1. Sign on to the PingAuthorize Policy Editor using the URL and credentials from Accessing the GUIs.
  2. Click Policies.
  3. Expand Global Decision Point, SCIM Policy Set, Token Policies, and Scope Policies.
  4. Select Permitted Scopes.
  5. Click Components.
  6. From the Rules list, drag Permitted SCIM scope for user to the Rules section.
  7. To the right of the copied rule, click the hamburger menu.
  8. Click Replace with clone.
  9. Change the name to Scope: profile.
  10. To expand the rule, click +.
  11. Change the description to "Rule that permits a SCIM user to access a subset of its own profile attributes if the access token contains the profile scope."
  12. In the HttpRequest.AccessToken.scope row of the Condition section, type profile in the CHANGEME field.
  13. Within the rule, click Show "Applies to".
  14. From the Actions section, drag retrieve to the "Add definitions and targets, or drag from Components" box.
  15. Within the rule, click Show Statements.
  16. Next to Statements, click +.
  17. From the Statements list, drag Include profile attributes to the Statements section of the rule.

    This predefined statement includes a payload. If the condition for this rule is satisfied, the response includes the uid, sn, givenName, and description attributes.

  18. Click Save changes.

You now have a new profile scope, which should look like the following.

Screen capture of the Scope: profile rule with a permit effect, configured as specified with an Applies To target, two comparison Conditions, and an Include profile attributes statement, flagged as Obligatory
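
To sanity-check what the finished rule should and should not permit, the following added example (not PingAuthorize code and not part of the original procedure) models its logic in Python: the retrieve target, the profile scope condition, and the Include profile attributes statement. The function names, the `sub` and `mail` fields, and the reading of "its own profile" as token subject equal to the resource's uid are assumptions.

```python
# Added illustration, not PingAuthorize code. Names below are hypothetical.
PROFILE_ATTRIBUTES = ("uid", "sn", "givenName", "description")


def token_scopes(access_token):
    """Return the token's scopes as a set of exact scope names."""
    scope = access_token.get("scope", "")
    # OAuth 2.0 carries scope as one space-delimited string; some
    # introspection responses use a list instead. Accept both.
    return set(scope.split()) if isinstance(scope, str) else set(scope)


def evaluate_scope_profile(access_token, action, resource):
    """Model the rule: returns (permitted, filtered_resource_or_None)."""
    applies = action == "retrieve"  # the rule's "Applies to" target
    # Exact membership test: "profile_admin" must not satisfy "profile".
    has_scope = "profile" in token_scopes(access_token)
    # Assumption: "its own profile" means token subject == resource uid.
    sub = access_token.get("sub")
    is_self = sub is not None and sub == resource.get("uid")
    if not (applies and has_scope and is_self):
        return False, None
    # Include profile attributes statement: only the listed attributes.
    body = {k: resource[k] for k in PROFILE_ATTRIBUTES if k in resource}
    return True, body


# Constructed sample resource; "mail" is outside the profile attribute set.
USER = {"uid": "user.1", "sn": "Doe", "givenName": "Jane",
        "description": "Test user", "mail": "jane@example.com"}

if __name__ == "__main__":
    for scope in ("openid profile", "profile_admin", ["email"]):
        token = {"sub": "user.1", "scope": scope}
        print(scope, "->", evaluate_scope_profile(token, "retrieve", USER))
```

The same cases make a useful manual test plan against the saved policy: a token with the profile scope, one with a similarly named scope, one for a different user, and a non-retrieve action.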