1. Sign on to the PingAuthorize Policy Editor using the URL and credentials from Accessing the GUIs.
  2. Click Policies.
  3. Expand Global Decision Point, SCIM Policy Set, Token Policies, and Scope Policies.
  4. Highlight Permitted Scopes.
  5. Click Components.
  6. From the Rules list, drag Permitted SCIM scope for user to the Rules section.
  7. To the right of the copied rule, click the hamburger menu.
  8. Click Replace with clone.
  9. Change the name to Scope: profile.
  10. To expand the rule, click +.
  11. Change the description to Rule that permits a SCIM user to access a subset of its own profile attributes if the access token contains the profile scope.
  12. In the HttpRequest.AccessToken.scope row of the Condition section, type profile in the CHANGEME field.
  13. Within the rule, click Show "Applies to".
  14. From the Actions section, drag retrieve to the Add definitions and targets, or drag from Components box.
  15. Within the rule, click Show Advice and Obligations.
  16. Next to Advice and Obligations, click +.
  17. From the Advice section, drag Include profile attributes to the Advice and Obligations section.
    Note:

    This predefined advice includes a payload. If the condition for this rule is satisfied, the response includes the uid, sn, givenName, and description attributes.

  18. Click Save changes.

After completing the configuration, you will have a new profile scope, which should look like the following.

Screen capture of a profile scope.