PingAuthorize Server's System for Cross-domain Identity Management (SCIM) subsystem consists of the following components.
- SCIM resource types
- SCIM resource types define a class of resources, such as users or devices. Every
SCIM resource type features at least one SCIM schema, which defines the attributes
and subattributes that are available to each resource, and at least one store
adapter, which handles datastore interactions.
The following SCIM resource types differ according to the definitions of the SCIM schema:
- Mapping SCIM resource type – Requires an explicitly defined SCIM schema, with explicitly defined mappings of SCIM attributes to store adapter attributes. Use a mapping SCIM resource type to exercise detailed control over the SCIM schema, its attributes, and its mappings.
- Pass-through SCIM resource type – Does not use an explicitly defined SCIM schema. Instead, an implicit schema is generated dynamically, based on the schema that is reported by the store adapter. Use a pass-through SCIM resource type when you need to get started quickly.
- SCIM schemas
- SCIM schemas define a collection of SCIM attributes, grouped under an identifier
called a schema URN. Each SCIM resource type possesses a single core schema and can
feature schema extensions, which act as secondary attribute groupings that the schema
URN namespaces. SCIM schemas are defined independently of SCIM resource types, and
multiple SCIM resource types can use a single SCIM schema as a core schema or schema
extension.
Note: A SCIM attribute defines an attribute that is available under a SCIM schema. The configuration for a SCIM attribute defines its data type, regardless of whether it is required, single-valued, or multi-valued. Because it consists of SCIM subattributes, a SCIM attribute can be defined as a complex attribute.
- Store adapters
- Store adapters act as a bridge between PingAuthorize Server's
SCIM system and an external datastore. PingAuthorize Server
provides a built-in LDAP store adapter to support LDAP datastores, including PingDirectory Server and PingDirectoryProxy Server. The LDAP store adapter uses a configurable
load-balancing algorithm to spread the load among multiple directory servers. Use the
Server SDK to create store adapters for arbitrary datastore types.
Each SCIM resource type features a primary store adapter and can also define multiple secondary store adapters. Secondary store adapters allow a single SCIM resource to consist of attributes retrieved from multiple datastores.
Store adapter mappings define the manner in which a SCIM resource type maps the attributes in its SCIM schemas to native attributes of the datastore.
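The following Python sketch is an added illustration, not PingAuthorize code or configuration. It models how a mapping SCIM resource type assembles a resource from explicit store adapter mappings across a primary and a secondary store adapter, and how a pass-through type derives its attributes from whatever the store adapter reports. All class names, URNs, attribute names and sample entries are hypothetical, and the pass-through model assumes native attribute names are surfaced unchanged.

```python
# Illustrative model only: names, URNs and data are hypothetical (constructed),
# not PingAuthorize configuration objects or APIs.
class DictStoreAdapter:
    """Stand-in for a store adapter: reports a native schema and reads entries."""
    def __init__(self, entries):
        self.entries = entries  # {resource id: {native attribute: value}}

    def native_schema(self):
        return sorted({a for e in self.entries.values() for a in e})

    def read(self, rid):
        return self.entries.get(rid, {})

def mapping_resource(rid, core_urn, mappings, adapters):
    """Mapping type: emit only SCIM attributes that have an explicit mapping.
    mappings: (schema URN, SCIM attribute, adapter name, native attribute)."""
    resource, schemas = {"id": rid}, [core_urn]
    for urn, scim_attr, adapter, native_attr in mappings:
        value = adapters[adapter].read(rid).get(native_attr)
        if value is None:
            continue
        if urn == core_urn:
            resource[scim_attr] = value
        else:  # extension attributes are namespaced under their schema URN
            resource.setdefault(urn, {})[scim_attr] = value
            if urn not in schemas:
                schemas.append(urn)
    resource["schemas"] = schemas
    return resource

def pass_through_resource(rid, implicit_urn, adapter):
    """Pass-through type: implicit schema built from what the adapter reports."""
    entry = adapter.read(rid)
    resource = {a: entry[a] for a in adapter.native_schema() if a in entry}
    resource.update({"id": rid, "schemas": [implicit_urn]})
    return resource

# Constructed sample data: an LDAP-like primary store and a secondary store.
ADAPTERS = {
    "primary": DictStoreAdapter({"u1": {"uid": "jdoe", "mail": "jdoe@example.com",
                                        "employeeNumber": "1001"}}),
    "secondary": DictStoreAdapter({"u1": {"device_os": "iOS"}}),
}
CORE, EXT = "urn:example:schemas:User:1.0", "urn:example:schemas:Device:1.0"
MAPPINGS = [(CORE, "userName", "primary", "uid"),
            (CORE, "email", "primary", "mail"),
            (EXT, "os", "secondary", "device_os")]
```

In this model the unmapped `employeeNumber` attribute never appears in the mapping resource but does appear in the pass-through resource, which is the difference to review before exposing a pass-through type to clients.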