SCIM 2.0 inbound provisioning endpoints
PingFederate supports System for Cross-domain Identity Management (SCIM) 2.0 inbound provisioning and provides five endpoints.
The five endpoints are:
- /pf-scim/v2/Users
- /pf-scim/v2/Schemas
- /pf-scim/v2/ServiceProviderConfig
- /pf-scim/v2/ResourceTypes
- /pf-scim/v2/.search
These endpoints are defined in the following SCIM 2.0 specifications:
Begin each endpoint with the fully-qualified server name and port number of your PingFederate server, for example, https://pingidentity.com:9031/pf-scim/v2/Users.
/pf-scim/v2/Users
The users endpoint is where client applications make HTTP requests to create, retrieve, update, and delete or deactivate users. This REST-based endpoint accepts POST, GET, PUT, and DELETE requests, as described in the following table.
HTTP requests must be made using either Basic or client-certificate application authentication. JSON is currently the only supported format for the HTTP message body.
HTTP method | Description |
---|---|
POST | |
GET | |
PUT | |
DELETE | |
/pf-scim/v2/Schemas
The schemas endpoint is where a client can retrieve a resource’s schema. This REST-based endpoint accepts the GET method as described in the following table.
HTTP requests must be made using Basic or client-certificate application authentication. JSON is currently the only supported format for the HTTP message body.
HTTP method | Description |
---|---|
GET | |
Example
$ curl -u basicUser 'https://localhost:9031/pf-scim/v2/Schemas' | python -m json.tool
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"totalResults": 3,
"Resources": [
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Schema"
],
"id": "urn:ietf:params:scim:schemas:core:2.0:User",
"name": "User",
"description": "User Account",
"attributes": [
{
"name": "active",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the User's administrative status.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
]
}
]
}
/pf-scim/v2/ServiceProviderConfig
This service provider (SP) configuration endpoint is where developers can retrieve detailed information on the PingFederate SCIM 2.0 implementation. When you enable inbound provisioning for an SP PingFederate server, an HTTP GET request to this endpoint returns a JSON response outlining SCIM 2.0 compliance details.
Example
$ curl https://localhost:9031/pf-scim/v2/ServiceProviderConfig
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
],
"patch": {
"supported": true
},
"bulk": {
"supported": false,
"maxOperations": 0,
"maxPayloadSize": 0
},
"filter": {
"supported": true,
"maxResults": 200
},
"changePassword": {
"supported": false
},
"sort": {
"supported": true
},
"etag": {
"supported": false
},
"authenticationSchemes": [
{
"name": "HTTP Basic",
"description": "The HTTP Basic Access Authentication scheme. This scheme is not considered to be a secure method of user authentication (unless used in conjunction with some external secure system such as SSL), as the user name and password are passed over the network as cleartext.",
"specUri": "http://www.ietf.org/rfc/rfc2617.txt",
"type": "httpbasic",
"primary": false
}
]
}
/pf-scim/v2/.search
The search endpoint is used to query for resources using HTTP POST. Learn more in 3.4.3. Querying Resources Using HTTP POST in the SCIM specification.
Example
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:SearchRequest"],
"attributes": ["displayName", "userName"],
"filter": "displayName sw \"smith\"",
"startIndex": 1,
"count": 10
}
This sample POST body retrieves a list of the displayName and userName attributes for all users with a displayName that starts with "smith".
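When a client builds the filter string from caller-supplied input, the value has to be encoded as a JSON string literal so it cannot close the quotes and append further filter clauses. The following is an added example, not PingFederate code: the function name `build_search_request`, the attribute-name pattern, and the use of the sample `maxResults` value of 200 as a client-side cap are assumptions.

```python
import json
import re

# Assumption: only simple or dotted attribute names are accepted here
# (URN-prefixed names are rejected to keep the check strict).
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9_-]*(\.[A-Za-z][A-Za-z0-9_-]*)?")
_OPS = {"eq", "ne", "co", "sw", "ew", "gt", "ge", "lt", "le"}  # RFC 7644 operators
SEARCH_URN = "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
MAX_RESULTS = 200  # filter.maxResults in the ServiceProviderConfig sample above


def build_search_request(attr, op, value, attributes, start_index=1, count=10):
    """Return a SearchRequest body for POST /pf-scim/v2/.search."""
    if op not in _OPS:
        raise ValueError(f"unsupported operator: {op!r}")
    for name in [attr, *attributes]:
        if not _ATTR.fullmatch(name):
            raise ValueError(f"invalid attribute name: {name!r}")
    if not isinstance(value, str):
        raise TypeError("value must be a string")
    # json.dumps adds the surrounding quotes and escapes '"' and '\',
    # so the input stays inside one string literal of the filter.
    literal = json.dumps(value)
    return {
        "schemas": [SEARCH_URN],
        "attributes": list(attributes),
        "filter": f"{attr} {op} {literal}",
        "startIndex": max(1, int(start_index)),
        "count": min(max(0, int(count)), MAX_RESULTS),
    }


if __name__ == "__main__":
    # Constructed inputs: the page's sample value, then one containing a quote.
    for v in ("smith", 'x" or userName pr'):
        body = build_search_request("displayName", "sw", v, ["displayName", "userName"])
        print(json.dumps(body, indent=2))
```
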