Each resource has an identifier. The resource type name (Users) is combined with the identifier (25d0af58-a93b-4ba4-a49c-ab0fe35783c4) to uniquely identify the resource to the PingDirectory or PingDirectoryProxy Server. For example:

/scim/v2/Users/25d0af58-a93b-4ba4-a49c-ab0fe35783c4

All requests and responses use UTF-8 character encoding and are formatted as JSON.

HTTP request headers

Updating resources

SCIM resources are modified using the PUT and PATCH methods, described in sections 3.5.1 and 3.5.2 of RFC 7644. For examples, see User profile endpoints.

HTTP method Description
PUT Updates a resource by completely replacing it.
PATCH Updates a resource by modifying only the changes to be made.

Because access controls enforced by the PingDirectory server policies and scopes can limit your view of a resource, the server must assume that you may not have access to all attributes of a resource. This is important for PUT requests, because the server needs to distinguish between a case in which you explicitly wish to remove an attribute and a case in which you do not know about an attribute. The general rule is that the server ignores an attribute that is omitted from a PUT request, rather than deleting it. If you explicitly wish to delete an attribute, then you should set its value to null.

When you request a modification, the server computes the difference between the current state of the resource and the state specified by the modification request, applying a minimal set of changes when passing the modification request to the user store. In effect, this means that a PUT request is ultimately treated as if it were a PATCH request. This prevents unnecessary modifications from being sent to the user store and, more importantly, also prevents you from inadvertently removing attributes that you did not specify because you did not have access to them.

The server performs this diffing logic at the attribute and sub-attribute level, comparing each attribute in a modification request against the corresponding attribute in the current resource. For multivalued, complex attributes, the server iterates through the values in the modification request and tries to find the corresponding value in the current resource to determine a match. If it is found, it then diffs at the sub-attribute level.

This behavior is summarized by the following table.

Operation Result
PUT request omitting a simple single-valued attribute (such as userName). No change.
PUT or PATCH request setting a simple single-valued attribute to null. The attribute is deleted.
PUT or PATCH request replacing the value of a multi-valued attribute, omitting an existing member of the array. The omitted member is deleted.
PUT or PATCH request replacing the value of a complex attribute, omitting an existing sub-attribute from the object. No change to the omitted sub-attribute.

For example, if the current value of a resource’s phoneNumbers attribute is:

"phoneNumbers": [
   {
      "value": "054-757-2291",
      "type": "work",
      "primary":"true"
   }
]

And a modification request includes:

"phoneNumbers": [
   {
      "value": "054-757-2291",
      "primary": "false"
   }
]

Then the final result is:

"phoneNumbers": [
   {
      "value": "054-757-2291",
      "type": "work",
      "primary": "false"
   }
]

When finding a matching value in a complex attribute, matches of the value, $ref, type, and display sub-attribute values are given more weight when compared to values of other sub-attributes. This is done because the above sub-attribute values are typically unique for any given complex attribute.

Specifying attributes to return

By default, all attributes that you are authorized to read are returned when a resource is requested. Your application can provide special query parameters to override this behavior.

Parameter Description
attributes Indicates the set of attributes to include in the response. Takes a comma-separated list of attribute names. Extension schema attribute names must be prefixed with the extension schema URN.
excludedAttributes Indicates a set of attributes to exclude from the response. Takes a comma-separated list of attribute names. Extension schema attribute names must be prefixed with the extension schema URN.

Filtering searches

Some endpoints support an optional filter parameter for filtering responses containing multiple resources. In general, if a SCIM path returns a single resource, it does not support filtering. If it returns multiple resources, then it generally supports filtering. For example, /scim/v2/Users supports filtering, but /scim/v2/Users/{userId} does not.

SCIM filtering is described in detail by RFC 7644, section 3.4.2.2. The following discussion should not be considered exhaustive.

The value of the filter parameter is a search filter, which typically takes the form <attribute> <operator> <value>. For example:

filter=userName eq "pkd"

Search responses are always list responses, except in the case of an error.

The following attribute operators are supported:

Operator Description
eq equal
ne not equal
co contains
sw starts with
ew ends with
pr present
gt greater than
ge greater than or equal to
lt less than
le less than or equal to

The following logical operators are supported:

Operator
and
or
not

The following grouping operators are supported:

Operator Description
() Groups expressions to alter precedence.
[] Contains a filter expression to be applied to a complex attribute. See example below.

The following is a sample of filtering by a core attribute:

filter=userName eq "pkd"

The following is a sample of filtering by an extended attribute using the ‘starts with’ operator:

filter=urn:pingidentity:schemas:sample:profile:1.0:birthDate sw "1939"

The following is a sample of a complex filter:

filter=emails[value eq "glen@runciter.com"]

The following is a sample of a complex filter with two expressions:

filter=emails[value eq "glen@runciter.com" and type eq "work"]

Pagination

The client can provide pagination parameters to page through search result sets.

Parameter Description
startIndex The index of the first query result. Indexing starts at 1.
count A non-negative integer specifying the maximum number of matching resources to return per page. If 0 is specified, then no resources will be returned, but the totalResults field will still indicate the number of matching resources.