PingDirectory

Custom SCIM 2.0 attribute mappings for extended schemas

You can map custom attributes defined in extended schemas to System for Cross-domain Identity Management (SCIM) 2.0 sync destinations.

Consider the following example JSON that creates testUser using SCIM 2.0 and includes the custom attributes workAnniversary and employeeAge from an extended schema:

{
  "schemas": [
    "urn:ietf:params:scim:schemas:extension:gluu:2.0:User",
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "7e929a2d-18d3-462f-8c32-653a9ed170e2",
  "meta": {
    "resourceType": "User",
    "created": "2022-12-07T03:33:45.469Z",
    "lastModified": "2022-12-07T03:34:45.830Z",
    "location": "https://rhel8/identity/restv1/scim/v2/Users/7e929a2d-18d3-462f-8c32-653a9ed170e2"
  },
  "userName": "testUser",
  "name": {
    "familyName": "User",
    "givenName": "Test",
    "formatted": "Test User"
  },
  "active": true,
  "displayName": "Test User",
  "urn:ietf:params:scim:schemas:extension:gluu:2.0:User": {
    "workAnniversary": "1994-12-16T10:32:00Z",
    "employeeAge": 55
  }
}

To map custom attributes for synchronization with the SCIM 2.0 destination, you must:

  • Create a composed complex attribute mapping with the custom schema URN

  • Define any custom attributes associated with the custom schema as sub-attributes of the complex attribute

For example, to map the custom attributes workAnniversary and employeeAge, use the following commands.

To map the sub-attribute employeeAge:

dsconfig create-scim2-attribute-mapping \
  --mapping-name urn:ietf:params:scim:schemas:extension:gluu:2.0:User.employeeAge \
  --type number \
  --set scim-attribute-name:employeeAge \
  --set attribute-usage:create-during-realtime-sync \
  --set attribute-usage:create-during-resync \
  --set attribute-usage:update-during-realtime-sync \
  --set attribute-usage:update-during-resync \
  --set ldap-attribute-name:loginGraceLimit \
  --set single-valued:true \
  --set default-value:55

To map the sub-attribute workAnniversary:

dsconfig create-scim2-attribute-mapping \
  --mapping-name urn:ietf:params:scim:schemas:extension:gluu:2.0:User.workAnniversary \
  --type date-time \
  --set scim-attribute-name:workAnniversary \
  --set attribute-usage:create-during-realtime-sync \
  --set attribute-usage:create-during-resync \
  --set attribute-usage:update-during-realtime-sync \
  --set attribute-usage:update-during-resync \
  --set ldap-attribute-name:loginTime \
  --set single-valued:true \
  --set default-value:1994-12-16T10:32:00Z

To map the composed complex attribute:

dsconfig create-scim2-attribute-mapping \
  --mapping-name urn:ietf:params:scim:schemas:extension:gluu:2.0:User \
  --type composed-complex \
  --set scim-attribute-name:urn:ietf:params:scim:schemas:extension:gluu:2.0:User \
  --set attribute-usage:create-during-realtime-sync \
  --set attribute-usage:create-during-resync \
  --set attribute-usage:fetch \
  --set attribute-usage:update-during-realtime-sync \
  --set attribute-usage:update-during-resync \
  --set sub-attribute-mapping:urn:ietf:params:scim:schemas:extension:gluu:2.0:User.employeeAge \
  --set sub-attribute-mapping:urn:ietf:params:scim:schemas:extension:gluu:2.0:User.workAnniversary

After running the previous example commands, you must add the composed complex attribute to the list of attribute mappings for the appropriate SCIM 2.0 endpoint mapping.
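
A post-sync check for a resource read back from the SCIM 2.0 destination, as an added example that is not part of the original page or of the product: it confirms the extension URN is declared in schemas and that the sub-attributes carry the types passed to --type in the commands above. The helper names (check_extension, _type_ok) and the GOOD and BAD sample resources are assumptions constructed for illustration.

```python
from datetime import datetime

# Extension schema URN and sub-attribute types, taken from the dsconfig
# commands on this page (--type number and --type date-time).
EXT_URN = "urn:ietf:params:scim:schemas:extension:gluu:2.0:User"
EXPECTED = {"employeeAge": "number", "workAnniversary": "date-time"}


def _type_ok(value, scim_type):
    if scim_type == "number":  # bool is an int subclass in Python; reject it
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if scim_type != "date-time" or not isinstance(value, str) or "T" not in value:
        return False
    try:  # older Pythons' fromisoformat() does not accept a trailing "Z"
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def check_extension(resource, urn=EXT_URN, expected=EXPECTED):
    """Return a list of problems found in one SCIM 2.0 resource (hypothetical helper)."""
    declared = resource.get("schemas", [])
    # Every top-level URN key in the body must also be listed in "schemas".
    problems = [f"undeclared extension: {key}" for key in resource
                if key.startswith("urn:") and key not in declared]
    ext = resource.get(urn)
    if not isinstance(ext, dict):
        return problems + [f"missing complex attribute: {urn}"]
    for name, scim_type in expected.items():
        if name not in ext:
            problems.append(f"missing sub-attribute: {name}")
        elif not _type_ok(ext[name], scim_type):
            problems.append(f"{name} is not a valid {scim_type}: {ext[name]!r}")
    problems += [f"unmapped sub-attribute: {n}" for n in sorted(ext.keys() - expected.keys())]
    return problems


# Constructed samples: GOOD follows the page's testUser; BAD is deliberately malformed.
GOOD = {"schemas": [EXT_URN, "urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "testUser",
        EXT_URN: {"workAnniversary": "1994-12-16T10:32:00Z", "employeeAge": 55}}
BAD = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
       "userName": "testUser",
       EXT_URN: {"workAnniversary": "16/12/1994", "employeeAge": "55"}}

if __name__ == "__main__":
    print(check_extension(GOOD))
    print(check_extension(BAD))
```

An empty list means the resource matches the mappings; each string in a non-empty list names one mismatch to investigate in the mapping or the source data.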