
The users that are being mapped to the access tokens must have the necessary access control rights required to perform the operations that the SCIM 2.0 servlet will invoke on their behalf. You should update the authorization server to issue tokens that include the
The `map-access-tokens-to-local-users` property is an optional configuration with the three settings shown in the following table.

Setting | Definition |
---|---|
`disabled` | The server doesn’t attempt to map SCIM 2.0 access tokens to local users and operations are processed under the authority of the |
`optional` | The server attempts to map SCIM 2.0 access tokens to local users and, if successful, the operations are processed under the authority of that user. The distinguished name (DN) of the mapped user appears in the access logs. If unsuccessful, the server falls back to the default behavior. |
`required` | The server must map the SCIM 2.0 access token to one local user or the operation is rejected. |

To set the `map-access-tokens-to-local-users` property:
Steps
- Run `dsconfig` with the `set-http-servlet-extension-prop` option.

  Choose from:

  - To set the property to `required`, run the following command.

    ```
    dsconfig set-http-servlet-extension-prop \
      --extension-name SCIM2 \
      --set map-access-tokens-to-local-users:required
    ```

  - To set the property to `optional`, run the following command.

    ```
    dsconfig set-http-servlet-extension-prop \
      --extension-name SCIM2 \
      --set map-access-tokens-to-local-users:optional
    ```

  - To reset the property to the default setting, `disabled`, run the following command.

    ```
    dsconfig set-http-servlet-extension-prop \
      --extension-name SCIM2 \
      --set map-access-tokens-to-local-users:disabled
    ```
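
The following is an added example, not part of the PingDirectory documentation: a small Python model of the three settings, useful for seeing which callers would still be logged as the SCIM2 Servlet user and which would be rejected before the property is changed. It does not contact a server; the token subjects, DNs, and the rule that anything other than exactly one matching DN counts as a failed mapping are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVLET_USER = "SCIM2 Servlet user"   # identity the page says is logged by default
MODES = ("disabled", "optional", "required")

@dataclass(frozen=True)
class Decision:
    allowed: bool
    authority: Optional[str]   # identity the operation is processed and logged under

def resolve_authority(mode: str, matched_dns: List[str]) -> Decision:
    """Model one token under map-access-tokens-to-local-users.
    Assumption: anything other than exactly one matching local DN is a failed mapping."""
    if mode not in MODES:
        raise ValueError(f"unknown setting: {mode!r}")
    if mode == "disabled":
        return Decision(True, SERVLET_USER)    # no mapping attempted
    if len(matched_dns) == 1:
        return Decision(True, matched_dns[0])  # mapped DN appears in the access log
    if mode == "optional":
        return Decision(True, SERVLET_USER)    # falls back to the default behavior
    return Decision(False, None)               # required: operation is rejected

def rollout_impact(tokens: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Group token subjects by outcome under each setting."""
    report = {}
    for mode in MODES:
        groups = {"mapped": [], "servlet_user": [], "rejected": []}
        for subject, dns in sorted(tokens.items()):
            d = resolve_authority(mode, dns)
            if not d.allowed:
                groups["rejected"].append(subject)
            elif d.authority == SERVLET_USER:
                groups["servlet_user"].append(subject)
            else:
                groups["mapped"].append(subject)
        report[mode] = groups
    return report

# Constructed sample: token subject -> local DNs the identity mapper matched.
SAMPLE_TOKENS = {
    "alice": ["uid=alice,ou=People,dc=example,dc=com"],
    "batch-client": [],                                   # no local account
    "jsmith": ["uid=jsmith,ou=People,dc=example,dc=com",  # ambiguous: two entries
               "uid=jsmith,ou=Contractors,dc=example,dc=com"],
}

if __name__ == "__main__":
    for mode, groups in rollout_impact(SAMPLE_TOKENS).items():
        print(f"{mode:9} {groups}")
```

In this model, every subject listed under `servlet_user` for `optional` moves to `rejected` under `required`, so those are the clients to fix before tightening the setting.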