PingFederate supports System for Cross-domain Identity Management (SCIM) inbound provisioning and provides four endpoints:
- /pf-scim/v1/Users
- /pf-scim/v1/Groups
- /pf-scim/v1/Schemas
- /pf-scim/v1/ServiceProviderConfigs
Begin each endpoint with the fully-qualified server name and port number of your PingFederate server, for example: https://pingidentity.com:9031/pf-scim/v1/Users.
/pf-scim/v1/Users
HTTP requests must be made using either Basic or client-certificate application authentication. JSON is currently the only supported format for the HTTP message body.
HTTP method | Description |
---|---|
POST | /pf-scim/v1/Users<br>For an existing user, you can also use the POST method to update a user record, or to delete or disable it, by appending the user ID to the path in the format of /pf-scim/v1/Users/user_id and setting the request header X-HTTP-Method-Override value to PUT or DELETE, respectively. For more information, see the PUT and DELETE method descriptions at the end of this topic. |
GET | /pf-scim/v1/Users<br>/pf-scim/v1/Users/user_id<br>/pf-scim/v1/Users?attributes=attribute<br>/pf-scim/v1/Users?filter=filter<br>/pf-scim/v1/Users?sortBy=attribute&sortOrder=ascending\|descending<br>/pf-scim/v1/Users?startIndex=x[&count=y]<br>Tip: You can use a combination of the aforementioned parameters in one query to narrow your search results. |
PUT | /pf-scim/v1/Users/user_id |
DELETE | /pf-scim/v1/Users/user_id |
For a list of HTTP error codes that might be returned, see 3.9 HTTP Response Codes in SCIM Specification.
/pf-scim/v1/Groups
Inbound provisioning for groups is a per-connection, optional feature. To enable group provisioning, select the User and Group Support option on the Connection Type tab when configuring the applicable IdP connection.
HTTP requests must be made using either Basic or client-certificate application authentication. JSON is currently the only supported format for the HTTP message body.
HTTP method | Description |
---|---|
POST | /pf-scim/v1/Groups<br>For an existing group, you can also use the POST method to either update or delete the group by appending the group ID to the path, in the format of /pf-scim/v1/Groups/group_id, and setting the request header X-HTTP-Method-Override value to PUT or DELETE, respectively. For more information, see the PUT and DELETE method descriptions at the end of this topic. |
GET | /pf-scim/v1/Groups<br>/pf-scim/v1/Groups/group_id<br>/pf-scim/v1/Groups?attributes=attribute<br>/pf-scim/v1/Groups?filter=filter<br>/pf-scim/v1/Groups?sortBy=attribute&sortOrder=ascending\|descending<br>/pf-scim/v1/Groups?startIndex=x[&count=y]<br>Tip: You can use a combination of the aforementioned parameters in one query to narrow your search results. |
PUT | /pf-scim/v1/Groups/group_id |
DELETE | /pf-scim/v1/Groups/group_id |
For a list of HTTP error codes that might be returned, see 3.9 HTTP Response Codes in SCIM Specification.
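Because a POST carrying X-HTTP-Method-Override acts as a PUT or DELETE on both /pf-scim/v1/Users and /pf-scim/v1/Groups, log reviews and method-based access rules have to resolve the effective operation rather than trust the request line. The following Python is an added example, not PingFederate code; the record layout, client names and IDs are constructed, and matching the header value case-insensitively is an assumption made so the check errs on the side of flagging.

```python
import re

# Paths and header name come from the page; the log records are constructed.
SCIM_PATH = re.compile(r"^/pf-scim/v1/(Users|Groups)(?:/([^/?]+))?(?:\?.*)?$")
OVERRIDE = "x-http-method-override"


def effective_operation(method, path, headers):
    """Return (method, resource, resource_id, overridden), or None if not SCIM."""
    match = SCIM_PATH.match(path)
    if match is None:
        return None
    resource, resource_id = match.groups()
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    override = lowered.get(OVERRIDE, "").strip().upper()
    method = method.upper()
    # Per the page: POST + resource ID + override value of PUT or DELETE.
    if method == "POST" and resource_id and override in ("PUT", "DELETE"):
        return override, resource, resource_id, True
    return method, resource, resource_id, False


def deletions(records):
    """List every request that deletes or disables a user or group."""
    found = []
    for rec in records:
        op = effective_operation(rec["method"], rec["path"], rec["headers"])
        if op and op[0] == "DELETE":
            found.append((rec["client"], op[1], op[2], op[3]))
    return found


# Constructed sample records (hypothetical clients and IDs).
SAMPLE = [
    {"client": "hr-sync", "method": "POST", "path": "/pf-scim/v1/Users",
     "headers": {"Content-Type": "application/json"}},
    {"client": "hr-sync", "method": "DELETE", "path": "/pf-scim/v1/Users/u-1001",
     "headers": {}},
    {"client": "legacy-app", "method": "POST", "path": "/pf-scim/v1/Groups/g-42",
     "headers": {"x-http-method-override": "delete"}},
    {"client": "legacy-app", "method": "POST", "path": "/pf-scim/v1/Users/u-1002",
     "headers": {"X-HTTP-Method-Override": "PUT"}},
    {"client": "monitor", "method": "GET",
     "path": "/pf-scim/v1/Users?startIndex=1&count=10", "headers": {}},
]

if __name__ == "__main__":
    for client, resource, rid, overridden in deletions(SAMPLE):
        via = "POST with override header" if overridden else "native DELETE"
        print(f"{client}: DELETE {resource}/{rid} ({via})")
```

A proxy or SIEM rule that only matches the DELETE verb would miss the legacy-app request in the sample, which is the case this check exists to surface.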
/pf-scim/v1/Schemas
HTTP requests must be made using either Basic or client-certificate application authentication. JSON is currently the only supported format for the HTTP message body.
HTTP method | Description |
---|---|
GET | Retrieves the resource's schema for an IdP connection based on the authentication information. A successful response is indicated by an HTTP 200 status code and the results in the message body. |
```
$ curl -u basicUser 'https://localhost:9031/pf-scim/v1/Schemas' | python -m json.tool
{
    "attributes": [
        {
            "caseExact": false,
            "description": "Unique identifier for the SCIM resource as defined by the Service Provider. Each representation of the resource MUST include a non-empty id value. This identifier MUST be unique across the Service Provider's entire set of resources. It MUST be a stable, non-reassignable identifier that does not change when the same resource is returned in subsequent requests. The value of the id attribute is always issued by the Service Provider and MUST never be specified by the Service Consumer. REQUIRED.",
            "multiValued": false,
            "name": "id",
            "readOnly": true,
            "required": true,
            "schema": "urn:scim:schemas:core:1.0",
            "type": "string"
        },
        ...
    ],
    "description": "Core User",
    "endpoint": "/Users",
    "id": "urn:scim:schemas:core:1.0:User",
    "name": "User",
    "schema": "urn:scim:schemas:core:1.0"
}
```
/pf-scim/v1/ServiceProviderConfigs
This service provider (SP) configuration endpoint is where developers can retrieve detailed information on the PingFederate SCIM 1.1 implementation. When you enable inbound provisioning for an SP PingFederate server, an HTTP GET request to this endpoint returns a JSON response outlining SCIM 1.1 compliance details.
The /pf-scim/v1/ServiceProviderConfigs endpoint does not require authentication. JSON is currently the only supported format for the HTTP message body.
```
$ curl https://localhost:9031/pf-scim/v1/ServiceProviderConfigs
{
    "schemas": ["urn:scim:schemas:core:1.0"],
    ...
    "patch": {
        "supported":false
    },
    "bulk": {
        "supported":false
    },
    "filter": {
        "supported":true
    },
    "changePassword" : {
        "supported":true
    },
    "sort": {
        "supported":false
    },
    "etag": {
        "supported":false
    },
    "xmlDataFormat": {
        "supported":false
    },
    "authenticationSchemes": [
        {
            "name": "HTTP Basic",
            "description": "Authentication using HTTP Basic",
            ...
            "type":"httpbasic"
        },
        {
            "name": "TLS Client Certificate",
            "description": "Authentication via TLS Client Certificate",
            ...
            "type":"tls"
        }
    ]
}
```