SCIM inbound provisioning endpoints
PingFederate supports System for Cross-domain Identity Management (SCIM) inbound provisioning and provides four endpoints:
- /pf-scim/v1/Users
- /pf-scim/v1/Groups
- /pf-scim/v1/Schemas
- /pf-scim/v1/ServiceProviderConfigs
These endpoints are defined in the following SCIM 1.1 specifications:
Begin each endpoint with the fully-qualified server name and port number of your PingFederate server, for example: https://pingidentity.com:9031/pf-scim/v1/Users.
/pf-scim/v1/Users
The users endpoint is where client applications make HTTP requests to create, retrieve, update, and delete or deactivate users. This REST-based endpoint accepts POST, GET, PUT, and DELETE methods, as described in the following table.
HTTP requests must be made using either Basic or client-certificate application authentication. JSON is currently the only supported format for the HTTP message body.
HTTP method | Description |
---|---|
POST | For an existing user, you can also use the POST method to either update or delete or disable a user record by appending the user ID to the path in the format of |
GET | |
PUT | |
DELETE | |
For a list of HTTP error codes that might be returned, see 3.9 HTTP Response Codes in SCIM Specification.
/pf-scim/v1/Groups
The groups endpoint is where client applications make HTTP requests to create, retrieve, update, and delete groups.
Inbound provisioning for groups is a per-connection, optional feature. To enable group provisioning, select the User and Group Support option on the Connection Type tab when configuring the applicable IdP connection.
This REST-based endpoint accepts POST, GET, PUT, and DELETE methods, as described in the following table.
HTTP requests must be made using either Basic or client-certificate application authentication. JSON is currently the only supported format for the HTTP message body.
HTTP method | Description |
---|---|
POST | For an existing group, you can also use the POST method to either update or delete the group by appending the group ID to the path, in the format of |
GET | |
PUT | |
DELETE | |
For a list of HTTP error codes that might be returned, see 3.9 HTTP Response Codes in SCIM Specification.
/pf-scim/v1/Schemas
The schemas endpoint is where a client can retrieve a resource’s schema. This REST-based endpoint accepts the GET method, as described in the following table.
HTTP requests must be made using either Basic or client-certificate application authentication. JSON is currently the only supported format for the HTTP message body.
HTTP method | Description |
---|---|
GET | Retrieves the resource’s schema for an IdP connection based on the authentication information. A successful response is indicated by an HTTP 200 status code and the results in the message body. |
Example
```
$ curl -u basicUser 'https://localhost:9031/pf-scim/v1/Schemas' | python -m json.tool
{
    "attributes": [
        {
            "caseExact": false,
            "description": "Unique identifier for the SCIM resource as defined by the Service Provider. Each representation of the resource MUST include a non-empty id value. This identifier MUST be unique across the Service Provider's entire set of resources. It MUST be a stable, non-reassignable identifier that does not change when the same resource is returned in subsequent requests. The value of the id attribute is always issued by the Service Provider and MUST never be specified by the Service Consumer. REQUIRED.",
            "multiValued": false,
            "name": "id",
            "readOnly": true,
            "required": true,
            "schema": "urn:scim:schemas:core:1.0",
            "type": "string"
        },
        ...
    ],
    "description": "Core User",
    "endpoint": "/Users",
    "id": "urn:scim:schemas:core:1.0:User",
    "name": "User",
    "schema": "urn:scim:schemas:core:1.0"
}
```
/pf-scim/v1/ServiceProviderConfigs
This service provider (SP) configuration endpoint is where developers can retrieve detailed information on the PingFederate SCIM 1.1 implementation. When you enable inbound provisioning for an SP PingFederate server, an HTTP GET request to this endpoint returns a JSON response outlining SCIM 1.1 compliance details.
The |
Example
```
$ curl https://localhost:9031/pf-scim/v1/ServiceProviderConfigs
{
    "schemas": ["urn:scim:schemas:core:1.0"],
    ...
    "patch": {
        "supported":false
    },
    "bulk": {
        "supported":false
    },
    "filter": {
        "supported":true
    },
    "changePassword" : {
        "supported":true
    },
    "sort": {
        "supported":false
    },
    "etag": {
        "supported":false
    },
    "xmlDataFormat": {
        "supported":false
    },
    "authenticationSchemes": [
        {
            "name": "HTTP Basic",
            "description": "Authentication using HTTP Basic",
            ...
            "type":"httpbasic"
        },
        {
            "name": "TLS Client Certificate",
            "description": "Authentication via TLS Client Certificate",
            ...
            "type":"tls"
        }
    ]
}
```
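An added example, not taken from the PingFederate documentation: a Python client helper that applies the rules these endpoints share (Basic or client-certificate authentication, JSON-only bodies, an optional resource ID appended to the path) and refuses to send Basic credentials over plain HTTP. The names `build_scim_request` and `client_cert_context`, the credentials and the certificate paths are assumptions made for this illustration.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import quote, urlsplit

SCIM_BASE = "/pf-scim/v1"   # path prefix from this page's endpoint list
RESOURCES = ("Users", "Groups", "Schemas", "ServiceProviderConfigs")
METHODS = ("GET", "POST", "PUT", "DELETE")


def build_scim_request(server, resource, method="GET", body=None,
                       basic=None, resource_id=None):
    """Build, without sending, a request to one of the four SCIM endpoints.

    server: scheme, host and port, e.g. "https://localhost:9031"
    basic:  (username, password) for HTTP Basic, or None when a TLS client
            certificate authenticates the connection instead
    """
    parts = urlsplit(server)
    # Basic credentials are only base64-encoded, so refuse plain HTTP, and
    # refuse credentials embedded in the URL, which tend to end up in logs.
    if parts.scheme != "https" or not parts.hostname or "@" in parts.netloc:
        raise ValueError("server must be https://host[:port] without userinfo")
    if resource not in RESOURCES or method not in METHODS:
        raise ValueError("unsupported resource or method")
    url = "https://%s%s/%s" % (parts.netloc, SCIM_BASE, resource)
    if resource_id is not None:
        # Percent-encode the ID so a "/" in it cannot add path segments.
        url += "/" + quote(str(resource_id), safe="")
    headers = {"Accept": "application/json"}
    data = None
    if body is not None:
        # JSON is the only message-body format the endpoints accept.
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    if basic is not None:
        raw = ("%s:%s" % basic).encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def client_cert_context(certfile, keyfile):
    """TLS context for client-certificate authentication (paths are assumed)."""
    ctx = ssl.create_default_context()   # server chain and hostname still verified
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx
```

To send a request, pass it to `urllib.request.urlopen(req)`, adding `context=client_cert_context(...)` when the connection authenticates with a client certificate.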