Configure SCIM 2.0 endpoint mappings
A System for Cross-domain Identity Management (SCIM) 2.0 endpoint mapping provides information about a specific endpoint in the SCIM 2.0 server and the kinds of entries available at that endpoint.
SCIM 2.0 servers can have multiple endpoints for different kinds of entries (for example, one for users and another for groups), and if you want to be able to synchronize different kinds of entries, then you’ll need a separate SCIM 2.0 endpoint mapping for each.
The following configuration properties are associated with a SCIM 2.0 endpoint mapping:
endpoint-path
    The relative path used to access the target endpoint in the SCIM 2.0 server. This is the portion of the path that is appended to the scim-service-url property of the SCIM 2.0 external server to get the full path to the endpoint. For example, if the full path to the endpoint used for accessing user entries is https://scim2.example.com/scim/v2/Users, and the scim-service-url value is https://scim2.example.com/scim/v2, then the appropriate endpoint-path value is Users. This property is required.

schema-urn
    The URN of the SCIM 2.0 schema for the entries that are associated with this endpoint. This property is required, and multiple values can be specified if there are multiple schemas associated with the endpoint.

attribute-mapping
    The set of attribute mappings that will be used to construct the SCIM 2.0 representation of an entry from the LDAP representation of the source entry constructed by a sync class. These attribute mappings are used when:
    - Fetching an entry from the SCIM 2.0 server to determine whether the entry needs to be created or updated
    - Creating a new entry
    - Updating an existing entry
    At least one attribute mapping must be defined, but there will probably be several.

search-attribute-mapping
    The set of attribute mappings that will be used to construct a SCIM 2.0 filter for locating the SCIM entry that corresponds to the mapped Lightweight Directory Access Protocol (LDAP) representation of the source entry. For example, when mapping an LDAP user to a SCIM 2.0 user, you might map the uid LDAP attribute to the userName SCIM attribute, so that an LDAP entry with a uid value of jdoe results in the SCIM 2.0 search filter userName eq "jdoe". This property is required, and multiple values can be provided if there should be multiple search attributes (which are combined in an AND filter).

sync-class-name
    The name of the sync class that will be used to map source entries for synchronization to the target endpoint. This property is optional, and it can be omitted if the SCIM 2.0 sync destination is only associated with a single endpoint. If the SCIM 2.0 sync destination will be associated with multiple endpoints, then this property must be specified. It can be given multiple values if multiple sync classes can be used to map source entries for the same endpoint.
You can use the following example configuration change to create a SCIM 2.0 endpoint mapping (the attribute mappings it references must already exist):

dsconfig create-scim2-endpoint-mapping \
    --mapping-name "Users Endpoint" \
    --set endpoint-path:Users \
    --set schema-urn:urn:ietf:params:scim:schemas:core:2.0:User \
    --set "attribute-mapping:User Name Mapping" \
    --set "attribute-mapping:Name Mapping" \
    --set "attribute-mapping:Display Name Mapping" \
    --set "attribute-mapping:Email Address Mapping" \
    --set "attribute-mapping:Postal Address Mapping" \
    --set "attribute-mapping:Phone Number Mapping" \
    --set "search-attribute-mapping:User Name Mapping" \
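The following Python script is an added worked example, not code from the product or its documentation. It shows what the endpoint-path, search-attribute-mapping and attribute-mapping properties described above amount to at the protocol level: joining scim-service-url and endpoint-path into the endpoint URL, turning the mapped LDAP attributes into the SCIM filter used to look the entry up (with JSON-encoded values, since RFC 7644 filter values are JSON strings, so a source value containing a quote or backslash cannot alter the filter), and building the SCIM resource body for a create or update. The service URL, schema URN, LDAP entry and the dictionary form of the attribute mappings are all constructed assumptions for this example; the product's own attribute mapping types are richer than this simple name-to-name table.

```python
"""Added example: what a SCIM 2.0 endpoint mapping does at the protocol level."""
import json
from urllib.parse import quote

# Constructed sample configuration; all values are assumptions for this example.
SCIM_SERVICE_URL = "https://scim2.example.com/scim/v2"          # scim-service-url
ENDPOINT_PATH = "Users"                                         # endpoint-path
SCHEMA_URNS = ["urn:ietf:params:scim:schemas:core:2.0:User"]    # schema-urn

# Hypothetical attribute mappings, SCIM attribute path -> LDAP attribute name.
# A dotted path such as "name.givenName" targets a sub-attribute.
ATTRIBUTE_MAPPING = {
    "userName": "uid",
    "name.givenName": "givenName",
    "name.familyName": "sn",
    "displayName": "cn",
}
SEARCH_ATTRIBUTE_MAPPING = {"userName": "uid"}                  # search-attribute-mapping

# Constructed LDAP source entry (attribute name -> list of values), as a sync
# class would hand it to the destination.
LDAP_ENTRY = {
    "uid": ["jdoe"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "cn": ["Jane Doe"],
}


def endpoint_url(service_url: str, endpoint_path: str) -> str:
    """Full endpoint URL: scim-service-url plus the relative endpoint-path."""
    return service_url.rstrip("/") + "/" + endpoint_path.strip("/")


def first_value(entry: dict, ldap_attr: str):
    """First value of an LDAP attribute, or None if the entry lacks it."""
    values = entry.get(ldap_attr) or []
    return values[0] if values else None


def scim_filter(entry: dict, search_mapping: dict) -> str:
    """Build the SCIM filter used to look the entry up before create/update.

    Each mapped attribute becomes an `eq` comparison and several are joined
    with `and`. The value is JSON-encoded, so quotes or backslashes in the
    source value are escaped instead of changing the filter's structure.
    """
    clauses = []
    for scim_attr, ldap_attr in search_mapping.items():
        value = first_value(entry, ldap_attr)
        if value is None:
            raise ValueError(f"source entry has no {ldap_attr!r}; cannot build filter")
        clauses.append(f"{scim_attr} eq {json.dumps(value)}")
    return " and ".join(clauses)


def search_url(entry: dict) -> str:
    """GET URL the destination would use to find the matching SCIM resource."""
    filter_expr = scim_filter(entry, SEARCH_ATTRIBUTE_MAPPING)
    return endpoint_url(SCIM_SERVICE_URL, ENDPOINT_PATH) + "?filter=" + quote(filter_expr, safe="")


def scim_resource(entry: dict, attribute_mapping: dict, schema_urns: list) -> dict:
    """SCIM representation of the entry, as sent in a create (POST) or update."""
    resource = {"schemas": list(schema_urns)}
    for scim_path, ldap_attr in attribute_mapping.items():
        value = first_value(entry, ldap_attr)
        if value is None:
            continue  # source attribute absent: omit it rather than send null
        node = resource
        *parents, leaf = scim_path.split(".")
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return resource


if __name__ == "__main__":
    print(search_url(LDAP_ENTRY))
    print(json.dumps(scim_resource(LDAP_ENTRY, ATTRIBUTE_MAPPING, SCHEMA_URNS), indent=2))
```

Running the script prints the lookup URL https://scim2.example.com/scim/v2/Users?filter=userName%20eq%20%22jdoe%22 and the JSON body that would be POSTed to the Users endpoint if the filter matches nothing. Adding a second entry to SEARCH_ATTRIBUTE_MAPPING produces the AND-combined filter the page describes.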