When a System for Cross-domain Identity Management (SCIM) Sync Destination needs to synchronize a change to a SCIM resource on the destination SCIM server, it must first fetch the destination resource. If the destination resource ID is known, the resource will be retrieved by its ID. If not, a search is performed using the mapped destination correlation attributes. Configuring this requires coordination between the Sync Class and the scim-resources.xml mapping file.
The scim-resources.xml mapping file treats the value of the <resourceIDMapping> element's ldapAttribute attribute as the SCIM ID of the source entry. If this value is also listed as a value of the Sync Class's destination-correlation-attributes property, then the value of this LDAP attribute is used as the SCIM ID of the destination resource.
If no value of destination-correlation-attributes matches the <resourceIDMapping> element's ldapAttribute attribute, the SCIM ID of the destination resource is considered unknown. In this case, the SCIM Sync Destination treats the values of destination-correlation-attributes as search terms, using them to construct a filter for finding the destination resource. Each value of destination-correlation-attributes will be mapped to a corresponding SCIM attribute name, and equality matches will be used in the resulting filter.
If the ldapAttribute value is not listed as a destination correlation attribute, this setting is not used by PingDataSync.
The following table illustrates an LDAPSearch element that contains a resourceIDMapping element:
Method for retrieving SCIM resource | Condition | Example condition | Example request |
---|---|---|---|
Retrieve resource directly | Used if a | ldapAttribute="mail" createdBy="directory"/> | GET scim/Users/person@example.com |
Retrieve resource using search | Used if no | | |
The unique ID of a destination SCIM resource will most likely be unknown, and the search method will need to be used. However, not all SCIM service providers support the use of filters. Therefore, not all SCIM service providers might be usable as SCIM Sync Destinations.
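The following sketch walks through the lookup decision described above and shows the value encoding each branch needs. It is an added example, not PingDataSync code: the function name, the LDAP-to-SCIM name mapping, the single-valued entry, and joining filter terms with "and" are all assumptions.

```python
import json
from urllib.parse import quote

# Constructed LDAP-to-SCIM attribute name mapping (assumption: in a real
# deployment these names come from scim-resources.xml).
LDAP_TO_SCIM = {"uid": "userName", "sn": "name.familyName"}


def build_fetch_request(resource_id_ldap_attr, correlation_attrs, entry,
                        endpoint="scim/Users", ldap_to_scim=LDAP_TO_SCIM):
    """Return (method, path, query) for fetching the destination resource.

    entry maps LDAP attribute names to single string values (assumption).
    """
    if not correlation_attrs:
        raise ValueError("destination-correlation-attributes is empty")
    # LDAP attribute names are case-insensitive.
    values = {k.lower(): v for k, v in entry.items()}
    names = {k.lower(): v for k, v in ldap_to_scim.items()}
    id_attr = resource_id_ldap_attr.lower()

    # Case 1: the resourceIDMapping ldapAttribute is a correlation attribute,
    # so its value is the destination SCIM ID and the resource is read by ID.
    if id_attr in {a.lower() for a in correlation_attrs}:
        if not values.get(id_attr):
            raise ValueError(f"source entry has no value for {id_attr}")
        # Percent-encode '/', '?', '#' and friends so the value stays a
        # single path segment; '@' is legal in a segment and left as is.
        return ("GET", f"{endpoint}/{quote(values[id_attr], safe='@')}", {})

    # Case 2: the SCIM ID is unknown; search with one equality term per
    # correlation attribute. Joining with "and" is an assumption.
    terms = []
    for attr in correlation_attrs:
        key = attr.lower()
        if key not in names or not values.get(key):
            # Fail closed: dropping a term would widen the match.
            raise ValueError(f"cannot build a filter term for {attr}")
        # json.dumps quotes the value and escapes '"' and '\', so the
        # value cannot close the string and add filter operators.
        terms.append(f"{names[key]} eq {json.dumps(values[key], ensure_ascii=False)}")
    return ("GET", endpoint, {"filter": " and ".join(terms)})
```

The returned query dictionary still has to be URL-encoded by the HTTP client that sends the request.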