Direct-mapped Users

A direct-mapped user is a type of SCIM user that does not rely on a traditional SCIM resource mapping. No central set of definitions explains how to convert SCIM attributes, such as emails (an array), to PingOne attributes, such as email (a single-valued string), or the reverse. Instead, direct-mapped users perform a direct mapping (or "pass-through") of the attribute data as provided. This is in contrast to SCIM Users, where the attribute data of the user relies on the SCIM resource mapping defined in the response to Read SCIM2 Schemas.

This endpoint is not part of the SCIM specification. The advantage to direct-mapped users is that it allows clients to use SCIM without worrying about mapping resource definitions between their SCIM data and PingOne. This is especially useful when it comes to data stored in custom attributes.

In the previous example, instead of constructing a SCIM emails array, a direct-mapped user can be created with a single-valued email attribute by the SCIM client. Direct-mapped users follow the attribute convention of the PingOne API. Because this is a custom PingOne SCIM resource, it is defined under the /ResourceTypes and /Schemas endpoints.

Direct-mapped user data model

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`account.canAuthenticate`	Boolean	N/A	Read-only	Whether the user can authenticate at this time.
`account.lockedAt`	String	N/A	Read-only	Date and time at which the account was locked, if any.
`account.secondsUntilUnlock`	Integer	N/A	Read-only	Number of seconds remaining until the account will be unlocked.
`account.status`	String	N/A	Read-only	Status of the account. Can be `OK` or `LOCKED`.
`account.unlockAt`	String	N/A	Read-only	Date and time at which the account will be unlocked.
`accountId`	String	Optional	Mutable	Identifier (UUID) of the user’s account. Can be explicitly set to null when updating a user to unset it. Is organization-specific and has no special meaning within the platform.
`address.countryCode`	String	Optional	Mutable	Country name of the address. When specified, the value must be in ISO 3166-1 Alpha-2 code format; such as: `US` (United States) or `SE` (Sweden).
`address.locality`	String	Optional	Mutable	City or locality of the address.
`address.postalCode`	String	Optional	Mutable	ZIP Code or postal code of the address.
`address.region`	String	Optional	Mutable	State or region of the address.
`address.streetAddress`	String	Optional	Mutable	Full street address, which may include house number, street name, P.O. box, and multi-line extended street address information. Can contain newlines.
`createdAt`	String	N/A	Read-only	Date and time at which the user was created.
`email`	String	Optional	Mutable	User’s email address.
`emailVerified`	Boolean	N/A	Read-only	Whether the email is verified.
`enabled`	Boolean	N/A	Read-only	Whether the user is enabled. Set to `true` by default when the user is created.
`environment.id`	String	N/A	Read-only	Identifier (UUID) of the environment with which the direct-mapped user is associated.
`externalId`	String	Optional	Mutable	Identifier (UUID) for the user as defined by the provisioning client. Can be explicitly set to null when updating a user to unset it. Can simplify the correlation of the user in PingOne with the user’s account in another system of record. The platform does not use this directly in any way, but it is used by Ping Identity’s Data Sync product.
`id`	String	N/A	Read-only	Identifier (UUID) of the user.
`identityProvider.id`	String	N/A	Read-only	Identifier (UUID) of the trusted identity provider that is used as the authentication authority for the user. If present, the user must authenticate via this identity provider.
`identityProvider.type`	String	N/A	Read-only	Type of the trusted identity provider where the user account is managed. If the type is `PING_ONE`, PingOne is the authentication authority.
`lastSignOn.at`	String	N/A	Read-only	Date and time of the last successful login of the user.
`lastSignOn.remoteIp`	String	N/A	Read-only	IP address of the last successful login of the user.
`lifecycle.status`	String	N/A	Read-only	Lifecycle status for this account. Can be `ACCOUNT_OK` or `VERIFICATION_REQUIRED`. This attribute can only be set when importing a user to set the initial account status. If the initial status is set to `VERIFICATION_REQUIRED` and an email address is provided, a verification email is sent.
`locale`	String	Optional	Mutable	User’s default location. Can be explicitly set to null when updating a user to unset it. This is used for purposes of localizing such items as currency, date time format, or numerical representations. If provided, a valid value is a language tag as defined in RFC 5646. For example: fr, `en-US`, `es-419`, `az-Arab`, `man-Nkoo-GN`.
`location`	String	N/A	Read-only	URL that returns thethis user object.
`memberOfGroupIDs`	String[]	N/A	Read-only	Array of identifiers (UUID) of groups that a user is a member of.
`memberOfGroupNames`	String[]	N/A	Read-only	Array of names of groups that a user is a member of.
`meta`	Object	N/A	Read-only	This information is assembled by the PingOne SCIM API itself. All sub-attributes have a mutability of Read-only. This attribute should be ignored when it is provided by clients.
`meta.created`	String	N/A	Read-only	Date and time the user was created.
`meta.lastModified`	String	N/A	Read-only	Date and time the user was last modified. Can be null.
