This topic focuses on the relationship between the PingAuthorize Server SCIM subsystem and its backend data stores, particularly LDAP directory servers.
For general information about SCIM configuration, see SCIM configuration basics.
The PingAuthorize Server SCIM 2.0 REST API and SCIM token resource lookup methods rely on external data stores, collectively called a user store, to locate user records. Typically, a user store is composed of a set of PingDirectory Servers, optionally fronted by a set of PingDirectoryProxy Servers. The SCIM subsystem manages communication with the user store through a store adapter, which translates SCIM requests into requests native to the data stores. The following diagram shows an example setup.
PingAuthorize Server includes a store adapter type for use with LDAP data stores, the LDAP store adapter. The LDAP store adapter manages communications to a pool of LDAP servers using a load-balancing algorithm. PingAuthorize Server supports two types of load-balancing algorithms.
|Load-balancing algorithm type
|Failover load-balancing algorithm
|Attempts to always send requests to the same backend LDAP server. If the preferred server is not available, then it fails over to alternate servers.
|Fewest operations load-balancing algorithm
Forwards requests to the backend LDAP server with the fewest operations currently in progress.
You should only use this load-balancing algorithm when all backend servers are Directory Proxy Servers.
Typically, you connect a load-balancing algorithm to its backend LDAP servers by defining LDAP external servers in the configuration and attaching them to the load-balancing algorithm configuration. An LDAP external server configuration manages the actual LDAP connections to a backend LDAP server, such as PingDirectory Server.
Alternatively, if all backend LDAP servers are PingDirectory Servers (version 184.108.40.206 and later), you can configure a load-balancing algorithm to automatically discover the backend servers. See Automatic backend discovery.
LDAP external servers monitor and report the availability of backend LDAP servers using LDAP health checks. See LDAP health checks.