Creating a SCIM connection
You can set up provisioning to or from a System for Cross-domain Identity Management (SCIM) identity store. You can also use the PingOne API to set up inbound SCIM for user provisioning. For more information, see SCIM in the PingOne API Reference.
Steps
1. Go to Integrations → Provisioning.
2. Click and then click New connection.
3. On the Identity Store row, click Select.
4. Click SCIM Outbound, click Select, and then click Next.
5. Enter a name and description for this provisioning connection.
   The connection name appears in the provisioning list after you’ve saved the connection.
6. Click Next.
7. On the Configure authentication panel, enter the following:
   - SCIM base URL: The fully qualified URL to use for the SCIM resources, such as https://scim-example.com/v2/.
   - Users resource: The endpoint for the SCIM User resource.
   - SCIM version: The SCIM version to use for the connection.
   - Groups resource: The endpoint for the SCIM Groups resource.
   - Authentication method: The SCIM authentication method to use for the connection.
     You can choose to use no authentication (None). For all other methods, additional entry fields are displayed, depending on the selected authentication method.
     Basic Authentication provides limited security:
     - The identity store configuration stores the provided Basic Auth credentials.
     - The authentication scope is exactly that of the Basic Auth user, rather than some subset of the user data.
     If possible, use the OAuth 2 Bearer Token or OAuth 2 Client Credentials authentication methods.
   - Basic Authentication
     - Basic Auth User: Enter the Basic Auth user for the identity store.
     - Basic Auth Password: Enter the Basic Auth user password for the identity store.
     - Auth Type Header: Select Basic, Bearer, OAuth Client Credentials, or Custom (to supply your own header configuration).
       If you select Custom, the Custom Header entry field is displayed. Enter the custom header configuration.
       Custom headers added here are added only as authorization headers in the request.
   - OAuth 2 Bearer Token
     - OAuth Access Token: Enter the OAuth access token value supplied by the authorization server for the identity store.
     - Auth Type Header: Select Basic, Bearer, OAuth Client Credentials, or Custom (to supply your own header configuration).
       If you select Custom, the Custom Header entry field is displayed. Enter the custom header configuration.
       Custom headers added here are added only as authorization headers in the request.
   - OAuth 2 Client Credentials
     - OAuth Token Request: Enter the endpoint URL used to obtain an access token, such as https://scim-example.com/as/token.oauth2.
     - OAuth Client ID: Enter the client ID registered with the OAuth server for the provisioning identity store.
     - OAuth Client Secret: Enter the client secret value associated with the OAuth client ID.
     - Auth Type Header: Select Basic, Bearer, OAuth Client Credentials, or Custom (to supply your own header configuration).
       If you select Custom, the Custom Header entry field is displayed. Enter the custom header configuration.
       Custom headers added here are added only as authorization headers in the request.
8. Click Test connection to verify that PingOne can establish a connection to the SCIM resource.
   Result:
   If there are any issues with the connection, a Test Connection Failed dialog box opens. Click Continue to resume the setup with an invalid connection.
   You cannot use the connection for provisioning until you have established a valid connection to SCIM. To retry, click Cancel in the Test Connection Failed dialog box and repeat step 7.
   Troubleshooting:
   Learn more about troubleshooting your connection in Troubleshooting Test Connections Failure.
9. In the Configure preferences and Actions sections, enter the user filter and the action to take when deprovisioning users.
   The filtering parameters are optional.
   - User filter expression: Determines how the connection uses the specified User Identifier to match existing users in the target identity store to the users being provisioned from the source identity store. Learn more in SCIM filter expressions.
   - User identifier: The identifier for the user filter expression.
   - Custom Attribute Schema URNs (optional): A comma-delimited list of schema URNs to define a location for custom attributes. Use this option if the SCIM provider does not follow the standard naming convention for schema extensions in which custom attributes are defined, that is, URNs of the form urn:ietf:params:scim:schemas:extension:<Organization Name>:2.0:User.
   - Group membership handling: Determines whether to update or replace target groups with PingOne memberships. Select Merge or Overwrite.
     Merging or overwriting memberships only applies to SCIM, Slack, and GitHub EMU provisioning connections.
     There is a limitation when syncing groups and group memberships to AWS Identity Center and Atlassian Cloud. Learn more in SCIM provisioning known limitations.
   - Allow users to be created: Determines whether to create a user in the target identity store when the user is created in the source identity store.
   - Allow users to be updated: Determines whether to update user attributes in the target identity store when the user is updated in the source identity store.
   - Allow users to be disabled: Determines whether to disable a user in the target identity store when the user is disabled in the source identity store.
   - Allow users to be deprovisioned: Determines whether to deprovision a user in the target identity store when the user is deprovisioned in the source identity store.
   - Remove action: The action to take when removing a user from the target identity store.
   - Deprovision on rule deletion: Determines whether to deprovision users if the associated provisioning rule is deleted.
10. Click Save.
Result
The SCIM provisioning profile is complete and is added to the list of provisioning profiles on the Provisioning page.
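The steps above configure the PingOne side; the following added example (written for this page, not PingOne or Ping Identity code) models the other side, a minimal SCIM 2.0 identity store, so you can see what the settings translate into on the wire: the Authorization header produced by the Basic and Bearer methods (and why Basic recovers the password in full on the target), the lookup driven by the user filter expression and user identifier, custom attributes held under an extension URN of the form the page describes, and Merge versus Overwrite group membership handling. The credentials, the ExampleOrg schema URN, and the users in the store are constructed stand-ins; only the equality filter is supported, whereas a real SCIM server accepts the full filter grammar.

```python
"""Toy SCIM 2.0 target for an outbound provisioning connection (added example)."""
import base64
import re
from urllib.parse import parse_qs, quote

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Constructed extension URN in the standard form (organization name = ExampleOrg).
CUSTOM_SCHEMA = "urn:ietf:params:scim:schemas:extension:ExampleOrg:2.0:User"

# Constructed credentials the target accepts (stand-ins for real secrets).
BASIC_USER, BASIC_PASSWORD = "pingone-svc", "correct horse battery staple"
VALID_BEARER = "tok-constructed-7f3a"

USERS = [  # constructed sample contents of the target store
    {"schemas": [CORE_USER_SCHEMA, CUSTOM_SCHEMA], "id": "u-1",
     "userName": "alice@example.com", "active": True,
     CUSTOM_SCHEMA: {"costCenter": "4100"}},
    {"schemas": [CORE_USER_SCHEMA], "id": "u-2",
     "userName": "bob@example.com", "active": False},
]


def basic_header(user, password):
    """Authorization header value sent for the Basic Authentication method."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(header):
    """Return the principal behind an Authorization header, or None if rejected.
    Basic credentials are only base64-encoded, so the target (and anything that
    logs or proxies the request) recovers the password verbatim; a bearer token
    obtained through the client credentials grant can be short-lived and scoped."""
    scheme, _, value = header.partition(" ")
    if scheme == "Basic":
        try:
            user, _, password = base64.b64decode(value).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        if user == BASIC_USER and password == BASIC_PASSWORD:
            return user
    elif scheme == "Bearer" and value == VALID_BEARER:
        return "oauth-client"
    return None


FILTER_EQ = re.compile(r'^(\w+) eq "([^"]*)"$')


def lookup_query(identifier, value):
    """Query string for the lookup the user filter expression produces, e.g.
    userName eq "alice@example.com", percent-encoded as it travels in the URL."""
    return "filter=" + quote(f'{identifier} eq "{value}"', safe="")


def lookup_users(store, query_string):
    """Evaluate an <attribute> eq "<value>" filter over the store."""
    expr = parse_qs(query_string).get("filter", [""])[0]
    match = FILTER_EQ.match(expr)
    if not match:
        raise ValueError(f"unsupported filter: {expr!r}")
    attribute, value = match.groups()
    return [u for u in store if u.get(attribute) == value]


def custom_attributes(user, schema_urn=CUSTOM_SCHEMA):
    """Custom attributes live under their extension URN, not at the top level,
    and only count when the user resource lists that schema."""
    if schema_urn not in user.get("schemas", []):
        return {}
    return user.get(schema_urn, {})


def apply_group_membership(current_members, pingone_members, handling):
    """Merge keeps existing target members and adds PingOne's; Overwrite makes
    the target group's membership exactly PingOne's."""
    if handling == "Merge":
        return sorted(set(current_members) | set(pingone_members))
    if handling == "Overwrite":
        return sorted(set(pingone_members))
    raise ValueError(f"unknown handling: {handling}")


if __name__ == "__main__":
    hdr = basic_header(BASIC_USER, BASIC_PASSWORD)
    print(hdr, "->", authenticate(hdr))
    print(lookup_users(USERS, lookup_query("userName", "alice@example.com"))[0]["id"])
    print(apply_group_membership(["u-2"], ["u-1"], "Merge"))
```

Run it directly to see the Basic header a connection would send and the principal the target derives from it; the `lookup_query` output is the shape of the request PingOne issues when matching an existing target user by the configured identifier before deciding whether to create or update.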
Next steps
To sync group members out of PingOne into a software as a service (SaaS) application, follow the instructions in Configuring outbound group provisioning.