Typically, a SCIM resource is a view of the attributes for a particular user (or other resource type) at the user store. With the Ping Identity Data Governance Broker, a SCIM resource may also have a number of child SCIM sub-resources. These provide extended capabilities related to the resource that cannot be expressed solely using CRUD operations against the resource’s attributes. For example, the password sub-resource provides a rich password change API supporting generated passwords, password update failure details, and other features that cannot be expressed in a standard SCIM response.
The path to a SCIM sub-resource is always a sub-path of the parent SCIM resource. For example, the user at the path /scim/v2/Users/25d0af58-a93b-4ba4-a49c-ab0fe35783c4 might have the following SCIM sub-resources.
The Data Governance Broker provides the following SCIM sub-resources:
- Session Management
- OAuth 2 Consent
- Validated Email Addresses
- Validated Phone Numbers
- TOTP Shared Secret
- External Identity
Searching SCIM sub-resources
Any SCIM sub-resource endpoint that exposes multiple sub-resources may be searched. For example, the session sub-resource may be searched, because a user may have multiple sessions. On the other hand, a user’s account sub-resource may not be searched, because a user only has a single account.
A client may only search for sub-resources rooted under a particular SCIM resource. For example, a client can search a single user’s consent records using the consent sub-resource, but a user may not search all users’ consent records.
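The two search rules above can be expressed as a request-path check, for instance in a gateway policy or when auditing access logs. This is an added example, not Data Governance Broker code: the sub-resource URL segments (sessions, consents, account, password) and the function name are assumptions, since the page names the sub-resources but not their paths.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical URL segments: the page names these sub-resources but not their paths.
SEARCHABLE = {"sessions", "consents"}   # a user may have several of each
SINGLETON = {"account", "password"}     # one per user, so no search
KNOWN = SEARCHABLE | SINGLETON

# A parent user resource: /scim/v2/Users/<uuid>, optionally followed by a sub-path.
USER_ROOT = re.compile(
    r"^/scim/v2/Users/([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})(/.*)?$"
)

def check_request(url):
    """Return (allowed, reason) for a GET request URL."""
    parts = urlsplit(url)
    # SCIM searches carry a 'filter' query parameter (RFC 7644).
    is_search = "filter" in parse_qs(parts.query, keep_blank_values=True)
    segments = [s for s in parts.path.split("/") if s]
    match = USER_ROOT.match(parts.path)
    if match is None:
        # No parent user in the path: any sub-resource name here is unrooted.
        if segments and segments[-1] in KNOWN:
            return False, "sub-resource is not rooted under a parent resource"
        return True, "not a sub-resource request"
    sub_path = [s for s in (match.group(2) or "").split("/") if s]
    if not sub_path:
        return True, "parent resource"
    sub = sub_path[0]
    if sub not in KNOWN:
        return False, "unknown sub-resource"
    if sub in SINGLETON and is_search:
        return False, "single sub-resource cannot be searched"
    return True, "sub-resource scoped to user " + match.group(1)

# Constructed sample requests.
USER = "/scim/v2/Users/25d0af58-a93b-4ba4-a49c-ab0fe35783c4"
SAMPLES = [
    USER + "/sessions?filter=id%20pr",
    USER + "/account?filter=id%20pr",
    USER + "/account",
    "/scim/v2/consents?filter=id%20pr",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_request(url), url)
```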