- /pf-scim/v1/Users
- /pf-scim/v1/Groups
- /pf-scim/v1/Schemas
- /pf-scim/v1/ServiceProviderConfigs
- SCIM Core Schema (www.simplecloud.info/specs/draft-scim-core-schema-01.html)
- SCIM Specification (www.simplecloud.info/specs/draft-scim-api-01.html)
Begin each endpoint with the fully qualified server name and port number of your PingFederate server, for example:
https://pingidentity.com:9031/pf-scim/v1/Users
/pf-scim/v1/Users
HTTP requests must be made using either Basic or client-certificate application authentication. JSON is currently the only supported format for the HTTP message body.
HTTP method | Description |
---|---|
POST |
/pf-scim/v1/Users
For an existing user, you can also use the POST method to either
update or delete (or disable) a user record by appending the user ID
to the path (in the format of
/pf-scim/v1/Users/user_id
) and setting the request header
X-HTTP-Method-Override value to
|
GET |
/pf-scim/v1/Users
/pf-scim/v1/Users/user_id
/pf-scim/v1/Users?attributes=attribute
/pf-scim/v1/Users?filter=filter
/pf-scim/v1/Users?sortBy=attribute&sortOrder=ascending|descending
/pf-scim/v1/Users?startIndex=x[&count=y]
Tip:
You may use a combination of the aforementioned parameters in one query to narrow your search results. |
PUT |
/pf-scim/v1/Users/user_id
|
DELETE |
/pf-scim/v1/Users/user_id
|
For a list of HTTP error codes that may be returned, see 3.9 HTTP Response Codes in SCIM Specification (www.simplecloud.info/specs/draft-scim-api-01.html#anchor6).
/pf-scim/v1/Groups
Inbound provisioning for groups is a per-connection, optional feature. To enable group provisioning, select the User and Group Support option on the Connection Type screen when configuring the applicable IdP connection.
HTTP requests must be made using either Basic or client-certificate application authentication. JSON is currently the only supported format for the HTTP message body.
HTTP method | Description |
---|---|
POST |
/pf-scim/v1/Groups
For an existing group, you can also use the POST method to either
update or delete the group by appending the group ID to the path (in the
format of /pf-scim/v1/Groups/group_id
) and setting the request header
X-HTTP-Method-Override value to
|
GET |
/pf-scim/v1/Groups
/pf-scim/v1/Groups/group_id
/pf-scim/v1/Groups?attributes=attribute
/pf-scim/v1/Groups?filter=filter
/pf-scim/v1/Groups?sortBy=attribute&sortOrder=ascending|descending
/pf-scim/v1/Groups?startIndex=x[&count=y]
Tip:
You may use a combination of the aforementioned parameters in one query to narrow your search results. |
PUT |
/pf-scim/v1/Groups/group_id
|
DELETE |
/pf-scim/v1/Groups/group_id
|
For a list of HTTP error codes that may be returned, see 3.9 HTTP Response Codes in SCIM Specification (www.simplecloud.info/specs/draft-scim-api-01.html#anchor6).
/pf-scim/v1/Schemas
HTTP requests must be made using either Basic or client-certificate application authentication. JSON is currently the only supported format for the HTTP message body.
HTTP method | Description |
---|---|
GET | Retrieves the resource's schema for an IdP
connection based on the authentication
information. A successful response is indicated by an HTTP 200 status code and the results in the message body. |
Sample output
$ curl -u basicUser 'https://localhost:9031/pf-scim/v1/Schemas' | python -m json.tool
{
"attributes": [
{
"caseExact": false,
"description": "Unique identifier for the SCIM resource as defined by the Service Provider. Each representation of the resource MUST include a non-empty id value. This identifier MUST be unique across the Service Provider's entire set of resources. It MUST be a stable, non-reassignable identifier that does not change when the same resource is returned in subsequent requests. The value of the id attribute is always issued by the Service Provider and MUST never be specified by the Service Consumer. REQUIRED.",
"multiValued": false,
"name": "id",
"readOnly": true,
"required": true,
"schema": "urn:scim:schemas:core:1.0",
"type": "string"
},
...
],
"description": "Core User",
"endpoint": "/Users",
"id": "urn:scim:schemas:core:1.0:User",
"name": "User",
"schema": "urn:scim:schemas:core:1.0"
}
/pf-scim/v1/ServiceProviderConfigs
This SP configuration endpoint is where developers can retrieve detailed information on the PingFederate SCIM 1.1 implementation. When inbound provisioning is enabled for an SP PingFederate server, an HTTP GET request to this endpoint returns a JSON response outlining SCIM 1.1 compliance details.
The /pf-scim/v1/ServiceProviderConfigs endpoint does not require authentication. JSON is currently the only supported format for the HTTP message body.
Sample output
$ curl https://localhost:9031/pf-scim/v1/ServiceProviderConfigs
{
"schemas": ["urn:scim:schemas:core:1.0"],
...
"patch": {
"supported":false
},
"bulk": {
"supported":false
},
"filter": {
"supported":true
},
"changePassword" : {
"supported":true
},
"sort": {
"supported":false
},
"etag": {
"supported":false
},
"xmlDataFormat": {
"supported":false
},
"authenticationSchemes": [
{
"name": "HTTP Basic",
"description": "Authentication using HTTP Basic",
...
"type":"httpbasic"
},
{
"name": "TLS Client Certificate",
"description": "Authentication via TLS Client Certificate",
...
"type":"tls"
}
]
}