|
1 | 1 | ---
|
2 | 2 | title: SCIM
|
3 |
| -intro: '' |
| 3 | +intro: 'You can automate user creation and team memberships using the SCIM API.' |
4 | 4 | versions:
|
5 | 5 | ghes: '>=3.6'
|
6 | 6 | topics:
|
7 | 7 | - API
|
8 | 8 | miniTocMaxHeadingLevel: 3
|
9 | 9 | ---
|
10 | 10 |
|
| 11 | +{% note %} |
| 12 | + |
| 13 | +**Note:** The SCIM API for {% data variables.product.product_name %} is currently in private beta and subject to change. To access the private beta and test the API, contact your account manager on {% data variables.contact.contact_enterprise_sales %}. |
| 14 | + |
| 15 | +{% endnote %} |
| 16 | + |
| 17 | +## About the SCIM API |
| 18 | + |
| 19 | +{% data variables.product.product_name %} provides a SCIM API for use by SCIM-enabled Identity Providers (IdPs). An integration on the IdP can use the API to automatically provision, manage, or deprovision user accounts on a {% data variables.product.product_name %} instance that uses SAML single sign-on (SSO) for authentication. For more information about SAML SSO, see "[About SAML for enterprise IAM](/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam)." |
| 20 | + |
| 21 | +The SCIM API is based on SCIM 2.0. For more information, see the [specification](https://www.simplecloud.info/#Specification). |
| 22 | + |
| 23 | +### SCIM endpoint URLs |
| 24 | + |
| 25 | +An IdP can use the following root URL to communicate with the SCIM API for a {% data variables.product.product_name %} instance. |
| 26 | + |
| 27 | +``` |
| 28 | +{% data variables.product.api_url_code %}/scim/v2/ |
| 29 | +``` |
| 30 | + |
| 31 | +Endpoint URLs for the SCIM API are case-sensitive. For example, the first letter in the `Users` endpoint must be capitalized. |
| 32 | + |
| 33 | +```shell |
| 34 | +GET /scim/v2/Users/{scim_user_id} |
| 35 | +``` |
| 36 | + |
| 37 | +### Authenticating calls to the SCIM API |
| 38 | + |
| 39 | +The SCIM integration on the IdP performs actions on behalf of an enterprise owner for the {% data variables.product.product_name %} instance. For more information, see "[Roles in an enterprise](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise#enterprise-owners)." |
| 40 | + |
| 41 | +To authenticate requests to the API, the person who configures SCIM on the IdP must use a personal access token (classic) with `admin:enterprise` scope, which the IdP must provide in the request's `Authorization` header. For more information about personal access tokens (classic), see "[Creating a personal access token](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)". |
| 42 | + |
| 43 | +{% note %} |
| 44 | + |
| 45 | +**Note:** Enterprise owners must generate and use a personal access token (classic) for authentication of requests to the SCIM API. {% ifversion ghes > 3.8 %}Fine-grained personal access tokens and {% endif %}GitHub app callers are not supported at this time. |
| 46 | + |
| 47 | +{% endnote %} |
| 48 | + |
| 49 | +### About mapping of SAML and SCIM data |
| 50 | + |
| 51 | +The {% data variables.product.product_name %} instance links each user who authenticates successfully with SAML SSO to a SCIM identity. To link the identities successfully, the SAML IdP and the SCIM integration must use matching SAML `NameID` and SCIM `userName` values for each user. |
| 52 | + |
| 53 | +{% ifversion ghes > 3.7 %} |
| 54 | +{% note %} |
| 55 | + |
| 56 | +**Note:** If the {% data variables.product.product_name %} uses Azure AD as a SAML IdP, {% data variables.product.product_name %} will also check the SCIM `externalId` claim and SAML `http://schemas.microsoft.com/identity/claims/objectidentifier` claim to match users first, instead of using `NameID` and `userName`. |
| 57 | + |
| 58 | +{% endnote %} |
| 59 | +{% endif %} |
| 60 | + |
| 61 | +### Supported SCIM user attributes |
| 62 | + |
| 63 | +The SCIM API's `User` endpoints support the following attributes within a request's parameters. |
| 64 | + |
| 65 | +| Name | Type | Description | |
| 66 | +| :- | :- | :- | |
| 67 | +| `displayName` | String | Human-readable name for a user. | |
| 68 | +| `name.formatted` | String | The user's full name, including all middle names, titles, and suffixes, formatted for display. |
| 69 | +| `name.givenName` | String | The first name of the user. | |
| 70 | +| `name.familyName` | String | The last name of the user. | |
| 71 | +| `userName` | String | The username for the user, generated by the IdP. Undergoes [normalization](/admin/identity-and-access-management/managing-iam-for-your-enterprise/username-considerations-for-external-authentication#about-username-normalization) before being used. |
| 72 | +| `emails` | Array | List of the user's emails. | |
| 73 | +| `roles` | Array | List of the user's roles. | |
| 74 | +| `externalId` | String | This identifier is generated by an IdP provider. You can find the `externalId` for a user either on the IdP, or by using the [List SCIM provisioned identities](#list-scim-provisioned-identities-for-an-enterprise) endpoint and filtering on other known attributes, such as a user's username or email address on the {% data variables.product.product_name %} instance. | |
| 75 | +| `id` | String | Identifier generated by the instance's SCIM endpoint. | |
| 76 | +| `active` | Boolean | Indicates whether the identity is active (`true`) or should be suspended (`false`). | |
| 77 | + |
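Review bot: the Azure AD note reads "If the {% data variables.product.product_name %} uses Azure AD as a SAML IdP", which renders as "If the GitHub Enterprise Server uses Azure AD"; add "instance" after the variable, as the surrounding prose does ("a {% data variables.product.product_name %} instance"). Smaller points in the same hunk: "generated by an IdP provider" in the `externalId` row is redundant (IdP already expands to Identity Provider), so "generated by the IdP" is enough; the `name.formatted` and `userName` table rows lack the trailing `|` that every other row has; the closing period after the "[Creating a personal access token](...)" link sits outside the quotation marks while the other two citations put it inside; and the `GET /scim/v2/Users/{scim_user_id}` example is fenced as `shell` while the root URL block just above has no language tag, so the two should use the same convention.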