1. Sign on to the PingAuthorize Policy Editor using the URL and credentials from Accessing the GUIs.
  2. Click Policies.
  3. Expand Global Decision Point, SCIM Policy Set, Token Policies, and Scope Policies.
  4. Highlight Permitted Scopes.
    1. Click Components.
  5. From the Rules list, drag Permitted SCIM scope for user to the Rules section.
  6. To the right of the copied rule, click the hamburger menu.
  7. Click Replace with clone.
  8. Change the name to Scope: email.
  9. To expand the rule, click +.
  10. Change the description to Rule that permits a SCIM user to access its own mail attribute if the access token contains the email scope.
  11. In the HttpRequest.AccessToken.scope row of the Condition section, type email in the CHANGEME field.
  12. Within the rule, click Show "Applies to".
  13. From the Actions section, drag retrieve to the Add definitions and targets, or drag from Components box.
    Note: This task uses different actions from the previous gateway example.

  14. Within the rule, click Show Advice and Obligations.
  15. Click + next to Advice and Obligations.
  16. From the Advice section, drag Include email attributes to the Advice and Obligations section.
    Note: This predefined advice includes a payload. If the condition for this rule is satisfied, the response includes the mail attribute.

  17. Click Save changes.

After completing the configuration, you will have a new Scope: email rule, which should look like the following.

Screen capture of the Scope: email rule with a permit effect, configured as specified with an Applies To target, two comparison Conditions, and an Include email attributes advice, flagged as Obligatory
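
To reason about which requests the finished rule should permit, the following added example models its logic in plain Python and runs it over constructed requests. It is not PingAuthorize code or policy export format: the request field names, the advice payload shape, the whole-token scope match, and the second condition (token subject equals the requested SCIM user) are assumptions made for illustration.

```python
# Plain-Python model of the "Scope: email" rule; not PingAuthorize code.
# All field names (action, access_token, resource_id, ...) are hypothetical.

PERMIT, NOT_APPLICABLE = "PERMIT", "NOT_APPLICABLE"

# Constructed stand-in for the "Include email attributes" advice payload.
INCLUDE_EMAIL_ADVICE = {"name": "Include email attributes", "attributes": ["mail"]}


def scope_email_rule(request):
    """Return (decision, advice_list) for one constructed request dict."""
    token = request.get("access_token", {})

    # "Applies to": the rule targets only the retrieve action.
    if request.get("action") != "retrieve":
        return NOT_APPLICABLE, []

    # Condition on HttpRequest.AccessToken.scope. Assumption: the scope claim
    # is a space-delimited string and is matched as whole tokens, so a scope
    # such as "email_admin" does not count as "email".
    if "email" not in str(token.get("scope", "")).split():
        return NOT_APPLICABLE, []

    # Assumed second condition: the token subject is the SCIM user requested
    # ("its own mail attribute"). A missing subject never matches.
    subject = token.get("subject")
    if not subject or subject != request.get("resource_id"):
        return NOT_APPLICABLE, []

    return PERMIT, [INCLUDE_EMAIL_ADVICE]


def make_request(action, scope, subject, resource_id):
    """Build a constructed request for the model above."""
    return {"action": action, "resource_id": resource_id,
            "access_token": {"scope": scope, "subject": subject}}


# Constructed sample requests and the decision the rule should yield.
SAMPLES = [
    (make_request("retrieve", "openid email", "user.1", "user.1"), PERMIT),
    (make_request("retrieve", "openid profile", "user.1", "user.1"), NOT_APPLICABLE),
    (make_request("retrieve", "email_admin", "user.1", "user.1"), NOT_APPLICABLE),
    (make_request("retrieve", "email", "user.1", "user.2"), NOT_APPLICABLE),
    (make_request("modify", "email", "user.1", "user.1"), NOT_APPLICABLE),
    (make_request("retrieve", "email", None, None), NOT_APPLICABLE),
]
```

The same cases make a useful checklist when testing the saved rule in the Policy Editor: only the first request should produce a permit carrying the email advice.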