The following example shows how to add a correlated LDAP data view to a LDAP Mapping SCIM Resource Type on a PingDirectory Server. The SCIM Resource Type will be a user, and the correlated LDAP data view will allow access to a document that matches their user ID.

For this examplel, we will use custom sample data, and then set up a new PingDirectory Server using this sample data.

  1. Copy the following text and save it as entries.ldif.template.
    define suffix=dc=example,dc=com
    define maildomain=example.com
    define numusers=101
    
    branch: [suffix]
    subordinateTemplate: admin:1
    aci: (targetattr="*")(version 3.0; acl "Grant full access for the scim2allaccess OAuth 2 scope"; allow (all) oauthscope="scim2allaccess";)
    
    branch: ou=People,[suffix]
    subordinateTemplate: person:[numusers]
    
    branch: ou=Documents,[suffix]
    subordinateTemplate: document:[numusers]
    
    template: admin
    rdnAttr: uid
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    uid: admin
    givenName: Admin
    sn: User
    cn: Admin User
    userPassword: password
    
    template: person
    rdnAttr: uid
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    employeeNumber: <sequential:0>
    uid: user.{employeeNumber}
    sn: {uid}
    cn: {uid}
    userPassword: password
    
    template: document
    rdnAttr: documentIdentifier
    objectClass: top
    objectClass: document
    documentIdentifier: user.<sequential:0>
    description: This is the description for the document {documentIdentifier} under ou=Documents,dc=example,dc=com.
  2. Run the following command:
    $ bin/make-ldif --templateFile entries.ldif.template --ldifFile entries.ldif
  3. Run setup for the PingDirectory Server. Make sure to import the created entries.ldif file, as well as set up encryption settings. After this is done, we will set up the SCIM resource type and the Correlated LDAP Data View.
  4. Run the following command to define the SCIM schema:
    "dsconfig create-scim-schema --schema-name urn:example:Users \
      --set "description:Users schema" --set display-name:Users
    dsconfig create-scim-attribute --schema-name urn:example:Users \
      --attribute-name email --set required:true --set multi-valued:true
    dsconfig create-scim-attribute --schema-name urn:example:Users \
      --attribute-name uid --set required:true --set mutability:read-only
    dsconfig create-scim-attribute --schema-name urn:example:Users \
      --attribute-name documentId 
    dsconfig create-scim-attribute --schema-name urn:example:Users \
      --attribute-name documentDescription"
  5. Run the following command to create the SCIM resource type:
    dsconfig create-scim-resource-type \
      --type-name Users \
      --type ldap-mapping \
      --set core-schema:urn:example:Users \
      --set enabled:true \
      --set endpoint:Users \
      --set structural-ldap-objectclass:inetOrgPerson \
      --set include-base-dn:ou=people,dc=example,dc=com \
      --set create-dn-pattern:entryUUID=generated,ou=people,dc=example,dc=com
  6. Run the following command to create the Correlated LDAP Data View:
    dsconfig create-correlated-ldap-data-view \
      --type-name Users \
      --view-name Document \
      --set structural-ldap-objectclass:document \
      --set include-base-dn:ou=documents,dc=example,dc=com \
      --set create-dn-pattern:entryUUID=generated,ou=documents,dc=example,dc=com \
      --set primary-correlation-attribute:uid \
      --set secondary-correlation-attribute:documentIdentifier
  7. Run the following command to create the attribute mappings for the SCIM resource type attributes. Note that the correlated-ldap-data-view property is not set.
    # The uid attribute, provided by the base SCIM Resource Type
    dsconfig create-scim-attribute-mapping --type-name Users \
      --mapping-name uid \
      --set scim-resource-type-attribute:uid --set ldap-attribute:uid \
      --set writable:false --set searchable:true
    
    # The email attribute, provided by the base SCIM Resource Type
    dsconfig create-scim-attribute-mapping --type-name Users \
      --mapping-name email \
      --set scim-resource-type-attribute:email --set ldap-attribute:mail \
      --set searchable:true
  8. Run the following command to create the DocumentId attribute mapping for the correlated LDAP data view attributes. The only real difference between mappings for SCIM resource type attributes and correlated LDAP data view attributes is the value of the correlated-ldap-data-view property.
    # The documentId attribute
    dsconfig create-scim-attribute-mapping --type-name Users \
      --mapping-name document.id \
      --set correlated-ldap-data-view:Document \
      --set scim-resource-type-attribute:documentId --set ldap-attribute:documentIdentifier
    
    # The documentDescription attribute
    dsconfig create-scim-attribute-mapping --type-name Users \
      --mapping-name description \
      --set correlated-ldap-data-view:Document \
      --set scim-resource-type-attribute:documentDescription \
      --set ldap-attribute:description
  9. This example uses a Mock Access Token Validator. This should not be done for production environments.
    # Create a Mock Access Token Validator
    dsconfig create-access-token-validator --validator-name "Mock ATV" \
      --type mock --set enabled:true --set evaluation-order-index:1000
    # Configure SCIM 2 HTTP Servlet Extension to use Mock Access Token Val.
    dsconfig set-http-servlet-extension-prop --extension-name SCIM2 \
      --set "access-token-validator:Mock ATV"
  10. Run the following command to send a SCIM request
    curl -k -X GET \
      https://localhost:8443/scim/v2/Users \
      -H 'Authorization: Bearer {"active":true, "scope":"scim2allaccess"}'
    The response should look similar to the following. Notice that 'uid' and 'documentId' have the same value, since they are in a correlation attribute pair.
    {
        "schemas": [
            "urn:ietf:params:scim:api:messages:2.0:ListResponse"
        ],
        "totalResults": 101,
        "Resources": [
            {
                "uid": "user.8",
                "id": "3715c022-1f34-36d9-bebc-7e74912106ec",
                "documentDescription": "This is the description \
                for the document user.8 under ou=Documents,dc=example,dc=com.,
                "documentId": "user.8",
                "meta": {
                    "resourceType": "Users",
                    "location": "https://localhost:8443/scim/v2/Users/3715c022-1f34-36d9-bebc-7e74912106ec"
                },
                "schemas": [
                    "urn:example:Users"
                ]
            },
        ... 
    }