FusionAuth developer image
FusionAuth developer logo
  • Back to site
  • Expert Advice
  • Blog
  • Developers
  • Downloads
  • Account
  • Contact sales
Navigate to...
  • Welcome
  • Getting Started
  • 5-Minute Setup Guide
  • Release Notes
  • Core Concepts
    • Overview
    • Users
    • Roles
    • Groups
    • Entity Management
    • Registrations
    • Applications
    • Tenants
    • Identity Providers
    • Key Master
    • SCIM
    • Search
    • Authentication and Authorization
    • Integration Points
    • Localization and Internationalization
    • Editions and Features
    • Roadmap
  • Installation Guide
    • Overview
    • System Requirements
    • Server Layout
    • Cloud
    • Cluster
    • Docker
    • Fast Path
    • Kubernetes
      • Overview
      • Deployment Guide
      • Minikube Setup
      • Amazon EKS Setup
      • Google GKE Setup
      • Microsoft AKS Setup
    • Kickstart™
    • Homebrew
    • Packages
    • Database
    • FusionAuth App
    • FusionAuth Search
    • Common Configuration
  • Admin Guide
    • Overview
    • Account Portal
    • Config Management
    • Licensing
    • Monitoring
    • Proxy Setup
    • Securing
    • Technical Support
    • Troubleshooting
    • Upgrading
  • Migration Guide
    • Overview
    • General
    • Auth0
    • Keycloak
    • Amazon Cognito
    • Firebase
    • Tutorial
  • APIs
    • Overview
    • Authentication
    • Errors
    • Actioning Users
    • API Keys
    • Applications
    • Audit Logs
    • Connectors
      • Overview
      • Generic
      • LDAP
    • Consents
    • Emails
    • Entity Management
      • Overview
      • Entities
      • Entity Types
      • Grants
    • Event Logs
    • Families
    • Forms
    • Form Fields
    • Groups
    • Identity Providers
      • Overview
      • Links
      • Apple
      • External JWT
      • Epic Games
      • Facebook
      • Google
      • HYPR
      • LinkedIn
      • Nintendo
      • OpenID Connect
      • SAML v2
      • SAML v2 IdP Initiated
      • Sony PlayStation Network
      • Steam
      • Twitch
      • Twitter
      • Xbox
    • Integrations
    • IP Access Control Lists
    • JWT
    • Keys
    • Lambdas
    • Login
    • Message Templates
    • Messengers
      • Overview
      • Generic
      • Kafka
      • Twilio
    • Multi-Factor/Two Factor
    • Passwordless
    • Reactor
    • Registrations
    • Reports
    • SCIM
      • Overview
      • SCIM EnterpriseUser
      • SCIM Group
      • SCIM Service Provider Config.
      • SCIM User
    • System
    • Tenants
    • Themes
    • Users
    • User Actions
    • User Action Reasons
    • User Comments
    • Webhooks
  • Client Libraries
    • Overview
    • Dart
    • Go
    • Java
    • JavaScript
    • .NET Core
    • Node
    • OpenAPI
    • PHP
    • Python
    • Ruby
    • Typescript
  • Themes
    • Overview
    • Examples
    • Helpers
    • Localization
    • Template Variables
  • Email & Templates
    • Overview
    • Configure Email
    • Email Templates
    • Email Variables
    • Message Templates
  • Events & Webhooks
    • Overview
    • Writing a Webhook
    • Securing Webhooks
    • Events
      • Overview
      • Audit Log Create
      • Event Log Create
      • JWT Public Key Update
      • JWT Refresh
      • JWT Refresh Token Revoke
      • Kickstart Success
      • User Action
      • User Bulk Create
      • User Create
      • User Create Complete
      • User Deactivate
      • User Delete
      • User Delete Complete
      • User Email Update
