This example shows how to add a simple LDAP mapping SCIM 2.0 resource type, backed by the inetOrgPerson LDAP objectclass, to a PingDirectory Server. It assumes that the PingDirectory Server has been configured using the default settings, meaning that sample data has been imported into the server and that data encryption has been set up.

  1. Create the SCIM schema that the resource type will use:
    dsconfig create-scim-schema \
      --schema-name urn:pingidentity:schemas:User:1.0 \
      --set display-name:User
  2. Under this schema, add the following SCIM attributes.
    dsconfig create-scim-attribute \
      --schema-name urn:pingidentity:schemas:User:1.0 \
      --attribute-name displayName

    dsconfig create-scim-attribute \
      --schema-name urn:pingidentity:schemas:User:1.0 \
      --attribute-name name \
      --set type:complex

    dsconfig create-scim-subattribute \
      --schema-name urn:pingidentity:schemas:User:1.0 \
      --attribute-name name \
      --subattribute-name familyName

    dsconfig create-scim-subattribute \
      --schema-name urn:pingidentity:schemas:User:1.0 \
      --attribute-name name \
      --subattribute-name formatted

    dsconfig create-scim-attribute \
      --schema-name urn:pingidentity:schemas:User:1.0 \
      --attribute-name userName
  3. Create the LDAP mapping SCIM resource type on the PingDirectory Server.
    dsconfig create-scim-resource-type \
      --type-name Users \
      --type ldap-mapping \
      --set enabled:true \
      --set endpoint:Users \
      --set structural-ldap-objectclass:inetOrgPerson \
      --set include-base-dn:ou=People,dc=example,dc=com \
      --set lookthrough-limit:500 \
      --set core-schema:urn:pingidentity:schemas:User:1.0
  4. Run the following commands to create the SCIM attribute mappings.
    dsconfig create-scim-attribute-mapping \
      --type-name Users \
      --mapping-name displayName \
      --set scim-resource-type-attribute:displayName \
      --set ldap-attribute:displayName

    dsconfig create-scim-attribute-mapping \
      --type-name Users \
      --mapping-name name.formatted \
      --set scim-resource-type-attribute:name.formatted \
      --set ldap-attribute:cn \
      --set searchable:true

    dsconfig create-scim-attribute-mapping \
      --type-name Users \
      --mapping-name name.familyName \
      --set scim-resource-type-attribute:name.familyName \
      --set ldap-attribute:sn \
      --set searchable:true

    dsconfig create-scim-attribute-mapping \
      --type-name Users \
      --mapping-name userName \
      --set scim-resource-type-attribute:userName \
      --set ldap-attribute:uid \
      --set searchable:true
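  5. Configure the SCIM2 HTTP Servlet Extension to use a Mock Access Token Validator. A Mock Access Token Validator accepts whatever claims the client places in the bearer token without verifying them (the request in step 6 simply sends {"active":true}), so Mock Access Token Validators should never be used in production environments or with sensitive data.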
    dsconfig create-access-token-validator \
      --validator-name "SCIM2 Mock Validator" \
      --type mock \
      --set enabled:true

    dsconfig set-http-servlet-extension-prop \
      --extension-name SCIM2 \
      --set "access-token-validator:SCIM2 Mock Validator"
  6. Send the following request to the SCIM /ResourceTypes endpoint to confirm that the new resource type has been added.
    curl -k -X GET \
      https://localhost:8443/scim/v2/ResourceTypes \
      -H 'Authorization: Bearer {"active":true}'
  7. The following JSON object should appear in the response in the “Resources” array:
    {
      ...
      "Resources": [{
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
        "id": "Users",
        "name": "Users",
        "endpoint": "Users",
        "schema": "urn:pingidentity:schemas:User:1.0",
        "meta": {
          "resourceType": "ResourceType",
          "location": "https://localhost:8443/scim/v2/ResourceTypes/Users"
        }
      }]
      ...
    }
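
The check in steps 6 and 7 can be scripted instead of read by eye. The following is an added example, not part of the original procedure or of PingDirectory itself: it parses a /ResourceTypes response and reports any field of the Users entry that differs from the values configured in steps 1 and 3. The function name, script name and sample responses are assumptions constructed for illustration.

```python
import json
import sys

# Expected values, taken from steps 1 and 3 of the procedure above.
EXPECTED = {
    "id": "Users",
    "name": "Users",
    "endpoint": "Users",
    "schema": "urn:pingidentity:schemas:User:1.0",
}
RESOURCE_TYPE_URN = "urn:ietf:params:scim:schemas:core:2.0:ResourceType"


def check_resource_type(body, expected=EXPECTED):
    """Return a list of problems found in a /ResourceTypes response body."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return [f"response is not JSON: {exc}"]
    resources = doc.get("Resources") if isinstance(doc, dict) else None
    if not isinstance(resources, list):
        return ["response has no Resources array"]
    matches = [r for r in resources
               if isinstance(r, dict) and r.get("id") == expected["id"]]
    if not matches:
        return [f"resource type {expected['id']!r} not found"]
    entry, problems = matches[0], []
    if RESOURCE_TYPE_URN not in (entry.get("schemas") or []):
        problems.append("entry is not a SCIM ResourceType")
    for key, want in expected.items():
        got = entry.get(key)
        if got != want:
            problems.append(f"{key}: expected {want!r}, got {got!r}")
    return problems


# Constructed sample responses (not captured from a real server).
SAMPLE_OK = json.dumps({"Resources": [{
    "schemas": [RESOURCE_TYPE_URN], "id": "Users", "name": "Users",
    "endpoint": "Users", "schema": "urn:pingidentity:schemas:User:1.0"}]})
SAMPLE_BAD = SAMPLE_OK.replace("schemas:User:1.0", "schemas:Users:1.0")

if __name__ == "__main__":
    # Usage: pipe the curl output from step 6 into this script.
    body = SAMPLE_OK if sys.stdin.isatty() else sys.stdin.read()
    found = check_resource_type(body)
    print("\n".join(found) or "Users resource type is registered as configured")
    sys.exit(1 if found else 0)
```

The script exits non-zero when the resource type is missing or misconfigured, so it can gate a provisioning job.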