Manage SCIM 2.0 attribute mappings
Attributes in your organization are mapped to the following SCIM 2.0 schemas:
Core schema
The core schema defines a set of common attributes that are included in every SCIM resource, such as unique identifiers and resource metadata. Core schema attributes are an integral part of every base resource schema. Unlike other schemas, the core schema does not have its own URI and is inherently included in every resource definition.
Read about core schema in the SCIM2 specification.
User schema
The user schema defines attributes specific to user resources, in addition to the core schema attributes. This schema is identified by the URI urn:ietf:params:scim:schemas:core:2.0:User. Attributes in the user schema include details such as the user's name, email addresses, phone numbers, roles, and other identity-related properties.
Read about user schema in the SCIM2 specification.
Enterprise schema
The enterprise schema extends the user schema to include attributes commonly used for representing users in business or enterprise environments. This schema is identified by the URI urn:ietf:params:scim:schemas:extension:enterprise:2.0:User. Attributes in the enterprise schema include details such as the user’s department, manager, cost center, and other organization-specific properties.
Read about enterprise schema in the SCIM2 specification.
Custom schema
Custom schema attributes provide the flexibility to extend standard SCIM schemas with additional fields to fit the needs of your organization. While other attribute schemas cannot be modified, you can freely add or delete custom schema attributes.
Custom user attributes in WSO2 Identity Server are created under the urn:scim:wso2:schema schema.
You can configure this schema in the following ways by adding configuration to <IS_HOME>/repository/conf/deployment.toml:
- To disable this schema,
    [scim2]
    enable_custom_schema_extension = false
- To rename this schema,
    [scim2]
    custom_user_schema_uri = "urn:scim:custom:schema:new"
Note
A set of attributes in the enterprise schema are immutable. These attributes are used for internal purposes of WSO2 Identity Server and are not intended to be modified. Attempting to modify these attributes, either through the SCIM 2.0 API or from the user profile in the Console, will result in an error.
These attributes can be identified by the "mutability" key with the value "readOnly" configured in the scim2-schema-extension.config file.
The following attributes in the Identity Server are immutable in the default setup:
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:pendingEmails.value
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:pendingEmails
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:accountState
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:lastLoginTime
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:lastPasswordUpdateTime
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:lockedReason
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:isReadOnlyUser
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:oneTimePassword
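
The "mutability" check described in this note can be automated to catch configuration drift on security-relevant attributes such as accountState and lockedReason. The following is an added example, not WSO2 code: it assumes scim2-schema-extension.config is a JSON array of attribute objects with the attribute URI under an `attributeURI` key, and the function name and sample data are constructed for illustration.

```python
import json

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
URI_KEY = "attributeURI"  # assumed key holding the attribute URI in each entry

# Attributes this page lists as immutable in the default setup.
EXPECTED_READ_ONLY = {f"{ENTERPRISE}:{n}" for n in (
    "pendingEmails.value", "pendingEmails", "accountState", "lastLoginTime",
    "lastPasswordUpdateTime", "lockedReason", "isReadOnlyUser", "oneTimePassword")}


def audit_mutability(config_text, expected=EXPECTED_READ_ONLY):
    """Return (writable, missing): expected attributes that are not readOnly,
    and expected attributes that have no entry in the config at all."""
    entries = {e[URI_KEY]: e for e in json.loads(config_text)
               if isinstance(e, dict) and URI_KEY in e}
    writable, missing = {}, []
    for uri in sorted(expected):
        if uri not in entries:
            missing.append(uri)
            continue
        # An entry with no "mutability" key is treated here as "readWrite",
        # which is the SCIM default for that characteristic.
        mutability = entries[uri].get("mutability", "readWrite")
        if mutability != "readOnly":
            writable[uri] = mutability
    return writable, missing


# Constructed sample, not the shipped file: lockedReason has drifted to
# readWrite, accountState lost its mutability key, oneTimePassword is absent.
SAMPLE_CONFIG = json.dumps([
    {URI_KEY: f"{ENTERPRISE}:pendingEmails", "mutability": "readOnly"},
    {URI_KEY: f"{ENTERPRISE}:pendingEmails.value", "mutability": "readOnly"},
    {URI_KEY: f"{ENTERPRISE}:accountState"},
    {URI_KEY: f"{ENTERPRISE}:lastLoginTime", "mutability": "readOnly"},
    {URI_KEY: f"{ENTERPRISE}:lastPasswordUpdateTime", "mutability": "readOnly"},
    {URI_KEY: f"{ENTERPRISE}:lockedReason", "mutability": "readWrite"},
    {URI_KEY: f"{ENTERPRISE}:isReadOnlyUser", "mutability": "readOnly"},
    {URI_KEY: f"{ENTERPRISE}:department", "mutability": "readWrite"},
])

if __name__ == "__main__":
    writable, missing = audit_mutability(SAMPLE_CONFIG)
    for uri, value in writable.items():
        print(f"WRITABLE {uri} (mutability={value})")
    for uri in missing:
        print(f"MISSING  {uri}")
```

To audit a real deployment, pass the text of the file to audit_mutability and treat any non-empty result as a change to review.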
View SCIM 2.0 attributes
To view the SCIM 2 attributes mapped to user attributes in your organization:
- On the WSO2 Identity Server Console, go to User Attributes & Stores > Attributes.
- Under Manage Attribute Mappings, click SCIM 2.0.
Add a SCIM 2.0 custom schema attribute
You can add new SCIM 2.0 custom schema attributes as follows:
- On the WSO2 Identity Server Console, go to User Attributes & Stores > Attributes.
- Under Manage Attribute Mappings, click SCIM 2.0.
- Click New Attribute and enter values for the following properties:
  - SCIM Attribute: The SCIM attribute name that will be shared with applications.
  - User attribute to map to: Select the default attribute that should be mapped to the new SCIM attribute.
- Click Save.
Delete a SCIM 2.0 custom schema attribute
To delete the SCIM 2.0 custom schema attributes available in your organization:
- On the WSO2 Identity Server Console, go to User Attributes & Stores > Attributes.
- Under Manage Attribute Mappings, click SCIM 2.0.
- Navigate to the Custom Schema tab and select the attribute to delete.
- Click Delete and select the checkbox to confirm your action.
- Click Confirm.
Note
Only custom attributes can be deleted.