This guide provides information on how to:
- Configure PingFederate as a SCIM server (inbound provisioning) for synchronization of the Beyond Identity registration status data to Active Directory or generic LDAP directory.
- Test SCIM functionality using Postman
- Ensure that you have a PingFederate 9.0 or higher instance. For inbound SCIM 1.1 provisioning there is no prerequisite to install the SCIM 2.0 connector.
- Ensure that a data store is configured in PingFederate for your Active Directory or LDAP, and that the connection is using LDAPS. This requires an SSL certificate installed on your domain controller(s) or LDAP server(s) that this instance of PingFederate will be connected to.
- An LDAP directory attribute must be extended on the schema for storing the boolean registration status. All of the examples in this guide will refer to this attribute as byndidRegistered.
NOTE: LDAP schema extension for the byndidRegistered attribute type is not reviewed in this guide. Please refer to your LDAP server documentation on schema extensions. The only requirement is that the attribute type value is boolean and that it is applied to your subordinate user object class (e.g. inetOrgPerson on generic LDAP or user on Active Directory). See the Appendix for a sample LDIF.
- The service account used to connect the data store should, at a minimum, have read/write access to the byndidRegistered attribute on all descendant user objects in the container or OU where the users are stored.
Beyond Identity Configuration
The following steps and screenshots apply to the PingFederate 10.1 or higher administrative user interface. For versions below 10.1, please refer to the PingFederate documentation for your respective configuration.
Step 1: Setup PingFederate for Inbound Provisioning
- Click on Authentication -> IdP Connections -> click Create Connection
- On the Connection Type screen, tick the Inbound Provisioning box and ensure the User Support radio button is selected, and click Next
- On General Info, assign a connection ID in the Partner’s Entity ID text box, and a friendly name in Connection Name and click Next. Note - the Partner’s Entity ID must be unique on this instance of PingFederate, and preferably be globally unique.
- On Inbound Provisioning, click the Configure Inbound Provisioning button
- On the Repository tab, choose the Active Directory Data Store that corresponds to your directory, and click Next
- On the Location tab, type in the Base DN of the container or OU where your user records reside, e.g. CN=Users,DC=beyondidentity,DC=us and click Next
- On Unique User ID, create an LDAP filter that will result in one unique user entry, when combined with the DN. A common example is:
but may differ based on your schema and standards. Click Next.
- On Custom SCIM Attributes, under Custom Attributes enter byndidRegistered, click Add, then click Next.
- On Write Users, click the Configure Write Users button.
- On the Attributes screen, choose <Show All Attributes> from the drop-down menu under Root Object Class. Choose byndidRegistered from the Attribute drop-down menu, and click the Add Attribute button. Do the same for the userPrincipalName attribute. Click Next
- On Attribute Fulfillment, choose SCIM User from the Source drop-down menu, then map byndidRegistered from the Value drop-down menu. Then map the userPrincipalName to userName as shown. Click Next
- On the Summary screen click Done.
- Back on the Write Users screen, click Next.
- On the Read Users screen, click the Configure Read Users button.
- On Attribute Contract, verify that byndidRegistered and userName is already part of the core attribute contract. Click Next.
- On Attributes, choose <Show All Attributes> from the Root Object Class drop-down menu, and choose byndidRegistered from the Attribute drop-down menu and click the Add Attribute button. Repeat for the userPrincipalName attribute. Click Next.
- On Attribute Fulfillment, choose LDAP from the Source drop-down menu, and choose msDS-KeyCredentialLink from the Value drop-down menu. Repeat the mapping for the userName to userPrincipalName. Click Next.
- On the Summary screen, click Done.
- Back on the Read Users screen, click Next.
- On the Delete/Disable Users screen, choose either the Disable User or Permanently Delete User radio button depending on whether you would like to disable or delete the user when it becomes deprovisioned from the source repository. Click Next.
- On the Summary screen, review your settings, then click Done.
- Back on the Inbound Provisioning screen, click Next.
- On the Credentials screen, click the Configure Credentials button.
- On Back-Channel Authentication, click the Configure hyperlink.
- On Inbound Authentication Type, choose either or both the HTTP Basic or SSL Client Certificate check boxes, depending on how you want the SCIM client to authenticate. When HTTP Basic is chosen, it will add a Basic Authentication (Inbound) tab to the menu. If SSL Client Certificate is chosen, it will add Certificate Verification Method and SSL Verification Certificate tabs to the menu. It is recommended to enable the Require SSL checkbox. For the purpose of this document, HTTP Basic will be used. Click Next.
- On Basic Authentication (Inbound), input a username and password which will be used by the SCIM client. Click Next.
- On the Summary screen, click Done.
- Back on the Back-Channel Authentication tab, click Next.
- On the Summary screen, click Done.
- Back on the Credentials screen, click Next.
- On the Activation & Summary screen, review your settings and ensure the slider bar at the top right is enabled (green), and click Save.
A reference Postman collection can be downloaded here (Beyond Identity internal only):
There are two tests in this collection:
1) The first test obtains reads the user via user_name variable value;
2) The second test writes the byndidRegistered SCIM attribute to TRUE. These tests are provided solely as an example of how the Beyond Identity cloud will act as a SCIM client for setting this attribute on an on-premises AD environment, via the SCIM connection on PingFederate.
The only environment variables required:
scim_base_url - The base URL and port for PingFederate without the protocol identifier (HTTPS://) or relative path (/pf-scim/…). Example: pingfed.byndid.me:9031
scim_client_id - The username specified in step 26 above.
scim_client_secret - The password specified in step 26 above.
user_name - A user name in the target directory, in our example we used userPrincipalName. Example: firstname.lastname@example.org
- Import the Postman collection
- Set the above variables with values in whatever environment you want (or whichever is currently selected).
- Run test 1. BI - PingFederate SCIM Provisioner - READ which will set a number of other environment variables in the Pre-request Script and Tests. Hit the Send button, and you should get a response such as:
- Run the second test 2. BI - PingFederate SCIM Provisioner - UPDATE byndidRegistered flag. This will set the byndidRegistered attribute to TRUE:
The LDAP schema must be extended with a byndidRegistered attribute. The following LDIF example is for extending Active Directory with this attribute.
adminDescription: Beyond Identity Registration Status
To apply this objectClass to user objects, review the following LDIF example.