SCIM Provisioning with PingFederate

This article describes how to configure SCIM user provisioning with PingFederate as the identity provider. This will allow Axis to continuously synchronize user identity and group information from a user datastore configured in PingFederate.

Before you begin, you must configure PingFederate as an Identity Provider.

Prerequisites

Step 1: Enabling User Auto Provisioning with PingFederate in the Axis Management Console

  1. In the Management Console, go to Settings -> Identity Providers.
  2. Hover over the PingFederate Identity Provider and select Edit.
  3. Navigate to Advanced Settings.
  4. Go to User Auto-Provisioning (SCIM).
  5. Click Generate new token.
  6. Copy the SCIM Service Provider Endpoint and SCIM Provisioning Token and paste them into a text editor. You will need these details for Step 2: Creating a PingFederate SCIM Connector.

Step 2: Creating a PingFederate SCIM Connector

  1. Log in to your PingFederate instance as an administrator. Select Applications -> SP Connections.
  2. Select Create Connection.
  3. In the Connection Template section, select Use a Template for this Connection. From the dropdown list, select SCIM Connector and click Next.

Note: If you do not see the SCIM Connector option, refer to the Prerequisites section.

  4. In the Connection Type section, ensure that Outbound Provisioning is selected and Type is set to SCIM Connector. Click Next.
  5. In the General Info section, provide a descriptive name for Partner’s Entity ID and Connection Name. Click Next.
  6. In the Outbound Provisioning section, select the Configure Provisioning button.
  7. In the Target section, use the User Auto-Provisioning (SCIM) values copied in Step 1:
  • Paste the SCIM Service Provider Endpoint in the SCIM URL field.
  • Paste the SCIM Provisioning Token in the Access Token field.
  • Ensure the SCIM Version is set to 2.0 and the Authentication Method is set to OAuth 2 Bearer Token.
  • Check USE PATCH FOR GROUP UPDATES.
  • Click Next.
  8. Go to the Manage Channels table and select Create.
  9. In the Channel Info section, enter a descriptive name in the Channel Name field and click Next.
  10. In the Source section:
  • Select an Active Data Store from the dropdown menu. The selected data store is the source from which identity and group information will be synced.
  • Note: The data store must be enabled for provisioning and single sign-on, as described in the Prerequisites.
  • Click Next.
  11. In the Source Settings section, keep the default values. Click Next.
  12. In the Source Location section, select the location of the users and groups you want to sync from your active data store:
  • Set a Base DN.
  • Set either a Group DN or a Filter for the Users and for the Groups.

Note: The setup may vary depending on the data store type. The example below is based on an LDAP data store. For further information, refer to the PingFederate documentation.

The following values are recommended:

Users

Field Name   Field Value
GROUP DN     (empty)
FILTER       (&(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Note: The following expression MUST be included in the Users FILTER: !(userAccountControl:1.2.840.113556.1.4.803:=2)

Groups

Field Name   Field Value
GROUP DN     (empty)
FILTER       (objectClass=Group)

  • Click Next.
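As an added example (not code from Axis or Ping Identity), the following Python evaluates the recommended Users and Groups filters against a few constructed directory entries. The `userAccountControl:1.2.840.113556.1.4.803:=2` clause is an Active Directory bitwise-AND match on the ACCOUNTDISABLE bit (0x2), so negating it keeps disabled accounts out of the provisioned set; the example shows which constructed entries each filter selects and that dropping the clause would also provision the disabled account.

```python
# Added example (not Axis or Ping Identity code): evaluates the recommended Source
# Location filters against constructed entries to show what the channel would provision.
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x2                     # userAccountControl bit set on disabled accounts
USERS_FILTER = "(&(objectClass=User)(!(userAccountControl:%s:=%d)))" % (BIT_AND_RULE, ACCOUNTDISABLE)
GROUPS_FILTER = "(objectClass=Group)"

def _parse(s, i=0):
    """Parse the RFC 4515 subset used here (&, |, !, equality, bit-and extensible match)."""
    assert s[i] == "(", "expected '(' at offset %d" % i
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1                 # skip the closing ')'
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    if ":" in attr:                              # extensible match: attr:rule:=value
        attr, rule, _ = attr.split(":")
        if rule != BIT_AND_RULE:
            raise ValueError("unsupported matching rule " + rule)
        return ("bitand", attr.lower(), int(value)), j + 1
    return ("eq", attr.lower(), value), j + 1

def _matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    values = entry.get(node[1], [])              # entry attribute names are lower-cased
    if kind == "eq":                             # objectClass compares case-insensitively
        return any(str(v).lower() == node[2].lower() for v in values)
    return any((int(v) & node[2]) == node[2] for v in values)  # every mask bit set

def select(entries, ldap_filter):
    """Return the DNs of the entries matching ldap_filter, in directory order."""
    tree, _ = _parse(ldap_filter)
    return [e["dn"] for e in entries if _matches(tree, e)]

# Constructed entries. userAccountControl 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
DIRECTORY = [
    {"dn": "CN=Alice,OU=Users,DC=example,DC=com", "objectclass": ["top", "person", "user"], "useraccountcontrol": [512]},
    {"dn": "CN=Bob,OU=Users,DC=example,DC=com", "objectclass": ["top", "person", "user"], "useraccountcontrol": [514]},
    {"dn": "CN=Engineering,OU=Groups,DC=example,DC=com", "objectclass": ["top", "group"]},
]
```

Running `select(DIRECTORY, USERS_FILTER)` returns only Alice, while `select(DIRECTORY, "(objectClass=User)")` would also return the disabled account Bob.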
  13. In the Attribute Mapping section, the attribute mapping should be as follows. Note that this requires deleting some of the default mappings; see the instructions below.

To delete an attribute mapping, click Edit next to the attribute.

Then click Remove. Make sure the DEFAULT VALUE is empty.

Make sure this is the final attribute mapping.

  14. In the Activation & Summary section, review the configured settings. Set the Channel Status to Active and click Done.
  15. You will be redirected to the Manage Channels page. Click Done.
  16. You will be redirected to the Outbound Provisioning section. Click Next.
  17. In the Activation & Summary section, activate the SP Connection in PingFederate by toggling the connection status. Click Save.
  18. Upon successful completion, the SCIM connector will be listed on the SP Connections page.

Step 3: Verifying the SCIM Provisioning Integration

Provisioning will begin shortly after the SP connection has been activated. Note that the provisioning process can take several minutes to complete.

Log in to the Axis Management Console and follow the steps below to verify that the SCIM integration is working:

  1. Go to Settings -> Identity Providers. In the Identity Providers table, the configured PingFederate IdP will now show the number of synchronized users and groups.
  2. Go to Settings -> Provisioned Users. On the Users tab, verify that the configured users have been synced from your PingFederate Identity Provider.
  3. Select the User Groups tab. Verify that the configured groups have been synced from your PingFederate Identity Provider.