User Provisioning Using SCIM API

Use the SCIM API to create (POST), search for (GET), replace (PUT), modify (PATCH), and remove (DELETE) users in the Unified Directory. Searches can filter on the SCIM attributes userName, emails, or id.

Note: Managing user groups is not supported through SCIM API.

Procedure

  1. In the Cloud Administration Console, click Users > Identity Sources.
    The Identity Sources list displays the enabled Unified Directory.

  2. Click Edit corresponding to the Unified Directory.

  3. Copy the Base URI and use it in the SCIM client's configuration. This is the SCIM base URI under which all SCIM resources are hosted.

  4. Copy the Client Secret, which is used for SCIM API authentication.

    Note: You can click Generate to create a new client secret. Click Save Settings and Publish Changes before you use the new secret.

SCIM API Authentication

The SCIM API uses the OAuth2 bearer token scheme: the client sends the Client Secret obtained in the preceding procedure as the bearer token in the Authorization header of every request (Authorization: Bearer <client secret>). No token exchange takes place; the secret itself is the long-lived credential, so store it as you would a password, send it only over HTTPS, and rotate it with Generate followed by Save Settings and Publish Changes.

SCIM Attribute Mapping

SCIM Attribute                          Field on Users > Management
name.givenName                          First Name
name.familyName                         Last Name
userName                                Username
emails[type eq "work"].value            Email Address
active                                  User Status
phoneNumbers[type eq "mobile"].value    SMS Phone
phoneNumbers[type eq "mobile"].value    Voice Phone

SCIM Attributes

The following table describes properties used in the requests and responses.

Request/Response Parameter   Description                                                                                  Type
id                           UUID of the user                                                                             String
userName                     Unique identifier for the user; can be used as the login ID                                  String
name                         Components of the user's name                                                                Complex
displayName                  Name of the user, suitable for display                                                       String
nickName                     Nickname of the user                                                                         String
title                        Title of the user                                                                            String
userType                     Type of user                                                                                 String
preferredLanguage            Preferred language                                                                           String
active                       Indicates the user's status                                                                  Boolean
locale                       The user's default location, used for localizing                                             String
password                     Password                                                                                     String
emails                       Email addresses of the user. The email of type "work" is the user's primary identifier and   List<email>
                             can be used as the login ID.
phoneNumbers                 Phone numbers of the user. The phone number of type "mobile" is used for SMS/voice           List<phoneNumber>
                             authentication.
addresses                    Physical mailing addresses of the user                                                       List<address>
externalId                   Identifier of the user, defined by the provisioning client                                   String

Sub-attributes of emails

Sub-attribute   Description                              Type
value           Email address                            String
type            Type of email: home, work, or other      String
primary         Indicates the primary/preferred email    Boolean

Sub-attributes of phoneNumbers

Sub-attribute   Description                                                   Type
value           Phone number                                                  String
type            Type of phone number: home, work, mobile, pager, fax, or other String
primary         Indicates the primary/preferred phone number                  Boolean

Sub-attributes of name

Sub-attribute   Description                                                                                     Type
formatted       The full name, including all middle names, titles, and suffixes as appropriate, formatted for display   String
familyName      Last name or family name of the user                                                            String
givenName       First name of the user                                                                          String

Sub-attributes of addresses

Sub-attribute   Description                                                                                                    Type
formatted       The full mailing address, formatted for display or use with a mailing label                                    String
streetAddress   Full street address, which may include house number, street name, P.O. box, and multi-line extended address    String
locality        City or locality                                                                                               String
region          State or region                                                                                                String
postalCode      Zip code or postal code                                                                                        String
country         Country name                                                                                                   String
type            Type of address. Valid values: work, home, and other                                                           String

Note: userName and emails are required parameters, and the emails list must contain an entry of type "work" (see SCIM Attribute Mapping).

For more details on SCIM attributes, refer to https://www.rfc-editor.org/rfc/rfc7643.

SCIM APIs and Discovery Endpoints

SCIM API for User Creation

SCIM API for User Search

SCIM API for User Replacement

SCIM API for User Modification

SCIM API for User Deletion

Discovery Endpoints

Integrating SCIM with Azure AD

Azure AD can be configured to automatically provision assigned users to applications that implement a specific profile of the SCIM 2.0 protocol.

Procedure

  1. Create a non-gallery app in Azure AD.

  2. In Azure, configure the SCIM connection details of the app with the Base URI (as the Tenant URL) and the Client Secret (as the Secret Token) copied from the Unified Directory.

    Note: The SCIM PATCH request accepts add, replace, and remove operations in lower case. Azure, however, sends PATCH operations in title case (Add/Replace/Remove). To make them compatible with the SCIM standard, append the aadOptscim062020 flag to the Tenant URL of the application (for example, <Base URI>?aadOptscim062020) when configuring SCIM provisioning in Azure. Refer to SCIM 2.0 compliance issues and status.

  3. Configure the user attribute mapping. The Cloud mandates two SCIM attributes in every SCIM user provisioning request: userName and emails[type eq "work"].value. Use the default mapping shown below.

  4. Ensure that the users to be provisioned are assigned to the non-gallery app created for provisioning.

  5. Start provisioning.

Attribute mappings define how attributes are synchronized between Azure Active Directory and the custom application (shown as customappsso in Azure). The following table shows an example mapping that can be used for the Azure AD integration.

Azure Active Directory Attribute                            customappsso Attribute
userPrincipalName                                           userName
Switch([IsSoftDeleted], "False", "True", "True", "False")   active
displayName                                                 displayName
mail or userPrincipalName                                   emails[type eq "work"].value
givenName                                                   name.givenName
surname                                                     name.familyName
mobile                                                      phoneNumbers[type eq "mobile"].value
mailNickname                                                externalId

For details on Azure AD integration, refer to Integrate your SCIM endpoint with the Azure AD Provisioning Service.

Rate Limit

Rate limiting is applied to all SCIM API requests. When the rate limit is exceeded, the API returns HTTP 429 Too Many Requests with a Retry-After response header that tells the client how long to wait before retrying. Clients should back off for at least that long rather than retrying immediately, or they will keep hitting the limit. For example:

"Retry-After": "2 seconds"
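The following client ties the earlier sections together: it authenticates with the Client Secret as a bearer token, builds a user carrying the mandatory userName and "work" email, sends lower-case PATCH operations, escapes values placed in a search filter, and backs off on HTTP 429 by the Retry-After value. It is an added example, not code from the product or its documentation. Assumptions not stated on this page: the /Users and /Users/{id} resource paths, the application/scim+json media type, and the "filter" query parameter, all taken from RFC 7644; the Base URI and Client Secret values are placeholders, and FakeDirectory is a constructed stand-in so the example runs offline.

```python
# Added example (not the product's own code). Assumed, not from the page: the /Users and
# /Users/{id} paths, application/scim+json and the "filter" parameter (RFC 7644); placeholder credentials.
import json, re, time
import urllib.error, urllib.parse, urllib.request

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def build_user(user_name, work_email, mobile=None):
    """User resource with the mandatory userName and "work" email; "mobile" is the SMS/voice number."""
    if not user_name or not work_email:
        raise ValueError('userName and emails[type eq "work"].value are required')
    user = {"schemas": [USER_SCHEMA], "userName": user_name, "active": True,
            "emails": [{"value": work_email, "type": "work", "primary": True}]}
    if mobile:
        user["phoneNumbers"] = [{"value": mobile, "type": "mobile", "primary": True}]
    return user


def parse_retry_after(value):
    """Seconds to wait after a 429: RFC 7231 delay-seconds or the "2 seconds" form the page
    shows. Missing or unparseable values (e.g. an HTTP-date) fall back to a 1 second pause."""
    match = re.fullmatch(r"\s*(\d+)(?:\s*seconds?)?\s*", value or "")
    return float(match.group(1)) if match else 1.0


class ScimClient:
    def __init__(self, base_uri, client_secret, transport=None, sleep=time.sleep, max_retries=3):
        self.base_uri, self.client_secret = base_uri.rstrip("/"), client_secret
        self.transport = transport or self._http   # transport(method, url, body, headers)
        self.sleep, self.max_retries = sleep, max_retries

    def _http(self, method, url, body, headers):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), err.read()

    def request(self, method, path, body=None, query=None):
        url = self.base_uri + path + ("?" + urllib.parse.urlencode(query) if query else "")
        # The Client Secret is a long-lived static bearer token (RFC 6750): send it over HTTPS only.
        headers = {"Authorization": "Bearer " + self.client_secret, "Accept": "application/scim+json"}
        if body is not None:
            headers["Content-Type"] = "application/scim+json"
        for attempt in range(self.max_retries + 1):
            status, resp_headers, raw = self.transport(method, url, body, headers)
            if status != 429 or attempt == self.max_retries:
                break
            hint = next((v for k, v in resp_headers.items() if k.lower() == "retry-after"), None)
            self.sleep(parse_retry_after(hint))   # back off as instructed, then retry
        if status >= 400:
            raise RuntimeError("SCIM %s %s failed: HTTP %d" % (method, path, status))
        return json.loads(raw) if raw else None

    def create_user(self, user):
        return self.request("POST", "/Users", body=user)

    def find_by_username(self, user_name):
        # Escape the value so a crafted userName cannot change the filter expression.
        quoted = user_name.replace("\\", "\\\\").replace('"', '\\"')
        return self.request("GET", "/Users", query={"filter": 'userName eq "%s"' % quoted})

    def deactivate(self, user_id):
        # "op" must be lower case; the endpoint does not accept Azure's title-case "Replace".
        patch = {"schemas": [PATCH_SCHEMA],
                 "Operations": [{"op": "replace", "path": "active", "value": False}]}
        return self.request("PATCH", "/Users/" + user_id, body=patch)


class FakeDirectory:
    """Constructed offline stand-in for the endpoint: throttles the first call, then serves it."""
    def __init__(self):
        self.calls, self.user = [], None

    def __call__(self, method, url, body, headers):
        self.calls.append((method, url, headers["Authorization"]))
        if len(self.calls) == 1:
            return 429, {"Retry-After": "2 seconds"}, b""
        if method == "POST":
            self.user = dict(body, id="2819c223-7f76-453a-919d-413861904646")  # constructed UUID
            return 201, {}, json.dumps(self.user).encode()
        if method == "PATCH":
            self.user["active"] = body["Operations"][0]["value"]
            return 200, {}, json.dumps(self.user).encode()
        return 200, {}, json.dumps({"totalResults": 1, "Resources": [self.user]}).encode()


def demo():
    """create -> search -> deactivate against FakeDirectory; returns what happened."""
    fake, waits = FakeDirectory(), []
    client = ScimClient("https://example.invalid/scim", "placeholder-client-secret",
                        transport=fake, sleep=waits.append)
    created = client.create_user(build_user("jdoe", "jdoe@example.com", "+15555550100"))
    found = client.find_by_username("jdoe")
    patched = client.deactivate(created["id"])
    return {"waits": waits, "auth": fake.calls[0][2], "created": created, "found": found, "patched": patched}
```

Replace FakeDirectory with the default transport (omit the transport argument) and the placeholders with the Base URI and Client Secret copied from Identity Sources to run it against the real endpoint. The retry loop treats a missing or HTTP-date Retry-After as a one second pause rather than failing, and it gives up after max_retries throttled responses instead of looping forever.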

Response Code

The following table shows the response code specific to rate limiting for this API.

Code Description
429 Too many requests.