SCIM Integration
This document provides comprehensive information about our System for Cross-domain Identity Management (SCIM) integration. SCIM is an open standard that simplifies user provisioning and deprovisioning in cloud-based applications and services.
Our SCIM implementation allows enterprise customers to automatically provision, update, and deprovision user accounts from their identity provider (IdP) to our service.
Supported Features
Based on our SCIM implementation, we support the following features:
Feature | Support Status | Notes |
User Management | ✅ | Create, read, update, and delete users |
Group Management | ❌ | Not currently supported |
Bulk Operations | ❌ | Not supported |
Filtering | ✅ | Limited to email filtering |
Pagination | ✅ | Supported with |
Sorting | ❌ | Not supported |
Password Changes | ❌ | Not supported |
PATCH Operations | ✅ | Supported for partial updates |
Authentication | ✅ | Bearer token authentication |
Authentication
Our SCIM API uses Bearer Token authentication. You will need to include the token in the Authorization header of all requests:
Authorization: Bearer {your_token}
Contact our support team to receive your SCIM integration token.
Endpoints
Our SCIM API is accessible at the base URL: https://api.goentri.com/integration/scim/v2
The following endpoints are available:
Endpoint | HTTP Method | Description |
| GET | Returns the service provider's configuration |
| GET | Returns the schemas supported by the service provider |
| GET | Returns the resource types supported by the service provider |
| GET | Returns a list of users |
| GET | Returns a specific user |
| POST | Creates a new user |
| PUT | Updates a user (full replacement) |
| PATCH | Updates a user (partial update) |
| DELETE | Deletes a user |
User Schema
The following attributes are supported for the User resource:
Core Attributes
Attribute | Type | Required | Description |
| string | Yes | Username (email address) |
| boolean | No | Whether the user is active |
| complex (multi-valued) | No | Email addresses of the user |
Email Subattributes
Attribute | Type | Required | Description |
| string | Yes | The email address |
Pagination
Our SCIM implementation supports pagination with the following parameters:
startIndex: The 1-based index of the first result (default: 1)
count: The maximum number of results to return (default: 10, max: 100)
Example:
GET /scim/v2/Users?startIndex=1&count=10
Filtering
Limited filtering is supported for email addresses. The syntax follows the SCIM standard:
Example:
GET /scim/v2/Users?filter=email eq "john.doe@example.com"
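The filter above has to be percent-encoded on the wire, and the email has to be written as a quoted string literal before it is placed in the filter. The following is an added example, not code from this service: it builds the encoded query and resolves an email to exactly one user id before any update or delete. The `get` callable (takes a path relative to the SCIM base URL, returns parsed JSON) is hypothetical, and the `Resources` list in the response is assumed from the SCIM standard (RFC 7644), since this page does not show a list response.

```python
import json
from urllib.parse import quote


def email_filter_query(email):
    """Return the /Users path with a quoted, percent-encoded email filter."""
    if not email or any(c.isspace() or not c.isprintable() for c in email):
        raise ValueError("email must be non-empty, without whitespace or control characters")
    # SCIM filter string literals follow JSON string escaping, so json.dumps
    # produces the quoted literal and escapes any embedded quote or backslash.
    literal = json.dumps(email)
    # safe="" encodes spaces, quotes, '@' and '&' so the filter stays one parameter.
    return "/Users?filter=" + quote(f"email eq {literal}", safe="")


def find_user_id(get, email):
    """Resolve an email to exactly one user id; raise if none or several match."""
    page = get(email_filter_query(email))  # get() is a hypothetical transport
    # Re-check the match client-side instead of trusting the first result.
    matches = [u for u in page.get("Resources", [])
               if u.get("userName", "").lower() == email.lower()]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one user, found {len(matches)}")
    return matches[0]["id"]
```
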
Examples
Getting Service Provider Configuration
Request:
GET /scim/v2/ServiceProviderConfig
Authorization: Bearer {your_token}
Response:
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
  "patch": {
    "supported": true
  },
  "bulk": {
    "supported": false,
    "maxOperations": 0,
    "maxPayloadSize": 0
  },
  "filter": {
    "supported": true,
    "maxResults": 100
  },
  "pagination": {
    "supported": true,
    "defaultStartIndex": 1,
    "defaultCount": 10,
    "maxResults": 100
  },
  "changePassword": {
    "supported": false
  },
  "sort": {
    "supported": false
  },
  "etag": {
    "supported": false
  },
  "delete": {
    "supported": true
  },
  "authenticationSchemes": [
    {
      "type": "httpbearer",
      "name": "Bearer Token Authentication",
      "description": "Authentication using a bearer token",
      "specUri": "https://tools.ietf.org/html/rfc6750",
      "primary": true
    }
  ]
}
Creating a User
Request:
POST /scim/v2/Users
Authorization: Bearer {your_token}
Content-Type: application/json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "john.doe@example.com",
  "active": true,
  "emails": [
    {
      "value": "john.doe@example.com"
    }
  ]
}
Response:
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "123456",
  "userName": "john.doe@example.com",
  "active": true,
  "emails": [
    {
      "value": "john.doe@example.com"
    }
  ],
  "meta": {
    "resourceType": "User",
    "created": "2023-01-01T00:00:00Z",
    "lastModified": "2023-01-01T00:00:00Z",
    "location": "/scim/v2/Users/123456"
  }
}
Retrieving a User
Request:
GET /scim/v2/Users/123456
Authorization: Bearer {your_token}
Updating a User (PATCH)
Request:
PATCH /scim/v2/Users/123456
Authorization: Bearer {your_token}
Content-Type: application/json
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "replace",
      "path": "active",
      "value": false
    }
  ]
}
Deleting a User
Request:
DELETE /scim/v2/Users/123456
Authorization: Bearer {your_token}
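The pagination parameters and the PATCH request above can be combined into a deprovisioning audit: list every account, then plan a deactivation for each active account the identity provider no longer lists. This is an added example, not code from this service; the `get` callable, `fake_get` and the sample directory are constructed for illustration, and the `totalResults` and `Resources` response fields are assumed from the SCIM standard (RFC 7644).

```python
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_COUNT = 100  # documented maximum page size
PATCH_DEACTIVATE = {  # same body as the PATCH example on this page
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "replace", "path": "active", "value": False}],
}


def list_all_users(get, count=MAX_COUNT):
    """Collect every user by walking /Users with startIndex and count."""
    count = max(1, min(count, MAX_COUNT))
    start, users = 1, []
    while True:
        page = get("/Users?" + urlencode({"startIndex": start, "count": count}))
        resources = page.get("Resources", [])
        users.extend(resources)
        start += len(resources)
        # An empty page also ends the walk, so a bad totalResults cannot loop forever.
        if not resources or start > page.get("totalResults", start):
            return users


def deactivation_plan(users, idp_emails):
    """Return (path, PATCH body) for active accounts the IdP no longer lists."""
    keep = {e.lower() for e in idp_emails}
    # A missing "active" is treated as active so the account is still reviewed.
    return [(f"/Users/{u['id']}", PATCH_DEACTIVATE) for u in users
            if u.get("active", True) and u["userName"].lower() not in keep]


def fake_get(directory):
    """Constructed in-memory stand-in for the API so the example runs offline."""
    def get(path):
        q = parse_qs(urlsplit(path).query)
        start, count = int(q["startIndex"][0]), int(q["count"][0])
        return {"totalResults": len(directory),
                "Resources": directory[start - 1:start - 1 + count]}
    return get


# Constructed sample data, not real accounts; user 3 is already inactive.
SAMPLE = [{"id": str(i), "userName": f"user{i}@example.com", "active": i != 3}
          for i in range(1, 6)]


def demo():
    users = list_all_users(fake_get(SAMPLE), count=2)
    return len(users), deactivation_plan(users, ["user1@example.com", "USER2@example.com"])
```
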
Troubleshooting
Common Issues
Authentication Failures
Ensure the bearer token is valid and correctly formatted in the request header
Verify the token has not expired
User Creation Failures
Check that required attributes (userName) are provided
Verify that the userName is unique
Filtering Issues
Remember that filtering is only supported for email attributes
Ensure the filter syntax follows SCIM standards
Error Responses
Our SCIM API returns standard HTTP status codes:
Status Code | Description |
200 | OK - Operation successful |
201 | Created - Resource successfully created |
400 | Bad Request - Invalid or malformed request |
401 | Unauthorized - Authentication failed |
403 | Forbidden - Not authorized to perform the operation |
404 | Not Found - Resource not found |
409 | Conflict - Resource already exists |
500 | Internal Server Error - Unexpected server error |
Each error response includes a detailed message explaining the issue.
Dashboard Configuration
Accessing SCIM Integration Settings
Log into your dashboard
Navigate to Account Settings → SCIM Settings
Here you will find:
Your unique SCIM base URL
Options to generate and manage your SCIM bearer token
Note: The token expires every 6 months, so regenerate it every 6 months and update it in your identity provider.
