Skip to content

Using the SCIM 2.0 REST APIs

This REST API implements the SCIM 2.0 Protocol according to the SCIM 2.0 specification. The following endpoints are supported with WSO2 Identity Server.

Note

Prior to WSO2 Identity Server 5.4.0 version, SCIM 2.0 was supported as an external connector that could be plugged in to WSO2 Identity Server.

WSO2 Identity Server 5.9.0 supports SCIM 2.0 out-of-the-box.

Users endpoint

This endpoint is used to create and manage users and their profile attributes.

GET/ Get User by ID

This API is used to retrieve users by their user ID. It returns an HTTP 200 response if the user is not found.

GET https://localhost/t/{tenant-domain}/scim2/Users/{id}

Parameters

Type Name Description Schema Default Value
Path

id

(required)

String -
Query

attributes

(optional)

Attribute names of attributes that are to be included in the response.

All the of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification .

String -
Query

excludedAttributes

(optional)

Attribute names of attributes that are to be exclused from the response.
All the of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification .

String -

Responses

  • HTTP 200 - Valid user is found
  • HTTP 401 - Unauthorized
  • HTTP 404 - Valid user is not found

POST/ Create User

POST https://localhost/t/{tenant-domain}/scim2/Users

This API creates a user and returns the user details along with the user's unique ID. It returns HTTP 201 if the user is successfully created.

Parameters

Type Name Description Schema Default Value
Query

attributes

(optional)

String -
Query

excludedAttributes

(optional)

String -
Body

body

(optional)

String -

Responses

  • HTTP 201 - Valid user is created
  • HTTP 401 - Unauthorized
  • HTTP 404 - Invalid user

Tip

To create a user in a particular user store, add the {domainName}/ prefix in front of the user name.

curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"jackson","givenName":"kim"},"userName":"WSO2/kim","password":"kimwso2","emails":[{"primary":true,"value":"kim.jackson@gmail.com","type":"home"},{"value":"kim_j@wso2.com","type":"work"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users

DELETE/ Delete User by ID

DELETE https://localhost/t/{tenant-domain}/scim2/Users/{id }

This API deletes a user using the user's unique ID. It returns HTTP 204 if the user is successfully deleted.

Parameters

Type Name Description Schema Default Value
Path

id

(required)

Unique ID of the resource type.

String -

Responses

  • HTTP 204 - User has been succesfully deleted
  • HTTP 401 - Unauthorized
  • HTTP 404 - Valid user is not found

GET/ Get Users (User Listing/Filtering)

GET https://localhost/t/{tenant-domain}/scim2/Users

This API returns users according to the filter, sort and pagination parameters. It returns an HTTP 404 response if the users are not found. Pagination is not supported across user stores and LDAP multi-attribute group filtering. However, filtering is supported across multiple user stores.

Parameters

Type Name Description Schema Default Value
Query

attributes

(optional)

Attribute names of attributes that are to be included in the response.

All the of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification .

String -
Query

excludedAttributes

(optional)

Attribute names of attributes that are to be exclused from the response.
All the of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification .

String -
Query

filter

(optional)

A filter expression used to filter users.

Supported filter operators are ‘ EQ ’, ' EW' , ‘ CO ’, ‘ SW ’, and ‘ AND ’.

Tip

Operators are case-insensitive.

String -
Query

startIndex

(optional)

The 1-based index of the first query result. Integer -
Query

count

(optional)

Specifies the desired maximum number of query results per page.

Tip

This parameter is optional but it is recommended to include it in the request.

When this parameter is not included in the request, the response returns all users from a given domain or across all user stores.

When this parameter is set to 0 (zero) or is a negative value, no users are retrieved.

Integer -
Query

sortBy

(optional)

Specifies the attribute whose value can be used to order the returned responses.

Warning

This parameter is not supported for this version.

String -
Query

sortOrder

(optional)

The order in which the "sortBy" parameter is applied. (e.g., ascending order)

Warning

This parameter is not supported for this version.

