Supported Features

Using this connector, you can manage any SCIM 2.0 compliant target system. The SCIM 2.0 connector supports the following features:

Note
Before you can use any item marked with an asterisk (*), SailPoint must activate the feature for your site.

  • Load accounts

  • *Provisioning

  • *Password management

  • *Access certifications (certification of entitlements connected to accounts)

  • Addition of groups and entitlements

For more information on features, refer to IdentityNow Source Features.

The SCIM 2.0 connector supports multiple group objects such as, group. Depending on the managed system to which you are connecting, you can configure entitlements and roles. You must add a new group schema and update the existing account schema using APIs. For more information, refer to listSchema API and createSchema API.

Note
For more information on IdentityNow APIs, refer to Best Practices: IdentityNow REST API Authentication and IdentityNow REST API - Update Source (Partial) in the SailPoint Developer Community.

The following example adds the schema for a Role:

Copy 
Method: POST
Uri: beta/sources/<source-id>/schemas
JSON Payload:
{
    "name": "Role",
    "nativeObjectType": "Role",
    "identityAttribute": "Id",
    "displayAttribute": "Name",
    "hierarchyAttribute": null,
    "includePermissions": false,
    "features": [],
    "configuration": {},
    "attributes": [
{
    "name": "Id",
    "type": "STRING",
    "schema": null,
    "description": "Role Id.",
    "isMulti": false,
    "isEntitlement": false,
    "isGroup": false
},
{
    "name": "Name",
    "type": "STRING",
    "schema": null,
    "description": "Role name.",
    "isMulti": false,
    "isEntitlement": false,
    "isGroup": false
}


]
}

For example:

Copy 
<Schema displayAttribute="Name" identityAttribute="Id" nativeObjectType="Role" objectType="Role">
    <AttributeDefinition name="Id" type="string">
        <Description>Role Id.</Description>
    </AttributeDefinition>
    <AttributeDefinition name="Name" type="string">
        <Description>Role name.</Description>
    </AttributeDefinition>
</Schema>

When the new group schema for the role object type has been created, you need to update the relevant account schema attributes to point at the new group schema. This can be done by making changes in the account schema since IdentityNow enables you to add the new entitlement in the account schema via UI.

API Throttling

The SCIM 2.0 connector supports API throttling. The following headers are supported for throttling, per the SCIM standards:

  • x-rate-limit-remaining

  • x-rate-limit-limit

  • x-rate-limit-reset

  • x-rate-limit-retry-after-seconds

Note
For more information on IdentityNow APIs, refer to Best Practices: IdentityNow REST API Authentication and IdentityNow REST API - Update Source (Partial) in the SailPoint Developer Community.

To update the maximum API call threshold percentage, configure the following attribute to check the x-rate-limit-reset header after the threshold. The default value is 100.

<entry key="maxApiCallsThresholdPercentage" value="100"/>

For Relax and Non Relax Configuration

If any target system does not send the response headers in SCIM 2.0 specification, the following parameters can be used to update the entry.

Copy 
<entry key="rateLimitHeaders">
    <value>
        <Map>
            <entry key="limitHeader" value="rate-limit-limit"/>
            <entry key="remainingHeader" value="rate-limit-remaining"/>
            <entry key="limitResetHeader" value="rate-limit-reset"/>
            <entry key="retryAfterHeader" value="rate-limit-retry-after-seconds"/>
        </Map>
    </value>
</entry>