Setting Up PingFederate SCIM

This article shows how to retrieve key pieces of information from PingFederate to complete the SCIM provisioning process. For the rest of the SCIM setup process, see our article Setting up SCIM provisioning.

In this article:

• Before you begin
• Setting Up SCIM
• Finish the SCIM provisioning process

Before you begin

• Set up SAML SSO before you begin SCIM provisioning.
• Collect key data from Writer to share with PingFederate, as explained here.
• Download, install, and deploy the SCIM Connector following the setup guide from PingFederate.

Setting Up SCIM

Log in as an admin to your PingFederate instance, and select “Applications” → “SP Connections”. Once there, select the existing SAML SSO connection that you had previously created.

This will take you to the "Summary" page of the existing connection. Once there, select "Connection Type" at the top of the summary.

This will take you to the "Connection Type". To begin the SCIM setup, click the checkbox next to "Outbound Provisioning" and then select "SCIM Connector" in the "Type" field that appears.

No changes need to be made on the "General Info" page.

Configuring Outbound Provisioning

Since you'd already set up other pages on this workflow during SAML setup, the one page you'll need to go to is "Outbound Provisioning". On the "Outbound Provisioning" page, select the “Configure Provisioning” button.

Set up the connection name on the "Target" page.

Once setup, paste your endpoint URL from Writer (step 1 here) into the SCIM Base URL field. The SCIM Base URL should always be https://app.writer.com/api/scim/v2 .

Next, change the Authentication Method to OAuth 2 Bearer Token and paste the bearer token from Writer (step 1 here) into the OAuth Access Token field. No other changes need to be made on this page, so click "Next" to continue.

On the Manage Channels page, select “Create”.

On the Channel Info page, add a descriptive name and click “Next”.

Select an “Active Data Store” from the dropdown menu. The below example uses an ad.acrolix.io LDAP instance, but this may be different depending on the type of data store used in each case. Please refer to the PingFederate documentation for specific settings on your type of data store. Click “Next”.

On the "Source Settings" page, make any modifications needed for your data store. In this example, the default values for the LDAP data store did not need to be modified, so the default settings were used. After configuring the source settings specific to your use case, click “Next” to go to the "Source Location" page.

On the Source Location page, input a Base DN and either a Group DB or Filter for the Users. This tells your application where to look for the users to sync from your active data store. The setup used in each case may be different depending on the type of data store being used and which users and groups are to be provisioned. Please reference PingFederate documentation for specific steps. When this is complete, click “Next”. In the example below, "scim_group" is a group of multiple user groups in AD.

Configure attribute mapping in PingFederate

On the Attribute Mapping page, configure the mapping of attributes in the data store to the SCIM attributes. The exact configuration will depend on the specific setup in each unique situation. For this ad.acrolix.io LDAP example, the default settings are used. When finished, Click “Next”.

On the Activation & Summary page, check that the settings are complete, then toggle the “Channel Status” to “Active” and select “Done”.

You are directed back to the Manage Channels page, where you can select “Done”.

You’re then directed to the Outbound Provisioning page, where you can select “Next”.

The toggle on the "Summary" page should already be green from the previous SAML setup, so click "Save" at the bottom of the page to complete the setup.

Finish the SCIM provisioning process

Return to Setting up SCIM provisioning to complete this process.