String -
Query

domain

(optional)

The name of the user store to which filtering needs to be applied. String -

Responses

  • HTTP 200 - Valid users are found
  • HTTP 401 - Unauthorized
  • HTTP 404 - Valid users are not found

Tip

There are two ways to retrieve users from a particular user store:

  1. Using the domain query parameter
    Filter or list users from a particular domain by setting the domain query parameter as shown in the example below.

    curl -v -k --user admin:admin 'https://localhost:9443/scim2/Users?startIndex=1&count=10&domain=WSO2
  2. Adding the “ {domain}/ ” prefix in front of the filter value
    Filter or list users from a particular domain by specifying the domain in front of the filter value as shown in the example below.
    Note that this feature can only be used with “userName” and “groups” attributes.
    If the domain name is specified in both the query parameter and the filter value, an ERROR is thrown if the two values are not equal.

    curl -v -k --user admin:admin 'https://localhost:9443/scim2/Users?startIndex=1&count=10&filter=userName+sw+WSO2/ki'

POST/ Search Users

POST https://localhost/t/{tenant-domain}/scim2/Users/.search

This API returns users according to the filter, sort and pagination parameters. It returns an HTTP 404 response if the users are not found.

Parameters

Type Name Description Schema Default Value
Body

body

(optional)

This is a JSON object that contains relevant values used to search for a user.

String -

Responses

  • HTTP 200 - Valid users are found
  • HTTP 401 - Unauthorized
  • HTTP 404 - Valid users are not found

PATCH/ Update User

PATCH https://localhost/t/{tenant-domain}/scim2/Users/{id }

This API updates user details and returns the updated user details using a PATCH operation. It returns an HTTP 404 response if the user is not found.

Parameters

Type Name Description Schema Default Value
Path

id

(required)

Unique ID of the resource type.




String -
Query

attributes

(optional)

String -
Query

excludedAttributes

(optional)

String -
Body

body

(optional)

This is a JSON object that contains relevant values used to search for a user.

Responses

  • HTTP 200 - User has been successfully updated
  • HTTP 401 - Unauthorized
  • HTTP 404 - Valid user is not found

PUT/ Update User

PUT https://localhost/t/{tenant-domain}/scim2/Users/{id }

This API updates user details and returns the updated user details using a PUT operation. It returns an HTTP 404 response if the user is not found.

Parameters

Type Name Description Schema Default Value
Path

id

(required)

Unique ID of the resource type.




String -
Query

attributes

(optional)

String -
Query

excludedAttributes

(optional)

String -
Body

body

(optional)

This is a JSON object that contains relevant values used to search for a user. String -

Responses

  • HTTP 200 - User has been successfully updated
  • HTTP 401 - Unauthorized
  • HTTP 404 - Valid users are not found

Groups endpoint

This endpoint is used to create and manage groups and group members.

Note

From WSO2 Identity Server 5.8.0 onwards, new configurations have been added to support filtering users and groups only from the PRIMARY domain.

If these properties are enabled, the responses recieved for the users endpoint and groups endpoint will change. For more information, see Migrate - What Has Changed.

GET/ Group by ID

GET https://localhost/t/{tenant-domain}/scim2/Groups/{id}

This API returns the group details of a particular group using its unique ID. It returns an HTTP 200 response if the group is found.

Parameters

Type Name Description Schema Default Value
Path

id

(required)

Unique ID of the resource type.




String -
Query

attributes

(optional)

Attribute names of attributes that are to be included in the response.

All the of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification .

String -
Query

excludedAttributes

(optional)

Attribute names of attributes that are to be exclused from the response.
All the of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification .

String -

Responses

  • HTTP 200 - Valid group is found
  • HTTP 401 - Unauthorized
  • HTTP 404 - Valid group is not found

POST/ Create Group

POST https://localhost/t/{tenant-domain}/scim2/Groups

This API creates a group and returns the details of the created group including its unique ID. It returns an HTTP 201 response if the group is successfully created.

Parameters

Type Name Description Schema Default Value
Query

attributes

(optional)

Attribute names of attributes that are to be included in the response.

All the of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification .

String -
Query

excludedAttributes

(optional)

Attribute names of attributes that are to be exclused from the response.
All the of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification .

String -
Body

body

(optional)

String -

Responses

  • HTTP 201 - Valid group is created
  • HTTP 401 - Unauthorized
  • HTTP 404 - Group is not found

POST/ Create Group

POST https://localhost/t/{tenant-domain}/scim2/Groups

This API creates a group and returns the details of the created group including its unique ID. It returns an HTTP 201 response if the group is successfully created.

