Add a simple mapping System for Cross-domain Identity Management (SCIM) 2.0 resource
type backed by the inetOrgPerson
LDAP objectclass to a PingDirectoryProxy deployment.
To configure an LDAP mapped SCIM resource type:
- Set up the PingDirectory backend server.
-
Export the
encryption-settings
definition with the tool's export subcommand.For this example, use the default settings to use sample data and configured data encryption.
encryption-settings export --output-file exported-key
-
Set up the PingDirectoryProxy and import the
encryption-settings
definition file that was created in the previous step. - To configure the LDAP external server, use the create-initial-proxy-config tool.
-
Create the SCIM schema for the resource type to use.
dsconfig create-scim-schema \ --schema-name urn:pingidentity:schemas:User:1.0 \ --set display-name:User
-
Under this schema, add the following SCIM attributes.
dsconfig create-scim-attribute \ --schema-name urn:pingidentity:schemas:User:1.0 \ --attribute-name displayName dsconfig create-scim-attribute \ --schema-name urn:pingidentity:schemas:User:1.0 \ --attribute-name name \ --set type:complex dsconfig create-scim-subattribute \ --schema-name urn:pingidentity:schemas:User:1.0 \ --attribute-name name \ --subattribute-name familyName dsconfig create-scim-subattribute \ --schema-name urn:pingidentity:schemas:User:1.0 \ --attribute-name name \ --subattribute-name formatted dsconfig create-scim-attribute \ --schema-name urn:pingidentity:schemas:User:1.0 \ --attribute-name userName
-
Create the LDAP mapping SCIM resource type on the PingDirectoryProxy.
dsconfig create-scim-resource-type \ --type-name Users \ --type ldap-mapping \ --set enabled:true \ --set endpoint:Users \ --set structural-ldap-objectclass:inetOrgPerson \ --set include-base-dn:ou=People,dc=example,dc=com \ --set lookthrough-limit:500 \ --set core-schema:urn:pingidentity:schemas:User:1.0
-
To create the SCIM attribute mappings, run the following commands.
dsconfig create-scim-attribute-mapping \ --type-name Users \ --mapping-name displayName \ --set scim-resource-type-attribute:displayName \ --set ldap-attribute:displayName dsconfig create-scim-attribute-mapping \ --type-name Users \ --mapping-name name.formatted \ --set scim-resource-type-attribute:name.formatted \ --set ldap-attribute:cn \ --set searchable:true dsconfig create-scim-attribute-mapping \ --type-name Users \ --mapping-name name.familyName \ --set scim-resource-type-attribute:name.familyName \ --set ldap-attribute:sn \ --set searchable:true dsconfig create-scim-attribute-mapping \ --type-name Users \ --mapping-name userName \ --set scim-resource-type-attribute:userName \ --set ldap-attribute:uid \ --set searchable:true
-
Configure the SCIM2 HTTP Servlet Extension to use a Mock Access Token
Validator.
Note:
Never use Mock Access Token Validators in production environments or with sensitive data.
dsconfig create-access-token-validator \ --validator-name "SCIM2 Mock Validator" \ --type mock \ --set enabled:true dsconfig set-http-servlet-extension-prop \ --extension-name SCIM2 \ --set "access-token-validator:SCIM2 Mock Validator"
-
To confirm that the new resource type is successfully added, send the following
request to the PingDirectoryProxy's SCIM
/ResourceTypes
endpoint.Note:The HTTP port can vary depending on the deployment configuration.
curl -k -X GET \ https://localhost:8443/scim/v2/ResourceTypes \ -H 'Authorization: Bearer {"active":true}'
The following JSON object is displayed in the response in the
“Resources”
array.{ ... "Resources": [{ "schemas":["urn:ietf:params:scim:schemas:core:2.0:ResourceType"], "id":"Users", "name":"Users", "endpoint":"Users", "schema":"urn:pingidentity:schemas:Users:1.0", "meta":{ "resourceType":"ResourceType", "location":"https://localhost:8443/scim/v2/ResourceTypes/Users" } }] ... }