      • User Email Verified
      • User IdP Link
      • User IdP Unlink
      • User Login Failed
      • User Login Id Duplicate Create
      • User Login Id Duplicate Update
      • User Login New Device
      • User Login Success
      • User Login Suspicious
      • User Password Breach
      • User Password Reset Send
      • User Password Reset Start
      • User Password Reset Success
      • User Password Update
      • User Reactivate
      • User Registration Create
      • User Registration Create Complete
      • User Registration Delete
      • User Registration Delete Complete
      • User Registration Update
      • User Registration Update Complete
      • User Registration Verified
      • User Two Factor Method Add
      • User Two Factor Method Remove
      • User Update
      • User Update Complete
  • Example Apps
    • Overview
    • Dart
    • Go
    • Java
    • JavaScript
    • .NET Core
    • PHP
    • Python
    • Ruby
  • Lambdas
    • Overview
    • Apple Reconcile
    • Client Cred. JWT Populate
    • Epic Games Reconcile
    • External JWT Reconcile
    • Facebook Reconcile
    • Google Reconcile
    • HYPR Reconcile
    • JWT Populate
    • LDAP Connector Reconcile
    • LinkedIn Reconcile
    • Nintendo Reconcile
    • OpenID Connect Reconcile
    • SAML v2 Populate
    • SAML v2 Reconcile
    • SCIM Group Req. Converter
    • SCIM Group Resp. Converter
    • SCIM User Req. Converter
    • SCIM User Resp. Converter
    • Sony PSN Reconcile
    • Steam Reconcile
    • Twitch Reconcile
    • Twitter Reconcile
    • Xbox Reconcile
  • Identity Providers
    • Overview
    • Apple
    • Epic Games
    • External JWT
      • Overview
      • Example
    • Facebook
    • Google
    • HYPR
    • LinkedIn
    • Nintendo
    • OpenID Connect
      • Overview
      • Azure AD
      • Discord
      • Github
    • Sony PlayStation Network
    • Steam
    • Twitch
    • Twitter
    • SAML v2
      • Overview
      • ADFS
    • SAML v2 IdP Initiated
      • Overview
      • Okta
    • Xbox
  • Messengers
    • Overview
    • Generic Messenger
    • Kafka Messenger
    • Twilio Messenger
  • Connectors
    • Overview
    • Generic Connector
    • LDAP Connector
    • FusionAuth Connector
  • Self Service Account Mgmt
    • Overview
    • Updating User Data & Password
    • Add Two-Factor Authenticator
    • Add Two-Factor Email
    • Add Two-Factor SMS
    • Customizing
    • Troubleshooting
  • Advanced Threat Detection
    • Overview
  • Integrations
    • Overview
    • CleanSpeak
    • Kafka
    • Twilio
  • OpenID Connect & OAuth 2.0
    • Overview
    • Endpoints
    • Tokens
  • SAML v2 IdP
    • Overview
    • Google
    • Zendesk
  • Plugins
    • Plugins
    • Writing a Plugin
    • Custom Password Hashing
  • Guides
    • Overview
    • Advanced Registration Forms
    • Breached Password Detection
    • Multi-Factor Authentication
    • Multi-Tenant
    • Passwordless
    • Securing Your APIs
    • Silent Mode
    • Single Sign-on
  • Tutorials
    • Overview
    • User Control & Gating
      • Gate Unverified Users
      • Gate Unverified Registrations
      • User Account Lockout
    • Setup Wizard & First Login
    • Register/Login a User
    • Start and Stop FusionAuth
    • Authentication Tokens
    • Key Rotation
    • JSON Web Tokens
    • Prometheus Setup
    • Switch Search Engines
    • Two Factor (pre 1.26)
  • Reference
    • CORS
    • Configuration
    • Data Types
    • Known Limitations
    • Password Hashes

