Configure SCIM Provisioning with PingFederate

Starting in Strategy One (January 2026), you can integrate Library SCIM with PingFederate provisioning.

Prerequisites

• Ensure Library SCIM 2.0 service is enabled and configured. For more information, see Configure the Library Server as SCIM 2.0 Service Provider.

• The document is tested on PingFederate 10.2.8. Options may vary in newer versions.

• SCIM 2.0 Provisioner is not included with PingFederate by default and requires installing an add-on. For more information on deploying integration files, see Deploying the Integration Files.

Create and Configure SCIM Connector

1. Login to your PingFederate Admin dashboard.

2. Go to Applications > SP Connections.

3. Click Create Connection.

   

4. In SC Connections, on the Connection Template tab, select Use a template for this connection.

5. Expand the Connection template drop-down list and choose SCIM connector.

   Ensure you have installed the SCIM 2.0 connector. If you have not installed the connector, the SCIM connector template will not be available.

6. Click Next.

7. In the Connection Type tab, ensure Outbound provisioning is selected and the SCIM Connector type.

8. Click Next.

9. In the General Info tab, enter information for the SCIM connection including Connection ID and Connection Name.

10. Click Next.

11. In the Outbound Provisioning tab, configure how user data is transmitted from the user store to the SCIM server.

12. To view the Configure Channels page, click Configure Provisioning.

13. In the Configure Channels page, click the Target tab.

14. Enter your SCIM server (Library Web) information from Workstation including the following:

    

    • SCIM URL: Enter the "Base URL" from Workstation.

    • SCIM Version: Choose 2.0.

    • Authentication Method: Choose OAuth 2 Bearer Token.

    • OAuth 2 Bearer Token - Access Token: Enter the generated Bearer Token from Workstation.

    • Provisioning Options - Group Name Source: Choose Common Name.

      Strategy does not currently support parsing group names as a distinguished name.

    • Provisioning Options - Custom Attribute Schema URNs: If you want to map attributes to the custom user schema, enter urn:ietf:params:scim:schemas:extension:strategy:2.0:User.

      You may need extra configurations under the SCIM Overrides and Provisioning Options sections. For more information, see SCIM Provisioner Settings Reference.

15. In the Manage Channels tab, click Create.

16. In the Channel page, connect to an existing user data store in your Ping Federate server as the source of the SCIM connection. For more information, see Managing Channels.

    See the following example that uses Active Directory as a user data store and configurations on the Source Settings and Source Location tab:

    Source Settings

    

    Source Location

    

17. To map available attributes from the user data store as SCIM attributes, use the Attribute Mapping tab. For a list of supported SCIM attributes in PingFederate, see Supported Attributes Reference.

    If you configured custom attribute schema URNs in Configure Channels - Target, custom attribute mapping is also available, such as strategy:distinguishedName.

    

18. Activate the channel and click Done to return to the Configure Channels page.

19. Click Done to return to the SP Connections page.

20. In the Outbound Provisioning tab, click Next.

21. In the Activation & Summary tab, review your settings and to enable SCIM provisioning, click Enable.

22. Click Save.

Troubleshooting

Handle User List Inconsistency

User lists between PingFederate and the Intelligence Server may become inconsistent due to incorrect configurations or manual changes by the Administrator in the Library. PingFederate performs a full sync only once, then incremental syncs thereafter. Therefore, PingFederate cannot automatically recover from inconsistencies and you must perform a full sync. PingFederate does not have the option to rerun a full sync but you can use the following workaround to trigger a full sync on an existing SCIM connector:

1. Disable the SCIM connector.

2. Go to Outbound Provisioning > Configure Provisioning and select the channel configuration in use.

3. Set the channel's status to Inactive.

4. Copy the channel configuration for the channel you selected in step 2 or create a new configuration with identical settings.

5. Set the channel to Active and Save.

6. Enable the SCIM connector.

Inspect PingFederate SCIM Provisioner Log

In addition to Library server logs, you can troubleshoot using logs from the PingFederate SCIM provisioner. For on-premises PingFederate, after enabling the SCIM connector, provisioning logs appear in the PingFederate log folder as provisioner.log or provisioner.{timestamp}.log. These logs contain detailed information about PingFederate as a SCIM client.

Additional Information

For more information on PingFederate configuration, see SCIM Provisioner.