This example demonstrates the addition of a simple mapped SCIM resource type, backed by the standard device object class of a PingDirectory Server.
To add data to PingDirectory Server, create a file named devices.ldif with the following contents:
dn: ou=Devices,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Devices

dn: cn=device.0,ou=Devices,dc=example,dc=com
objectClass: top
objectClass: device
cn: device.0
description: Description for device.0

dn: cn=device.1,ou=Devices,dc=example,dc=com
objectClass: top
objectClass: device
cn: device.1
description: Description for device.1

Use the ldapmodify tool to load the data file.
PingDirectory/bin/ldapmodify --defaultAdd --filename devices.ldif
Start configuring PingAuthorize Server by adding a store adapter.
dsconfig create-store-adapter \
--adapter-name DeviceStoreAdapter \
--type ldap \
--set enabled:true \
--set "load-balancing-algorithm:User Store LBA" \
--set structural-ldap-objectclass:device \
--set include-base-dn:ou=devices,dc=example,dc=com \
--set include-operational-attribute:createTimestamp \
--set include-operational-attribute:modifyTimestamp \
--set create-dn-pattern:entryUUID=server-generated,ou=devices,dc=example,dc=com
The previous command creates a store adapter that handles LDAP entries found under the base DN ou=devices,dc=example,dc=com with the object class device. This example uses the user store load-balancing algorithm that is created when you use the create-initial-config tool to set up a users SCIM resource type.
The following command creates a SCIM schema for devices with the schema URN urn:pingidentity:schemas:Device:1.0:
dsconfig create-scim-schema \
--schema-name urn:pingidentity:schemas:Device:1.0 \
--set display-name:Device
Under this schema, add the string attributes name and description.
dsconfig create-scim-attribute \
--schema-name urn:pingidentity:schemas:Device:1.0 \
--attribute-name name \
--set required:true
dsconfig create-scim-attribute \
--schema-name urn:pingidentity:schemas:Device:1.0 \
--attribute-name description
After you create a store adapter and schema, create the SCIM resource type.
dsconfig create-scim-resource-type \
--type-name Devices \
--type mapping \
--set enabled:true \
--set endpoint:Devices \
--set primary-store-adapter:DeviceStoreAdapter \
--set lookthrough-limit:500 \
--set core-schema:urn:pingidentity:schemas:Device:1.0
Map the two SCIM attributes to the corresponding LDAP attributes. The following commands map the SCIM name attribute to the LDAP cn attribute, and map the SCIM description attribute to the LDAP description attribute:
dsconfig create-store-adapter-mapping \
--type-name Devices \
--mapping-name name \
--set scim-resource-type-attribute:name \
--set store-adapter-attribute:cn \
--set searchable:true
dsconfig create-store-adapter-mapping \
--type-name Devices \
--mapping-name description \
--set scim-resource-type-attribute:description \
--set store-adapter-attribute:description
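To confirm that the new resource type has been added, send the following request to the SCIM resource types endpoint (the -k option disables TLS certificate verification, which suits a test server with a self-signed certificate):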
curl -k https://localhost:8443/scim/v2/ResourceTypes/Devices
The response is:
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
  "id": "Devices",
  "name": "Devices",
  "endpoint": "Devices",
  "schema": "urn:pingidentity:schemas:Device:1.0",
  "meta": {
    "resourceType": "ResourceType",
    "location": "https://localhost:8443/scim/v2/ResourceTypes/Devices"
  }
}
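The following Python sketch is an added illustration, not PingAuthorize code or part of the original documentation: it models how the store adapter scope (base DN and object class) and the two attribute mappings configured above turn the entries from devices.ldif into Device resources. The function names are hypothetical, and the resource shape is simplified to the schema URN plus the two mapped attributes; a real SCIM resource also carries fields such as id and meta.

```python
# Added illustration: simplified model of the configuration above, not PingAuthorize code.
SCHEMA_URN = "urn:pingidentity:schemas:Device:1.0"
BASE_DN = "ou=devices,dc=example,dc=com"                 # include-base-dn
STRUCTURAL_OC = "device"                                 # structural-ldap-objectclass
MAPPINGS = {"name": "cn", "description": "description"}  # SCIM attribute -> LDAP attribute
REQUIRED = {"name"}                                      # required:true on the name attribute
# Sample data: devices.ldif from above, with the "objectClass: top" lines omitted for brevity.
LDIF = """\
dn: ou=Devices,dc=example,dc=com
objectClass: organizationalUnit
ou: Devices

dn: cn=device.0,ou=Devices,dc=example,dc=com
objectClass: device
cn: device.0
description: Description for device.0

dn: cn=device.1,ou=Devices,dc=example,dc=com
objectClass: device
cn: device.1
description: Description for device.1
"""

def parse_ldif(text):
    """Split LDIF into blank-line separated entries; attribute names are lowercased."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def in_adapter_scope(entry):
    """True when the entry sits below the base DN and has the adapter's object class."""
    classes = {oc.lower() for oc in entry.get("objectclass", [])}
    return entry["dn"][0].lower().endswith("," + BASE_DN) and STRUCTURAL_OC in classes

def to_scim(entry):
    """Apply the two mappings; LDAP attributes without a mapping are not copied."""
    resource = {"schemas": [SCHEMA_URN]}
    resource.update({s: entry[l][0] for s, l in MAPPINGS.items() if l in entry})
    missing = REQUIRED - resource.keys()
    if missing:
        raise ValueError(f"missing required attribute(s): {sorted(missing)}")
    return resource

def devices():
    return [to_scim(e) for e in parse_ldif(LDIF) if in_adapter_scope(e)]
```

Calling devices() returns two resources; the ou=Devices container entry is skipped because it does not have the device object class, and objectClass never appears in the output because it has no mapping.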
For a more advanced example of a mapped SCIM resource type, see the example User schema in PingAuthorize/resource/starter-schemas.