`mfaEnabled`	Boolean	N/A	Read-only	Whether multi-factor authentication is enabled. Set to `true` by default when the user is created, unless otherwise specified for `user.mfaEnabled` in MFA Settings.
`mobilePhone`	String	Optional	Mutable	User’s mobile phone number. This might also match `primaryPhone`. Can be explicitly set to null when updating a user to unset it. If provided, it must consist of at least one digit and must contain no more than 32 characters.
`name.familyName`	String	Optional	Mutable	Family name of the user, or last in most Western languages (for example, 'Jensen' given the full name 'Ms. Barbara J Jensen, III'). Can be explicitly set to null when updating a name to unset it. Valid characters consists of any Unicode letter, mark (such as accent, umlaut), math symbol, numeric character, or punctuation. Can contain no more than 256 characters.
`name.formatted`	String	Optional	Mutable	Fully formatted name of the user (for example 'Ms. Barbara J Jensen, III'). Can be explicitly set to null when updating a name to unset it.
`name.givenName`	String	Optional	Mutable	Given name of the user, or first name in most Western languages (for example, 'Barbara' given the full name 'Ms. Barbara J Jensen, III'). Can be explicitly set to null when updating a name to unset it. Valid characters consists of any Unicode letter, mark (such as accent, umlaut), math symbol, numeric character, or punctuation. Can contain no more than 256 characters.
`name.honorificPrefix`	String	Optional	Mutable	Honorific prefix of the user (can contain more than one), or title in most Western languages (such as, 'Ms.' given the full name 'Ms. Barbara Jane Jensen, III'). Can be explicitly set to null when updating a name to unset it.
`name.honorificSuffix`	String	Optional	Mutable	Honorific suffix (can contain more than one) of the user, or suffix in most Western languages (such as, 'III' given the full name 'Ms. Barbara Jane Jensen, III'). Can be explicitly set to null when updating a name to unset it.
`name.middleName`	String	Optional	Mutable	Middle name (can contain more than one) of the user (such as 'Jane' given the full name 'Ms. Barbara Jane Jensen, III'). Can be explicitly set to null when updating a name to unset it. Valid characters consists of any Unicode letter, mark (such as accent, umlaut), math symbol, numeric character, or punctuation. Can contain no more than 256 characters.
`nickname`	String	Optional	Mutable	User’s nickname. Can be explicitly set to null when updating a user to unset it. Valid characters consists of any Unicode letter, mark (such as accent, umlaut), math symbol, numeric character, or punctuation. Can contain no more than 256 characters.
`password`	String	Optional	Mutable	The password of the user. The PingOne SCIM API will never return this attribute under any circumstances or in any form, hashed or otherwise.
`photo.href`	String	Optional	Mutable	URL that points to a resource location representing the user’s image. Can be removed from a user by setting the photo attribute to null. If provided, the resource must be a file (such as a GIF, JPEG, or PNG image file) rather than a web page containing an image and must have a scheme (protocol) of `http` or `https`.
`population.id`	String	Required/Optional	Immutable	Identifier (UUID) for the population in which the user’s identity exists. Optional if the PingOne environment defines a default population, otherwise required.
`preferredLanguage`	String	Optional	Mutable	User’s preferred written or spoken languages. Can be explicitly set to null when updating a user to unset it. If provided, the format of the value is the same as the HTTP Accept-Language header field (not including 'Accept-Language:') as specified in Section 5.3.5 of RFC 7231.
`primaryPhone`	String	Optional	Mutable	User’s primary phone number. This might also match `mobilePhone`. Can be explicitly set to null when updating a user to unset it. If provided, it must consist of at least one digit and must not contain more than 32 characters.
`resourceType`	String	Required	Immutable	Type of the resource. Must be `DirectMappedUser` for a direct-mapped user.
`schemas`	String[]	N/A	Read-only	Array of URNs of schemas used.
`timezone`	String	Optional	Mutable	User’s time zone. Can be explicitly set to null when updating a user to unset it. If provided, it must conform with the IANA Time Zone database format RFC 6557, for example: 'America/Los_Angeles'.
`title`	String	Optional	Mutable	User’s title, such as 'Vice President'. Can be explicitly set to null when updating a user to unset it.
`type`	String	Optional	Mutable	User’s type. Can be explicitly set to null when updating a user to unset it. This attribute is organization-specific and has no special meaning within the platform. It could have values of `Contractor`, `Employee`, `Intern`, `Temp`, `External`, or `Unknown`.
`updatedAt`	String	N/A	Read-only	Date and time at which the user was updated.
`username`	String	Required	Immutable	Username, which must be provided and must be unique within an environment. The username must be a string of any Unicode letter, mark (such as accent, umlaut), math symbol, numeric character, or punctuation. Can contain no more than 128 characters.
`verifyStatus`	String	N/A	Read-only	Whether ID Validation authentication is enabled. Can be `ENABLED`, `DISABLED`, or `NOT_INITIATED`. Set to `NOT_INITIATED` by default when the user is created.

