The Identity Access API
The PingDirectory server, PingDirectoryProxy server, and PingDataSync server support an extension to the SCIM 1.1 standard called the Identity Access API. The Identity Access API provides an alternative to LDAP by supporting CRUD (create, read, update, and delete) operations to access PingDirectory server data over an HTTP connection.
SCIM 1.1 and the Identity Access API are provided as a unified service through the SCIM HTTP Servlet Extension. The SCIM HTTP Servlet Extension can be configured to only enable core SCIM resources (for example, 'Users' and 'Groups'), only LDAP object classes (for example, top, domain, inetOrgPerson, or groupOfUniqueNames), or both. Because SCIM and the Identity Access API have different schemas, if both are enabled, there can be two representations with different schemas for any resources defined in the scim-resources.xml file: the SCIM representation and the raw LDAP representation. Likewise, because resources are exposed by an LDAP object class, and because these are hierarchical (for example, top → person → organizationalPerson → inetOrgPerson, and so forth), a client application can access an entry in multiple ways because of the different paths/URIs to a given resource.
This chapter provides information on configuring the SCIM and the Identity Access API services on the server.