The server, server, and server support an extension to the SCIM 1.1 standard called the Identity Access API. The Identity Access API provides an alternative to LDAP by supporting CRUD (create, read, update, and delete) operations to access server data over an HTTP connection.

SCIM 1.1 and the Identity Access API are provided as a unified service through the SCIM HTTP Servlet Extension. The SCIM HTTP Servlet Extension can be configured to enable only core SCIM resources (for example, 'Users' and 'Groups'), only LDAP object classes (for example, top, domain, inetOrgPerson, or groupOfUniqueNames), or both. Because SCIM and the Identity Access API have different schemas, if both are enabled, any resource defined in the scim-resources.xml file can have two representations with different schemas: the SCIM representation and the raw LDAP representation. Likewise, because resources are exposed by LDAP object class, and because object classes are hierarchical (for example, top --> person --> organizationalPerson --> inetOrgPerson), a client application can reach the same entry through multiple paths/URIs.

This chapter provides information on configuring the SCIM and Identity Access API services on the server.