    SCIM EnterpriseUser APIs

    Overview

    This page contains all of the APIs for managing Users through SCIM EnterpriseUser requests.

    • Create an EnterpriseUser

    • Delete an EnterpriseUser

    • Retrieve an EnterpriseUser

    • Update an EnterpriseUser

    Create an EnterpriseUser

    This API is used to create a new FusionAuth User from a SCIM request

    Request

    Create an EnterpriseUser from a SCIM request

    URI

    POST /api/scim/resource/v2/EnterpriseUsers

    Where my field definitions at!?!

    Because the SCIM specification allows for customization of the schemas using extensions, there is no way to accurately document all the JSON structure possibilities.

    The following is just an example of a typical SCIM EnterpriseUser request body a SCIM client might send. However, your incoming request lambda must map these values to populate the FusionAuth User. A default lambda is provided for you that would handle a request like this example.

    This is taken from the SCIM Schema RFC describing a SCIM EnterpriseUser schema. For the full specification you can find the RFC.

    Example Request Body

    Example Request JSON
    {
      "active": true,
      "emails":[
        {
          "value":"example@fusionauth.io",
          "type":"work",
          "primary": true
        }
      ],
      "externalId":"cc6714c6-286c-411c-a6bc-ee413cda1dbc",
      "name":{
        "familyName": "Doe",
        "formatted": "John Doe",
        "givenName": "John",
        "honorificPrefix": "Mr.",
        "honorificSuffix": "III",
        "middleName": "William"
      },
      "password": "supersecret",
      "phoneNumbers":[
        {
          "primary": true,
          "type":"mobile",
          "value":"303-555-1234"
        }
      ],
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "costCenter": "123",
        "department": "",
        "division": "R&D",
        "employeeNumber": "42",
        "manager": {
          "displayName": "Bob",
          "$ref": "https://login.piedpiper.com/api/scim/resource/v2/EnterpriseUsers/550f49a9-7697-4e73-95e6-08b50a864b03",
          "value": "550f49a9-7697-4e73-95e6-08b50a864b03"
        }
      },
      "userName":"johnny123"
    }

    Response

    The response for this API contains the User that was just created in SCIM schema format.

    Table 1. Response Codes
    Code Description

    200

    The request was successful. The response will contain a JSON body.

    400

    The request was invalid and/or malformed. The response will contain a SCIM Error JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

    401

    You did not supply a valid JWT in your Authorization header. The response will be empty. Ensure you’ve correctly set up Entities and performed a Client Credentials grant.

    500

    There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

    503

    The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

    504

    One or more Webhook endpoints returned an invalid response or were unreachable. Based on the transaction configuration for this event your action cannot be completed. A stack trace is provided and logged in the FusionAuth log files.

    For FusionAuth SCIM endpoints, any error responses will be returned in standard SCIM schema. See more details in the SCIM API Overview.

    Where my field definitions at!?!

    Because the SCIM specification allows for customization of the schemas using extensions, there is no way to accurately document all the JSON structure possibilities.

    The following is just an example of a typical SCIM EnterpriseUser response body a SCIM client might send. However, your incoming request lambda must map these values to populate the FusionAuth User. A default lambda is provided for you that would handle a response like this example.

    This is taken from the SCIM Schema RFC describing a SCIM EnterpriseUser schema. For the full specification you can find the RFC.

    Example Response Body

    Example Response JSON
    {
      "active": true,
      "emails":[
        {
          "primary": true,
          "type":"work",
          "value":"example@fusionauth.io"
        }
      ],
      "externalId":"cc6714c6-286c-411c-a6bc-ee413cda1dbc",
      "id": "2819c223-7f76-453a-919d-413861904600",
      "meta" : {
        "created" : "2022-04-12T21:59:23.279Z",
        "lastModified" : "2022-04-12T21:59:23.279Z",
        "location" : "https://piedpiper.com/api/scim/resource/v2/EnterpriseUsers/550f49a9-7697-4e73-95e6-08b50a864b03",
        "resourceType" : "EnterpriseUser"
      },
      "name":{
        "familyName": "Doe",
        "formatted": "John Doe",
        "givenName": "John",
        "honorificPrefix": "Mr.",
        "honorificSuffix": "III",
        "middleName": "William"
      },
      "phoneNumbers":[
        {
          "primary": true,
          "type":"mobile",
          "value":"303-555-1234"
        }
      ],
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "division": "R&D",
        "employeeNumber": "42",
        "manager": {
          "displayName": "Bob",
          "$ref": "https://login.piedpiper.com/api/scim/resource/v2/EnterpriseUsers/550f49a9-7697-4e73-95e6-08b50a864b03",
          "value": "550f49a9-7697-4e73-95e6-08b50a864b03"
        }
      },
      "userName":"johnny123"
    }

    Delete an EnterpriseUser

    This API is used to hard delete a FusionAuth User through a SCIM request. You must specify the Id of the User on the URI.

    The data of a User who has been hard deleted is permanently removed from FusionAuth. The User’s data cannot be restored via the FusionAuth API or the administrative user interface. If you need to restore the User’s data, you must retrieve it from a database backup.

    Request

    Delete an EnterpriseUser through a SCIM request

    URI

    DELETE /api/scim/resource/v2/EnterpriseUsers/{userId}

    Request Parameters

    userId [UUID] Optional

    The FusionAuth unique User Id.

