When a System for Cross-domain Identity Management (SCIM) Sync Destination needs to synchronize a change to a SCIM resource on the destination SCIM server, it must first fetch the destination resource. If the destination resource ID is known, the resource will be retrieved by its ID. If not, a search is performed using the mapped destination correlation attributes. Configuring this requires coordination between the Sync Class and the scim-resources.xml mapping file.
The scim-resources.xml mapping file treats the value of the
attribute as the SCIM ID of the source entry. If this value is also listed as a value of
the Sync Class's
destination-correlation-attributes property, then the
value of this LDAP attribute is used as the SCIM ID of the
If no value of
destination-correlation-attributes matches the
attribute, the SCIM ID of the destination resource is considered unknown. In this case, the
SCIM Sync Destination treats the values of
correlation-attributes as search terms, using them to construct a filter for
finding the destination resource. Each value of
destination-correlation-attributes will be mapped to a corresponding
SCIM attribute name, and equality matches will be used in the resulting filter.
ldapAttribute value is not listed as a destination correlation
attribute, this setting is not used by PingDataSync.
The following table illustrates an
LDAPSearch element that contains a
|Method for retrieving SCIM resource
|Retrieve resource directly
Used if a
ldapAttribute="mail" createdBy= "directory"/>
GET scim/Users/ email@example.com
|Retrieve resource using search
Used if no
The unique ID of a destination SCIM resource will most likely be unknown, and the search method will need to be used. However, not all SCIM service providers support the use of filters. Therefore, not all SCIM service providers may be usable as SCIM Sync Destinations.