The PingDirectory Server, PingDirectoryProxy Server, and PingDataSync Server support an extension to the SCIM standard called the Identity Access API. The Identity Access API provides an alternative to LDAP by supporting CRUD (create, read, update, and delete) operations to access directory server data over an HTTP connection.
SCIM and the Identity Access API are provided as a unified service through the SCIM HTTP
Servlet Extension. The SCIM HTTP Servlet Extension can be configured to only enable core SCIM
resources (e.g., 'Users' and 'Groups'), only LDAP object classes (e.g., top
,
domain
, inetOrgPerson
, or
groupOfUniqueNames
), or both. Because SCIM and the Identity Access API have
different schemas, if both are enabled, there may be two representations with different schemas
for any resources defined in the scim-resources.xml file: the SCIM
representation and the raw LDAP representation. Likewise, because resources are exposed by an
LDAP object class, and because these are hierarchical (e.g., top
-->
person
--> organizationalPerson
-->
inetOrgPerson
, etc.), a client application can access an entry in multiple ways
due to the different paths/URIs to a given resource.
This chapter provides information on configuring the SCIM and the Identity Access API services on the PingDirectory Server.