    Response

    This API does not return a JSON response body.

    Table 2. Response Codes
    Code Description

    204

    The request was successful. The response will be empty.

    400

    The request was invalid and/or malformed. The response will contain a SCIM Error JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

    401

    You did not supply a valid JWT in your Authorization header. The response will be empty. Ensure you’ve correctly set up Entities and performed a Client Credentials grant.

    404

    The object doesn’t exist. The response will be empty.

    500

    There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

    503

    The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

    504

    One or more Webhook endpoints returned an invalid response or were unreachable. Based on the transaction configuration for this event your action cannot be completed. A stack trace is provided and logged in the FusionAuth log files.

    For FusionAuth SCIM endpoints, any error responses will be returned in standard SCIM schema. See more details in the SCIM API Overview.

    Retrieve an EnterpriseUser

    This API is used to retrieve a FusionAuth User in SCIM schema format through a SCIM request.

    Request

    Retrieves an EnterpriseUser through a SCIM request

    URI

    GET /api/scim/resource/v2/EnterpriseUsers/{userId}

    Request Parameters

    userId [UUID] Optional

    The FusionAuth unique User Id.

    Response

    The response for this API contains the User in SCIM schema format.

    Table 3. Response Codes
    Code Description

    200

    The request was successful. The response will contain a JSON body.

    400

    The request was invalid and/or malformed. The response will contain a SCIM Error JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

    401

    You did not supply a valid JWT in your Authorization header. The response will be empty. Ensure you’ve correctly set up Entities and performed a Client Credentials grant.

    404

    The object doesn’t exist. The response will be empty.

    500

    There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

    503

    The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

    For FusionAuth SCIM endpoints, any error responses will be returned in standard SCIM schema. See more details in the SCIM API Overview.

    Where my field definitions at!?!

    Because the SCIM specification allows for customization of the schemas using extensions, there is no way to accurately document all the JSON structure possibilities.

    The following is just an example of a typical SCIM EnterpriseUser response body a SCIM client might send. However, your incoming request lambda must map these values to populate the FusionAuth User. A default lambda is provided for you that would handle a response like this example.

    This is taken from the SCIM Schema RFC describing a SCIM EnterpriseUser schema. For the full specification you can find the RFC.

    Example Response Body

    Example Response JSON
    {
      "active": true,
      "emails":[
        {
          "primary": true,
          "type":"work",
          "value":"example@fusionauth.io"
        }
      ],
      "externalId":"cc6714c6-286c-411c-a6bc-ee413cda1dbc",
      "id": "2819c223-7f76-453a-919d-413861904600",
      "meta" : {
        "created" : "2022-04-12T21:59:23.279Z",
        "lastModified" : "2022-04-12T21:59:23.279Z",
        "location" : "https://piedpiper.com/api/scim/resource/v2/EnterpriseUsers/550f49a9-7697-4e73-95e6-08b50a864b03",
        "resourceType" : "EnterpriseUser"
      },
      "name":{
        "familyName": "Doe",
        "formatted": "John Doe",
        "givenName": "John",
        "honorificPrefix": "Mr.",
        "honorificSuffix": "III",
        "middleName": "William"
      },
      "phoneNumbers":[
        {
          "primary": true,
          "type":"mobile",
          "value":"303-555-1234"
        }
      ],
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "division": "R&D",
        "employeeNumber": "42",
        "manager": {
          "displayName": "Bob",
          "$ref": "https://login.piedpiper.com/api/scim/resource/v2/EnterpriseUsers/550f49a9-7697-4e73-95e6-08b50a864b03",
          "value": "550f49a9-7697-4e73-95e6-08b50a864b03"
        }
      },
      "userName":"johnny123"
    }

    Update an EnterpriseUser

    This API is used to update a new FusionAuth User from a SCIM request. The FusionAuth User will be overwritten by the data contained in the request. It is not a partial update or a patch.

    Request

    Updates an EnterpriseUser from a SCIM request

    URI

    PUT /api/scim/resource/v2/EnterpriseUsers/{userId}

    Request Parameters

    userId [UUID] Optional

    The FusionAuth unique User Id.

    Where my field definitions at!?!

    Because the SCIM specification allows for customization of the schemas using extensions, there is no way to accurately document all the JSON structure possibilities.