account.canAuthenticate

Boolean

N/A

Read-only

Whether the user can authenticate at this time.

account.lockedAt

String

N/A

Read-only

Date and time at which the account was locked, if any.

account.secondsUntilUnlock

Integer

N/A

Read-only

Number of seconds remaining until the account will be unlocked.

account.status

String

N/A

Read-only

Status of the account. Can be OK or LOCKED.

account.unlockAt

String

N/A

Read-only

Date and time at which the account will be unlocked.

accountId

String

Optional

Mutable

Identifier (UUID) of the user’s account. Can be explicitly set to null when updating a user to unset it. Is organization-specific and has no special meaning within the platform.

address.countryCode

String

Optional

Mutable

Country name of the address. When specified, the value must be in ISO 3166-1 Alpha-2 code format; such as: US (United States) or SE (Sweden).

address.locality

String

Optional

Mutable

City or locality of the address.

address.postalCode

String

Optional

Mutable

ZIP Code or postal code of the address.

address.region

String

Optional

Mutable

State or region of the address.

address.streetAddress

String

Optional

Mutable

Full street address, which may include house number, street name, P.O. box, and multi-line extended street address information. Can contain newlines.

createdAt

String

N/A

Read-only

Date and time at which the user was created.

email

String

Optional

Mutable

User’s email address.

emailVerified

Boolean

N/A

Read-only

Whether the email is verified.

enabled

Boolean

N/A

Read-only

Whether the user is enabled. Set to true by default when the user is created.

environment.id

String

N/A

Read-only

Identifier (UUID) of the environment with which the direct-mapped user is associated.

externalId

String

Optional

Mutable

Identifier (UUID) for the user as defined by the provisioning client. Can be explicitly set to null when updating a user to unset it. Can simplify the correlation of the user in PingOne with the user’s account in another system of record. The platform does not use this directly in any way, but it is used by Ping Identity’s Data Sync product.

id

String

N/A

Read-only

Identifier (UUID) of the user.

identityProvider.id

String

N/A

Read-only

Identifier (UUID) of the trusted identity provider that is used as the authentication authority for the user. If present, the user must authenticate via this identity provider.

identityProvider.type

String

N/A

Read-only

Type of the trusted identity provider where the user account is managed. If the type is PING_ONE, PingOne is the authentication authority.

lastSignOn.at

String

N/A

Read-only

Date and time of the last successful login of the user.

lastSignOn.remoteIp

String

N/A

Read-only

IP address of the last successful login of the user.

lifecycle.status

String

N/A

Read-only

Lifecycle status for this account. Can be ACCOUNT_OK or VERIFICATION_REQUIRED. This attribute can only be set when importing a user to set the initial account status. If the initial status is set to VERIFICATION_REQUIRED and an email address is provided, a verification email is sent.

locale

String

Optional

Mutable

User’s default location. Can be explicitly set to null when updating a user to unset it. This is used for purposes of localizing such items as currency, date time format, or numerical representations. If provided, a valid value is a language tag as defined in RFC 5646. For example: fr, en-US, es-419, az-Arab, man-Nkoo-GN.

location

String

N/A

Read-only

URL that returns thethis user object.

memberOfGroupIDs

String[]

N/A

Read-only

Array of identifiers (UUID) of groups that a user is a member of.

memberOfGroupNames

String[]

N/A

Read-only

Array of names of groups that a user is a member of.

meta

Object

N/A

Read-only

This information is assembled by the PingOne SCIM API itself. All sub-attributes have a mutability of Read-only. This attribute should be ignored when it is provided by clients.

meta.created

String

N/A

Read-only

Date and time the user was created.

meta.lastModified

String

N/A

Read-only

Date and time the user was last modified. Can be null.

mfaEnabled

Boolean

N/A

Read-only

Whether multi-factor authentication is enabled. Set to true by default when the user is created, unless otherwise specified for user.mfaEnabled in MFA Settings.

mobilePhone

String

Optional

Mutable

User’s mobile phone number. This might also match primaryPhone. Can be explicitly set to null when updating a user to unset it. If provided, it must consist of at least one digit and must contain no more than 32 characters.

name.familyName

String

Optional

Mutable

Family name of the user, or last in most Western languages (for example, 'Jensen' given the full name 'Ms. Barbara J Jensen, III'). Can be explicitly set to null when updating a name to unset it. Valid characters consists of any Unicode letter, mark (such as accent, umlaut), math symbol, numeric character, or punctuation. Can contain no more than 256 characters.

