The following table identifies the attributes associated with a policy request that the System for Cross-domain Identity Management (SCIM) service generates.

Policy request attribute Description Type
action Identifies the SCIM request as one of the following types:
  • create
  • modify
  • retrieve
  • delete
  • search
  • search-request
attributes Additional attributes that do not correspond to a specific entity type in the PingAuthorize Trust Framework. For more information, see the following table. Object
domain Unused. String
identityProvider Name of the access token validator that evaluates the bearer token used in an incoming request. String

Identifies the SCIM service and resource type using a value of the form SCIM2.<resource type>.

For example, for a request using the "Users" resource type, the service value would be SCIM2.Users.


The following table identifies the additional attributes that are included in attributes.

Attribute Description Type
HttpRequest.AccessToken Parsed access token. For more information, see the following table. Object
HttpRequest.ClientCertificate Properties of the client certificate, if one is used. Object
HttpRequest.CorrelationId A unique value that identifies the request and response, if available. String
HttpRequest.IPAddress The client IP address. String
HttpRequest.QueryParameters Request URI query parameters. Object
HttpRequest.RequestBody The request body, if available. This attribute is available for POST, PUT, and PATCH requests. Object
HttpRequest.RequestHeaders The HTTP request headers. Object
HttpRequest.RequestURI The request URI. String
HttpRequest.ResourcePath Uniquely identifies the SCIM resource that is being requested, in the format <Resource Type>/<SCIM ID>, as the following example shows:


HttpRequest.ResponseBody The response body, if available. This attribute is provided only for outbound policy requests. Object
HttpRequest.ResponseHeaders The HTTP response headers, if available. Object
HttpRequest.ResponseStatus The HTTP response status code, if available. Number
impactedAttributes Provides the set of attributes that the request modifies. Collection
SCIM2 Provides additional, SCIM2-specific information about the request. Object
TokenOwner Access token subject as a SCIM resource, as obtained by the access token validator. Object

The access token validator populates the HttpRequest.AccessToken attribute, which contains the fields in the following table. These fields correspond approximately to the fields that the IETF Token Introspection specification (RFC 7662) defines.

Attribute Description Type
access_token The actual access token from the client request. String
active Indicates whether this access token is currently active, as determined by the access token validator. Boolean
audience Identifies the recipients for whom the access token is intended. Typically, the authorization server sets this field to indicate the resource servers that might accept the token. Array
client_id The client ID of the application that was granted the access token. String
expiration Date and time at which the access token expires. DateTime
issued_at Date and time at which the access token was issued. DateTime
issuer Token issuer. This attribute is usually a URI that identifies the authorization server. String
not_before Date and time before which a resource server does not accept the access token. DateTime
scope Identifies the list of scopes granted to this token. Collection
subject Token subject. This attribute is a user identifier that the authorization server sets. String
token_owner User identifier that was resolved by the access token validator's token resource lookup method. This attribute is always a SCIM ID of the form <resource type>/<resource ID>. String
token_type The token type, as set by the authorization server. This value is typically set to bearer. String
user_token Flag that the access token validator sets to indicate that the token was issued originally to a subject. If this flag is false, the token does not have a subject and was issued directly to a client. Boolean
username Subject's user name. This attribute is a user identifier that the authorization server sets. String

The following table identifies the fields that the HttpRequest.ClientCertificate attribute contains.

Attribute Description Type
algorithm Name of the certificate signature algorithm, such as SHA256withRSA. String
algorithmOID Signature algorithm OID. String
issuer Distinguished name (DN) of the certificate issuer. String
notAfter Expiration date and time of the certificate. DateTime
notBefore Earliest date on which the certificate is considered valid. DateTime
subject DN of the certificate subject. String
subjectRegex Regular expression that must be matched by the subject field of the certificate to ensure that the certificate belongs to the requesting client. String
valid Indicates whether the certificate is valid. Boolean

The following table identifies the fields that the SCIM2 attribute contains.

Attribute Description Type
modifications Contains a normalized SCIM 2 PATCH request object that represents all of the changes to apply. This attribute is available for PUT and PATCH requests. Object
resource Complete SCIM resource that the request targets. This attribute is available for GET, PUT, PATCH, and DELETE requests.

The resource attribute is also available in the policy requests that are performed for each matching SCIM resource in a search result. For more information, see About SCIM searches.