Parameters

Type Name Description Schema Default Value
Query

attributes

(optional)

Attribute names of attributes that are to be included in the response.

All the of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification .

String -
Query

excludedAttributes

(optional)

Attribute names of attributes that are to be exclused from the response.
All the of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification .

String -
Body

body

(optional)

String -

Responses

  • HTTP 201 - Valid group is created
  • HTTP 401 - Unauthorized
  • HTTP 404 - Invalid group

Tip

To create a user in a particular user store, add the {domainName}/ prefix in front of the user name as shown in the example below.

curl -v -k --user admin:admin --data '{"displayName":"WSO2DOMAIN/manager"}' --header "Content-Type:application/json" https://localhost:9443/scim2/Groups

DELETE/ Delete Group By ID

DELETE https://localhost/t/{tenant-domain}/scim2/Groups/{id }

This API deletes a particular group using its unique ID. It returns an HTTP 204 reponse if the group is successfully deleted.

Parameters

Type Name Description Schema Default Value
Path

id

(required)

Unique ID of the resource type.

String -

Responses

  • HTTP 204 - Valid group has been successfully deleted.
  • HTTP 401 - Unauthorized
  • HTTP 404 - Invalid group

GET/ Filter Groups

GET https://localhost/t/{tenant-domain}/scim2/Groups

This API deletes a particular group using its unique ID. It returns an HTTP 204 reponse if the group is successfully deleted.

Parameters

Type Name Description Schema Default Value
Query

attributes

(optional)

Attribute names of attributes that are to be included in the response.

All the of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification .

String -
Query

excludedAttributes

(optional)

Attribute names of attributes that are to be exclused from the response.
All the of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification .

String -
Query

filter

(optional)

A filter expression used to filter users.

Supported filter operators are ‘ EQ ’, ' EW' , ‘ CO ’, ‘ SW ’, and ‘ AND ’.

Note

Operators are case-insensitive.

String -
Query

startIndex

(optional)

The 1-based index of the first query result.

Warning

Pagination is not supported.

Integer -
Query

count

(optional)

Specifies the desired maximum number of query results per page.

Warning

Pagination is not supported.

Note

When this parameter is not included in the request, the response returns all groups from the given domain or across all user stores. When the count is zero or any value less than zero, no groups are returned.

Integer -
Query

sortBy

(optional)

Specifies the attribute whose value can be used to order the returned responses.

Warning

This parameter is not supported for this version.

String -
Query

sortOrder

(optional)

The order in which the "sortBy" parameter is applied. (e.g., ascending order)

Warning

This parameter is not supported for this version.

String -
Query

domain

(optional)

The name of the user store to which filtering needs to be applied. String -

Responses

  • HTTP 204 - Valid group has been successfully deleted.
  • HTTP 401 - Unauthorized
  • HTTP 404 - Invalid group

Tip

There are two ways to retrieve users from a particular user store:

  1. Using the domain query parameter
    Setting the domain parameter enables both filtering and listing groups in a specified user store.

    Sample Request

    curl -v -k --user admin:admin 'https://localhost:9443/scim2/Groups?startIndex=3&count=20&domain=WSO2’
  2. Adding the “ {domain}/ ” prefix in front of the filter value
    Filter or list users from a particular domain by specifying the domain in front of the filter value as shown in the example below.
    Note that this feature can only be used with "displayName", "members.display" and "members.value" attributes.
    If the domain name is specified in both the query parameter and the filter value, an ERROR is thrown if the two values are not equal.

    curl -v -k --user admin:admin 'https://localhost:9443/scim2/Groups?startIndex=2&count=20&filter=displayName+eq+WSO2/manager'

POST/ Search Groups

POST https://localhost/t/{tenant-domain}/scim2/Groups/.search

This API returns groups according to the specified filter, sort and pagination parameters. It returns an HTTP 404 response if the groups are not found.

Parameters

Type Name Description Schema Default Value
Body

body

(optional)

This is a JSON object that contains relevant values used to search for a group.

String -

Responses

  • HTTP 200 - Valid groups are found
  • HTTP 401 - Unauthorized
  • HTTP 404 - Groups are not found

PATCH/ Update Group

PATCH https://localhost/t/{tenant-domain}/scim2/Groups/{id}

This API updates the group details and returns the updated group details using a PATCH operation. It returns an HTTP 404 response if the group is not found.

