Provision accounts with SCIM

This topic describes how to provision users to SAML applications using SCIM (System for Cross-domain Identity Management). SCIM support varies by service provider. Always consult your service provider's documentation for details regarding their SCIM implementation.

SCIM is an open standard for automating the exchange of user identity information between identity domains, or IT systems. It can be used to automatically provision and deprovision accounts for users in external systems such as SAML apps. For more information about SCIM, see https://scim.cloud/ and https://datatracker.ietf.org/doc/html/rfc7644.

Before configuring your application for provisioning, you must:

  • Deploy the app in the Identity Administration portal
  • Get an Access Token with appropriate scopes for the app

    The Access Token is only displayed once when you create it. It is important to store the Access Token in a secure location.

Enable SCIM provisioning for your app in the Identity Administration portal

  1. In the Identity Administration portal, go to the Provisioning page of your deployed application.
  2. Select Enable provisioning for this application.
  3. Select either Preview Mode or Live Mode.

    Preview Mode: Use Preview Mode when you’re initially testing the application provisioning or making configuration changes. The identity platform does a test run to show you what changes it would make but the changes aren’t saved.

    Live Mode: Use Live Mode when you want to use application provisioning in your production system. The identity platform does the provisioning run and saves the changes to both the identity platform and the application’s account information.

  4. The SCIM specification doesn't mandate a particular way to authenticate with the service provider; however, you typically use a SCIM URL and an access token. Refer to the service provider's documentation for specifics on where to find the SCIM URL and instructions for generating an access token with appropriate scopes.

  5. Enter the service provider's SCIM URL for the SCIM Service URL.
  6. Select either OAuth 2.0 or Authorization Header as your Authorization Type.

    OAuth 2.0 uses a workflow to authorize access, while Authorization Header directly provides the credentials.

    Refer to your service provider's documentation for the appropriate authorization type.

    If you select OAuth 2.0, fill in these fields:

    OAuth 2.0 fields and the required action for each:

    Authorize URL: Copy the URL the admin will use to authorize access to the application, and paste it here.

    Access Token URL: Copy the URL where the admin can get an access token for the app after authorization, and paste it here.

    Client ID: Copy the ID generated when you create the client app entry, and paste it here.

    Client Secret: Copy the password or access token generated when you create the client app entry, and paste it here.

    Scope: Copy the statement of permissions to be granted to CyberArk and paste it here. In order to enable provisioning, CyberArk needs read and write permission to users and groups.

    If you select Authorization Header, you have a choice of Header Type.

    Header types:

    Bearer Token: Select Bearer Token if your app requires the header in the format: Bearer <your_access_token>. If you select Bearer Token, paste your access token into the Bearer Token field.

    Basic: Select Basic if your app requires authentication in the format: HTTP BASIC. If you select Basic, you need to enter the admin credentials for the app.

    Direct: Select Direct if your app uses some other format.

    If you select Direct, copy the exact value of the header and paste it in the Header Value field.

    The header value typically takes the following form:

    <Token_Type> <Actual Token>

    For example:

    Example_Token xyztoken122

    For more information about other types of headers that can be used, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization

  7. Click Verify to have CyberArk Identity verify the connection and save the provisioning details.

    If you later want to change any of the fields on the Provisioning page in the Identity Administration portal, you have a choice of options when you click Verify. Verify Credentials only checks the fields above the Sync Options section. Verify and re-detect settings refreshes the entire page, overwriting any changes you have made to the Sync options, Deprovisioning options, and Provisioning Script.
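
The three Header Types from step 6 differ only in how the Authorization header value is assembled, and most failed verifications come from what was pasted. The sketch below is an added example, not CyberArk code: it builds the value for each type, rejects common paste mistakes, and redacts the value for logs. The function names are hypothetical, and it assumes the Bearer Token field takes the bare token with the "Bearer " prefix added for you.

```python
import base64


def _check_pasted(value, field):
    """Reject values that would produce a malformed or split header."""
    if not isinstance(value, str) or not value:
        raise ValueError(f"{field} is empty")
    if "\r" in value or "\n" in value:
        raise ValueError(f"{field} contains a line break (copy/paste residue)")
    if value != value.strip():
        raise ValueError(f"{field} has leading or trailing whitespace")
    return value


def build_authorization_header(header_type, token=None, username=None,
                               password=None, header_value=None):
    """Return the Authorization header value for one of the three Header Types."""
    if header_type == "Bearer Token":
        token = _check_pasted(token, "Bearer Token")
        if token.lower().startswith("bearer "):
            # Assumption: the field holds the bare token, so a pasted prefix
            # would end up as "Bearer Bearer <token>".
            raise ValueError("paste only the token, without the 'Bearer ' prefix")
        return f"Bearer {token}"
    if header_type == "Basic":
        username = _check_pasted(username, "username")
        if ":" in username:
            raise ValueError("HTTP Basic user names cannot contain ':'")
        if not isinstance(password, str) or not password:
            raise ValueError("password is empty")
        raw = f"{username}:{password}".encode("utf-8")
        return "Basic " + base64.b64encode(raw).decode("ascii")
    if header_type == "Direct":
        # Direct is sent verbatim, e.g. "<Token_Type> <Actual Token>".
        return _check_pasted(header_value, "Header Value")
    raise ValueError(f"unknown header type: {header_type!r}")


def redact(header_value):
    """Keep the scheme and at most the last 4 characters for log output."""
    scheme, _, credential = header_value.partition(" ")
    tail = credential[-4:] if len(credential) >= 12 else ""
    return f"{scheme} ****{tail}"


if __name__ == "__main__":
    # Constructed inputs; "xyztoken122" is the placeholder used on this page.
    for value in (
        build_authorization_header("Bearer Token", token="xyztoken122"),
        build_authorization_header("Basic", username="Aladdin", password="open sesame"),
        build_authorization_header("Direct", header_value="Example_Token xyztoken122"),
    ):
        print(redact(value))
```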

Provision users with SCIM

You can map the Identity Administration portal roles (and the users in those roles) to existing or new accounts in your app. When you change role mappings or update a user account, CyberArk Identity synchronizes the changes automatically.

Provisioning assigns users access and assignments based on the top-most role mapping. The role at the top of the list has priority when provisioning users. For example, if a user is in multiple roles that you’ve mapped for provisioning, CyberArk Identity provisions the user based on the role nearer the top of the list. For more details, see Set up app-specific provisioning.

  1. In the Provisioning page, go to the Role Mappings section.

  2. Click Add to open the Role Mapping dialog box.

  3. Select a Role.

  4. Click Add and select a Destination Group from the drop-down list.

  5. A Destination Group named for the selected CyberArk role automatically populates in the list of groups available from the drop-down list. If that Destination Group is selected, a group with that name is created in the target application. If you select a Destination Group that already exists in the application, provisioned users that are members of the selected role are added as members of the existing Destination Group.

    Alternatively, you can type in a new group name to map to the selected role; the newly created Destination Group is also created in the application.

    If the role is removed from the role mapping after a provisioning job runs, the Destination Group remains in the target application without any membership changes. Changing the role or role name does not affect Destination Group creation or membership, unless the Destination Group name in the role mapping is also changed.

    For AWS, when you delete a role from Role Mapping, the Destination Group is also removed from the target application. The role in the target application is deleted automatically if the Delete roles in this application when mapped roles are deleted in source directory check box is selected. When you modify the name of the Destination Group in Role Mapping, the Destination Group name is updated in the target application.

  6. (Optional) Add more Destination Groups, if desired, by repeating the previous two steps.
  7. Click Done to save the role mapping and return to the Provisioning page.
  8. Continue adding role mappings, as desired.

    • To change a mapping, select the role mapping and click Modify from the Actions list.
    • To remove a mapping, select the role mapping and click Delete from the Actions list.
    • The provisioning script is intended for advanced users who are familiar with editing server-side JavaScript code.
  9. When you’re done, click Save to save the provisioning details.

    Anytime that you make changes to the provisioning role mapping, CyberArk Identity runs a synchronization automatically. You can also run a preview synchronization or a real synchronization, if desired.
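
Because only the top-most matching role mapping is applied, the order of the list decides what a user in several mapped roles receives. The following added example (not CyberArk code; the role, group and user names are constructed, and the function names are hypothetical) resolves the effective mapping per user and reports which Destination Groups are skipped because a higher mapping won, which is worth reviewing before a Live Mode run.

```python
def resolve_provisioning(role_mappings, user_roles):
    """Apply the top-most matching role mapping to each user.

    role_mappings: ordered list of (role, [destination groups]), top of list first.
    user_roles:    dict of user -> set of role names.
    Users that are in no mapped role are omitted from the result.
    """
    result = {}
    for user, roles in user_roles.items():
        matches = [(role, groups) for role, groups in role_mappings if role in roles]
        if not matches:
            continue
        top_role, top_groups = matches[0]
        result[user] = {
            "role": top_role,
            "groups": list(top_groups),
            # Mapped roles the user holds that were ignored because of list order.
            "shadowed": [role for role, _ in matches[1:]],
        }
    return result


def groups_lost_to_priority(role_mappings, user_roles):
    """Per user, Destination Groups of shadowed roles that the user does not get."""
    groups_by_role = dict(role_mappings)
    findings = {}
    for user, entry in resolve_provisioning(role_mappings, user_roles).items():
        shadowed_groups = {g for role in entry["shadowed"] for g in groups_by_role[role]}
        missing = sorted(shadowed_groups - set(entry["groups"]))
        if missing:
            findings[user] = missing
    return findings


# Constructed sample data: list order is the order shown in Role Mappings.
ROLE_MAPPINGS = [
    ("Contractors", ["app-readonly"]),
    ("Engineering", ["app-users", "app-deploy"]),
    ("App Admins", ["app-admins"]),
]
USER_ROLES = {
    "alice": {"Engineering"},
    "bob": {"Contractors", "Engineering"},
    "carol": {"App Admins", "Engineering"},
    "dave": {"Sales"},
}

if __name__ == "__main__":
    for user, entry in resolve_provisioning(ROLE_MAPPINGS, USER_ROLES).items():
        print(user, entry)
    print(groups_lost_to_priority(ROLE_MAPPINGS, USER_ROLES))
```

Moving a privileged role to the top of the list has the opposite effect: every member of that role is provisioned with its groups regardless of their other roles.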

Provision Active Directory Groups with SCIM

If you have already organized your users into AD groups, it might be more efficient to provision AD groups to the application rather than creating the groups individually in the application.

  • If an AD group has the same name as an existing group, CyberArk Identity recognizes the same name in the existing group during provisioning and updates it with the AD group’s attributes.

  • If you use the option to provision AD groups, CyberArk Identity ignores the Destination Group setting in Role Mappings. Provisioning AD groups and provisioning users to existing groups using role mapping are mutually exclusive.

  • You cannot deprovision the groups by disabling or deleting them in Active Directory.

  • If you want to provision AD groups, you need to deploy a new application in the Identity Administration portal; the feature is not backwards compatible with previously deployed applications.

  1. Open the SAML application in the Identity Administration portal.

  2. Click the Provisioning tab.

  3. Select Sync groups from local directory to target application, then click Save.

    When you start the provisioning job, CyberArk Identity provisions all AD groups to the application.

    This option overrides the Destination Group setting in Role Mappings.
  4. Add roles to Role Mappings as necessary, then click Save.

    There is no need to specify Destination Groups, since this setting is ignored in favor of AD groups when Sync groups from local directory to target application is selected.

    All users that belong to your AD groups should also belong to a role in Role Mappings. In addition, an email address is required for all users that you want to provision.

  5. (Optional) Filter any AD groups that you do not want to provision using the provisioning script reject() method.

    Directions and an example script are provided in the Provisioning Script box. Uncomment and modify the script as necessary.

  6. Manually sync the AD objects.

    Refer to Provisioned account synchronization options for more detail.

    CyberArk Identity provisions all AD groups not filtered by the reject() method to the application. Any user objects in a mapped role are synced to a destination group in the application that matches the object’s AD group (the Destination Group setting in Role Mappings is ignored).

Provision users with custom attributes with SCIM

Once your application is configured for SCIM provisioning, SCIM provisioning can discover the target application's schema and populate the provisioning script with the attributes that it discovers. This includes any custom attributes that you have added to the target application. Attributes discovered by SCIM are commented out; you only have to remove the comment syntax and enter a source attribute to map your source attribute to the custom attribute in your application.

  1. Configure your app to use SCIM, as described in previous steps.

  2. Expand the Provisioning Script section and find the commented attributes discovered using SCIM that you want to map to source directory attributes.

    For example, the following image shows the custom attribute Last_4_Digits_of_SSN_c__c discovered using SCIM.

  3. Remove the comment syntax and enter the source attribute as needed.

    Provisioning is done with the SCIM PUT operation (https://tools.ietf.org/html/rfc7644#section-3.5.1); the payload includes only the attributes that are explicitly set.

    For example, if you have a custom AD user attribute last4SSN, the provisioning script would look like the following:

  4. Save your changes, then start a provisioning job for your application.

    The value for the specified AD attribute will be synced to the custom attribute in your application.

    See Synchronize user accounts with provisioned applications for more information.

Troubleshooting

If you encounter problems during integration, make sure your SCIM server endpoints contain the responses provided in this section.

The attribute values in the body vary depending on the service provider's specification.

Sample responses for applications that implement SCIM version 1

Application responses SCIM version 1

ServiceProviderConfig

Request URL: https://<mytenant.my.idaptive.app.com>/scim/ServiceProviderConfigs
Action type: GET
Response status code: 200 OK
Headers: Authorization: Bearer {{ Token }}

Response body

The SCIM client uses this information to automatically identify which SCIM version (version 1 or version 2, the default) is implemented by the target app's SCIM server.

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
  ],
  "documentationUri": "https://sample.serviceprovider.baseurl.com/samplescimdoc.htm",
  "patch": {
    "supported": true
  },
  "bulk": {
    "supported": false,
    "maxOperations": 0,
    "maxPayloadSize": 0
  },
  "filter": {
    "supported": true,
    "maxResults": 200
  },
  "changePassword": {
    "supported": true
  },
  "sort": {
    "supported": false
  },
  "etag": {
    "supported": false
  },
  "authenticationSchemes": [
    {
      "type": "oauth2",
      "name": "OAuth v2.0",
      "description": "Authentication Scheme using the OAuth Standard",
      "specUri": "http://tools.ietf.org/html/rfc6749",
      "documentationUri": "https://sample.serviceprovider.baseurl.com/samplescimdoc.htm",
      "primary": true
    }
  ],
  "meta": {
    "location": "https://sample.serviceprovider.baseurl.com/scim/v2/ServiceProviderConfig/",
    "resourceType": "ServiceProviderConfig",
    "version": "1"
  }
}

 

Application responses SCIM version 1

Individual schemas

Request URL: https://<sample.serviceprovider>.<baseurl>.com/scim/Schemas/Users
or https://<sample.serviceprovider>.<baseurl>.com/scim/Schemas/urn%3Ascim%3Aschemas%3Acore%3A1%2E0%3AUser
or https://<sample.serviceprovider>.<baseurl>.com/scim/Schemas/urn:scim:schemas:core:1.0:User
Action type: GET
Response status code: 200 OK
Headers: Authorization: Bearer {{ Token }}

Response body

The SCIM client uses this information to automatically identify optional SCIM-specified attributes that are supported by the target app's SCIM server. The mandatory attributes specified by SCIM are predefined in the SCIM IETF specification.

{
  "id":"urn:scim:schemas:core:1.0:User",
  "name":"User",
  "description":"Core User",
  "schema":"urn:scim:schemas:core:1.0",
  "endpoint":"/Users",
  "attributes":[
    {
      "name":"id",
      "type":"string",
      "multiValued":false,
      "description":"Unique identifier for the SCIM resource as defined by the Service Provider. Each representation of the resource MUST include a non-empty id value. This identifier MUST be unique across the Service Provider's entire set of resources. It MUST be a stable, non-reassignable identifier that does not change when the same resource is returned in subsequent requests. The value of the id attribute is always issued by the Service Provider and MUST never be specified by the Service Consumer. REQUIRED.",
      "schema":"urn:scim:schemas:core:1.0",
      "readOnly":true,
      "required":true,
      "caseExact":false
    },
    {
      "name":"name",
      "type":"complex",
      "multiValued":false,
      "description":"The components of the user's real name. Providers MAY return just the full name as a single string in the formatted sub-attribute, or they MAY return just the individual component attributes using the other sub-attributes, or they MAY return both. If both variants are returned, they SHOULD be describing the same name, with the formatted name indicating how the component attributes should be combined.",
      "schema":"urn:scim:schemas:core:1.0",
      "readOnly":false,
      "required":false,
      "caseExact":false,
      "subAttributes":[
        {
          "name":"formatted",
          "type":"string",
          "multiValued":false,
          "description":"The full name, including all middle names, titles, and suffixes as appropriate, formatted for display (e.g. Ms. Barbara J Jensen, III.).",
          "readOnly":false,
          "required":false,
          "caseExact":false
        },
        {
          "name":"familyName",
          "type":"string",
          "multiValued":false,
          "description":"The family name of the User, or Last Name in most Western languages (e.g. Jensen given the full name Ms. Barbara J Jensen, III.).",
          "readOnly":false,
          "required":false,
          "caseExact":false
        },
        {
          "name":"givenName",
          "type":"string",
          "multiValued":false,
          "description":"The given name of the User, or First Name in most Western languages (e.g. Barbara given the full name Ms. Barbara J Jensen, III.).",
          "readOnly":false,
          "required":false,
          "caseExact":false
        },
        {
          "name":"middleName",
          "type":"string",
          "multiValued":false,
          "description":"The middle name(s) of the User (e.g. Robert given the full name Ms. Barbara J Jensen, III.).",
          "readOnly":false,
          "required":false,
          "caseExact":false
        },
        {
          "name":"honorificPrefix",
          "type":"string",
          "multiValued":false,
          "description":"The honorific prefix(es) of the User, or Title in most Western languages (e.g. Ms. given the full name Ms. Barbara J Jensen, III.).",
          "readOnly":false,
          "required":false,
          "caseExact":false
        },
        {
          "name":"honorificSuffix",
          "type":"string",
          "multiValued":false,
          "description":"The honorific suffix(es) of the User, or Suffix in most Western languages (e.g. III. given the full name Ms. Barbara J Jensen, III.).",
          "readOnly":false,
          "required":false,
          "caseExact":false
        }
      ]
     },
     {
       "name":"emails",
       "type":"complex",
       "multiValued":true,
       "multiValuedAttributeChildName":"email",
       "description":"E-mail addresses for the user. The value SHOULD be canonicalized by the Service Provider, e.g. bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and other.",
       "schema":"urn:scim:schemas:core:1.0",
       "readOnly":false,
       "required":false,
       "caseExact":false,
       "subAttributes":[
         {
           "name":"value",
           "type":"string",
           "multiValued":false,
           "description":"E-mail addresses for the user. The value SHOULD be canonicalized by the Service Provider, e.g. bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and other.",
           "readOnly":false,
           "required":false,
           "caseExact":false
         },
         {
           "name":"display",
           "type":"string",
           "multiValued":false,
           "description":"A human readable name, primarily used for display purposes. READ-ONLY.",
           "readOnly":true,
           "required":false,
           "caseExact":false
         },
         {
           "name":"type",
           "type":"string",
           "multiValued":false,
           "description":"A label indicating the attribute's function; e.g., 'work' or 'home'.",
           "readOnly":false,
           "required":false,
           "caseExact":false,
           "canonicalValues":["work","home","other"]
         },
         {
           "name":"primary",
           "type":"boolean",
           "multiValued":false,
           "description":"A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g. the preferred mailing address or primary e-mail address. The primary attribute value 'true' MUST appear no more than once.",
           "readOnly":false,
           "required":false,
           "caseExact":false
         }
       ]
     },
     {
       "name":"addresses",
       "type":"complex",
       "multiValued":true,
       "multiValuedAttributeChildName":"address",
       "description":"A physical mailing address for this User, as described in (address Element). Canonical Type Values of work, home, and other. The value attribute is a complex type with the following sub-attributes.",
       "schema":"urn:scim:schemas:core:1.0",
       "readOnly":false,
       "required":false,
       "caseExact":false,
       "subAttributes":[
         {
           "name":"formatted",
           "type":"string",
           "multiValued":false,
           "description":"The full mailing address, formatted for display or use with a mailing label. This attribute MAY contain newlines.",
           "readOnly":false,
           "required":false,
           "caseExact":false 
         },
         {
           "name":"streetAddress",
           "type":"string",
           "multiValued":false,
           "description":"The full street address component, which may include house number, street name, PO BOX, and multi-line extended street address information. This attribute MAY contain newlines.",
           "readOnly":false,
           "required":false,
           "caseExact":false
         },
         {
           "name":"locality",
           "type":"string",
           "multiValued":false,
           "description":"The city or locality component.",
           "readOnly":false,
           "required":false,
           "caseExact":false
         },
         {
           "name":"region",
           "type":"string",
           "multiValued":false,
           "description":"The state or region component.",
           "readOnly":false,
           "required":false,
           "caseExact":false
         },
         {
           "name":"postalCode",
           "type":"string",
           "multiValued":false,
           "description":"The zipcode or postal code component.",
           "readOnly":false,
           "required":false,
           "caseExact":false
         },
         {
           "name":"country",
           "type":"string",
           "multiValued":false,
           "description":"The country name component.",
           "readOnly":false,
           "required":false,
           "caseExact":false
         },
         {
           "name":"type",
           "type":"string",
           "multiValued":false,
           "description":"A label indicating the attribute's function; e.g., 'work' or 'home'.",
           "readOnly":false,
           "required":false,
           "caseExact":false,
           "canonicalValues":["work","home","other"]
         }
       ]
     },
     {
       "name":"employeeNumber",
       "type":"string",
       "multiValued":false,
       "description":"Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization.",
       "schema":"urn:scim:schemas:extension:enterprise:1.0",
       "readOnly":false,
       "required":false,
       "caseExact":false
     }
   ]
}

Sample responses for applications that implement SCIM version 2

Application responses SCIM version 2

ServiceProviderConfig

Request URL: https://<mytenant.my.idaptive.app/>/scim/ServiceProviderConfig
Action type: GET
Response status code: 200 OK
Headers: Authorization: Bearer {{ Token }}

Response body

The SCIM client uses this information to automatically identify the SCIM version (version 1 or version 2, the default) implemented by the target app's SCIM server.

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
    ],
    "patch": {
        "supported": true
    },
    "bulk": {
        "supported": false,
        "maxOperations": 1,
        "maxPayloadSize": 0
    },
    "filter": {
        "supported": true,
        "maxResults": 1000
    },
    "changePassword": {
        "supported": false
    },
    "sort": {
        "supported": false
    },
    "etag": {
        "supported": false
    },
    "authenticationSchemes": [
        {
            "type": "oauthbearertoken",
            "name": "OAuth Bearer Token",
            "description": "Authentication scheme using the OAuth Bearer Token Standard"
        }
    ],
    "meta": {
        "resourceType": "ServiceProviderConfig",
        "created": "2023-08-01T07:23:34.7548239Z",
        "lastModified": "2023-08-01T07:23:34.7548239Z",
        "location": "https://<mytenant.my.idaptive.app>.com/scim/v2/ServiceProviderConfig"
    }
}

 

Application responses SCIM version 2

User resource type

Request URL: https://<sample.serviceprovider>.<baseurl>.com/scim/ResourceTypes/User
Action type: GET
Response status code: 200 OK
Headers: Authorization: Bearer {{ Token }}

Response body

The SCIM client uses this information to automatically identify the resources (such as users, enterprise users, and groups) and objects supported by the target app's SCIM server.

{
    "name": "User",
    "endpoint": "/Users",
    "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
    "schemaExtensions": [
        {
            "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
            "required": false
        },
        {
            "schema": "urn:scim:schemas:extension:custom:2.0",
            "required": false
        },
        {
            "schema": "urn:ietf:params:scim:schemas:pam:1.0:LinkedObject",
            "required": false
        }
    ],
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
    ],
    "id": "User",
    "meta": {
        "resourceType": "ResourceType",
        "created": "2023-08-01T07:33:15.5629108Z",
        "lastModified": "2023-08-01T07:33:15.5629108Z",
        "location": "https://sample.serviceprovider.baseurl.com/scim/v2/ResourceTypes/User"
    }
}

 

Application responses SCIM version 2

User schema endpoint

Request URL: https://<mytenant.my.idaptive.app>.com/scim/Schemas/urn%3Aietf%3Aparams%3Ascim%3Aschemas%3Acore%3A2%2E0%3AUser
or https://<mytenant.my.idaptive.app>.com/scim/Schemas/urn:ietf:params:scim:schemas:core:2.0:User
Action type: GET
Response status code: 200 OK
Headers: Authorization: Bearer {{ Token }}

Response body

The SCIM client uses this information to automatically identify optional SCIM-specified attributes that are supported by the target app's SCIM server. The mandatory attributes specified by SCIM are predefined in the SCIM IETF specification for version 2.

{
    "name": "User",
    "description": "User Account",
    "attributes": [
        {
            "name": "name",
            "type": "complex",
            "subAttributes": [
                {
                    "name": "formatted",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readOnly"
                },
                {
                    "name": "familyName",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite"
                },
                {
                    "name": "givenName",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite"
                }
            ],
            "multiValued": false,
            "required": false,
            "mutability": "readWrite"
        },
        {
            "name": "displayName",
            "type": "string",
            "multiValued": false,
            "required": false,
            "caseExact": false,
            "mutability": "readWrite"
        },
        {
            "name": "preferredLanguage",
            "type": "string",
            "multiValued": false,
            "required": false,
            "caseExact": false,
            "mutability": "readWrite"
        },
        {
            "name": "active",
            "type": "boolean",
            "multiValued": false,
            "required": false,
            "mutability": "readWrite"
        },
        {
            "name": "password",
            "type": "string",
            "multiValued": false,
            "required": false,
            "caseExact": false,
            "mutability": "writeOnly"
        },
        {
            "name": "emails",
            "type": "complex",
            "subAttributes": [
                {
                    "name": "type",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readOnly"
                },
                {
                    "name": "primary",
                    "type": "boolean",
                    "multiValued": false,
                    "required": false,
                    "mutability": "readOnly"
                },
                {
                    "name": "value",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite"
                }
            ],
            "multiValued": true,
            "required": false,
            "mutability": "readWrite"
        },
        {
            "name": "phoneNumbers",
            "type": "complex",
            "subAttributes": [
                {
                    "name": "type",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite"
                },
                {
                    "name": "value",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite"
                }
            ],
            "multiValued": true,
            "required": false,
            "mutability": "readWrite"
        },
        {
            "name": "groups",
            "type": "complex",
            "subAttributes": [
                {
                    "name": "type",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readOnly"
                },
                {
                    "name": "display",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readOnly"
                },
                {
                    "name": "value",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readOnly"
                },
                {
                    "name": "$ref",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readOnly"
                }
            ],
            "multiValued": true,
            "required": false,
            "mutability": "readOnly"
        },
        {
            "name": "userName",
            "type": "string",
            "multiValued": false,
            "required": true,
            "caseExact": true,
            "mutability": "readWrite"
        },
        {
            "name": "schemas",
            "type": "string",
            "multiValued": true,
            "required": true,
            "caseExact": false,
            "mutability": "readOnly"
        },
        {
            "name": "id",
            "type": "string",
            "multiValued": false,
            "required": true,
            "caseExact": true,
            "mutability": "readOnly",
            "returned": "always"
        },
        {
            "name": "meta",
            "type": "complex",
            "subAttributes": [
                {
                    "name": "resourceType",
                    "type": "string",
                    "multiValued": false,
                    "required": true,
                    "caseExact": true,
                    "mutability": "readOnly"
                },
                {
                    "name": "created",
                    "type": "dateTime",
                    "multiValued": false,
                    "required": false,
                    "mutability": "readOnly"
                },
                {
                    "name": "lastModified",
                    "type": "dateTime",
                    "multiValued": false,
                    "required": false,
                    "mutability": "readOnly"
                },
                {
                    "name": "location",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readOnly"
                },
                {
                    "name": "version",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": true,
                    "mutability": "readOnly"
                }
            ],
            "multiValued": false,
            "required": true,
            "mutability": "readOnly"
        }
    ],
    "id": "urn:ietf:params:scim:schemas:core:2.0:User",
    "meta": {
        "resourceType": "Schema",
        "created": "2023-08-01T07:31:01.0931431Z",
        "lastModified": "2023-08-01T07:31:01.0931431Z",
        "location": "https://sample.serviceprovider.baseurl.com/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User"
    }
}
Application responses SCIM version 2

All/global schemas endpoint

Request URL: https://sample.serviceprovider.baseurl.com/scim/Schemas

Action type: GET

Response status code: 200 OK

Headers: Authorization: Bearer {{ Token }}

Response body

The SCIM client uses this information to automatically identify the optional SCIM-specified attributes that the target app's SCIM server supports. The mandatory attributes specified by SCIM are predefined in the IETF SCIM specification for version 2.

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 5,
    "itemsPerPage": 5,
    "startIndex": 1,
    "Resources": [
        {
            "name": "User",
            "description": "User Account",
            "attributes": [
                {
                    "name": "name",
                    "type": "complex",
                    "subAttributes": [
                        {
                            "name": "formatted",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readOnly"
                        },
                        {
                            "name": "familyName",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readWrite"
                        },
                        {
                            "name": "givenName",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readWrite"
                        }
                    ],
                    "multiValued": false,
                    "required": false,
                    "mutability": "readWrite"
                },
                {
                    "name": "displayName",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite"
                },
                {
                    "name": "preferredLanguage",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite"
                },
                {
                    "name": "active",
                    "type": "boolean",
                    "multiValued": false,
                    "required": false,
                    "mutability": "readWrite"
                },
                {
                    "name": "password",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "writeOnly"
                },
                {
                    "name": "emails",
                    "type": "complex",
                    "subAttributes": [
                        {
                            "name": "type",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readOnly"
                        },
                        {
                            "name": "primary",
                            "type": "boolean",
                            "multiValued": false,
                            "required": false,
                            "mutability": "readOnly"
                        },
                        {
                            "name": "value",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readWrite"
                        }
                    ],
                    "multiValued": true,
                    "required": false,
                    "mutability": "readWrite"
                },
                {
                    "name": "phoneNumbers",
                    "type": "complex",
                    "subAttributes": [
                        {
                            "name": "type",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readWrite"
                        },
                        {
                            "name": "value",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readWrite"
                        }
                    ],
                    "multiValued": true,
                    "required": false,
                    "mutability": "readWrite"
                },
                {
                    "name": "groups",
                    "type": "complex",
                    "subAttributes": [
                        {
                            "name": "type",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readOnly"
                        },
                        {
                            "name": "display",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readOnly"
                        },
                        {
                            "name": "value",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readOnly"
                        },
                        {
                            "name": "$ref",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readOnly"
                        }
                    ],
                    "multiValued": true,
                    "required": false,
                    "mutability": "readOnly"
                },
                {
                    "name": "userName",
                    "type": "string",
                    "multiValued": false,
                    "required": true,
                    "caseExact": true,
                    "mutability": "readWrite"
                },
                {
                    "name": "schemas",
                    "type": "string",
                    "multiValued": true,
                    "required": true,
                    "caseExact": false,
                    "mutability": "readOnly"
                },
                {
                    "name": "id",
                    "type": "string",
                    "multiValued": false,
                    "required": true,
                    "caseExact": true,
                    "mutability": "readOnly",
                    "returned": "always"
                },
                {
                    "name": "meta",
                    "type": "complex",
                    "subAttributes": [
                        {
                            "name": "resourceType",
                            "type": "string",
                            "multiValued": false,
                            "required": true,
                            "caseExact": true,
                            "mutability": "readOnly"
                        },
                        {
                            "name": "created",
                            "type": "dateTime",
                            "multiValued": false,
                            "required": false,
                            "mutability": "readOnly"
                        },
                        {
                            "name": "lastModified",
                            "type": "dateTime",
                            "multiValued": false,
                            "required": false,
                            "mutability": "readOnly"
                        },
                        {
                            "name": "location",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readOnly"
                        },
                        {
                            "name": "version",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": true,
                            "mutability": "readOnly"
                        }
                    ],
                    "multiValued": false,
                    "required": true,
                    "mutability": "readOnly"
                }
            ],
            "id": "urn:ietf:params:scim:schemas:core:2.0:User",
            "meta": {
                "resourceType": "Schema",
                "created": "2023-08-01T07:25:56.2102576Z",
                "lastModified": "2023-08-01T07:25:56.2102576Z",
                "location": "https://sample.serviceprovider.baseurl.com/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User"
            }
        },
        {
            "name": "EnterpriseUser",
            "description": "Enterprise User",
            "attributes": [
                {
                    "name": "organization",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readWrite"
                },
                {
                    "name": "manager",
                    "type": "complex",
                    "subAttributes": [
                        {
                            "name": "value",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readWrite"
                        },
                        {
                            "name": "$ref",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readWrite"
                        },
                        {
                            "name": "displayName",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readWrite"
                        }
                    ],
                    "multiValued": false,
                    "required": false,
                    "mutability": "readWrite"
                }
            ],
            "id": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
            "meta": {
                "resourceType": "Schema",
                "created": "2023-08-01T07:25:56.2102576Z",
                "lastModified": "2023-08-01T07:25:56.2102576Z",
                "location": "https://sample.serviceprovider.baseurl.com/scim/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
            }
        },
        {
            "name": "CustomData",
            "description": "Custom Data for User",
            "attributes": [
                {
                    "name": "customDataAttributes",
                    "type": "complex",
                    "multiValued": false,
                    "required": false,
                    "mutability": "readWrite"
                }
            ],
            "id": "urn:scim:schemas:extension:custom:2.0",
            "meta": {
                "resourceType": "Schema",
                "created": "2023-08-01T07:25:56.2102576Z",
                "lastModified": "2023-08-01T07:25:56.2102576Z",
                "location": "https://sample.serviceprovider.baseurl.com/scim/v2/Schemas/urn:scim:schemas:extension:custom:2.0"
            }
        },
        {
            "name": "LinkedObject",
            "description": "Linked Object attributes for external user or group",
            "attributes": [
                {
                    "name": "source",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readOnly"
                },
                {
                    "name": "nativeIdentifier",
                    "type": "string",
                    "multiValued": false,
                    "required": false,
                    "caseExact": false,
                    "mutability": "readOnly"
                }
            ],
            "id": "urn:ietf:params:scim:schemas:pam:1.0:LinkedObject",
            "meta": {
                "resourceType": "Schema",
                "created": "2023-08-01T07:25:56.2102576Z",
                "lastModified": "2023-08-01T07:25:56.2102576Z",
                "location": "https://sample.serviceprovider.baseurl.com/scim/v2/Schemas/urn:ietf:params:scim:schemas:pam:1.0:LinkedObject"
            }
        },
        {
            "name": "Group",
            "attributes": [
                {
                    "name": "members",
                    "type": "complex",
                    "subAttributes": [
                        {
                            "name": "value",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "immutable"
                        },
                        {
                            "name": "$ref",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "immutable"
                        },
                        {
                            "name": "type",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "immutable"
                        },
                        {
                            "name": "display",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "immutable"
                        }
                    ],
                    "multiValued": true,
                    "required": false,
                    "mutability": "readWrite"
                },
                {
                    "name": "displayName",
                    "type": "string",
                    "multiValued": false,
                    "required": true,
                    "caseExact": false,
                    "mutability": "readWrite"
                },
                {
                    "name": "schemas",
                    "type": "string",
                    "multiValued": true,
                    "required": true,
                    "caseExact": false,
                    "mutability": "readOnly"
                },
                {
                    "name": "id",
                    "type": "string",
                    "multiValued": false,
                    "required": true,
                    "caseExact": true,
                    "mutability": "readOnly",
                    "returned": "always"
                },
                {
                    "name": "meta",
                    "type": "complex",
                    "subAttributes": [
                        {
                            "name": "resourceType",
                            "type": "string",
                            "multiValued": false,
                            "required": true,
                            "caseExact": true,
                            "mutability": "readOnly"
                        },
                        {
                            "name": "created",
                            "type": "dateTime",
                            "multiValued": false,
                            "required": false,
                            "mutability": "readOnly"
                        },
                        {
                            "name": "lastModified",
                            "type": "dateTime",
                            "multiValued": false,
                            "required": false,
                            "mutability": "readOnly"
                        },
                        {
                            "name": "location",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": false,
                            "mutability": "readOnly"
                        },
                        {
                            "name": "version",
                            "type": "string",
                            "multiValued": false,
                            "required": false,
                            "caseExact": true,
                            "mutability": "readOnly"
                        }
                    ],
                    "multiValued": false,
                    "required": true,
                    "mutability": "readOnly"
                }
            ],
            "id": "urn:ietf:params:scim:schemas:core:2.0:Group",
            "meta": {
                "resourceType": "Schema",
                "created": "2023-08-01T07:25:56.2102576Z",
                "lastModified": "2023-08-01T07:25:56.2102576Z",
                "location": "https://sample.serviceprovider.baseurl.com/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group"
            }
        }
    ]
}
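One way a SCIM client could consume this response, shown as an added example (not the identity platform's or the service provider's code): it indexes the advertised User schema, then filters an outbound record so that attributes the server does not advertise or marks readOnly are dropped, and writeOnly attributes such as password are flagged for log redaction. The function names, the trimmed schema and the candidate record are constructed for illustration.

```python
import json

# Constructed sample: a trimmed subset of the /Schemas ListResponse shown above.
SCHEMAS_RESPONSE = json.loads("""
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "Resources": [{"id": "urn:ietf:params:scim:schemas:core:2.0:User", "attributes": [
   {"name": "userName", "type": "string", "multiValued": false, "mutability": "readWrite"},
   {"name": "active", "type": "boolean", "multiValued": false, "mutability": "readWrite"},
   {"name": "password", "type": "string", "multiValued": false, "mutability": "writeOnly"},
   {"name": "id", "type": "string", "multiValued": false, "mutability": "readOnly"},
   {"name": "schemas", "type": "string", "multiValued": true, "mutability": "readOnly"},
   {"name": "emails", "type": "complex", "multiValued": true, "mutability": "readWrite",
    "subAttributes": [
      {"name": "type", "type": "string", "mutability": "readOnly"},
      {"name": "primary", "type": "boolean", "mutability": "readOnly"},
      {"name": "value", "type": "string", "mutability": "readWrite"}]},
   {"name": "groups", "type": "complex", "multiValued": true, "mutability": "readOnly",
    "subAttributes": [{"name": "value", "type": "string", "mutability": "readOnly"}]}
 ]}]}
""")

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"


def index_schema(list_response, schema_id):
    """Return {attribute name: definition} for one schema in a /Schemas ListResponse."""
    for schema in list_response.get("Resources", []):
        if schema.get("id") == schema_id:
            return {a["name"]: a for a in schema.get("attributes", [])}
    raise KeyError(f"server does not advertise schema {schema_id}")


def _writable(value, subdefs):
    """Keep only the sub-attributes of one complex value that the server accepts."""
    return {k: v for k, v in value.items()
            if k in subdefs and subdefs[k].get("mutability") != "readOnly"}


def filter_outbound(user, attrs):
    """Split a candidate User body into (payload to send, dropped names, secret names)."""
    payload, dropped, secrets = {}, [], []
    for name, value in user.items():
        if name == "schemas":            # envelope field, required in every SCIM body
            payload[name] = value
            continue
        definition = attrs.get(name)
        if definition is None or definition.get("mutability") == "readOnly":
            dropped.append(name)         # not advertised, or managed by the server
            continue
        if definition.get("mutability") == "writeOnly":
            secrets.append(name)         # never returned by the server; redact in logs
        if definition.get("type") == "complex":
            subdefs = {s["name"]: s for s in definition.get("subAttributes", [])}
            if definition.get("multiValued"):
                value = [_writable(v, subdefs) for v in value]
            else:
                value = _writable(value, subdefs)
        payload[name] = value
    return payload, sorted(dropped), secrets


# Constructed candidate record from the identity source.
candidate = {
    "schemas": [CORE_USER],
    "userName": "jdoe@example.com",
    "password": "constructed-placeholder",
    "id": "client-chosen-id",
    "nickName": "JD",
    "groups": [{"value": "admins"}],
    "emails": [{"value": "jdoe@example.com", "type": "work", "primary": True}],
}
payload, dropped, secrets = filter_outbound(candidate, index_schema(SCHEMAS_RESPONSE, CORE_USER))
```

Because this server advertises the `type` and `primary` sub-attributes of `emails` as readOnly, only `value` survives in the outbound email entry.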