    The following is just an example of a typical SCIM EnterpriseUser request body a SCIM client might send. However, your incoming request lambda must map these values to populate the FusionAuth User. A default lambda is provided for you that would handle a request like this example.

    This is taken from the SCIM Schema RFC describing a SCIM EnterpriseUser schema. For the full specification you can find the RFC.

    Example Request Body

    Example Request JSON
    {
      "active": true,
      "emails":[
        {
          "value":"example@fusionauth.io",
          "type":"work",
          "primary": true
        }
      ],
      "externalId":"cc6714c6-286c-411c-a6bc-ee413cda1dbc",
      "name":{
        "familyName": "Doe",
        "formatted": "John Doe",
        "givenName": "John",
        "honorificPrefix": "Mr.",
        "honorificSuffix": "III",
        "middleName": "William"
      },
      "password": "supersecret",
      "phoneNumbers":[
        {
          "primary": true,
          "type":"mobile",
          "value":"303-555-1234"
        }
      ],
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "costCenter": "123",
        "department": "",
        "division": "R&D",
        "employeeNumber": "42",
        "manager": {
          "displayName": "Bob",
          "$ref": "https://login.piedpiper.com/api/scim/resource/v2/EnterpriseUsers/550f49a9-7697-4e73-95e6-08b50a864b03",
          "value": "550f49a9-7697-4e73-95e6-08b50a864b03"
        }
      },
      "userName":"johnny123"
    }

    Response

    The response for this API contains the User that was updated in SCIM schema format.

    Table 4. Response Codes
    Code Description

    200

    The request was successful. The response will contain a JSON body.

    400

    The request was invalid and/or malformed. The response will contain a SCIM Error JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.

    401

    You did not supply a valid JWT in your Authorization header. The response will be empty. Ensure you’ve correctly set up Entities and performed a Client Credentials grant.

    404

    The object doesn’t exist. The response will be empty.

    500

    There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.

    503

    The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.

    504

    One or more Webhook endpoints returned an invalid response or were unreachable. Based on the transaction configuration for this event your action cannot be completed. A stack trace is provided and logged in the FusionAuth log files.

    For SCIM endpoints, error responses will be returned in standard SCIM schema. See more details in the SCIM API Overview.

    Where my field definitions at!?!

    Because the SCIM specification allows for customization of the schemas using extensions, there is no way to accurately document all the JSON structure possibilities.

    The following is just an example of a typical SCIM EnterpriseUser response body a SCIM client might send. However, your incoming request lambda must map these values to populate the FusionAuth User. A default lambda is provided for you that would handle a response like this example.

    This is taken from the SCIM Schema RFC describing a SCIM EnterpriseUser schema. For the full specification you can find the RFC.

    Example Response Body

    Example Response JSON
    {
      "active": true,
      "emails":[
        {
          "primary": true,
          "type":"work",
          "value":"example@fusionauth.io"
        }
      ],
      "externalId":"cc6714c6-286c-411c-a6bc-ee413cda1dbc",
      "id": "2819c223-7f76-453a-919d-413861904600",
      "meta" : {
        "created" : "2022-04-12T21:59:23.279Z",
        "lastModified" : "2022-04-12T21:59:23.279Z",
        "location" : "https://piedpiper.com/api/scim/resource/v2/EnterpriseUsers/550f49a9-7697-4e73-95e6-08b50a864b03",
        "resourceType" : "EnterpriseUser"
      },
      "name":{
        "familyName": "Doe",
        "formatted": "John Doe",
        "givenName": "John",
        "honorificPrefix": "Mr.",
        "honorificSuffix": "III",
        "middleName": "William"
      },
      "phoneNumbers":[
        {
          "primary": true,
          "type":"mobile",
          "value":"303-555-1234"
        }
      ],
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "division": "R&D",
        "employeeNumber": "42",
        "manager": {
          "displayName": "Bob",
          "$ref": "https://login.piedpiper.com/api/scim/resource/v2/EnterpriseUsers/550f49a9-7697-4e73-95e6-08b50a864b03",
          "value": "550f49a9-7697-4e73-95e6-08b50a864b03"
        }
      },
      "userName":"johnny123"
    }

    Feedback

    How helpful was this page?

    See a problem?

    File an issue in our docs repo

    © 2021 FusionAuth
    Subscribe for developer updates