PingDirectory

Configure SCIM 2.0 endpoint mappings

A System for Cross-domain Identity Management (SCIM) 2.0 endpoint mapping provides information about a specific endpoint in the SCIM 2.0 server and the kinds of entries available at that endpoint.

SCIM 2.0 servers can have multiple endpoints for different kinds of entries (for example, one for users and another for groups), and if you want to be able to synchronize different kinds of entries, then you’ll need a separate SCIM 2.0 endpoint mapping for each.

The following configuration properties are associated with a SCIM 2.0 endpoint mapping:

endpoint-path

The relative path used to access the target endpoint in the SCIM 2.0 server. This is the portion of the path that needs to be appended to the scim-service-url property from the SCIM 2.0 external server to get the full path to the endpoint. For example, if the full path to an endpoint to use for accessing user entries is https://scim2.example.com/scim/v2/Users, and if the scim-service-url value is https://scim2.example.com/scim/v2, then the appropriate endpoint-path value would be Users. This is required.

schema-urn

The URN of the SCIM 2.0 schema for the entries that are associated with this endpoint. This is required, and multiple values can be specified if there are multiple schemas associated with the endpoint.

attribute-mapping

The set of attribute mappings that will be used to construct the SCIM 2.0 representation of an entry from the Lightweight Directory Access Protocol (LDAP) representation of the source entry constructed by a sync class. These attribute mappings will be used when:

  • Fetching an entry from the SCIM 2.0 server to determine whether the entry needs to be created or updated

  • Creating a new entry

  • Updating an existing entry

At least one attribute mapping must be defined, but there will probably be several.

search-attribute-mapping

The set of attribute mappings used to construct the SCIM 2.0 filter that searches for the SCIM entry corresponding to the mapped LDAP representation of the source entry. For example, when mapping an LDAP user to a SCIM 2.0 user, you might map the uid LDAP attribute to the userName SCIM attribute, and an LDAP entry with a uid value of jdoe could result in a SCIM 2.0 search filter of userName eq "jdoe". This is required, and multiple values can be provided if there should be multiple search attributes (which will be combined in an AND filter).

sync-class-name

The name of the sync class that will be used to map source entries for synchronization to the target endpoint. This is optional, and it can be omitted if the SCIM 2.0 sync destination is only associated with a single endpoint. If the SCIM 2.0 sync destination will be associated with multiple endpoints, then this property must be specified. It can be given multiple values if multiple sync classes can be used to map source entries for the same endpoint.
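The following added example (not PingDirectory code) illustrates how endpoint-path is appended to scim-service-url and how search-attribute-mapping values become a SCIM 2.0 filter, with several search attributes joined by AND. The sample LDAP entry, the mapping dictionary and the function names are constructed for illustration; comparison values are encoded as JSON strings, as RFC 7644 requires, so a quote or backslash in an LDAP value cannot alter the structure of the filter.

```python
import json
from urllib.parse import urlencode

# Constructed sample: the LDAP representation of a source entry (multi-valued attributes as lists).
SAMPLE_ENTRY = {"uid": ["jdoe"], "mail": ["jdoe@example.com"], "cn": ["John Doe"]}

# Constructed sample: search-attribute-mapping as {ldap_attribute: scim_attribute}.
SAMPLE_SEARCH_MAPPINGS = {"uid": "userName", "mail": "emails.value"}


def endpoint_url(scim_service_url: str, endpoint_path: str) -> str:
    """Join the SCIM 2.0 external server's scim-service-url with an endpoint-path.

    A trailing slash on the base or a leading slash on the path is tolerated.
    """
    return scim_service_url.rstrip("/") + "/" + endpoint_path.strip("/")


def scim_filter_value(value: str) -> str:
    """Encode a comparison value for a SCIM filter.

    RFC 7644 section 3.4.2.2 defines string comparison values as JSON strings,
    so json.dumps yields the correct quoting and escapes '"' and '\\'.
    """
    return json.dumps(value)


def build_search_filter(ldap_entry: dict, search_mappings: dict) -> str:
    """Build the 'attr eq value' clauses for each search attribute, ANDed together.

    Raises ValueError when the source entry lacks a mapped search attribute,
    since a filter with a missing clause could match the wrong SCIM entry.
    """
    clauses = []
    for ldap_attr, scim_attr in search_mappings.items():
        values = ldap_entry.get(ldap_attr)
        if not values:
            raise ValueError(f"source entry has no value for search attribute {ldap_attr!r}")
        clauses.append(f"{scim_attr} eq {scim_filter_value(values[0])}")
    return " and ".join(clauses)


def search_request_url(scim_service_url: str, endpoint_path: str,
                       ldap_entry: dict, search_mappings: dict) -> str:
    """Full GET URL used to look up the SCIM entry for a source entry."""
    query = urlencode({"filter": build_search_filter(ldap_entry, search_mappings)})
    return f"{endpoint_url(scim_service_url, endpoint_path)}?{query}"


if __name__ == "__main__":
    print(search_request_url("https://scim2.example.com/scim/v2", "Users",
                             SAMPLE_ENTRY, SAMPLE_SEARCH_MAPPINGS))
```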

You can use the following example configuration change to create a SCIM 2.0 endpoint mapping:

dsconfig create-scim2-endpoint-mapping \
     --mapping-name "Users Endpoint" \
     --set endpoint-path:Users \
     --set schema-urn:urn:ietf:params:scim:schemas:core:2.0:User \
     --set "attribute-mapping:User Name Mapping" \
     --set "attribute-mapping:Name Mapping" \
     --set "attribute-mapping:Display Name Mapping" \
     --set "attribute-mapping:Email Address Mapping" \
     --set "attribute-mapping:Postal Address Mapping" \
     --set "attribute-mapping:Phone Number Mapping" \
     --set "search-attribute-mapping:User Name Mapping" \