name.formatted

String

Optional

Mutable

Fully formatted name of the user (for example 'Ms. Barbara J Jensen, III'). Can be explicitly set to null when updating a name to unset it.

name.givenName

String

Optional

Mutable

Given name of the user, or first name in most Western languages (for example, 'Barbara' given the full name 'Ms. Barbara J Jensen, III'). Can be explicitly set to null when updating a name to unset it. Valid characters consists of any Unicode letter, mark (such as accent, umlaut), math symbol, numeric character, or punctuation. Can contain no more than 256 characters.

name.honorificPrefix

String

Optional

Mutable

Honorific prefix of the user (can contain more than one), or title in most Western languages (such as, 'Ms.' given the full name 'Ms. Barbara Jane Jensen, III'). Can be explicitly set to null when updating a name to unset it.

name.honorificSuffix

String

Optional

Mutable

Honorific suffix (can contain more than one) of the user, or suffix in most Western languages (such as, 'III' given the full name 'Ms. Barbara Jane Jensen, III'). Can be explicitly set to null when updating a name to unset it.

name.middleName

String

Optional

Mutable

Middle name (can contain more than one) of the user (such as 'Jane' given the full name 'Ms. Barbara Jane Jensen, III'). Can be explicitly set to null when updating a name to unset it. Valid characters consists of any Unicode letter, mark (such as accent, umlaut), math symbol, numeric character, or punctuation. Can contain no more than 256 characters.

nickname

String

Optional

Mutable

User’s nickname. Can be explicitly set to null when updating a user to unset it. Valid characters consists of any Unicode letter, mark (such as accent, umlaut), math symbol, numeric character, or punctuation. Can contain no more than 256 characters.

password

String

Optional

Mutable

The password of the user. The PingOne SCIM API will never return this attribute under any circumstances or in any form, hashed or otherwise.

photo.href

String

Optional

Mutable

URL that points to a resource location representing the user’s image. Can be removed from a user by setting the photo attribute to null. If provided, the resource must be a file (such as a GIF, JPEG, or PNG image file) rather than a web page containing an image and must have a scheme (protocol) of http or https.

population.id

String

Required/Optional

Immutable

Identifier (UUID) for the population in which the user’s identity exists. Optional if the PingOne environment defines a default population, otherwise required.

preferredLanguage

String

Optional

Mutable

User’s preferred written or spoken languages. Can be explicitly set to null when updating a user to unset it. If provided, the format of the value is the same as the HTTP Accept-Language header field (not including 'Accept-Language:') as specified in Section 5.3.5 of RFC 7231.

primaryPhone

String

Optional

Mutable

User’s primary phone number. This might also match mobilePhone. Can be explicitly set to null when updating a user to unset it. If provided, it must consist of at least one digit and must not contain more than 32 characters.

resourceType

String

Required

Immutable

Type of the resource. Must be DirectMappedUser for a direct-mapped user.

schemas

String[]

N/A

Read-only

Array of URNs of schemas used.

timezone

String

Optional

Mutable

User’s time zone. Can be explicitly set to null when updating a user to unset it. If provided, it must conform with the IANA Time Zone database format RFC 6557, for example: 'America/Los_Angeles'.

title

String

Optional

Mutable

User’s title, such as 'Vice President'. Can be explicitly set to null when updating a user to unset it.

type

String

Optional

Mutable

User’s type. Can be explicitly set to null when updating a user to unset it. This attribute is organization-specific and has no special meaning within the platform. It could have values of Contractor, Employee, Intern, Temp, External, or Unknown.

updatedAt

String

N/A

Read-only

Date and time at which the user was updated.

username

String

Required

Immutable

Username, which must be provided and must be unique within an environment. The username must be a string of any Unicode letter, mark (such as accent, umlaut), math symbol, numeric character, or punctuation. Can contain no more than 128 characters.

verifyStatus

String

N/A

Read-only

Whether ID Validation authentication is enabled. Can be ENABLED, DISABLED, or NOT_INITIATED. Set to NOT_INITIATED by default when the user is created.

Direct-mapped search data model

Property Type Required? Mutable? Description

Property	Type	Required?	Mutable?	Description
`filter`	String	Optional	Mutable	A SCIM query. For information about SCIM syntax and operators, refer to Filtering collections.
`count`	Integer	Optional	Mutable	Maximum number of users to return.

filter

String

Optional

Mutable

A SCIM query. For information about SCIM syntax and operators, refer to Filtering collections.

count

Integer

Optional

Mutable

Maximum number of users to return.

PingOne Platform APIs

Direct-mapped Users

Direct-mapped user data model

Direct-mapped search data model