Supported Features
Using this connector, you can manage any SCIM 2.0 compliant target system. The SCIM 2.0 connector supports the following features:
Note
Before you can use any item marked with an asterisk (*), SailPoint must activate the feature for your site.
-
Load accounts
-
*Provisioning
-
*Password management
-
*Access certifications (certification of entitlements connected to accounts)
-
Addition of groups and entitlements
For more information on features, refer to Identity Security Cloud Source Features.
The SCIM 2.0 connector supports multiple group objects such as, group. Depending on the managed system to which you are connecting, you can configure entitlements and roles. You must add a new group schema and update the existing account schema using APIs. For more information, refer to listSchema API and createSchema API.
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
Add new group schema
The following example adds the schema for a Role:
Method: POST
Uri: beta/sources/<source-id>/schemas
JSON Payload:
{
"name": "Role",
"nativeObjectType": "Role",
"identityAttribute": "Id",
"displayAttribute": "Name",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [],
"configuration": {},
"attributes": [
{
"name": "Id",
"type": "STRING",
"schema": null,
"description": "Role Id.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Name",
"type": "STRING",
"schema": null,
"description": "Role name.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
}
…
…
]
}For example:
<Schema displayAttribute="Name" identityAttribute="Id" nativeObjectType="Role" objectType="Role">
<AttributeDefinition name="Id" type="string">
<Description>Role Id.</Description>
</AttributeDefinition>
<AttributeDefinition name="Name" type="string">
<Description>Role name.</Description>
</AttributeDefinition>
</Schema>When the new group schema for the role object type has been created, you need to update the relevant account schema attributes to point at the new group schema. This can be done by making changes in the account schema since Identity Security Cloud enables you to add the new entitlement in the account schema via UI.
API Throttling
The SCIM 2.0 connector supports API throttling. The following headers are supported for throttling, per the SCIM standards:
-
x-rate-limit-remaining -
x-rate-limit-limit -
x-rate-limit-reset -
x-rate-limit-retry-after-seconds
Note
For more information on SailPoint's REST APIs, refer to Best Practices: REST API Authentication and REST API - Update Source (Partial) in the SailPoint Developer Community.
To update the maximum API call threshold percentage, configure the following attribute to check the x-rate-limit-reset header after the threshold. The default value is 100.
<entry key="maxApiCallsThresholdPercentage" value="100"/>
For Relax and Non Relax Configuration
If any target system does not send the response headers in SCIM 2.0 specification, the following parameters can be used to update the entry.
<entry key="rateLimitHeaders">
<value>
<Map>
<entry key="limitHeader" value="rate-limit-limit"/>
<entry key="remainingHeader" value="rate-limit-remaining"/>
<entry key="limitResetHeader" value="rate-limit-reset"/>
<entry key="retryAfterHeader" value="rate-limit-retry-after-seconds"/>
</Map>
</value>
</entry>