Access token validator identity mapping ties a local user account to an operation performed through the SCIM 2.0 servlet in the PingDirectory server.

The default configuration of the PingDirectory server's SCIM 2.0 servlet doesn't require an access token to map to a local user, so operations are recorded in the logs as the SCIM2 Servlet user. For more detailed logging and auditing, enable the map-access-tokens-to-local-users property to require access tokens to map to a local user.

Note:

The users that are being mapped to the access tokens must have the necessary access control rights required to perform the operations that the SCIM 2.0 servlet will invoke on their behalf.

You should update the authorization server to issue tokens that include the scim2 scope alongside any other scopes you need for access control purposes.

The map-access-tokens-to-local-users property is an optional configuration with the three settings shown in the following table.

Setting Definition

Disabled (default)

The server doesn't attempt to map SCIM 2.0 access tokens to local users and operations are processed under the authority of the SCIM2 Servlet user.

Optional

The server attempts to map SCIM 2.0 access tokens to local users and, if successful, the operations are processed under the authority of that user. The distinguished name (DN) of the mapped user appears in the access logs. If unsuccessful, the server falls back to the default behavior.

Required

The server must map the SCIM 2.0 access token to one local user or the operation is rejected.

To set the map-access-tokens-to-local-users property:

  • Run dsconfig with the set-http-servlet-extension-prop option.
    • To set the property to required, run the following command.

      dsconfig set-http-servlet-extension-prop \
        --extension-name SCIM2 \
        --set map-access-tokens-to-local-users:required
    • To set the property to optional, run the following command.

      dsconfig set-http-servlet-extension-prop \
        --extension-name SCIM2 \
        --set map-access-tokens-to-local-users:optional
    • To reset the property to the default setting, disabled, run the following command.

      dsconfig set-http-servlet-extension-prop \
        --extension-name SCIM2 \
        --set map-access-tokens-to-local-users:disabled
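After enabling mapping, an administrator will want to confirm from the access logs which SCIM 2.0 operations are now attributed to a mapped user DN and which still run under the SCIM2 Servlet user's authority (the ones that would be rejected under the required setting). The following is an added example, not PingDirectory's own tooling; the log-line layout, the field names and the SCIM2 Servlet user's DN are constructed assumptions for illustration, not the server's exact format.

```python
import re
from collections import Counter

# Placeholder for the DN of the SCIM2 Servlet user; the real value is
# deployment-specific and this one is an assumption for the example.
SCIM2_SERVLET_USER_DN = "cn=SCIM2 Servlet,cn=Root DNs,cn=config"

# Constructed, simplified access-log lines. The layout (op, path, authzDN)
# is an assumption for illustration, not PingDirectory's exact log format.
SAMPLE_LOG = """\
[01/Jan/2024:10:00:01 +0000] SCIM2 op=GET path=/scim/v2/Users authzDN="cn=SCIM2 Servlet,cn=Root DNs,cn=config"
[01/Jan/2024:10:00:02 +0000] SCIM2 op=PATCH path=/scim/v2/Users/1a2b authzDN="uid=alice,ou=People,dc=example,dc=com"
[01/Jan/2024:10:00:03 +0000] SCIM2 op=DELETE path=/scim/v2/Users/3c4d authzDN="cn=SCIM2 Servlet,cn=Root DNs,cn=config"
[01/Jan/2024:10:00:04 +0000] SCIM2 op=GET path=/scim/v2/Groups authzDN="uid=bob,ou=People,dc=example,dc=com"
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SCIM2 op=(?P<op>\S+) path=(?P<path>\S+) authzDN="(?P<dn>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one SCIM2 log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def audit_scim2_log(log_text):
    """Split SCIM 2.0 operations into those attributed to a mapped local user
    and those still processed under the SCIM2 Servlet user's authority."""
    by_user = Counter()
    unmapped = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a SCIM2 operation line; ignore
        # DNs are case-insensitive, so compare them in a normalised form.
        if rec["dn"].lower() == SCIM2_SERVLET_USER_DN.lower():
            unmapped.append((rec["op"], rec["path"]))
        else:
            by_user[rec["dn"]] += 1
    return {"mapped": sum(by_user.values()),
            "by_user": dict(by_user),
            "unmapped": unmapped}

if __name__ == "__main__":
    result = audit_scim2_log(SAMPLE_LOG)
    print(f"mapped: {result['mapped']}, unmapped: {len(result['unmapped'])}")
    for op, path in result["unmapped"]:
        print(f"  not attributable to a local user: {op} {path}")
```

With the property set to optional, a non-empty unmapped list shows which clients present tokens that still do not map to a local user, which is worth resolving before switching to required.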