The paged SCIM searches feature is not available for entry-balanced data sets.

To use paged SCIM searches, your SCIM service's backend servers must be LDAP directory servers and you must use the LDAP store adapter.

Complete the following one-time operations. For either command, you only need to run the command one time per backend server. If you are not sure whether you have run the command, you can run it again safely.

  • Set the service account’s permissions by running the prepare-external-store command on the PingAuthorize server for each backend server.

    If you have run this command with PingDataGovernance or earlier, run it again using the command from a PingDataGovernance or a PingAuthorize or later release.

    For example:
    $ prepare-external-store --hostname --port 1389 \
    --bindDN "cn=Directory Manager" --bindPassword <password1> \
    --governanceBindDN "cn=Authorize User,cn=Root DNs,cn=config" \
    --governanceBindPassword <password2> \
    --userStoreBaseDN ou=people,dc=example,dc=com
  • If your LDAP store adapter points to a PingDirectoryProxy server, run the following command on that server:
    $ dsconfig set-request-processor-prop \
    --processor-name <proxying-request-processor> \
    --set supported-control-oid:2.16.840.1.113730.3.4.9 \
    --set supported-control-oid:1.2.840.113556.1.4.473
    <proxying-request-processor> is the request processor handling the entries targeted by the search.

PingAuthorize performs SCIM searches using LDAP requests. After you complete the steps below, PingAuthorize creates LDAP requests that include request controls asking the backend servers to sort and page the search results before returning the results. These request controls are marked noncritical, meaning that if the backend server cannot page the results, the backend server still returns the results. In this case, PingAuthorize handles the sorting and paging itself.

If your SCIM searches result in an error because the request matched too many results, as discussed in Lookthrough limit for SCIM searches, you can avoid the error by using paged searches.

Complete the following steps for each search:

  1. Decide your SCIM search.
    Note: To get paged results, your search must include at least one of these parameters: startIndex, count, or sortBy.
    For example, your search might look like the following:
    https://<pingauthorize-hostname>:<pingauthorize-port>/scim/v2/Users/?filter=st eq "TX"&sortBy=sn&sortOrder=ascending
    Here is the corresponding encoded version:

    On your PingAuthorize Server, collect some information to use later.

    1. Given a SCIM resource type that you want to search for, find the primary LDAP store adapter that the SCIM resource type uses by looking at its primary-store-adapter property.
    2. Find the corresponding adapter by running the following command:
      $ dsconfig list-store-adapters
    3. Find the structural-ldap-objectclass, include-base-dn, and include-filter values for the adapter by running the following command:
      $ dsconfig get-store-adapter-prop --adapter-name <name-of-store-adapter> \
      --property structural-ldap-objectclass \
      --property include-base-dn \
      --property include-filter
  2. On each backend server, complete the following steps:
    1. Create a Virtual List View (VLV) index for your search.

      Each SCIM search that you want to produce paged results must have its own VLV index.

      Create this index using dsconfig create-local-db-vlv-index with the following options.

      Option Description


      Names the index.


      Specifies the name of the local database backend in which to place the index.

      The default database backend for PingDirectory is userRoot.

      --set base-dn

      Specifies the desired base dn. This value must match the value of the include-base-dn property that you found in the previous step.

      --set scope

      Is always whole-subtree.

      --set filter

      Specifies the filter.



      where <name-of-store-adapter-objectclass> is the name of the objectclass used by the adapter, which you found in the previous step.

      If the primary LDAP store adapter has the include-filter property set, also specify that property value in the filter. For example, if the filter for the adapter objectclass is (objectclass=inetorgperson) and the include-filter value is (st=CA), specify the --set filter argument as "(&(objectclass=inetorgperson)(st=CA))".

      Specify the LDAP attributes for all the components of your SCIM search filter.

      For example, if a mapping SCIM resource type maps the LDAP attribute st to the SCIM attribute address.region and the SCIM search filter requires that address.region eq TX, then this filter must include (st = TX) instead of (address.region = TX).

      --set sort-order

      Specifies whether to sort ascending (+) or descending (-) and the LDAP attribute to sort by.

      If the SCIM search does not specify the sortBy parameter, specify the sort order as +entryUUID.
      Recall the original, decoded SCIM search, shown here:
      https://<pingauthorize-hostname>:<pingauthorize-port>/scim/v2/Users/?filter=st eq "TX"&sortBy=sn&sortOrder=ascending
      For example, to create a VLV index for that search, run the following command:
      $ dsconfig create-local-db-vlv-index --index-name sn \
      --backend-name userRoot --set base-dn:ou=people,dc=example,dc=com \ 
      --set scope:whole-subtree \
      --set filter:"(&(objectclass=inetorgperson)(st=TX))" --set sort-order:+sn
    2. Stop the server. Rebuild the index. Start the server. Run the rebuild-index command specifying the baseDN and the name of the index.
      $ rebuild-index --baseDN <baseDN-value> --index <name-of-index>
      For example, run these commands:
      $ stop-server
      $ rebuild-index --baseDN dc=example,dc=com --index
      $ start-server
  3. Run your SCIM search filter.

    The search can include only the filter you specified with --set filter in the earlier step without the "(objectclass=<name-of-store-adapter-objectclass>)" portion.

    In addition to the Virtual List View request control, PingAuthorize adds a Server Side request control to the LDAP request. These request controls require certain parameters be set. To satisfy this requirement, PingAuthorize uses the following parameters. If the client does not provide values for one of the parameters, the search uses the corresponding default value shown in the following table.

    Parameter Default




    The value of the lookthrough-limit property of the SCIM resource type being searched. That default is 500.



    With this default, the results appear unsorted.