You must create a System for Cross-domain Identity Management (SCIM) 2.0 application so that you can specify which PingFederate users and groups to push to vCenter Server.

Prerequisites

Procedure

  1. Add the vCenter Server Trusted Root Certificate to the PingFederate Server.
    Before you begin, export the trusted root certificate(s) from vCenter Server. You can obtain the certificate from the file system of the vCenter Server at /var/lib/vmware/vmca/root.cer. Or, see the Knowledge Base article at https://kb.vmware.com/s/article/2108294.
    1. Log in to the PingFederate Admin console with an Administrator Account.
    2. Go to Security > Certificate & Key Management.
    3. Select Trusted CAs, then click Import to add the SSL certificate of the vCenter Server.
    4. If your PingFederate server instance is running as a container image, you might need to restart the server to add the certificate to the trust store. For example:
      1. Connect to the PingFederate server using SSH.
      2. Change to the /root/ping directory.
      3. Run the following commands:
        docker-compose down
        docker-compose up
  2. Create the SP Connection.
    1. Log in to the PingFederate Admin console with an Administrator Account.
    2. Go to Applications > Integration > SP Connections.
    3. Click Create Connection.
    4. Select Use a template for this connection, then select SCIM Connector from the drop-down.
      If the SCIM Connector option does not appear in the drop-down, check that you placed the SCIM Connector .jar file in the correct folder (the /opt/out folder of your PingFederate server).
    5. Click Next.
    6. Select only Outbound Provisioning then click Next.
    7. On the General Info tab:
      • Partner's Entity ID (Connection ID): Replace the default value SCIM Connector with a name of your choice.
      • Connection Name: Enter a name.
      • Base URL: Enter the HTTPS address of the vCenter Server where you are configuring the PingFederate external identity provider, for example: https://vcenter1.example.com.
    8. Click Next.
    9. Click Configure Provisioning.
      On the Target tab:
      • SCIM URL: Enter the Usergroup endpoint.

        This is the Tenant URL obtained under User Provisioning on the Configuration page of the vCenter Server. For example: https://vcenter1.example.com/usergroup/t/CUSTOMER/scim/v2

      • Authentication Method: Select OAuth 2 Bearer Token from the drop-down.
      • Access Token: Paste the Secret Token that was generated from vCenter Server, and that you should have saved previously. See Step 2 in Configure vCenter Server Identity Provider Federation for PingFederate.
      • Unique User Identifier: Select userName from the drop-down.
      • Filter Expression: Copy the following expression into the text box: externalId eq "%s"
    10. Accept the rest of the default configuration setting values and click Next.
    11. On the Manage Channels tab, click Create.
      • On the Channel Info tab:
        • Channel Name: Enter a name.
        • Accept the Max threads and Timeout (Secs) default values.
    12. Click Next.
      • On the Source tab:
        • Active Data Store: Choose your Active Directory domain.
    13. Click Next.
      • On the Source Location tab:
        • Base DN: Enter your base DN to find your users and groups.
        • Users: Customize to your environment. For example:
          • Group DN: Do not use.
          • Filter: Enter (|(objectClass=person)(objectClass=organizationalPerson)(objectClass=user)).
        • Groups: Customize to your environment. For example:
          • Group DN: Do not use.
          • Filter: Enter (objectClass=group).
    14. Click Next.
    15. Accept the defaults on the Attribute Mapping tab.
    16. Click Next.
      On the Activation & Summary tab:
      • Channel Status: Select Active.
    17. Click Done.
      The SP Connection is created and the SP Connections screen is displayed.
    18. Click Done.
    19. On the Outbound Provisioning tab, click Next.
    20. Review the summary then click Save.
    21. To make the connection active, toggle the Enabled slider.
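
The following pre-flight check is an added example and is not part of the VMware or Ping documentation. It reproduces what the SP Connection does at the Target step (steps 1 and 2 above): it trusts only the root.cer exported from vCenter Server, sends the Secret Token as an OAuth 2 bearer token to the Tenant URL, and issues the same externalId filter query PingFederate uses to look up an existing user. The Tenant URL, the certificate path and the VCENTER_SCIM_TOKEN environment variable are assumed placeholders.

```python
"""Pre-flight check of the PingFederate -> vCenter Server SCIM target (added example)."""
import json
import os
import ssl
import urllib.parse
import urllib.request

# Constructed placeholders: use the Tenant URL and root.cer from your own vCenter Server.
SCIM_URL = "https://vcenter1.example.com/usergroup/t/CUSTOMER/scim/v2"
ROOT_CER = "/path/to/exported/root.cer"
# The Secret Token is read from the environment so that it never lands in a script or log.
SECRET_TOKEN = os.environ.get("VCENTER_SCIM_TOKEN", "")


def scim_filter(external_id: str) -> str:
    """Render the Filter Expression 'externalId eq "%s"' for one value.
    SCIM 2.0 (RFC 7644) string literals follow JSON string rules, so a quote or
    backslash inside the value is escaped instead of breaking the filter."""
    return "externalId eq " + json.dumps(external_id)


def users_lookup_url(base: str, external_id: str) -> str:
    """Build the /Users query the connector sends to find an already-provisioned user."""
    query = urllib.parse.urlencode({"filter": scim_filter(external_id), "count": 1})
    return base.rstrip("/") + "/Users?" + query


def tls_context(cafile: str) -> ssl.SSLContext:
    """Trust only the vCenter root exported in step 1, not the system store, so a
    certificate problem shows up here rather than later in the provisioning log."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe(base: str, token: str, cafile: str, external_id: str) -> int:
    """Return the HTTP status; 200 means chain, bearer token and filter syntax were all accepted."""
    req = urllib.request.Request(users_lookup_url(base, external_id), headers={
        "Authorization": "Bearer " + token,
        "Accept": "application/scim+json",
    })
    with urllib.request.urlopen(req, context=tls_context(cafile), timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # "example-external-id" is a constructed value, not a real directory identifier.
    print(probe(SCIM_URL, SECRET_TOKEN, ROOT_CER, "example-external-id"))
```

A non-200 response from the probe isolates the failure to the certificate trust (TLS error), the Secret Token (401) or the Tenant URL (404) before you enable the channel.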

Results

PingFederate now pushes users and groups from the configured data store to vCenter Server. Allow some time for the push to occur. You can view the pushed users and groups in the vSphere Client. Go to Administration > Single Sign On > Users and Groups, and select the PingFederate domain.

What to do next

Continue with Configure vCenter Server for PingFederate Authorization.