Parameters

Type Name Description Schema Default Value
Path

id

(required)

Unique ID of the resource type.




String -
Query

attributes

(optional)

String -
Query

excludedAttributes

(optional)

String -
Body

body

(optional)

This is a JSON object that contains relevant values used to search for a user. String -

Responses

  • HTTP 200 - Group has been successfully updated
  • HTTP 401 - Unauthorized
  • HTTP 404 - Valid group is not found

PATCH/ Remove Group Member

This API removes group member and returns the updated group details using a PATCH operation. It returns an HTTP 404 response if the group is not found.

PATCH https://localhost/t/{tenant-domain}/scim2/Groups/{id}

Parameters

Type Name Description Schema
Path

id

(required)

Unique ID of the resource type.




String
Query

attributes

(optional)

Attribute names of attributes that are to be included in the response.

All the of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification .

Sample Request

String
Query

excludedAttributes

(optional)

Attribute names of attributes that are to be exclused from the response.
All the of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification .

Sample Request

String
Body

body

(optional)

This is a JSON object that contains relevant values used to search for a user. String

Request

curl -v -k --user [user name]:[password] -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"[operation]","path":"members[display eq [user's user name],value eq [user Id]]"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Groups/[group Id]

Response

  • HTTP 200 - Group has been successfully updated
  • HTTP 401 - Unauthorized
  • HTTP 404 - Valid group is not found

Example

curl -v -k --user admin:admin -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"remove","path":"members[display eq kim,value eq 81ffe274-19a9-46aa-acfe-469a09cdd25a]"}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Groups/1b91c4ef-9834-4278-82e3-ed810a94403b
{"displayName":"PRIMARY/testGroup","meta":{"created":"2019-12-06T09:34:52.250Z","location":"https://localhost:9443/scim2/Groups/1b91c4ef-9834-4278-82e3-ed810a94403b","lastModified":"2019-12-06T09:34:52.250Z"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"],"members":[{"display":"orange","value":"81ffe274-19a9-46aa-acfe-469a09cdd25a","$ref":"https://localhost:9443/scim2/Users/81ffe274-19a9-46aa-acfe-469a09cdd25a"}],"id":"1b91c4ef-9834-4278-82e3-ed810a94403b"}

PUT/ Update Group

PUT https://localhost/t/{tenant-domain}/scim2/Groups/{id }

This API updates the group details and returns the updated group details using a PUT operation. It returns an HTTP 404 reponse if the group is not found.

Parameters

Type Name Description Schema Default Value
Path

id

(required)

Unique ID of the resource type.




String -
Query

attributes

(optional)

String -
Query

excludedAttributes

(optional)

String -
Body

body

(optional)

This is a JSON object that contains relevant values used to search for a user. String -

Responses

  • HTTP 200 - Group has been successfully updated
  • HTTP 401 - Unauthorized
  • HTTP 404 - Valid group is not found

Me Endpoint

This endpoint is used to create and manage the currently authenticated user.

POST/ Create Users in Bulk

POST https://localhost/t/{tenant-domain}/scim2/Me

This API is used to register a user anonymously. It returns an HTTP 201 response if the user is successfully created. These endpoints are secured by default. Therefore, to invoke this API anonymously, set the secured property for the SCIM2 resource in the identity.xml file to false. For more information, see Authenticating and Authorizing REST APIs.

curl -v -k  --data '{"schemas":[],"name:{"familyName":[last name],"givenName":[name]},"userName":[username],"password":[password],"emails":[{"primary":[true/false],"value":[email address],"type":[home/work]},{"value":[email address 2],"type":[home/work]}],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"employeeNumber":[employee ID],"manager":{"value":[manager's name]}}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me
curl -v -k --data '{"schemas":[],"name":{"familyName":"Johnson","givenName":"Alex"},"userName":"alex","password":"alexwso2","emails":[{"primary":true,"value":"alex.j@gmail.com","type":"home"},{"value":"alex_j@wso2.com","type":"work"}],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"employeeNumber":"123A","manager":{"value":"Taylor"}}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me
{"emails":[{"type":"home","value":"alex.j@gmail.com","primary":true},{"type":"work","value":"alex_j@wso2.com"}],"meta":{"created":"2018-08-17T10:34:29Z","location":"https://localhost:9443/scim2/Users/008bba85-451d-414b-87de-c03b5a1f4217","lastModified":"2018-08-17T10:34:29Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"manager":{"value":"Taylor"},"employeeNumber":"123A"},"name":{"familyName":"Johnson","givenName":"Alex"},"id":"008bba85-451d-414b-87de-c03b5a1f4217","userName":"alex"}

Parameters

Type Name Description Schema Default
Query attributes (optional)

Attribute names of attributes that are to be included in the response. When this parameter is included in the request, the response returns only the attributes that are specified in the request. All the attributes of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification.

