This example shows how to add a simple mapping SCIM 2.0 resource type to a PingDirectory server, backed by the inetOrgPerson LDAP objectclass. This example assumes that the server has been configured using the default settings, meaning that sample data has been imported into the server and that data encryption has been set up.
-
Create the SCIM schema that the resource type will use:
dsconfig create-scim-schema \
    --schema-name urn:pingidentity:schemas:User:1.0 \
    --set display-name:User
-
Under this schema, add the following SCIM attributes.
dsconfig create-scim-attribute \
    --schema-name urn:pingidentity:schemas:User:1.0 \
    --attribute-name displayName

dsconfig create-scim-attribute \
    --schema-name urn:pingidentity:schemas:User:1.0 \
    --attribute-name name \
    --set type:complex

dsconfig create-scim-subattribute \
    --schema-name urn:pingidentity:schemas:User:1.0 \
    --attribute-name name \
    --subattribute-name familyName

dsconfig create-scim-subattribute \
    --schema-name urn:pingidentity:schemas:User:1.0 \
    --attribute-name name \
    --subattribute-name formatted

dsconfig create-scim-attribute \
    --schema-name urn:pingidentity:schemas:User:1.0 \
    --attribute-name userName
-
Create the LDAP mapping SCIM resource type on the PingDirectory server. The core-schema value must be the schema name created in the first step, and include-base-dn restricts which LDAP entries the resource type can expose.
dsconfig create-scim-resource-type \
    --type-name Users \
    --type ldap-mapping \
    --set enabled:true \
    --set endpoint:Users \
    --set structural-ldap-objectclass:inetOrgPerson \
    --set include-base-dn:ou=People,dc=example,dc=com \
    --set lookthrough-limit:500 \
    --set core-schema:urn:pingidentity:schemas:User:1.0
-
Run the following commands to create the SCIM attribute mappings. Only mappings marked searchable:true can be used in SCIM filter expressions; displayName is deliberately left read-only for filtering.
dsconfig create-scim-attribute-mapping \
    --type-name Users \
    --mapping-name displayName \
    --set scim-resource-type-attribute:displayName \
    --set ldap-attribute:displayName

dsconfig create-scim-attribute-mapping \
    --type-name Users \
    --mapping-name name.formatted \
    --set scim-resource-type-attribute:name.formatted \
    --set ldap-attribute:cn \
    --set searchable:true

dsconfig create-scim-attribute-mapping \
    --type-name Users \
    --mapping-name name.familyName \
    --set scim-resource-type-attribute:name.familyName \
    --set ldap-attribute:sn \
    --set searchable:true

dsconfig create-scim-attribute-mapping \
    --type-name Users \
    --mapping-name userName \
    --set scim-resource-type-attribute:userName \
    --set ldap-attribute:uid \
    --set searchable:true
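The following Python script is an added illustration, not PingDirectory code, of what the four attribute mappings above mean for the server's behaviour: it models the mappings as a table, projects a constructed inetOrgPerson entry into a SCIM resource under the configured core schema, and translates a simple SCIM `eq` filter into an LDAP search filter. The translation refuses attributes that are not mapped or not marked searchable, and escapes the value per RFC 4515 so that a filter value such as `*)(uid=*` cannot be used to widen the search (the real server's escaping and filter grammar are not shown on this page; the regex grammar and the structural-objectclass conjunction here are assumptions).

```python
import json
import re

# Constructed model of the dsconfig mappings created above (assumption:
# the page's four mappings, with displayName not searchable).
MAPPINGS = {
    "displayName":     {"ldap": "displayName", "searchable": False},
    "name.formatted":  {"ldap": "cn",          "searchable": True},
    "name.familyName": {"ldap": "sn",          "searchable": True},
    "userName":        {"ldap": "uid",         "searchable": True},
}
CORE_SCHEMA = "urn:pingidentity:schemas:User:1.0"
STRUCTURAL_OBJECTCLASS = "inetOrgPerson"


def ldap_to_scim(entry):
    """Project an LDAP entry (attribute -> list of values) into a SCIM
    resource, creating complex sub-objects for dotted attribute paths."""
    resource = {"schemas": [CORE_SCHEMA]}
    for scim_path, mapping in MAPPINGS.items():
        values = entry.get(mapping["ldap"])
        if not values:
            continue
        *parents, leaf = scim_path.split(".")
        node = resource
        for parent in parents:
            node = node.setdefault(parent, {})
        node[leaf] = values[0]  # single-valued mappings only (assumption)
    return resource


def escape_ldap_value(value):
    """RFC 4515 escaping: *, (, ), \\ and NUL become \\XX hex escapes so
    the value cannot alter the structure of the search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


# Minimal SCIM filter grammar for this example: <attr> eq "<value>".
FILTER_RE = re.compile(r'^\s*([A-Za-z][\w.]*)\s+eq\s+"((?:[^"\\]|\\.)*)"\s*$')


def scim_filter_to_ldap(scim_filter):
    """Translate a SCIM eq filter into an LDAP filter, honouring the
    searchable flag and escaping the literal value."""
    match = FILTER_RE.match(scim_filter)
    if match is None:
        raise ValueError("unsupported filter: %r" % scim_filter)
    attr, raw = match.group(1), match.group(2)
    mapping = MAPPINGS.get(attr)
    if mapping is None:
        raise ValueError("unknown SCIM attribute: %s" % attr)
    if not mapping["searchable"]:
        raise ValueError("attribute is not searchable: %s" % attr)
    value = json.loads('"' + raw + '"')  # undo SCIM string escaping
    return "(&(objectClass=%s)(%s=%s))" % (
        STRUCTURAL_OBJECTCLASS, mapping["ldap"], escape_ldap_value(value))


if __name__ == "__main__":
    # Constructed sample entry, not data from the server.
    entry = {"uid": ["jdoe"], "cn": ["John Doe"], "sn": ["Doe"],
             "displayName": ["John"]}
    print(json.dumps(ldap_to_scim(entry), indent=2))
    print(scim_filter_to_ldap('userName eq "jdoe"'))
    print(scim_filter_to_ldap('userName eq "*)(uid=*"'))
```

Because displayName has no searchable:true, a filter on it is rejected outright rather than silently turned into an LDAP search, which is the behaviour the mapping configuration is meant to enforce.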
-
Configure the SCIM2 HTTP Servlet Extension to use a Mock Access Token Validator so that the endpoint can be exercised without an OAuth authorization server. A mock validator accepts whatever the client presents as the bearer token (in the request below, simply a JSON object asserting "active":true) without checking a signature, issuer or expiry, so any client can claim any identity. Mock Access Token Validators must never be used in production environments or with sensitive data; replace the mock validator with a real one before exposing the endpoint.
dsconfig create-access-token-validator \
    --validator-name "SCIM2 Mock Validator" \
    --type mock \
    --set enabled:true

dsconfig set-http-servlet-extension-prop \
    --extension-name SCIM2 \
    --set "access-token-validator:SCIM2 Mock Validator"
-
Send the following request to the SCIM /ResourceTypes endpoint to confirm that the new resource type has been added. The -k option disables TLS certificate verification for this request, which is acceptable only against a local test instance.
curl -k -X GET \
    https://localhost:8443/scim/v2/ResourceTypes \
    -H 'Authorization: Bearer {"active":true}'
-
The following JSON object should appear in the response in the "Resources" array. The "schema" value must match the core-schema set on the resource type; if it does not, the resource type was created against a schema name that differs from the one defined in the first step.
{
  ...
  "Resources": [{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
    "id": "Users",
    "name": "Users",
    "endpoint": "Users",
    "schema": "urn:pingidentity:schemas:User:1.0",
    "meta": {
      "resourceType": "ResourceType",
      "location": "https://localhost:8443/scim/v2/ResourceTypes/Users"
    }
  }]
  ...
}
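As an added example (not part of the original page or of PingDirectory), the script below checks a /ResourceTypes response against the values configured in the steps above, so the verification can be scripted instead of eyeballed: it finds the resource type by id and reports every mismatch in endpoint, core schema or meta.location. The response it runs on is constructed inline from the expected JSON; to use it against a live server, feed it the body returned by the curl request.

```python
import json

# What the dsconfig steps above configured (assumed values taken from this page).
EXPECTED = {
    "id": "Users",
    "endpoint": "Users",
    "schema": "urn:pingidentity:schemas:User:1.0",
    "base_url": "https://localhost:8443/scim/v2",
}


def find_resource_type(response, type_id):
    """Return the ResourceType entry with the given id, or None."""
    for resource in response.get("Resources", []):
        if resource.get("id") == type_id:
            return resource
    return None


def check_resource_type(response, expected=EXPECTED):
    """Return a list of human-readable problems; empty means the resource
    type is present and consistent with the configuration."""
    problems = []
    resource = find_resource_type(response, expected["id"])
    if resource is None:
        return ["resource type %r not listed" % expected["id"]]
    if resource.get("endpoint") != expected["endpoint"]:
        problems.append("endpoint is %r, expected %r"
                        % (resource.get("endpoint"), expected["endpoint"]))
    if resource.get("schema") != expected["schema"]:
        problems.append("schema is %r, expected %r (check core-schema)"
                        % (resource.get("schema"), expected["schema"]))
    want_location = "%s/ResourceTypes/%s" % (expected["base_url"], expected["id"])
    if resource.get("meta", {}).get("location") != want_location:
        problems.append("meta.location is %r, expected %r"
                        % (resource.get("meta", {}).get("location"), want_location))
    return problems


# Constructed sample response mirroring the expected output above.
SAMPLE_RESPONSE = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 1,
  "Resources": [{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
    "id": "Users",
    "name": "Users",
    "endpoint": "Users",
    "schema": "urn:pingidentity:schemas:User:1.0",
    "meta": {
      "resourceType": "ResourceType",
      "location": "https://localhost:8443/scim/v2/ResourceTypes/Users"
    }
  }]
}
""")

if __name__ == "__main__":
    problems = check_resource_type(SAMPLE_RESPONSE)
    print("OK" if not problems else "\n".join(problems))
```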