SCIM
SCIM Provisioning for Organizations
The SCIM API is used by SCIM-enabled Identity Providers (IdPs) to automate provisioning of GitHub organization membership. The GitHub API is based on version 2.0 of the SCIM standard.
Please note that the SCIM API is available only to organizations on GitHub Enterprise Cloud with SAML SSO enabled. For more information about SCIM, see "About SCIM" in the GitHub Help documentation.
Authenticating calls to the SCIM API
The API expects an OAuth 2.0 Bearer token in the Authorization header. You may also use personal access tokens, but they must be whitelisted from your token settings page.
Mapping of SAML and SCIM data
Configure your SAML Identity Provider and your SCIM client so that the SAML NameID and the SCIM userName are identical for the same user. This allows a user who authenticates with SAML to be linked to the identity that is already provisioned through SCIM.
Supported SCIM User attributes
| Name | Type | Description |
|---|---|---|
| userName | string | The username for the user. |
| name.givenName | string | The first name of the user. |
| name.lastName | string | The last name of the user. |
| emails | array | List of user emails. |
| externalId | string | External identifier (generated by the SAML SSO provider). |
| id | string | Identifier generated by the GitHub SCIM endpoint. |
| active | boolean | Used to indicate whether the identity is active (true) or should be deprovisioned (false). |
Note: Endpoints for the SCIM API are case sensitive: the first letter in the Users endpoint must be capitalized. For example:
GET /scim/v2/organizations/:org/Users/:external_identity_guid
Get a list of provisioned identities
GET /scim/v2/organizations/:org/Users
Parameters
| Name | Type | Description |
|---|---|---|
| startIndex | integer | Used for pagination: the index of the first result to return. |
| count | integer | Used for pagination: the number of results to return. |
| filter | string | Filters results using the equals query parameter operator (eq). You can filter results that are equal to id, userName, emails, and external_id. For example, to search for an identity with the userName Octocat, you would use this query: ?filter=userName%20eq%20%22Octocat%22 |
Example
If you want to filter by a specific email address, filter on emails with the eq operator:
GET /scim/v2/organizations/:org/Users?filter=emails eq user@example.com
Your filter might look like this using cURL:
```shell
curl -u "octocat:$token" "https://api.github.com/scim/v2/organizations/octo-org/Users?filter=emails%20eq%20\"octocat@github.com\""
```
Response with filter
Retrieves users that match the filter. In the example, we searched only for octocat@github.com.
Status: 200 OK
```json
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "totalResults": 1,
  "itemsPerPage": 1,
  "startIndex": 1,
  "Resources": [
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "5fc0c238-1112-11e8-8e45-920c87bdbd75",
      "externalId": "00u1dhhb1fkIGP7RL1d8",
      "userName": "octocat@github.com",
      "name": {
        "givenName": "Mona",
        "familyName": "Octocat"
      },
      "emails": [
        {
          "value": "octocat@github.com",
          "primary": true,
          "type": "work"
        }
      ],
      "active": true,
      "meta": {
        "resourceType": "User",
        "created": "2018-02-13T15:05:24.000-08:00",
        "lastModified": "2018-02-13T15:05:55.000-08:00",
        "location": "https://api.github.com/scim/v2/organizations/Octo-org/Users/5fc0c238-1112-11e8-8e45-920c87bdbd75"
      }
    }
  ]
}
```
Response without filter
Retrieves a paginated list of all provisioned organization members, including pending invitations.
Status: 200 OK
```json
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "totalResults": 2,
  "itemsPerPage": 2,
  "startIndex": 1,
  "Resources": [
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "8773fe-ffff-42837498757",
      "externalId": "239482347928374",
      "userName": "mona@example.com",
      "name": {
        "givenName": "mona",
        "familyName": "octocat"
      },
      "active": true,
      "meta": {
        "resourceType": "User",
        "created": "2017-03-09T16:11:13-05:00",
        "lastModified": "2017-03-09T16:11:13-05:00"
      }
    },
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "77563764-eb6-24-0598234-958243",
      "externalId": "sdfoiausdofiua",
      "userName": "hubot@example.com",
      "name": {
        "givenName": "hu",
        "familyName": "bot"
      },
      "active": true,
      "meta": {
        "resourceType": "User",
        "created": "2017-03-09T16:11:13-05:00",
        "lastModified": "2017-03-09T16:11:13-05:00"
      }
    }
  ]
}
```
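The pagination parameters and the NameID/userName mapping rule described earlier can be combined into a reconciliation check. This is an added example, not GitHub's code: `fetch` is a hypothetical callable standing in for an authenticated GET that returns the parsed ListResponse, and the sample identities and NameIDs are constructed.

```python
from urllib.parse import quote, urlsplit, parse_qs

BASE = "https://api.github.com/scim/v2/organizations"

def users_url(org, start_index=1, count=100, attr=None, value=None):
    """List URL; the capital 'U' in Users matters because the path is case sensitive."""
    url = f"{BASE}/{quote(org, safe='')}/Users?startIndex={start_index}&count={count}"
    if attr is not None:
        # SCIM string values are double-quoted; escape, then percent-encode the filter.
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        url += "&filter=" + quote(f'{attr} eq "{escaped}"', safe="")
    return url

def iter_identities(org, fetch, count=100):
    """Yield every Resource, advancing startIndex until totalResults is reached."""
    start = 1
    while True:
        page = fetch(users_url(org, start, count))
        resources = page.get("Resources", [])
        yield from resources
        start += len(resources)
        if not resources or start > page.get("totalResults", 0):
            return

def audit(org, fetch, saml_name_ids, count=100):
    """Report where SCIM userName and SAML NameID are not identical."""
    scim = {r["userName"] for r in iter_identities(org, fetch, count)}
    saml = set(saml_name_ids)
    scim_lower = {u.lower() for u in scim}
    saml_lower = {n.lower() for n in saml}
    return {
        "linked": sorted(scim & saml),
        # Same identifier apart from letter case: not identical, so review these.
        "case_mismatch": sorted(u for u in scim - saml if u.lower() in saml_lower),
        "scim_only": sorted(u for u in scim - saml if u.lower() not in saml_lower),
        "saml_only": sorted(n for n in saml - scim if n.lower() not in scim_lower),
    }

# Constructed sample data, modelled on the list response shown above.
SAMPLE = [{"userName": "mona@example.com", "active": True},
          {"userName": "hubot@example.com", "active": True},
          {"userName": "Octocat@example.com", "active": True}]

def fake_fetch(url):
    """Stand-in for an authenticated GET; returns one ListResponse page."""
    q = parse_qs(urlsplit(url).query)
    start, count = int(q["startIndex"][0]), int(q["count"][0])
    return {"totalResults": len(SAMPLE), "startIndex": start,
            "Resources": SAMPLE[start - 1:start - 1 + count]}

REPORT = audit("octo-org", fake_fetch,
               ["mona@example.com", "octocat@example.com", "new@example.com"], count=2)
```

Entries under `case_mismatch` and `scim_only` are the ones to resolve in the IdP or SCIM client configuration before relying on SAML linking.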
Get provisioning details for a single user
GET /scim/v2/organizations/:org/Users/:external_identity_guid
Response
Status: 200 OK
```json
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "77563764-eb6-24-0598234-958243",
  "externalId": "sdfoiausdofiua",
  "userName": "hubot@example.com",
  "name": {
    "givenName": "hu",
    "familyName": "bot"
  },
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00"
  }
}
```
Provision and invite users
Provision organization membership for a list of email addresses and send them activation emails.
POST /scim/v2/organizations/:org/Users
Response
Status: 201 Created
```json
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "name": {
    "givenName": "Mona",
    "familyName": "Octocat"
  },
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00"
  }
}
```
Update a provisioned organization membership
PUT /scim/v2/organizations/:org/Users/:external_identity_guid
Warning: Setting active: false removes the user from the organization, deletes the external identity, and deletes the associated :user_id.
Response
Status: 200 OK
```json
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "name": {
    "givenName": "Mona",
    "familyName": "Octocat"
  },
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00"
  }
}
```
Update a user attribute
PATCH /scim/v2/organizations/:org/Users/:external_identity_guid
Warning: If you set active:false using the replace operation (as shown in the JSON example below), it removes the user from the organization, deletes the external identity, and deletes the associated :user_id.
```json
{
  "Operations": [{
    "op": "replace",
    "value": {
      "active": false
    }
  }]
}
```
Response
Status: 200 OK
```json
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "name": {
    "givenName": "Mona",
    "familyName": "Octocat"
  },
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00"
  }
}
```
Remove a user from the organization
DELETE /scim/v2/organizations/:org/Users/:external_identity_guid
Response
Status: 204 No Content
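Because PUT and PATCH with active set to false, and DELETE, all remove the user from the organization, a provisioning client can classify requests before sending them. This is an added example, not GitHub's code: `send` and `approved_guids` are hypothetical, and the check goes beyond the path-less PATCH body shown on this page to also cover the path-based operation form defined in RFC 7644.

```python
def _is_false(v):
    # Accept the string "false" too, in case a client serializes booleans as text.
    return v is False or (isinstance(v, str) and v.strip().lower() == "false")

def is_deprovisioning(method, body=None):
    """True if the request would remove the user per the warnings above."""
    method, body = method.upper(), body or {}
    if method == "DELETE":
        return True
    if method == "PUT":
        return _is_false(body.get("active"))
    if method != "PATCH":
        return False
    for op in body.get("Operations", []):
        # Compare op names case-insensitively (defensive; clients vary in casing).
        if str(op.get("op", "")).lower() not in ("replace", "add"):
            continue
        path, value = str(op.get("path") or "").lower(), op.get("value")
        if path == "active" and _is_false(value):
            return True          # {"op": "replace", "path": "active", "value": false}
        if not path and isinstance(value, dict) and _is_false(value.get("active")):
            return True          # the path-less form shown on this page
    return False

def send_guarded(method, guid, body, send, approved_guids):
    """Forward to send() unless the call deprovisions a GUID nobody approved."""
    if is_deprovisioning(method, body) and guid not in approved_guids:
        raise PermissionError(f"{method} would deprovision {guid}: not approved")
    return send(method, guid, body)

# The PATCH body from this page, plus a constructed harmless update.
PAGE_PATCH = {"Operations": [{"op": "replace", "value": {"active": False}}]}
RENAME_PATCH = {"Operations": [{"op": "replace", "value": {"name": {"givenName": "Mona"}}}]}
```

Logging every request for which `is_deprovisioning` returns true, together with the approving party, gives an audit trail for membership removals driven by the IdP.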