Click to see the Sample Request

curl -v -k --data '{"schemas":[],"name":{"familyName":"Johnson","givenName":"Alex"},"userName":"alex","password":"alexwso2","emails":[{"primary":true,"value":"alex.j@gmail.com","type":"home"},{"value":"alex_j@wso2.com","type":"work"}],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"employeeNumber":"123A","manager":{"value":"Taylor"}}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me?attributes=userName,name.familyName

String -
Query excludedAttributes (optional)

Attribute names of attributes that are to be excluded from the response. When this parameter is included in the request, the response returns all attributes except the excluded attributes that are specified in the request. All the attributes of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification.

Click to see the Sample Request

curl -v -k --data '{"schemas":[],"name":{"familyName":"Johnson","givenName":"Alex"},"userName":"alex","password":"alexwso2","emails":[{"primary":true,"value":"alex.j@gmail.com","type":"home"},{"value":"alex_j@wso2.com","type":"work"}],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"employeeNumber":"123A","manager":{"value":"Taylor"}}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me?excludedAttributes=userName,name.familyName

String -
Body body (optional) A JSON object that contains relevant values for creating a user. String -

Responses

  • HTTP 201 - Valid user is created
  • HTTP 401 - Unauthorized
  • HTTP 404 - Invalid user

DELETE/ Delete Me

DELETE https://localhost/t/{tenant-domain}/scim2/Me

This API is used to delete the currently authenticated user. It returns HTTP 204 if the user is successfully deleted.

curl -v -k --user  [username]:[password] -X DELETE https://localhost:9443/scim2/Me
curl -v -k --user alex:alexwso2 -X DELETE https://localhost:9443/scim2/Me
HTTP/1.1 204 NOT IMPLEMENTED
Type Name Description Schema Default Value
Path id (required) Unique ID of the resource type. String -

Response - HTTP 204 - User has been succesfully deleted - HTTP 401 - Unauthorized - HTTP 404 - Valid user is not found

GET/ Get Me

GET https://localhost/t/{tenant-domain}/scim2/Me

This API returns the user details of the currently authenticated user. These endpoints are secured by default. Therefore, to invoke this API anonymously, set the secured property for the SCIM2 resource in the identity.xml file to false. For more information, see Authenticating and Authorizing REST APIs.

curl -v -k --user [username]:[password] https://localhost:9443/scim2/Me
curl -v -k --user kim:kimwso2 https://localhost:9443/scim2/Me
{"schemas":["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],"resourceType":[{"schema":"urn:ietf:params:scim:schemas:core:2.0:User","endpoint":"/Users","meta":{"location":"https://localhost:9443/scim2/ResourceType/User","resourceType":"ResourceType"},"name":"User","description":"User Account","schemaExtensions":{"schema":"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User","required":false},"id":"User"},{"schema":"urn:ietf:params:scim:schemas:core:2.0:Group","endpoint":"/Groups","meta":{"location":"https://localhost:9443/scim2/ResourceType/Group","resourceType":"ResourceType"},"name":"Group","description":"Group","id":"Group"}]}

Parameters None

Responses

  • HTTP 200 - Schema is found
  • HTTP 401 - Unauthorized
  • HTTP 404 - Schema is not found

PATCH/ Update Me

PATCH https://localhost/t/{tenant-domain}/scim2/Me

This API uses a PATCH operation to update user details Returns HTTP 404 if the user is not found.

