Lists the configuration settings and provisioning options for the SCIM Provisioner.
Field Name | Description |
---|---|
SCIM URL |
The SCIM base URL for the target service. For example:
|
SCIM Version |
The SCIM version supported by the target service. Options are 2.0 (default) or 1.1. |
Authentication Methods |
The authentication method expected by the target service. The options are None (default), Basic Authentication, OAuth 2 Bearer Token or OAuth 2 Client Credentials. Note:
When an authentication method is selected, only the data required for that method will be processed. Entries in fields for other authentication methods will be ignored. |
Basic Authentication |
|
Basic Authentication Username |
The username of the administrator account on the target service. |
Basic Authentication Password |
The password of the administrator account on the target service. |
OAuth 2 Bearer Token |
|
Access Token |
The OAuth access token for the target service. |
OAuth 2 Client Credentials |
|
Token Request Endpoint |
The endpoint that the connector uses to get an access token. For example:
|
Client ID |
The client ID for the target service. |
Client Secret |
The client secret the target service. |
Scope |
An optional field that allows an admin to specify a comma-delimited list of OAuth scopes that access tokens requested from the SCIM provider should contain. |
SCIM Overrides |
|
Unique User Identifier |
The attribute that uniquely identifies a user when PingFederate does not have access to the unique user ID that the target application assigns to a user.
To override a default filter, use the Filter Expression field. Important:
To change the unique user identifier:
|
Filter Expression |
A rule that determines how the connector uses the unique user identifier to match existing users in the target application to users in the data store. This expression overrides the default filter expression that is set by the Unique User Identifier field. The filter expression contains three parts:
The <attribute_value> is represented by
Example filter expressions:
Note:
Check the target service documentation and the SCIM Filtering specification to see which filter expressions are supported. |
Authorization Header Type |
The type of HTTP authorization header used. For example,
|
Users API Path |
The users API path is used when the users endpoint deviates from the SCIM specification (“/Users” is used by default when left blank). |
Groups Path API |
The groups API path is used when the groups endpoint deviates from the SCIM specification (“/Groups” is used by default when left blank). |
Results Per Page |
Determines the number of groups that PingFederate requests per GET request when searching all groups for a match. If the target service has a limit, change this value to match. A value of The default value is |
Provisioning Options |
|
User Create |
|
User Update |
|
User Disable / Delete |
|
Provision Disabled Users |
|
Note:
If any of the above options are cleared, PingFederate logs a warning in the user workflow section of provisioner.log when the related action fails. |
|
Remove User Action |
This option applies when:
Note:
Some target applications do not support hard deleting users through external interfaces. For those services, users are disabled. |
Group Name Source |
|
Use PATCH for Group Updates |
|
Custom Attribute Schema URNs |
An optional field that allows an admin to explicitly specify a comma-delimited list of schema URNS for which to look for custom attributes. This only is required in the case where the SCIM provider does not follow the standard naming convention for schema extensions where custom attributes are defined, such as URNs of the form urn:ietf:params:scim:schemas:extension:<Organization Name>:2.0:User. |