Define a permitted access token scope to retrieve email attributes.
- Sign on to the PingAuthorize Policy Editor using the URL and credentials from Accessing the GUIs.
- Click Policies.
- Expand Global Decision Point, SCIM Policy Set, Token Policies, and Scope Policies.
- Select Permitted Scopes.
- Click Components.
- From the Rules list, drag Permitted SCIM scope for user to the Rules section.
- To the right of the copied rule, click the hamburger menu.
- Click Replace with clone.
- Change the name to Scope: email.
- To expand the rule, click +.
- Change the description to Rule that permits a SCIM user to access its own mail attribute if the access token contains the email scope.
- In the HttpRequest.AccessToken.scope row of the Condition section, type email in the CHANGEME field.
- Within the rule, click Show "Applies to".
- From the Actions section, drag retrieve to the Add definitions and targets, or drag from Components box.
  Note: This task uses different actions from the previous gateway example.
- Within the rule, click Show Statements.
- Click + next to Statements.
- From the Statements list, drag Include email attributes to the Statements section of the rule.
  Note: This predefined statement includes a payload. If the condition for this rule is satisfied, the response includes the mail attribute.
- Click Save changes.
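The decision this rule expresses, as an added Python model that is not PingAuthorize code and not part of the original procedure. It assumes the token's scope claim is a space-delimited string matched by exact token and that "its own" means the token subject equals the resource owner; `Request`, `evaluate`, `filter_response` and the sample user are hypothetical names and data.

```python
# Simplified model of the "Scope: email" rule (illustration only, not product code).
from dataclasses import dataclass

EMAIL_SCOPE = "email"            # value typed into the CHANGEME field
APPLIES_TO = {"retrieve"}        # action dragged into "Applies to"
INCLUDED_ATTRIBUTES = {"mail"}   # payload of the "Include email attributes" statement


@dataclass
class Request:
    action: str          # SCIM action, e.g. "retrieve" or "modify"
    token_scope: str     # space-delimited scope string from the access token
    token_subject: str   # user the token was issued for
    resource_owner: str  # user the SCIM resource belongs to


def token_scopes(scope_string):
    """Split the scope claim into exact scope tokens (assumed space-delimited)."""
    return set(scope_string.split())


def evaluate(req):
    """Return (permitted, attributes) for this one rule.

    False means this rule grants nothing; it says nothing about other rules.
    """
    if req.action not in APPLIES_TO:
        return False, set()      # rule does not apply to this action
    if EMAIL_SCOPE not in token_scopes(req.token_scope):
        return False, set()      # exact match: "emails" does not satisfy "email"
    if req.token_subject != req.resource_owner:
        return False, set()      # only the user's own record is covered
    return True, set(INCLUDED_ATTRIBUTES)


def filter_response(resource, req):
    """Keep only the attributes the statement includes, or None if not permitted."""
    permitted, attrs = evaluate(req)
    if not permitted:
        return None
    return {k: v for k, v in resource.items() if k in attrs}


# Constructed sample record for the checks below.
SAMPLE_USER = {"uid": "user.1", "mail": "user.1@example.com",
               "telephoneNumber": "+1 555 0100"}
```

A substring test on the raw scope string would let a token carrying only `emails` pass; the set-based comparison above is what prevents that.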
You now have a new email scope, which should look like the following.