SCIM

SCIM Provisioning for Organizations

The SCIM API is used by SCIM-enabled Identity Providers (IdPs) to automate provisioning of GitHub organization membership. The GitHub API is based on version 2.0 of the SCIM standard.

Please note that the SCIM API is available only to organizations on GitHub Business Cloud with SAML SSO enabled. For more information about SCIM, see "About SCIM" in the GitHub Help documentation.

Authenticating calls to the SCIM API

The API expects an OAuth 2.0 Bearer token to be passed to the Authorization header. You may also use Personal Access Tokens but they must be whitelisted from your token settings page.

Mapping of SAML and SCIM data

Make sure to configure your SAML Identity Provider and your SCIM client to have identical NameID and userName for the same user. This provides the ability for a user authenticating using SAML to be linked to their identity that is already provisioned using SCIM.

Supported SCIM User attributes

Name Type Description
userName string The username for the user.
name.givenName string The first name of the user.
name.lastName string The last name of the user.
emails array List of user emails.
externalId string External identifier (generated by the SAML SSO provider).
id string Identifier generated by the GitHub SCIM endpoint.
active boolean Used to indicate whether the identity is active (true) or should be deprovisioned (false).

Note: Endpoints for the SCIM API are case sensitive: the first letter in the Users endpoint must be capitalized. For example:

GET /scim/v2/organizations/:org/Users/:external_identity_guid

Get a list of provisioned identities

Note: The SCIM API on GitHub is currently available for developers to preview. To access the API, you must provide a custom media type in the Accept header:

application/vnd.github.cloud-9-preview+json+scim

Warning: The API may change without advance notice during the preview period. Preview features are not supported for production use. If you experience any issues, contact GitHub Support.

GET /scim/v2/organizations/:org/Users

Parameters

Name Type Description
startIndex integer Used for pagination: the index of the first result to return.
count integer Used for pagination: the number of results to return.
filter string Filters results using the equals query parameter operator (eq). You can filter results that are equal to id, userName, emails, and external_id. For example, to search for an identity with the userName Octocat, you would use this query: ?filter=userName%20eq%20\"Octocat\"

Example

If you want to filter by a specific email address, you'd use the email query parameter and the eq operator:

GET /scim/v2/organizations/:org/Users?filter=emails eq user@example.com

Your filter might look like this using cURL:

curl -u octocat:$token -H "Accept: application/vnd.github.cloud-9-preview+json+scim" https://api.github.com/scim/v2/organizations/octo-org/Users?filter=emails%20eq%20\"octocat@github.com\""

Response with filter

Retrieves users that match the filter. In the example, we searched only for octocat@github.com.

Status: 200 OK
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "totalResults": 1,
  "itemsPerPage": 1,
  "startIndex": 1,
  "Resources": [
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "5fc0c238-1112-11e8-8e45-920c87bdbd75",
      "externalId": "00u1dhhb1fkIGP7RL1d8",
      "userName": "octocat@github.com",
      "name": {
        "givenName": "Mona",
        "familyName": "Octocat"
      },
      "emails": [
        {
          "value": "octocat@github.com",
          "primary": true,
          "type": "work"
        }
      ],
      "active": true,
      "meta": {
        "resourceType": "User",
        "created": "2018-02-13T15:05:24.000-08:00",
        "lastModified": "2018-02-13T15:05:55.000-08:00",
        "location": "https://api.github.com/scim/v2/organizations/Octo-org/Users/5fc0c238-1112-11e8-8e45-920c87bdbd75"
      }
    }
  ]
}

Response without filter

Retrieves a paginated list of all provisioned organization members, including pending invitations.

Status: 200 OK
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "totalResults": 2,
  "itemsPerPage": 2,
  "startIndex": 1,
  "Resources": [
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "8773fe-ffff-42837498757",
      "externalId": "239482347928374",
      "userName": "mona@example.com",
      "name": {
        "givenName": "mona",
        "familyName": "octocat"
      },
      "active": true,
      "meta": {
        "resourceType": "User",
        "created": "2017-03-09T16:11:13-05:00",
        "lastModified": "2017-03-09T16:11:13-05:00"
      }
    },
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "77563764-eb6-24-0598234-958243",
      "externalId": "sdfoiausdofiua",
      "userName": "hubot@example.com",
      "name": {
        "givenName": "hu",
        "familyName": "bot"
      },
      "active": true,
      "meta": {
        "resourceType": "User",
        "created": "2017-03-09T16:11:13-05:00",
        "lastModified": "2017-03-09T16:11:13-05:00"
      }
    }
  ]
}

Get provisioning details for a single user

Note: The SCIM API on GitHub is currently available for developers to preview. To access the API, you must provide a custom media type in the Accept header:

application/vnd.github.cloud-9-preview+json+scim

Warning: The API may change without advance notice during the preview period. Preview features are not supported for production use. If you experience any issues, contact GitHub Support.

GET /scim/v2/organizations/:org/Users/:external_identity_guid

Response

Status: 200 OK
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "77563764-eb6-24-0598234-958243",
  "externalId": "sdfoiausdofiua",
  "userName": "hubot@example.com",
  "name": {
    "givenName": "hu",
    "familyName": "bot"
  },
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00"
  }
}

Provision and invite users

Note: The SCIM API on GitHub is currently available for developers to preview. To access the API, you must provide a custom media type in the Accept header:

application/vnd.github.cloud-9-preview+json+scim

Warning: The API may change without advance notice during the preview period. Preview features are not supported for production use. If you experience any issues, contact GitHub Support.

Provision organization membership for and send activation emails to a list of email addresses.

POST /scim/v2/organizations/:org/Users

Response

Status: 200 OK
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "name": {
    "givenName": "Mona",
    "familyName": "Octocat"
  },
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00"
  }
}

Update a provisioned organization membership

Note: The SCIM API on GitHub is currently available for developers to preview. To access the API, you must provide a custom media type in the Accept header:

application/vnd.github.cloud-9-preview+json+scim

Warning: The API may change without advance notice during the preview period. Preview features are not supported for production use. If you experience any issues, contact GitHub Support.

PUT /scim/v2/organizations/:org/Users/:external_identity_guid

Note: Setting active: false removes the user from the organization, deletes the external identity, and deletes the associated :user_id.

Response

Status: 200 OK
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "name": {
    "givenName": "Mona",
    "familyName": "Octocat"
  },
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00"
  }
}

Update a user attribute

Note: The SCIM API on GitHub is currently available for developers to preview. To access the API, you must provide a custom media type in the Accept header:

application/vnd.github.cloud-9-preview+json+scim

Warning: The API may change without advance notice during the preview period. Preview features are not supported for production use. If you experience any issues, contact GitHub Support.

PATCH /scim/v2/organizations/:org/Users/:external_identity_guid

Note: Setting active: false removes the user from the organization, deletes the external identity, and deletes the associated :user_id.

Response

Status: 200 OK
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "name": {
    "givenName": "Mona",
    "familyName": "Octocat"
  },
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00"
  }
}

Remove a user from the organization

Note: The SCIM API on GitHub is currently available for developers to preview. To access the API, you must provide a custom media type in the Accept header:

application/vnd.github.cloud-9-preview+json+scim

Warning: The API may change without advance notice during the preview period. Preview features are not supported for production use. If you experience any issues, contact GitHub Support.

DELETE /scim/v2/organizations/:org/Users/:external_identity_guid

Response

Status: 204 No Content