Considerations for synchronizing to a SCIM destination
When configuring a Lightweight Directory Access Protocol (LDAP) to System for Cross-domain Identity Management (SCIM) Sync Pipe, consider the following:
- Use scim-resources.xml for attribute and DN mappings

  There are two layers of mapping: once at the Sync Class level and again at the SCIM Sync Destination level in the scim-resources.xml file. To reduce complexity, do all possible mappings in the scim-resources.xml file.

- Avoid groups unless the SCIM ID is DN based

  Group synchronization is supported if the SCIM ID is based on the distinguished name (DN). If the SCIM ID is not the DN itself, it must be one of the components of the RDN, meaning that the DNs of group members must contain the necessary attribute.

- SCIM modifies entries using PUT

  The SCIM Sync Destination modifies entries using the full HTTP PUT method. For every modify, SCIM replaces the entire resource with the updated resource. For information about the implications of this on password updates, see Password considerations with SCIM.
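
A pre-flight check for the group guidance above, as an added example that is not part of the product or its documentation: it confirms that every group member DN carries the attribute used as the SCIM ID in its leftmost RDN, and lists the members that do not. The attribute name `uid`, the function names, and the sample DNs are assumptions constructed for illustration.

```python
# Added example (not product code): find group members whose DN cannot
# yield a SCIM ID because the ID attribute is missing from the RDN.

def split_unescaped(s, sep):
    """Split s on sep, ignoring separators escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts

def rdn_components(dn):
    """Return {attr: value} for the leftmost RDN; '+' joins multi-valued RDNs."""
    rdn = split_unescaped(dn, ",")[0]
    comps = {}
    for ava in split_unescaped(rdn, "+"):
        attr, _, value = ava.partition("=")
        comps[attr.strip().lower()] = value.strip()
    return comps

def check_group_members(member_dns, id_attr):
    """Return ({dn: scim_id} for usable members, [dn] for unusable ones)."""
    ok, bad = {}, []
    for dn in member_dns:
        value = rdn_components(dn).get(id_attr.lower())
        if value:
            ok[dn] = value
        else:
            bad.append(dn)
    return ok, bad

# Constructed sample member DNs (assumed ID attribute: uid)
MEMBERS = [
    "uid=jdoe,ou=People,dc=example,dc=com",
    "cn=Smith\\, Ann+uid=asmith,ou=People,dc=example,dc=com",
    "cn=Bob Jones,ou=People,dc=example,dc=com",
]

if __name__ == "__main__":
    ok, bad = check_group_members(MEMBERS, "uid")
    print("resolvable:", ok)
    print("missing uid in RDN:", bad)
```

Running it against an export of group `member` values before enabling group synchronization shows which memberships cannot be mapped to a SCIM ID.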