Field Name Description
SCIM URL

The SCIM base URL for the target service. For example,

  • http://scim-example.com/v2/
SCIM Version

The SCIM version supported by the target service. Options are 2.0 (default) or 1.1.

Authentication Methods

The authentication method expected by the target service. The options are None (default), Basic Authentication, OAuth 2 Bearer Token or OAuth 2 Client Credentials.

Note: When an authentication method is selected, only the data required for that method will be processed. Entries in fields for other authentication methods will be ignored.
Basic Authentication
Basic Authentication Username

The username of the administrator account on the target service.

Basic Authentication Password

The password of the administrator account on the target service.

OAuth 2 Bearer Token
Access Token

The OAuth access token for the target service.

OAuth 2 Client Credentials
OAuth 2 Token Request Endpoint

The endpoint that the connector uses to get an access token. For example,

  • https://scim-example.com/as/token.oauth2
OAuth 2 Client ID

The client ID for the target service.

OAuth 2 Client Secret

The client secret for the target service.

SCIM Overrides
Unique User Identifier

The attribute that uniquely identifies a user when PingFederate does not have access to the unique user ID that the target application assigns to a user.

userName (default)
The value of the user name attribute. This sets the following filter expression:
userName eq <userName_value>
workEmail
The value of the work email attribute. Use when synchronization based on the user name is not desirable. This sets the following filter expression:
emails eq <workEmail_value>

To override a default filter, use the Filter Expression field.

Important:

To change the unique user identifier:

  1. Delete the existing SP connection.
  2. Restart PingFederate.
  3. Create an SP Connection with the new Unique User Identifier setting.
Filter Expression

A rule that determines how the connector uses the unique user identifier to match existing users in the target application to users in the data store.

This expression overrides the default filter expression that is set by the Unique User Identifier field.

The filter expression contains three parts:
<attribute_name> <operation> <attribute_value> 

The <attribute_value> is represented by "%s" in the expression. It is populated by the value of the Unique User Identifier.

Example filter expressions:
  • username eq "%s"
  • email co "%s"
Note: Check the target service documentation and the SCIM Filtering specification to see which filter expressions are supported.
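
How a filter expression expands into the user lookup, as an added example that is not PingFederate's code: the JSON-string escaping of the identifier, the in-memory stand-in for the target service, and the refusal to act on more than one match are assumptions of this sketch. It shows why a "co" expression can match several users where "eq" matches one.

```python
import json
from urllib.parse import urlencode

# Constructed sample users held by a hypothetical target service.
USERS = [
    {"id": "u1", "userName": "ann"},
    {"id": "u2", "userName": "joann"},
    {"id": "u3", "userName": 'bob"smith'},
]

def expand_filter(expression, identifier):
    """Substitute the identifier for "%s", escaped as a JSON string value."""
    if expression.count('"%s"') != 1:
        raise ValueError('expression needs exactly one quoted "%s" placeholder')
    return expression.replace('"%s"', json.dumps(identifier))

def search_url(base_url, users_path, scim_filter):
    """Build the GET URL; the filter is percent-encoded as a query parameter."""
    return base_url.rstrip("/") + users_path + "?" + urlencode({"filter": scim_filter})

def list_response(scim_filter, users=USERS):
    """Tiny stand-in for the target service: supports only eq and co."""
    attr, op, raw = scim_filter.split(" ", 2)
    value = json.loads(raw)
    if op == "eq":
        hits = [u for u in users if u.get(attr, "").lower() == value.lower()]
    elif op == "co":
        hits = [u for u in users if value.lower() in u.get(attr, "").lower()]
    else:
        raise ValueError("unsupported operator in this sketch: " + op)
    return {"totalResults": len(hits), "Resources": hits}

def match_user(expression, identifier):
    """Return the single matching id, None if absent; refuse ambiguous matches."""
    resp = list_response(expand_filter(expression, identifier))
    if resp["totalResults"] > 1:
        raise LookupError("filter matched %d users" % resp["totalResults"])
    return resp["Resources"][0]["id"] if resp["Resources"] else None
```
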
Authorization Header Type

The type of HTTP authorization header used. For example, "oauth2".

Users API Path

The users API path is used when the users endpoint deviates from the SCIM specification (“/Users” is used by default when left blank).

Groups Path API

The groups API path is used when the groups endpoint deviates from the SCIM specification (“/Groups” is used by default when left blank).

Results Per Page

Determines the number of groups that PingFederate requests per GET request when searching all groups for a match. If the target service has a limit, change this value to match.

A value of -1 retrieves the largest page size allowed by the target service.

The default value is 1000.

Provisioning Options
User Create
Selected (default)
PingFederate creates users in the target service.
Cleared
PingFederate does not create users in the target service.
User Update
Selected (default)
PingFederate updates existing users in the target service.
Cleared
PingFederate does not update existing users in the target service.
User Disable / Delete
Selected (default)
PingFederate removes users from the target service according to the Remove User Action setting.
Note: You might need to enable User Update for this to work with some services.
Cleared
PingFederate does not remove users from the target service.
Provision Disabled Users
Selected
PingFederate creates users in the target service with a "disabled" status.
Cleared (default)
If a user has a "disabled" status, PingFederate does not create the user in the target service.
Note: If any of the above options are cleared, PingFederate logs a warning in the user workflow section of provisioner.log when the related action fails.
Remove User Action
This option applies when:
  • User Disable / Delete is selected, and
  • a previously-provisioned user no longer meets the condition set on the Source Location tab, or
  • a user has been disabled or deleted from the data store.
Delete
PingFederate deletes the user from the target service.
Disable (default)
PingFederate disables the user in the target service.
Note: Some target applications do not support hard deleting users through external interfaces. For those services, users are disabled.
Group Name Source
Common Name (CN) (default)
PingFederate provisions groups to the target service with a name equal to the common name (CN) of the group in the datastore.
Distinguished Name (DN)
PingFederate provisions groups with a name equal to the distinguished name (DN) of the group in the datastore.
Use PATCH for Group Updates
Selected
PingFederate uses the "PATCH" method to update groups in the target service. Select this option if the target service supports PATCH updates to use lighter API calls.
Cleared (default)
PingFederate uses the "PUT" method to update groups in the target service.
Custom Attribute Schema URNs

An optional field that allows an admin to explicitly specify a comma-delimited list of schema URNs in which to look for custom attributes.

This is required only when the SCIM provider does not follow the standard naming convention for schema extensions where custom attributes are defined, such as URNs of the form urn:ietf:params:scim:schemas:extension:<Organization Name>:2.0:User.