The default scim-resources.xml configuration maps the SCIM resource ID to the LDAP entryUUID attribute. The entryUUID attribute, whose read-only value is assigned by the server, meets the requirements of the SCIM specification regarding resource ID immutability. However, mapping the resource ID to entryUUID can result in inefficient group processing, since LDAP groups use the entry DN as the basis of group membership. The resource configuration also allows the SCIM resource ID to be mapped to the LDAP entry DN. However, the entry DN does not meet the requirements of the SCIM specification regarding resource ID immutability, because LDAP permits entries to be renamed or moved, thus modifying the DN. Likewise, you can use the Identity Access API to change the value of an entry's RDN attribute, thereby triggering a MODDN operation.

A resource can also be configured such that its SCIM resource ID is provided by an arbitrary attribute in the request body during POST operations. This SCIM attribute must be mapped to an LDAP attribute so that the SCIM resource ID can be stored in the server. By default, it is the responsibility of the SCIM client to guarantee ID uniqueness. However, the UID Unique Attribute Plugin can be used by the server to enforce attribute value uniqueness. For information about the UID Unique Attribute Plugin, see "Working with the UID Unique Attribute plugin" in the PingDirectory Server Administration Guide.
<resourceIDMapping> Element".
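
The following Python sketch is an added example, not PingDirectory code or configuration. It models the two risks described above: a DN-based resource ID that goes stale and can be reassigned after a MODDN, and a client-supplied ID that collides when the server does not enforce uniqueness. The `Directory` class, the `scimId` attribute name, and all DNs and ID values are constructed for illustration.

```python
import uuid

class Directory:
    """Constructed in-memory model of an LDAP server; not PingDirectory code."""
    def __init__(self, enforce_unique_ids=False):
        self.entries = {}  # DN -> entry
        self.enforce_unique_ids = enforce_unique_ids  # models a uniqueness plugin

    def add(self, dn, client_id=None):
        if dn in self.entries:
            raise ValueError("entry already exists: " + dn)
        if client_id and self.enforce_unique_ids and self.find("scimId", client_id):
            raise ValueError("duplicate resource ID: " + client_id)
        entry = {"dn": dn, "entryUUID": str(uuid.uuid4()), "scimId": client_id}
        self.entries[dn] = entry
        return entry

    def moddn(self, old_dn, new_dn):
        entry = self.entries.pop(old_dn)  # rename or move: the DN changes
        entry["dn"] = new_dn              # entryUUID is untouched
        self.entries[new_dn] = entry

    def find(self, attr, value):
        return [e for e in self.entries.values() if e[attr] == value]

def rename_then_reuse():
    d = Directory()
    alice = d.add("uid=asmith,ou=People,dc=example,dc=com")
    id_dn, id_uuid = alice["dn"], alice["entryUUID"]  # IDs a client cached
    d.moddn(id_dn, "uid=ajones,ou=People,dc=example,dc=com")
    stale = d.find("dn", id_dn) == []                 # DN-based ID is dead
    stable = d.find("entryUUID", id_uuid) == [alice]  # UUID-based ID still works
    other = d.add(id_dn)                              # new entry takes the old DN
    reassigned = d.find("dn", id_dn) == [other]       # cached ID now hits it
    return stale, stable, reassigned

def client_id_collision(enforce):
    d = Directory(enforce_unique_ids=enforce)
    d.add("uid=a,dc=example,dc=com", client_id="emp-1001")
    try:
        d.add("uid=b,dc=example,dc=com", client_id="emp-1001")
    except ValueError:
        return "rejected"
    return len(d.find("scimId", "emp-1001"))  # entries answering to one ID

if __name__ == "__main__":
    print(rename_then_reuse())
    print(client_id_collision(False))
    print(client_id_collision(True))
```

A SCIM client that cached the DN-based ID would, after the rename and reuse, act on a different entry than the one it originally provisioned, which is the case the immutability requirement exists to prevent.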