Identify a SCIM resource at the destination

When a System for Cross-domain Identity Management (SCIM) Sync Destination needs to synchronize a change to a SCIM resource on the destination SCIM server, it must first fetch the destination resource. If the destination resource ID is known, the resource will be retrieved by its ID. If not, a search is performed using the mapped destination correlation attributes. Configuring this requires coordination between the Sync Class and the scim-resources.xml mapping file.

The scim-resources.xml mapping file treats the value of the <resourceIDMapping> element’s ldapAttribute attribute as the SCIM ID of the source entry. If this value is also listed as a value of the Sync Class’s destination-correlation-attributes property, then the value of this Lightweight Directory Access Protocol (LDAP) attribute is used as the SCIM ID of the destination resource.

If no value of destination-correlation-attributes matches the <resourceIDMapping> element’s ldapAttribute attribute, the SCIM ID of the destination resource is considered unknown. In this case, the SCIM Sync Destination treats the values of destination-correlation-attributes as search terms, using them to construct a filter for finding the destination resource. Each value of destination-correlation-attributes will be mapped to a corresponding SCIM attribute name, and equality matches will be used in the resulting filter.

If the ldapAttribute value is not listed as a destination correlation attribute, this setting is not used by PingDataSync.

The following table illustrates an LDAPSearch element that contains a resourceIDMapping element:

The unique ID of a destination SCIM resource will most likely be unknown, and the search method will need to be used. However, not all SCIM service providers support the use of filters. Therefore, not all SCIM service providers might be usable as SCIM Sync Destinations.