In the previous section, you used PingAuthorize Server to filter data that an external REST API returned.

While PingAuthorize Server's API security gateway protects existing REST APIs, PingAuthorize Server's built-in SCIM service provides a REST API for accessing and protecting identity data that might be contained in datastores like LDAP and relational databases.

PingAuthorize Server uses SCIM in the following ways:

  • Internally, user identities are represented as SCIM identities by way of one or more SCIM resource types and schemas. This approach includes access token subjects, which are always mapped to a SCIM identity.
  • A SCIM REST API service provides access to user identities through HTTP.

You will now design a set of policies to control access to the SCIM REST API by using OAuth 2 access token rules.

Before proceeding, make a test request to generate a SCIM REST API response using only the default policies. As in the previous section, send a mock access token in the request.

curl --insecure -X GET https://localhost:7443/scim/v2/Me -H 'Authorization: Bearer {"active": true, "sub": "user.1", "scope": "nonexistent.scope", "client_id": "nonexistent.client"}'

Although the precise attribute values might vary, the response returns the SCIM resource that corresponds to user.1.

{"mail":[""],"initials":["RJV"],"homePhone":["+1 091 438 1890"],
"pager":["+1 472 824 8704"],"givenName":["Romina"],"employeeNumber":"1","telephoneNumber":["+1 319 624 9982"],
"mobile":["+1 650 622 7719"],"sn":["Valerio"],"cn":["Romina Valerio"],
"description":["This is the description for Romina Valerio."],"street":["84095 Maple Street"],
"st":["NE"],"postalAddress":["Romina Valerio$84095 Maple Street$Alexandria, NE  39160"],

This is a success response, which is not the desired outcome: it shows that any active access token referencing a valid user can be used to access any data.


In this tutorial, you limit the requester's access to profile data, returning only specific attributes of the profile that granted the access token. This is achieved using the OIDC-like scopes email and profile.

Also, you create a scope scimAdmin that has full access to SCIM-based User resources.


This tutorial walks you through these tasks.

  1. Create a basic policy structure for scope-based access to SCIM resources.
  2. Create a policy for the email scope that only allows access to the subject's mail attributes.
  3. Create a policy for the profile scope that only allows access to a few other profile attributes.
  4. Create a policy for the scimAdmin scope that allows access to all attributes.
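The scope-to-attribute model that these four tasks build is illustrated below in plain Python. This is an added example, not PingAuthorize code and not its policy language; it simply emulates GET requests against the SCIM User resource and applies the same decisions the policies are meant to make. The exact attributes covered by the profile scope, the sample users and their attribute values are assumptions constructed for the example; the mock access token is the one from the curl request above.

```python
"""Emulate scope-based attribute filtering for SCIM User resources.

Added example for this tutorial (not PingAuthorize code). Assumed scope model:
  email     -> the subject's "mail" attribute only
  profile   -> a small set of name attributes (assumed subset, see below)
  scimAdmin -> every attribute of every User resource
Tokens are treated as already-introspected results (dicts with "active",
"sub" and "scope"), mirroring the mock token used in the curl request.
"""
from typing import Dict, Optional, Set, Tuple

# Assumed mapping of scope name -> attribute names it unlocks on the caller's own resource.
SCOPE_ATTRIBUTES: Dict[str, Set[str]] = {
    "email": {"mail"},
    "profile": {"givenName", "sn", "cn", "initials"},  # assumed subset for the example
}
ADMIN_SCOPE = "scimAdmin"  # grants all attributes on all User resources

# Constructed sample resources, shaped like the page's response (values are made up).
USERS: Dict[str, Dict[str, object]] = {
    "user.1": {
        "mail": ["romina.valerio@example.com"],
        "initials": ["RJV"],
        "givenName": ["Romina"],
        "sn": ["Valerio"],
        "cn": ["Romina Valerio"],
        "employeeNumber": "1",
        "telephoneNumber": ["+1 319 624 9982"],
        "homePhone": ["+1 091 438 1890"],
    },
    "user.2": {
        "mail": ["second.user@example.com"],
        "givenName": ["Second"],
        "sn": ["User"],
        "cn": ["Second User"],
        "employeeNumber": "2",
    },
}


class AccessDenied(Exception):
    """Raised when no scope on the token permits the requested read."""


def allowed_attributes(token: dict, resource_id: str) -> Optional[Set[str]]:
    """Return the attribute names the token may read on resource_id.

    None means "all attributes" (admin). Raises AccessDenied otherwise.
    Policy order: token must be active; scimAdmin sees everything;
    other scopes only apply to the token subject's own resource; and an
    unknown scope (such as the mock token's "nonexistent.scope") unlocks nothing.
    """
    if not token.get("active"):
        raise AccessDenied("inactive token")
    scopes = set(str(token.get("scope", "")).split())
    if ADMIN_SCOPE in scopes:
        return None
    if token.get("sub") != resource_id:
        raise AccessDenied("non-admin token may only read its own resource")
    allowed: Set[str] = set()
    for scope in scopes:
        allowed |= SCOPE_ATTRIBUTES.get(scope, set())
    if not allowed:
        raise AccessDenied("no scope on the token grants access to any attribute")
    return allowed


def handle_get(token: dict, resource_id: str) -> Tuple[int, dict]:
    """Emulate GET /scim/v2/<resource_id>; "Me" resolves to the token subject.

    Returns an HTTP-like (status, body) pair. Authorization is decided before
    the lookup so an unauthorized caller cannot probe which ids exist.
    """
    if resource_id == "Me":
        resource_id = str(token.get("sub", ""))
    try:
        allowed = allowed_attributes(token, resource_id)
    except AccessDenied as exc:
        return 403, {"detail": str(exc)}
    user = USERS.get(resource_id)
    if user is None:
        return 404, {"detail": "resource not found"}
    if allowed is None:
        return 200, dict(user)
    return 200, {name: value for name, value in user.items() if name in allowed}


if __name__ == "__main__":
    # The mock token from the curl request: active, valid subject, meaningless scope.
    mock = {"active": True, "sub": "user.1", "scope": "nonexistent.scope",
            "client_id": "nonexistent.client"}
    print(handle_get(mock, "Me"))                                   # 403 under these policies
    print(handle_get({"active": True, "sub": "user.1", "scope": "email"}, "Me"))
    print(handle_get({"active": True, "sub": "user.1", "scope": "scimAdmin"}, "user.2"))
```

Run the module directly to see the three cases printed: the mock token from the curl request is now refused instead of returning the whole resource, an email-scoped token gets only mail, and a scimAdmin token can read any user in full. The check that a non-admin token's sub must equal the requested resource is what keeps one user's email scope from reading another user's mail; it is the part most easily forgotten when policies are written per scope rather than per subject.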

The following sections provide the details for completing these tasks.