The proxy Read Transformation is used when the external client application (for example, SAP Identity Management) performs an initial load, that is, executes GET requests to the resource endpoints (/Users or /Groups) to retrieve the entities of the particular type. The external client application can also execute GET requests to a single resource endpoint (querying a single resource is supported). In this case, the proxy system acts as a source system.
The proxy Write Transformation is used when the external application manages the entities in the proxy system: creates new entities, updates existing ones, or deletes existing ones. In this case, the proxy system acts as a target system.
However, after a Create or Update operation is performed on the proxy system, the Read Transformation is applied to the result, so that the created or updated entity is sent back to the external application. This means that the proxy Read Transformation is also used for write cases.
Example - Conditions in Proxy Scenarios
Conditions are supported in both the proxy Read Transformation and the proxy Write Transformation. However, when conditions are applied to users or groups in the proxy Read Transformation, the number of returned resources may be "0" or less than the actual number of read entities. This is because some of the entities are filtered out as they do not match the applied condition.
In the following example, the returned resources are "0" because all 5 users (items) returned per page are filtered out as they do not match a condition.
SCIM proxy client request: GET /Users?startIndex=6&count=5
SCIM proxy application response:
{
"startIndex": 6,
"itemsPerPage": 5,
"totalResults": 11,
"Resources": [],
"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"]
}
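A client that reads through the proxy therefore has to page on startIndex and totalResults and must not treat an empty Resources array as the end of the data. The following Python code is an added example, not SAP code; fake_proxy_get_users, the sample users and the "active" condition are constructed assumptions standing in for a real proxy endpoint.

```python
from typing import Callable, Dict, Iterator, List

SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
# Constructed sample data: 11 users; the condition (assumed here to be
# "active is true") filters out users 6-10, i.e. the whole second page.
USERS = [{"id": f"u{i}", "active": not 6 <= i <= 10} for i in range(1, 12)]

def fake_proxy_get_users(start_index: int, count: int) -> Dict:
    """Hypothetical stand-in for GET /Users?startIndex=..&count=.. on a proxy system."""
    window = USERS[start_index - 1:start_index - 1 + count]
    return {
        "startIndex": start_index,
        "itemsPerPage": len(window),   # entities read, before the condition
        "totalResults": len(USERS),
        "Resources": [u for u in window if u["active"]],
        "schemas": [SCHEMA],
    }

def read_all(fetch: Callable[[int, int], Dict], count: int = 5) -> Iterator[Dict]:
    """Yield every resource; stop on totalResults, never on an empty page."""
    start = 1  # SCIM startIndex is 1-based
    while True:
        page = fetch(start, count)
        yield from page.get("Resources", [])
        # Advance by the entities read; fall back to count so a reported
        # itemsPerPage of 0 cannot cause an endless loop.
        start += int(page.get("itemsPerPage") or count)
        if start > int(page["totalResults"]):
            return

def read_until_empty(fetch: Callable[[int, int], Dict], count: int = 5) -> List[Dict]:
    """Common but wrong loop: treats an empty Resources array as end of data."""
    found, start = [], 1
    while True:
        resources = fetch(start, count)["Resources"]
        if not resources:
            return found
        found.extend(resources)
        start += count

if __name__ == "__main__":
    print("complete:", [u["id"] for u in read_all(fake_proxy_get_users)])
    print("truncated:", [u["id"] for u in read_until_empty(fake_proxy_get_users)])
```

With this sample data the loop that stops on an empty page never sees the last user, which in a reconciliation job would leave that account unreviewed.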
How to Call a Proxy System
Because proxy operations cannot be maintained in the Identity Provisioning UI, you need to manage resources (users, groups, and schemas) by sending SCIM 2.0 API requests to certain endpoints. The following table lists all endpoints and operations available in the Identity Provisioning service. Each provisioning system, however, supports only a specific set of operations.
Note
The ID of each proxy system (system_ID in the table below) is a dash-separated string. You can see it at the end of the system URL in the Identity Provisioning UI.
Depending on the infrastructure/environment your Identity Provisioning tenant (bundle or standalone) runs on, use the relevant URI patterns to call an endpoint:
Endpoints and Operations Available
Resource Operation | HTTP Method | Endpoint |
---|---|---|
Read users | GET | SAP BTP, Neo Environment; Infrastructure of SAP Cloud Identity Services |
Read a user | GET | SAP BTP, Neo Environment; Infrastructure of SAP Cloud Identity Services |
Create a user | POST | SAP BTP, Neo Environment; Infrastructure of SAP Cloud Identity Services |
Update a user (full) | PUT | SAP BTP, Neo Environment; Infrastructure of SAP Cloud Identity Services |
Update a user (partial) | PATCH | SAP BTP, Neo Environment; Infrastructure of SAP Cloud Identity Services |
Delete a user | DELETE | SAP BTP, Neo Environment; Infrastructure of SAP Cloud Identity Services |
Read groups | GET | SAP BTP, Neo Environment; Infrastructure of SAP Cloud Identity Services |
Read a group | GET | SAP BTP, Neo Environment; Infrastructure of SAP Cloud Identity Services |
Create a group | POST | SAP BTP, Neo Environment; Infrastructure of SAP Cloud Identity Services |
Update a group (full) | PUT | SAP BTP, Neo Environment; Infrastructure of SAP Cloud Identity Services |
Update a group (partial) | PATCH | SAP BTP, Neo Environment; Infrastructure of SAP Cloud Identity Services |
Delete a group | DELETE | SAP BTP, Neo Environment; Infrastructure of SAP Cloud Identity Services |