Rate this page

Obtaining a User ID

To interact with a specific SCIM resource, such as a user, the resource ID must be known. This can be obtained by a few different means.

If the currently authenticated user authenticated through the same Data Governance Broker:

  • The user’s identifier will be available as the sub claim of the access token.
  • If you have an ID token, then the identifier will also be available as the sub claim of the ID token.

In other cases, the user may have authenticated with a third-party authentication service, and the access token may not contain a sub field with a user ID understood by the Broker, or the access token may not be a JWT at all. In those cases:

  • Use the access token to retrieve the user’s profile via the /scim/v2/Me endpoint; the user’s identifier will be available through the id attribute.
  • If your client is authorized to perform searches, perform a search using a known attribute and value, such as an email address. The user’s identifier will be available through the id attribute.

The resource ID format

Access tokens and ID tokens issued by the Data Governance Broker use the combination of a resource type endpoint name and an identifier to uniquely identify a resource. For example, given the resource ID Users/25d0af58-a93b-4ba4-a49c-ab0fe35783c4, “Users” is the resource type and “25d0af58-a93b-4ba4-a49c-ab0fe35783c4” is the resource’s SCIM ID.

When a resource is retrieved via a SCIM endpoint, however, its id field will consist of the resource’s SCIM ID only. For example:

{
    "schemas": [
        "urn:pingidentity:schemas:sample:profile:1.0",
        "urn:pingidentity:schemas:User:1.0"
    ],
    "meta": {
        "created": "2016-07-30T00:01:23.824Z",
        "lastModified": "2016-07-30T00:01:23.824Z",
        "location": "https://example.com:443/scim/v2/Users/25d0af58-a93b-4ba4-a49c-ab0fe35783c4",
        "resourceType": "Users"
    },
    "id": "25d0af58-a93b-4ba4-a49c-ab0fe35783c4",
    "userName": "pconley"
}

Note how the resource’s URL (the value of meta.location) can be derived from a combination resource ID like Users/25d0af58-a93b-4ba4-a49c-ab0fe35783c4 if the SCIM service’s base URL is known.