User Provisioning Using SCIM APIUser Provisioning Using SCIM API
You can use SCIM API to create a user (POST) in the Unified Directory, search for users (GET) in the Unified Directory, replace users (PUT) in the Unified Directory, modify users (PATCH) in the Unified Directory, and remove users (DELETE) from the Unified Directory. You can search for users by the SCIM attributes userName, emails, or id.
Note: Managing user groups is not supported through SCIM API.
In the Cloud Administration Console, click Users > Identity Sources.
The Identity Sources list displays the enabled Unified Directory.
Click Edit corresponding to the Unified Directory.
Copy the Base URI and use it in the configuration in SCIM client. This is the SCIM Base URI where all the SCIM resources are hosted.
Copy the Client Secret key that can be used for SCIM API authentication.
Note: You can click Generate to get a new client secret key. Click Save Settings and Publish Changes before you use the new secret key.
SCIM API AuthenticationSCIM API Authentication
SCIM API uses OAuth2 bearer token as an authentication scheme. Use the preceding procedure to generate the bearer token (client secret).
SCIM Attribute MappingSCIM Attribute Mapping
|SCIM Attribute||Field on Users > Management|
|emails[type eq "work"].value||Email Address|
|phoneNumbers[type eq "mobile"].value||SMS Phone|
|phoneNumbers[type eq "mobile"].value||Voice Phone|
SCIM AttributesSCIM Attributes
The following table describes properties used in the requests and responses.
|id||UUID of a user||String|
|userName||Unique identifier for the user, could be used as loginId by the users||String|
|name||Components of user's name||Complex|
|displayName||The name of the user, suitable for display||String|
|nickName||Nick name of the user||String|
|title||Title of the user||String|
|userType||Type of user||String|
|active||Indicates user's status||Boolean|
|locale||Indicates the user's default location for localizing||String|
|emails||Unique identifier for the user (email of type "work" is used as primary identifier for the user. It can be used as login Id by the user.)||List<email>|
|phoneNumbers||Phone numbers of a user (phoneNumber of type "mobile" is used for SMS/VOICE authentication)||List<Phone number>|
|addresses||Physical mailing address of a user||List<Address>|
|externalId||Identifier of a User, defined by the provisioning client||String|
|type||Types of email: home, work, or other||String|
|primary||Indicates primary/preferred email||Boolean|
|type||Types of phone number: home, work, mobile, pager, fax, or other||String|
|primary||Indicates primary/preferred phone number||Boolean|
|formatted||The full name, including all middle names, titles, and suffixes as appropriate, formatted for display||String|
|familyName||Last name or family name of the user||String|
|givenName||First name of the user||String|
|formatted||The full mailing address, formatted for display or use with a mailing label||String|
|streetAddress||Full street address , which may include house number, street name, P.O. box, and multi-line extended street address information||String|
|locality||City or locality||String|
|region||State or region||String|
|postalCode||Zip code or postal code||String|
|type||Type of address. Valid values work, home and other.||String|
Note: userName and emails are required parameters.
For more details on SCIM attributes, refer to https://www.rfc-editor.org/rfc/rfc7643.
SCIM APIs and Discovery EndpointsSCIM APIs and Discovery Endpoints
Integrating SCIM with Azure ADIntegrating SCIM with Azure AD
Azure AD can be configured to automatically provision assigned users to applications that implement a specific profile of the SCIM 2.0 protocol.
Create non-gallery app in Azure AD.
Configure SCIM connection details in Azure from Unified Directory using Base URI and Client Secret.
Note: SCIM patch request accepts add, replace, and remove operations. However, Azure sends the patch request with operations in title case (Add/Replace/Remove). To make it compatible with SCIM standards, add the aadOptscim062020 flag to the tenant URL of the application when configuring the SCIM provisioning in Azure. Refer to SCIM 2.0 compliance issues and status.
Configure user attribute mapping. Cloud mandates two SCIM attributes to be present in SCIM User provisioning request - userName and email [type eq 'work'].value. Use this default mapping.
Ensure that the users are assigned to non-gallery app created for provisioning.
Attribute mappings define how attributes are synchronized between Azure Active Directory and customappsso. The following table shows an example mapping that can be used for Azure AD integration.
|Azure Active Directory Attribute||customappsso Attribute|
|Switch([IsSoftDeleted], "False", "True", "True", "False")||
|mail or userPrincipalName||emails[type eq "work"].value|
|mobile||phoneNumbers[type eq "mobile"].value|
For details on Azure AD integration, refer to Integrate your SCIM endpoint with the Azure AD Provisioning Service.
Rate LimitRate Limit
Rate limiting is applied to all SCIM API requests. When the rate limit is exceeded, a 429 HTTP error message is returned with a Retry-After response in the header. For example:
"Retry-After": "2 seconds"
Response CodeResponse Code
The following table shows response code for this API.
|429||Too many requests.|