SCIM

SCIM Provisioning for Organizations

The SCIM API is used by SCIM-enabled Identity Providers (IdPs) to automate provisioning of GitHub organization membership. The GitHub API is based on version 2.0 of the SCIM standard. The GitHub SCIM endpoint that an IdP should use is: https://api.github.com/scim/v2/organizations/:org/.

Please note that the SCIM API is available only to organizations on GitHub Enterprise Cloud with SAML SSO enabled. For more information about SCIM, see "About SCIM" in the GitHub Help documentation.

Authenticating calls to the SCIM API

You must authenticate as an owner of a GitHub organization to use its SCIM API. The API expects an OAuth 2.0 Bearer token to be included in the Authorization header. You may also use a personal access token, but you must first authorize it for use with your SAML SSO organization.

Mapping of SAML and SCIM data

Make sure to configure your SAML Identity Provider and your SCIM client to have identical NameID and userName values for the same user. This provides the ability for a user authenticating using SAML to be linked to their identity that is already provisioned using SCIM.

Supported SCIM User attributes

Name Type Description
userName string The username for the user.
name.givenName string The first name of the user.
name.lastName string The last name of the user.
emails array List of user emails.
externalId string This identifier is generated by the SAML provider, and is used as a unique ID by the SAML provider to match against a GitHub user. You can find the externalID for a user either at the SAML provider, or using the Get a list of provisioned identities endpoint and filtering on other known attributes, such as a user's GitHub username or email address.
id string Identifier generated by the GitHub SCIM endpoint.
active boolean Used to indicate whether the identity is active (true) or should be deprovisioned (false).

Note: Endpoint URLs for the SCIM API are case sensitive. For example, the first letter in the Users endpoint must be capitalized:

GET /scim/v2/organizations/:org/Users/:scim_user_id

Get a list of provisioned identities

GET /scim/v2/organizations/:org/Users

Parameters

Name Type Description
startIndex integer Used for pagination: the index of the first result to return.
count integer Used for pagination: the number of results to return.
filter string Filters results using the equals query parameter operator (eq). You can filter results that are equal to id, userName, emails, and external_id. For example, to search for an identity with the userName Octocat, you would use this query: ?filter=userName%20eq%20\"Octocat\".

Example

To filter for a specific email address, use the email query parameter and the eq operator:

GET /scim/v2/organizations/:org/Users?filter=emails eq user@example.com

Your filter would look like this cURL command:

curl -u octocat:$token https://api.github.com/scim/v2/organizations/octo-org/Users?filter=emails%20eq%20\"octocat@github.com\"

Response with filter

Retrieves users that match the filter. In the example, we searched only for octocat@github.com.

Status: 200 OK
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "totalResults": 1,
  "itemsPerPage": 1,
  "startIndex": 1,
  "Resources": [
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "5fc0c238-1112-11e8-8e45-920c87bdbd75",
      "externalId": "00u1dhhb1fkIGP7RL1d8",
      "userName": "octocat@github.com",
      "name": {
        "givenName": "Mona",
        "familyName": "Octocat"
      },
      "emails": [
        {
          "value": "octocat@github.com",
          "primary": true,
          "type": "work"
        }
      ],
      "active": true,
      "meta": {
        "resourceType": "User",
        "created": "2018-02-13T15:05:24.000-08:00",
        "lastModified": "2018-02-13T15:05:55.000-08:00",
        "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/5fc0c238-1112-11e8-8e45-920c87bdbd75"
      }
    }
  ]
}

Response without filter

Retrieves a paginated list of all provisioned organization members, including pending invitations.

