Page created: 16 May 2023
|
Page updated: 16 May 2023
| 4 min read
PingOne Cloud Platform PingOne Product Product documentation Content Type IDaaS Deployment Method Administrator Audience Developer SCIM Standards, specifications, and protocols User Management Directory Capability
You can set up provisioning to or from a SCIM (System for Cross-domain Identity Management) identity store. You can also use the PingOne API to set up inbound SCIM for user provisioning. For more information, see SCIM in the PingOne API Reference.
- Go to Connections > Provisioning.
- Click + and then click New connection.
- For Identity Store, click the Select button.
- Under SCIM, click Select and then click Next.
- Enter a name and description for this provisioning connection. The connection name will appear in the list when you've completed and saved the connection.
- Click Next.
-
On the Configure authentication screen, enter the
following
- SCIM base URL. The fully qualified URL to use for
the SCIM resources, such as
http://scim-example.com/v2/. - Users resource. The endpoint for the SCIM
Userresource. - SCIM version. The SCIM version to use for the connection.
- Authentication method. The SCIM authentication method to use for the connection.
You can choose to use no authentication (None). For all other methods, additional entry fields are displayed, depending on the selected authentication method.Note: Basic Auth provides limited security.- The identity store configuration will have the provided Basic Auth credentials.
- The authentication scope is exactly that of the Basic Auth user, rather than some subset of the user data.
- Basic Authentication
- Basic Auth User. Enter the Basic Auth user for the identity store.
- Basic Auth Password. Enter the Basic Auth user password for the identity store.
- Auth Type Header. Select either the standard Basic or Custom auth type.
- OAuth 2 Bearer Token
- OAuth Access Token. Enter the OAuth access token value supplied by the authorization server for the identity store.
- Auth Type Header. Select either Bearer or
Custom to supply your own header
configuration. If you select Custom, the Custom Header entry box is displayed. Enter the custom header configuration.Note:
Custom headers added here will be added only as Authorization headers in the request.
- OAuth 2 Client Credentials
- OAuth Token Request. Enter the endpoint
URL used to obtain an access token, such as
https://scim-example.com/as/token.oauth2. - OAuth Client ID. Enter the client ID registered with the OAuth server for the provisioning identity store.
- OAuth Client Secret. Enter the client secret value associated with the OAuth client ID.
- Auth Type Header. Select Basic,
Bearer, OAuth Client
Credentials, or Custom
(to supply your own header configuration). If you select Custom, the Custom Header entry box is displayed. Enter the custom header configuration.Note:
Custom headers added here will be added only as Authorization headers in the request.
- OAuth Token Request. Enter the endpoint
URL used to obtain an access token, such as
- SCIM base URL. The fully qualified URL to use for
the SCIM resources, such as
-
Click Test connection to verify that PingOne can
establish a connection to the SCIM resource.
If there are any issues with the connection, a Test connection failed message will appear. Click Continue to resume the setup with an invalid connection. You will not be able to use the connection for provisioning until you have established a valid connection to the SCIM resource. Click Cancel to modify the settings and try again.
-
On the Configure preferences screen, enter the user
filter and the action to take when deprovisioning users.
The filtering parameters are optional.
- User filter expression. Determines how the connection uses the specified User Identifier to match existing users in the target identity store to the users being provisioned from the source identity store. For more information, see SCIM filter expressions.
- User identifier. The identifier for the user filter expression.
- Custom Attribute Schema URNs (optional). A
comma-delimited list of schema URNs to define a location for custom
attributes. Use this option if the SCIM provider does not follow the
standard naming convention for schema extensions in which custom
attributes are defined. That is, URNs of the form
urn:ietf:params:scim:schemas:extension:<Organization Name>:2.0:User. - Allow users to be created. Determines whether to create a user in the target identity store when the user is created in the source identity store.
- Allow users to be updated. Determines whether to update user attributes in the target identity store when the user is updated in the source identity store.
- Allow users to be disabled. Determines whether to disable a user in the target identity store when the user is disabled in the source identity store.
- Allow users to be deprovisioned. Determines whether to deprovision a user in the target identity store when the user is deprovisioned in the source identity store.
- Remove action. The action to take when removing a user from the target identity store.
- Deprovision on rule deletion. Determines whether to deprovision users if the associated provisioning rule is deleted.
- Click Finish.