This example shows how to add a simple mapping SCIM 2.0 resource type to a PingDirectory Server, backed by the device LDAP objectclass. This example assumes that you have already created an encryption-settings definition for the current server using the encryption-settings command-line tool.

  1. Configure the SCIM2 HTTP Servlet Extension to use a Mock Access Token Validator. Remember that Mock Access Token Validators should never be used in production environments or with sensitive data.
    dsconfig create-access-token-validator \
        --validator-name "SCIM2 Mock Validator"  \
        --type mock  \
        --set enabled:true
    dsconfig set-http-servlet-extension-prop \
        --extension-name SCIM2  \
        --set "access-token-validator:SCIM2 Mock Validator"
    
  2. Add the LDAP entries that will be mapped to the SCIM resource type to the PingDirectory Server. Create a file named devices.ldif with the following contents.
    dn: ou=Devices,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: Devices
    
    dn: cn=device.0,ou=Devices,dc=example,dc=com
    objectClass: top
    objectClass: device
    cn: device.0
    description: Description for device.0
    
    dn: cn=device.1,ou=Devices,dc=example,dc=com
    objectClass: top
    objectClass: device
    cn: device.1
    description: Description for device.1
    
  3. Use the ldapmodify tool to load the devices.ldif file.
    ldapmodify --defaultAdd --filename devices.ldif
  4. Before creating the SCIM resource type, create the SCIM schema that the resource type will use.
    dsconfig create-scim-schema \
      --schema-name urn:pingidentity:schemas:Device:1.0 \
      --set display-name:Device
    
  5. Under this schema, add the string attributes name and description.
    dsconfig create-scim-attribute \
      --schema-name urn:pingidentity:schemas:Device:1.0 \
      --attribute-name name \
      --set required:true
    dsconfig create-scim-attribute \
      --schema-name urn:pingidentity:schemas:Device:1.0 \
      --attribute-name description
    
  6. Create the LDAP mapping SCIM resource type on the PingDirectory Server.
    dsconfig create-scim-resource-type \
      --type-name Devices \
      --type ldap-mapping \
      --set enabled:true \
      --set endpoint:Devices \
      --set structural-ldap-objectclass:device \
      --set include-base-dn:ou=Devices,dc=example,dc=com \
      --set lookthrough-limit:500 \
      --set core-schema:urn:pingidentity:schemas:Device:1.0
    
  7. Map the two SCIM attributes to the corresponding LDAP attributes. The following commands map the SCIM name attribute to the LDAP cn attribute, and map the SCIM description attribute to the LDAP description attribute.
    dsconfig create-scim-attribute-mapping \
      --type-name Devices \
      --mapping-name name \
      --set scim-resource-type-attribute:name \
      --set ldap-attribute:cn \
      --set searchable:true
    dsconfig create-scim-attribute-mapping \
      --type-name Devices \
      --mapping-name description \
      --set scim-resource-type-attribute:description \
      --set ldap-attribute:description
    
  8. Send the following request to the SCIM /ResourceTypes endpoint to confirm that the new resource type has been added.
    curl -k -X GET \
      https://localhost:8443/scim/v2/ResourceTypes \
      -H 'Authorization: Bearer {"active":true}'
    
  9. The following JSON object should appear in the response in the “Resources” array:
      ...
      "Resources": [{  
        "schemas":["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
        "id":"Devices",
        "name":"Devices",
        "endpoint":"Devices",
        "schema":"urn:pingidentity:schemas:Device:1.0",
        "meta":{
          "resourceType":"ResourceType",
          "location":"https://localhost:8443/scim/v2/ResourceTypes/Devices" 
        }
      }]
      ...
    }
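
The warning in step 1 can be enforced before a configuration script reaches production. The following added example, which is not part of the original page or of Ping Identity's tooling, scans a dsconfig script for mock access token validators and for HTTP servlet extensions that reference them. The function names and the sample script are assumptions constructed for illustration.

```python
import shlex

# Constructed sample: the step 1 commands plus one unrelated command.
SAMPLE_SCRIPT = r'''
dsconfig create-access-token-validator \
    --validator-name "SCIM2 Mock Validator" --type mock --set enabled:true
dsconfig set-http-servlet-extension-prop \
    --extension-name SCIM2 \
    --set "access-token-validator:SCIM2 Mock Validator"
dsconfig create-scim-schema \
    --schema-name urn:pingidentity:schemas:Device:1.0 --set display-name:Device
'''

def parse_commands(script):
    """Join backslash-continued lines and return the argv of each dsconfig call."""
    cmds = []
    for line in script.replace("\\\n", " ").splitlines():
        argv = shlex.split(line, comments=True)
        if argv and argv[0] == "dsconfig":
            cmds.append(argv[1:])  # argv[1:] starts with the subcommand
    return cmds

def options(argv):
    """Return (flag -> value dict, list of (property, value) from --set)."""
    opts, sets = {}, []
    for flag, value in zip(argv[1:], argv[2:]):
        if flag == "--set":
            prop, _, val = value.partition(":")
            sets.append((prop, val))
        elif flag.startswith("--"):
            opts[flag] = value
    return opts, sets

def find_mock_validators(script):
    """Report mock validators and the servlet extensions that reference them."""
    parsed = [(argv[0],) + options(argv) for argv in parse_commands(script)]
    mocks = {o.get("--validator-name", "") for sub, o, _ in parsed
             if sub == "create-access-token-validator" and o.get("--type") == "mock"}
    findings = [("mock-validator", name) for name in sorted(mocks)]
    for sub, opts, sets in parsed:
        if sub == "set-http-servlet-extension-prop":
            for prop, val in sets:
                if prop == "access-token-validator" and val in mocks:
                    findings.append(("extension-uses-mock", opts.get("--extension-name")))
    return findings

if __name__ == "__main__":
    print(find_mock_validators(SAMPLE_SCRIPT))
```

An empty result means the script neither creates a mock validator nor attaches one to a servlet extension; any finding is a reason to block the script from a production pipeline.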