Creating a SCIM connection - PingOne - PingOne Cloud Platform


You can set up provisioning to or from a SCIM (System for Cross-domain Identity Management) identity store. You can also use the PingOne API to set up inbound SCIM for user provisioning. For more information, see SCIM in the PingOne API Reference.

  1. Go to Integrations > Provisioning.
  2. Click + and then click New connection.
  3. For Identity Store, click the Select button.
  4. Under SCIM, click Select and then click Next.
  5. Enter a name and description for this provisioning connection. The connection name will appear in the list when you've completed and saved the connection.
  6. Click Next.
  7. On the Configure authentication screen, enter the following:
    • SCIM base URL. The fully qualified URL to use for the SCIM resources, such as http://scim-example.com/v2/.
    • Users resource. The endpoint for the SCIM User resource.
    • SCIM version. The SCIM version to use for the connection.
    • Authentication method. The SCIM authentication method to use for the connection.
    You can choose to use no authentication (None). For all other methods, additional entry fields are displayed, depending on the selected authentication method.
    Note: Basic Auth provides limited security:

    • The identity store configuration will have the provided Basic Auth credentials.
    • The authentication scope is exactly that of the Basic Auth user, rather than some subset of the user data.

    For these reasons, we recommend using the Bearer Token or Client Creds authentication method, if possible.

    • Basic Authentication
      • Basic Auth User. Enter the Basic Auth user for the identity store.
      • Basic Auth Password. Enter the Basic Auth user password for the identity store.
      • Auth Type Header. Select either the standard Basic or Custom auth type.
    • OAuth 2 Bearer Token
      • OAuth Access Token. Enter the OAuth access token value supplied by the authorization server for the identity store.
      • Auth Type Header. Select either Bearer or Custom to supply your own header configuration.
        If you select Custom, the Custom Header entry box is displayed. Enter the custom header configuration.
        Note: Custom headers added here will be added only as Authorization headers in the request.

    • OAuth 2 Client Credentials
      • OAuth Token Request. Enter the endpoint URL used to obtain an access token, such as https://scim-example.com/as/token.oauth2.
      • OAuth Client ID. Enter the client ID registered with the OAuth server for the provisioning identity store.
      • OAuth Client Secret. Enter the client secret value associated with the OAuth client ID.
      • Auth Type Header. Select Basic, Bearer, OAuth Client Credentials, or Custom (to supply your own header configuration).
        If you select Custom, the Custom Header entry box is displayed. Enter the custom header configuration.
        Note: Custom headers added here will be added only as Authorization headers in the request.

  8. Click Test connection to verify that PingOne can establish a connection to the SCIM resource.

    If there are any issues with the connection, a Test connection failed message will appear. Click Continue to resume the setup with an invalid connection. You will not be able to use the connection for provisioning until you have established a valid connection to the SCIM resource. Click Cancel to modify the settings and try again.

  9. On the Configure preferences screen, enter the user filter and the action to take when deprovisioning users.

    The filtering parameters are optional.

    • User filter expression. Determines how the connection uses the specified User Identifier to match existing users in the target identity store to the users being provisioned from the source identity store. For more information, see SCIM filter expressions.
    • User identifier. The identifier for the user filter expression.
    • Custom Attribute Schema URNs (optional). A comma-delimited list of schema URNs to define a location for custom attributes. Use this option if the SCIM provider does not follow the standard naming convention for schema extensions in which custom attributes are defined. That is, URNs of the form urn:ietf:params:scim:schemas:extension:<Organization Name>:2.0:User.
    • Allow users to be created. Determines whether to create a user in the target identity store when the user is created in the source identity store.
    • Allow users to be updated. Determines whether to update user attributes in the target identity store when the user is updated in the source identity store.
    • Allow users to be disabled. Determines whether to disable a user in the target identity store when the user is disabled in the source identity store.
    • Allow users to be deprovisioned. Determines whether to deprovision a user in the target identity store when the user is deprovisioned in the source identity store.
    • Remove action. The action to take when removing a user from the target identity store.
    • Deprovision on rule deletion. Determines whether to deprovision users if the associated provisioning rule is deleted.
  10. Click Finish.

The SCIM provisioning profile is complete and is added to the list of provisioning profiles on the Provisioning page.
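The following review of the values entered in steps 7 and 9 is an added example, not PingOne code. It flags a non-HTTPS URL, the None and Basic Auth methods, and works out which schema URNs belong in the Custom Attribute Schema URNs field. The dictionary keys, method labels, and sample values are assumptions made for illustration.

```python
import base64
import re
from urllib.parse import urlparse

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Standard extension naming convention quoted in step 9.
STANDARD_EXT = re.compile(r"^urn:ietf:params:scim:schemas:extension:[^:]+:2\.0:User$")


def basic_header(user, password):
    """RFC 7617 value: base64 is an encoding, not encryption, so anyone who
    sees the header or the stored configuration can recover the password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def review_connection(cfg):
    """Findings for the step 7 values. Dict keys and method labels are hypothetical."""
    findings = []
    if urlparse(cfg["scim_base_url"]).scheme != "https":
        findings.append("SCIM base URL is not https: requests cross the network unencrypted")
    method = cfg["auth_method"]
    if method == "None":
        findings.append("None: no credential is sent, so the endpoint is unauthenticated")
    elif method == "Basic":
        findings.append("Basic Auth: password is stored in the connection with the user's full scope")
    elif method == "Client Credentials":
        if urlparse(cfg["oauth_token_request"]).scheme != "https":
            findings.append("OAuth token request URL is not https: client secret sent unencrypted")
    return findings


def custom_schema_urns(user_resource):
    """Value for the Custom Attribute Schema URNs field: every schema on the
    resource that is neither core User nor a standard-form extension."""
    odd = [s for s in user_resource.get("schemas", [])
           if s != CORE_USER and not STANDARD_EXT.match(s)]
    return ",".join(odd)


# Constructed sample input, not taken from a real deployment.
SAMPLE_CFG = {"scim_base_url": "http://scim-example.com/v2/", "auth_method": "Basic"}
SAMPLE_USER = {"schemas": [CORE_USER,
                           "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
                           "urn:example:custom:1.0:User"]}

if __name__ == "__main__":
    print(basic_header("user", "pass"))
    for finding in review_connection(SAMPLE_CFG):
        print("-", finding)
    print("Custom Attribute Schema URNs:", custom_schema_urns(SAMPLE_USER))
```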
