|
| 1 | +--- |
| 2 | +id: scim |
| 3 | +title: SCIM |
| 4 | +sidebar_label: SCIM |
| 5 | +--- |
| 6 | + |
| 7 | +# System for Cross-domain Identity Management |
| 8 | + |
| 9 | +:::info |
| 10 | + |
| 11 | +SCIM provisioning is only available in Ory Network and via the Ory Enterprise License (OEL). If you have any questions, please |
| 12 | +[reach out](https://www.ory.sh/contact/). |
| 13 | + |
| 14 | +::: |
| 15 | + |
| 16 | +SCIM (System for Cross-domain Identity Management) is a standard for automating the exchange of user identity information between |
| 17 | +identity domains or IT systems. It is designed to make it easier to manage user identities in cloud-based applications and |
| 18 | +services. SCIM provides a common schema for representing user identities and a RESTful API for managing them. This allows |
| 19 | +organizations to automate the provisioning and de-provisioning of user accounts across multiple systems, reducing the |
| 20 | +administrative burden and improving security. |
| 21 | + |
| 22 | +In the Ory Network, SCIM is available at the organization level. This means that within one project, you can have multiple |
| 23 | +organizations with different SCIM configurations. Each organization can have its own SCIM settings, including the ability to |
| 24 | +enable or disable SCIM, set the base URL for SCIM endpoints, and configure authentication methods. This allows organizations to |
| 25 | +tailor their SCIM implementation to meet their specific needs and requirements. |
| 26 | + |
| 27 | +Identities that are provisioned through the SCIM API are automatically created in the Ory Network and added to that SCIM server's |
| 28 | +organization. The provisioned identities can then log in through any of the organization's configured SSO methods. |
| 29 | + |
| 30 | +```mdx-code-block |
| 31 | +import Mermaid from "@site/src/theme/Mermaid" |
| 32 | +
|
| 33 | +<Mermaid |
| 34 | + chart={` |
| 35 | +flowchart TD |
| 36 | + P(Project) --> O1(Organization 1) |
| 37 | + P(Project) --> O(Organization 2) |
| 38 | + P(Project) --> O3(Organization 3) |
| 39 | +
|
| 40 | + O --> S(SCIM Client) |
| 41 | + O <-->|belongs to| I(Identity) |
| 42 | + S -->|provisions| I |
| 43 | +`} |
| 44 | +/> |
| 45 | +``` |
| 46 | + |
| 47 | +## Set up identity provisioning with SCIM |
| 48 | + |
| 49 | +To set up identity provisioning with SCIM, follow these steps: |
| 50 | + |
| 51 | +### Create an organization |
| 52 | + |
| 53 | +If you haven't already, create an [organization](../organizations). This organization will be used to manage your SCIM settings |
| 54 | +and provision identities. |
| 55 | + |
| 56 | +### Configure a SCIM client |
| 57 | + |
| 58 | +In the organization view, under **SCIM clients**, click **Add SCIM client**. This will open a form where you can configure your |
| 59 | +SCIM client's settings. |
| 60 | + |
| 61 | +- **Client ID**: Enter an identifier for your SCIM client. This identifier will be part of the URL the client uses to access the |
| 62 | + Ory Network SCIM server. It should be unique within your project. |
| 63 | +- **Label**: Enter a human-readable label for your SCIM client. the SCIM server. |
| 64 | +- **Authorization header secret**: Enter a secret in the client authenticaiton's **secret** field. This secret will be used to |
| 65 | + authenticate requests to the SCIM server. Clients need to specify this in the `Authorization` header of their requests. |
| 66 | +- **Data mapping**: When the client creates or updates a user, the supplied data will be applied to the identity based on this |
| 67 | + data mapping. |
| 68 | + |
| 69 | +### Use the SCIM client |
| 70 | + |
| 71 | +Once you have configured a SCIM client, you can use it to provision identities. The Ory Network SCIM server provides a set of |
| 72 | +endpoints that allow the creation and management of user identities and groups. |
| 73 | + |
| 74 | +The following endpoints are available: |
| 75 | + |
| 76 | +- **User endpoints** |
| 77 | + - `GET /Users`: Retrieve a list of users. |
| 78 | + - `POST /Users`: Create a new user. |
| 79 | + - `GET /Users/{id}`: Retrieve a specific user by ID. |
| 80 | + - `PUT /Users/{id}`: Update a specific user by ID. |
| 81 | + - `PATCH /Users/{id}`: Partially update a specific user by ID. |
| 82 | + - `DELETE /Users/{id}`: Delete a specific user by ID. |
| 83 | +- **Group endpoints** |
| 84 | + - `GET /Groups`: Retrieve a list of groups. |
| 85 | + - `POST /Groups`: Create a new group. |
| 86 | + - `GET /Groups/{id}`: Retrieve a specific group by ID. |
| 87 | + - `PUT /Groups/{id}`: Update a specific group by ID. |
| 88 | + - `PATCH /Groups/{id}`: Partially update a specific group by ID. |
| 89 | + - `DELETE /Groups/{id}`: Delete a specific group by ID. |
| 90 | + |
| 91 | +### Known limitations |
| 92 | + |
| 93 | +- For querying users with `GET /Users`, the SCIM server only supports the `eq` operator for filtering, and only with the |
| 94 | + `userName` attribute. Other operators like `ne`, `co`, `sw`, and `ew` are not supported. |
| 95 | +- For querying groups with `GET /Groups`, the SCIM server only supports the `eq` operator for filtering, and only with the |
| 96 | + `displayName` attribute. Other operators like `ne`, `co`, `sw`, and `ew` are not supported. |
| 97 | +- For both user and group query endpoints, `startIndex` must be lower than 5000, and `count` must be lower than 1000. |
| 98 | +- If the user already exists within the project or organization the provisioning may fail with a 409 conflict error. This is |
| 99 | + because the SCIM server cannot modify existing users that have not been provisioned via SCIM. In this case, you need to manually |
| 100 | + delete the user first. |
0 commit comments