curl -v -k --user [username]:[password] -X PATCH -d '{"schemas":[],"Operations":[{"op":[operation],"value":{[attributeName]:[attribute value]}}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me
curl -v -k --user kim:kimwso2 -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"add","value":{"nickName":"shaggy"}}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me
{"emails":[{"type":"work","value":"jackson_k@wso2.com"},{"type":"home","value":"jacksonk@gmail.com"}],"meta":{"created":"2018-08-16T17:19:43Z","location":"https://localhost:9443/scim2/Users/f60e6ddd-8d04-411f-92b9-c7ba95fb0fa9","lastModified":"2018-08-17T11:43:34Z","resourceType":"User"},"nickName":"shaggy","schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"manager":{"value":"Taylor"},"employeeNumber":"123A"},"roles":[{"type":"default","value":"manager,Internal/everyone,admin"}],"name":{"givenName":"Kim","familyName":"JacksonJohn"},"groups":[{"display":"manager","value":"a43fe003-d90d-43ca-ae38-d2332ecc0f36"}],"id":"f60e6ddd-8d04-411f-92b9-c7ba95fb0fa9","userName":"kim"}

Parameters

Type Name Description Schema Default Value
Query attributes (optional)

Attribute names of attributes that are to be included in the response. When this parameter is included in the request, the response returns only the attributes that are specified in the request. All the attributes of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification.

Click to see the sample request

curl -v -k --user kim:kimwso2 -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"add","value":{"nickName":"shaggy"}}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me?attributes=userName,name.familyName

String -
Query excludedAttributes (optional)

Attribute names of attributes that are to be excluded from the response. When this parameter is included in the request, the response returns all attributes except the excludedattributes that are specified in the request. All the attributes of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification.

Click to see the sample request

curl -v -k --user kim:kimwso2 -X PATCH -d '{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"add","value":{"nickName":"shaggy"}}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me?excludedAttributes=userName,name.familyName

String -
Body body (optional) This is a JSON object that contains relevant values used to search for a user.

Response

  • HTTP 200 - User has been successfully updated
  • HTTP 401 - Unauthorized
  • HTTP 404 - Valid user is not found

PUT/ Update User

PUT https://localhost/t/{tenant-domain}/scim2/Me

This API uses a PUT operation to update user details. It returns HTTP 404 if the user is not found.

curl -v -k --user [username]:[password] -X PUT -d '{"schemas":[],"name":{"familyName":[last name],"givenName":[name]},"emails":[{"primary":[true/false],"value":[email address],"type":[home/work]},{"value":[email address 2],"type":[home/work]}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me
curl -v -k --user kim:kimwso2 -X PUT -d '{"schemas":[],"name":{"familyName":"JacksonJohn","givenName":"Kim"},"userName":"kim","emails":[{"primary":true,"value":"jacksonk@gmail.com","type":"home"},{"value":"jackson_k@wso2.com","type":"work"}],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"employeeNumber":"123A","manager":{"value":"Taylor"}}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Me
{"emails":[{"type":"work","value":"jackson_k@wso2.com"},{"type":"home","value":"jacksonk@gmail.com"}],"meta":{"created":"2018-08-16T17:19:43Z","location":"https://localhost:9443/scim2/Users/f60e6ddd-8d04-411f-92b9-c7ba95fb0fa9","lastModified":"2018-08-16T17:43:17Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"manager":{"value":"Taylor"},"employeeNumber":"123A"},"roles":[{"type":"default","value":"manager,Internal/everyone,admin"}],"name":{"givenName":"Kim","familyName":"JacksonJohn"},"groups":[{"display":"manager","value":"a43fe003-d90d-43ca-ae38-d2332ecc0f36"}],"id":"f60e6ddd-8d04-411f-92b9-c7ba95fb0fa9","userName":"kim"}

Parameters

Type Name Description Schema Default Value
Query attributes (optional)

Attribute names of attributes that are to be included in the response. When this parameter is included in the request, the response returns only the attributes that are specified in the request. All the attributes of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification.

Click to see the sample request

curl -v -k --user kim:kimwso2 -X PUT -d '{"schemas":[],"name":{"familyName":"JacksonJohn","givenName":"Kim"},"userName":"kim","emails":[{"primary":true,"value":"jacksonk@gmail.com","type":"home"},{"value":"jackson_k@wso2.com","type":"work"}],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"employeeNumber":"123A","manager":{"value":"Taylor"}}}' --header "Content-Type:application/json" https://localhost:9443/scim2/Meattributes=userName,name.familyName

String -
Query excludedAttributes (optional)

Attribute names of attributes that are to be excluded from the response. When this parameter is included in the request, the response returns all attributes except the excluded attributes that are specified in the request. All the attributes of the users dialect and meta dialect are supported. For more information about this parameter, see the SCIM 2.0 specification.