Status: 200 OK
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "totalResults": 2,
  "itemsPerPage": 2,
  "startIndex": 1,
  "Resources": [
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "edefdfedf-050c-11e7-8d32",
      "externalId": "a7d0f98382",
      "userName": "mona.octocat@okta.example.com",
      "name": {
        "givenName": "Mona",
        "familyName": "Octocat"
      },
      "emails": [
        {
          "value": "mona.octocat@okta.example.com",
          "type": "work",
          "primary": true
        }
      ],
      "active": true,
      "meta": {
        "resourceType": "User",
        "created": "2017-03-09T16:11:13-05:00",
        "lastModified": "2017-03-09T16:11:13-05:00",
        "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
      }
    },
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "77563764-eb6-24-0598234-958243",
      "externalId": "sdfoiausdofiua",
      "userName": "hubot@example.com",
      "name": {
        "givenName": "hu",
        "familyName": "bot"
      },
      "emails": [
        {
          "value": "hubot@example.com",
          "type": "work",
          "primary": true
        }
      ],
      "active": true,
      "meta": {
        "resourceType": "User",
        "created": "2017-03-09T16:11:13-05:00",
        "lastModified": "2017-03-09T16:11:13-05:00",
        "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/77563764-eb6-24-0598234-958243"
      }
    }
  ]
}

Get provisioning details for a single user

GET /scim/v2/organizations/:org/Users/:scim_user_id

Response

Status: 200 OK
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "name": {
    "givenName": "Mona",
    "familyName": "Octocat"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "type": "work",
      "primary": true
    }
  ],
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00",
    "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
  }
}

Provision and invite users

Provision organization membership for a user, and send an activation email to the email address.

POST /scim/v2/organizations/:org/Users

As shown in the following example, you must at least provide the required values for the user: userName, name, and emails.

Example

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "userName": "mona.octocat@okta.example.com",
  "name": {
    "familyName": "Octocat",
    "givenName": "Mona"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "type": "work",
      "primary": true
    }
  ]
}

Response

Status: 201 Created
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "name": {
    "givenName": "Mona",
    "familyName": "Octocat"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "type": "work",
      "primary": true
    }
  ],
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00",
    "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
  }
}

Replace a provisioned user's information

Replaces an existing provisioned user's information. You must provide all the information required for the user as if you were provisioning them for the first time. Any existing user information that you don't provide will be removed. If you want to only update a specific attribute, use the Update a user attribute endpoint instead.

PUT /scim/v2/organizations/:org/Users/:scim_user_id

As shown in the following example, you must at least provide the required values for the user: userName, name, and emails.

Warning: Setting active: false removes the user from the organization, deletes the external identity, and deletes the associated :scim_user_id.

Example

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "userName": "mona.octocat@okta.example.com",
  "name": {
    "familyName": "Octocat",
    "givenName": "Mona"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "type": "work",
      "primary": true
    }
  ]
}

Response

Status: 200 OK
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "name": {
    "givenName": "Mona",
    "familyName": "Octocat"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "type": "work",
      "primary": true
    }
  ],
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00",
    "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
  }
}

Update a user attribute

Allows you to change a provisioned user's individual attributes. To change a user's values, you must provide a specific Operations JSON format that contains at least one of the add, remove, or replace operations.

The following example shows adding a new email address and updating the user's given name. For other examples and more information on the SCIM operations format, see the SCIM specification.

PATCH /scim/v2/organizations/:org/Users/:scim_user_id

Note: Complicated SCIM path selectors that include filters are not supported. For example, a path selector defined as "path": "emails[type eq \"work\"]" will not work.

Warning: If you set active:false using the replace operation (as shown in the JSON example below), it removes the user from the organization, deletes the external identity, and deletes the associated :scim_user_id.

{
  "Operations":[{
    "op":"replace",
    "value":{
      "active":false
    }
  }]
}

Example

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "add",
      "path": "emails",
      "value": [
        {
          "value": "monalisa@octocat.github.com",
          "type": "home"
        }
      ]
    },
    {
      "op": "replace",
      "path": "name.givenName",
      "value": "Monalisa"
    }
  ]
}

Response

Status: 200 OK
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "name": {
    "givenName": "Monalisa",
    "familyName": "Octocat"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "type": "work",
      "primary": true
    },
    {
      "value": "monalisa@octocat.github.com",
      "type": "home"
    }
  ],
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00",
    "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
  }
}

Remove a user from the organization

DELETE /scim/v2/organizations/:org/Users/:scim_user_id

Response

Status: 204 No Content