Define a permitted access token scope to retrieve profile attributes.
- Sign on to the PingAuthorize Policy Editor using the URL and credentials from Accessing the GUIs.
- Click Policies.
- Expand Global Decision Point, SCIM Policy Set, Token Policies, and Scope Policies.
- Highlight Permitted Scopes.
- Click Components.
- From the Rules list, drag Permitted SCIM scope for user to the Rules section.
- To the right of the copied rule, click the hamburger menu.
- Click Replace with clone.
- Change the name to Scope: profile.
- To expand the rule, click +.
- Change the description to Rule that permits a SCIM user to access a subset of its own profile attributes if the access token contains the profile scope.
- In the HttpRequest.AccessToken.scope row of the Condition section, type profile in the CHANGEME field.
- Within the rule, click Show "Applies to".
- From the Actions section, drag retrieve to the Add definitions and targets, or drag from Components box.
- Within the rule, click Show Advice and Obligations.
- Next to Advice and Obligations, click +.
From the Advice section, drag Include profile
attributes to the Advice and Obligations
This predefined advice includes a payload. If the condition for this rule is satisfied, the response includes the uid, sn, givenName, and description attributes.
- Click Save changes.
After completing the configuration, you will have a new profile scope, which should look like the following.