Click to see the sample request

curl -v -k --user kim:kimwso2 -X PUT -d '{"schemas":[],"name":{"familyName":"JacksonJohn","givenName":"Kim"},"userName":"kim","emails":[{"primary":true,"value":"jacksonk@gmail.com","type":"home"},{"value":"jackson_k@wso2.com","type":"work"}],"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{"employeeNumber":"123A","manager":{"value":"Taylor"}}}' --header "Content-Type:application/json" https://localhost:9443/scim2/MeexcludedAttributes=userName,name.familyName

String -
Body body (optional) This is a JSON object that contains relevant values used to search for a user. String -

Responses

  • HTTP 200 - User has been successfully updated
  • HTTP 401 - Unauthorized
  • HTTP 404 - Valid users are not found

Bulk Endpoint

POST/ Create Users in Bulk

POST https://localhost/t/{tenant-domain}/scim2/Bulk

This API is used to create multiple users at once. It returns an HTTP 201 response if the users are successfully created.

Parameters

Type Name Description Schema Default Value
Body

body

(optional)

This is a JSON object that contains relevant values used to create the users. String -

Responses

  • HTTP 200 - Valid users are created
  • HTTP 401 - Unauthorized
  • HTTP 404 - Invalid users

ResourceType Endpoint

GET/ Get Resource Types

GET https://localhost/t/{tenant-domain}/scim2/ResourceType

This API lists and returns metadata about resource types. It returns an HTTP 200 response if the schema is found.

Parameters

None

Responses

  • HTTP 200 - Schema is found
  • HTTP 401 - Unauthorized
  • HTTP 404 - Schema is not found

ServiceProviderConfig Endpoint

GET/ Get Service Provider Config

GET https://localhost/t/{tenant-domain}/scim2/ServiceProviderConfig

This API is used to create multiple users at once. It returns an HTTP 201 response if the users are successfully created.

Parameters

None

Responses

  • HTTP 200 - Schema is found
  • HTTP 401 - Unauthorized
  • HTTP 404 - Schema is not found

Permissions

Following are the default permissions that are required to access each resource in SCIM 2.0.

Endpoint HTTP Method Permission
/scim2/Users
POST
        
/permission/admin/manage/identity/usermgt/create
        
/scim2/Users
        
GET
        
/permission/admin/manage/identity/usermgt/list
        
/scim2/Groups
        
POST
        
/permission/admin/manage/identity/rolemgt/create
        
/scim2/Groups
        
GET
        
/permission/admin/manage/identity/rolemgt/view
        
/scim2/Users/(.*)
        
GET
        
/permission/admin/manage/identity/usermgt/view
        
/scim2/Users/(.*)
        
PUT
/permission/admin/manage/identity/usermgt/update
        
/scim2/Users/(.*)
        
PATCH
/permission/admin/manage/identity/usermgt/update
        
/scim2/Users/(.*)
        
DELETE
/permission/admin/manage/identity/usermgt/delete
        
/scim2/Groups/(.*)
        
GET
        
/permission/admin/manage/identity/rolemgt/view
        
/scim2/Groups/(.*)
        
PUT
/permission/admin/manage/identity/rolemgt/update
        
/scim2/Groups/(.*)
        
PATCH
/permission/admin/manage/identity/rolemgt/update
        
/scim2/Groups/(.*)
        
DELETE
/permission/admin/manage/identity/rolemgt/delete
        
/scim2/Me
        
GET
/permission/admin/login
        
/scim2/Me
        
DELETE
/permission/admin/login
        
/scim2/Me
        
PUT
/permission/admin/login
        
/scim2/Me
        
PATCH
/permission/admin/login
        
/scim2/Me
        
POST
/permission/admin/manage/identity/usermgt/create
        
/scim2/ServiceProviderConfig
        
all -
/scim2/ResourceType
        
all -
/scim2/Bulk
        
all
/permission/admin/manage/identity/usermgt
        

Info

More information about how to secure the REST APIs and configure authorization level, see Authenticating and Authorizing REST APIs.

Top