SCIM Service Provider API Overview
This feature is only available in the Enterprise plan. Please visit our pricing page to learn more.
Overview
This API is used to retrieve information about the configuration of the FusionAuth SCIM Service Provider as specified in the RFC.
Retrieve Resource Types
Request
GET /api/scim/resource/v2/ResourceTypes
Retrieve a Resource Type by Id
GET /api/scim/resource/v2/ResourceTypes/{resourceTypeId}
Request Parameters
- resourceTypeId [String] Optional
  The unique Resource Type Id, such as User.
Response
The response for this API contains the ResourceType(s) in standard SCIM schema.
Code | Description |
---|---|
200 | The request was successful. The response will contain a JSON body. |
400 | The request was invalid and/or malformed. The response will contain a SCIM Error JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid JWT in your Authorization header. The response will be empty. Ensure you’ve correctly set up Entities and performed a Client Credentials grant. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
For FusionAuth SCIM endpoints, any error responses will be returned in standard SCIM schema. See more details in the SCIM API Overview.
The SCIM specification allows for customization of the schemas using extensions. Therefore, it is not possible to accurately document all the possible variations.
The following is the default response body. However, you can customize the schemas portion of the response by modifying the schemas setting.
This example is taken from the SCIM RFC, which describes the SCIM ResourceTypes schema. For the full specification, see the RFC.
Response Body
{
"itemsPerPage": 10,
"Resources": [
{
"description": "User Account",
"endpoint": "/Users",
"id": "User",
"meta": {
"location": "https://piedpiper.com/api/scim/v2/ResourceTypes/User",
"resourceType": "ResourceType"
},
"name": "User",
"schema": "urn:ietf:params:scim:schemas:core:2.0:User",
"schemaExtensions": [
{
"required": true,
"schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
]
},
{
"description": "Group",
"endpoint": "/Groups",
"id": "Group",
"meta": {
"location": "https://piedpiper.com/api/scim/v2/ResourceTypes/Group",
"resourceType": "ResourceType"
},
"name": "Group",
"schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"startIndex": 1,
"totalResults": 2
}
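The following added example (not FusionAuth's code) shows how a provisioning client can use this response to check that a resource declares every schema its resource type requires, before sending it. It assumes the RFC 7643 meaning of `schemaExtensions.required`; the sample user payload is constructed.

```python
import json

# Trimmed copy of the default ResourceTypes ListResponse shown above.
RESOURCE_TYPES = json.loads("""
{"Resources": [
   {"id": "User", "endpoint": "/Users",
    "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
    "schemaExtensions": [
      {"required": true,
       "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"}]},
   {"id": "Group", "endpoint": "/Groups",
    "schema": "urn:ietf:params:scim:schemas:core:2.0:Group"}],
 "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "totalResults": 2}
""")

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def required_schemas(list_response):
    """Map each endpoint to the schema URNs a resource sent there must declare."""
    if LIST_RESPONSE not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = list_response.get("Resources", [])
    if list_response.get("totalResults") != len(resources):
        # A partial page would silently drop resource types from the map.
        raise ValueError("incomplete page: totalResults != len(Resources)")
    result = {}
    for rt in resources:
        urns = [rt["schema"]]
        # schemaExtensions is absent for Group in the default response.
        urns += [e["schema"] for e in rt.get("schemaExtensions", [])
                 if e.get("required")]
        result[rt["endpoint"]] = urns
    return result


def missing_schemas(required, endpoint, resource):
    """Return the required URNs that the resource's own schemas array omits."""
    declared = set(resource.get("schemas", []))
    return [urn for urn in required[endpoint] if urn not in declared]


# Constructed payload: declares only the core User schema.
SAMPLE_USER = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
               "userName": "richard@piedpiper.com"}

if __name__ == "__main__":
    print(missing_schemas(required_schemas(RESOURCE_TYPES), "/Users", SAMPLE_USER))
```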
Retrieve Schemas
Request
GET /api/scim/resource/v2/Schemas
GET /api/scim/resource/v2/Schemas/{schemaId}
Request Parameters
- schemaId [String] Optional
  The unique Schema Id, such as urn:ietf:params:scim:schemas:core:2.0:User.
Response
The response for this API contains the Schema definition(s) in standard SCIM schema.
Code | Description |
---|---|
200 | The request was successful. The response will contain a JSON body. |
400 | The request was invalid and/or malformed. The response will contain a SCIM Error JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid JWT in your Authorization header. The response will be empty. Ensure you’ve correctly set up Entities and performed a Client Credentials grant. |
404 | The object doesn’t exist. The response will be empty. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
For FusionAuth SCIM endpoints, any error responses will be returned in standard SCIM schema. See more details in the SCIM API Overview.
The SCIM specification allows for customization of the schemas using extensions. Therefore, it is not possible to accurately document all the possible variations.
The following is the default response body. However, you can customize this response by modifying the Tenant’s schemas setting.
This example is taken from RFC 7643, section 7.
Response Body
{
"itemsPerPage": 4,
"Resources": [
{
"attributes": [],
"description": "Enterprise User",
"id": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"meta": {
"location": "https://piedpiper.com/api/scim/resource/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"resourceType": "Schema"
},
"name": "EnterpriseUser"
},
{
"attributes": [
{
"caseExact": false,
"description": "A human-readable name for the Group. REQUIRED.",
"multiValued": false,
"mutability": "readWrite",
"name": "displayName",
"required": false,
"returned": "default",
"type": "string",
"uniqueness": "none"
},
{
"description": "A list of members of the Group.",
"multiValued": true,
"mutability": "readWrite",
"name": "members",
"required": false,
"returned": "default",
"subAttributes": [
{
"caseExact": false,
"description": "Identifier of the member of this Group.",
"multiValued": false,
"mutability": "immutable",
"name": "value",
"required": false,
"returned": "default",
"type": "string",
"uniqueness": "none"
},
{
"caseExact": false,
"description": "The URI corresponding to a SCIM resource that is a member of this Group.",
"multiValued": false,
"mutability": "immutable",
"name": "$ref",
"referenceTypes": [
"Group",
"User"
],
"required": false,
"returned": "default",
"type": "reference",
"uniqueness": "none"
}
],
"type": "complex"
}
],
"description": "Group",
"id": "urn:ietf:params:scim:schemas:core:2.0:Group",
"meta": {
"location": "https://piedpiper.com/api/scim/resource/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group",
"resourceType": "Schema"
},
"name": "Group"
},
{
"attributes": [
{
"caseExact": false,
"description": "Unique identifier for the User, typically used by the user to directly authenticate to the service provider. Each User MUST include a non-empty userName value. REQUIRED.",
"multiValued": false,
"mutability": "readWrite",
"name": "userName",
"required": true,
"returned": "default",
"type": "string",
"uniqueness": "server"
},
{
"description": "A Boolean value indicating the User's administrative status.",
"multiValued": false,
"mutability": "readWrite",
"name": "active",
"required": false,
"returned": "default",
"type": "boolean"
}
],
"description": "User Account",
"id": "urn:ietf:params:scim:schemas:core:2.0:User",
"meta": {
"location": "https://piedpiper.com/api/scim/resource/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User",
"resourceType": "Schema"
},
"name": "User"
},
{
"attributes": [
{
"description": "A list of field errors.",
"multiValued": true,
"mutability": "immutable",
"name": "fieldErrors",
"required": false,
"returned": "default",
"subAttributes": [
{
"attributes": [
{
"caseExact": false,
"description": "The Fusion Auth error code",
"multiValued": false,
"mutability": "immutable",
"name": "code",
"required": false,
"returned": "default",
"type": "string",
"uniqueness": "none"
},
{
"caseExact": false,
"description": "The Fusion Auth error message",
"multiValued": false,
"mutability": "immutable",
"name": "message",
"required": false,
"returned": "default",
"type": "string",
"uniqueness": "none"
}
],
"description": "A list of field errors.",
"multiValued": true,
"mutability": "immutable",
"name": "object.fieldName",
"required": false,
"returned": "default"
}
],
"type": "complex"
},
{
"description": "A list of general errors.",
"multiValued": true,
"mutability": "immutable",
"name": "generalErrors",
"required": false,
"returned": "default",
"subAttributes": [
{
"caseExact": false,
"description": "The Fusion Auth error code",
"multiValued": false,
"mutability": "immutable",
"name": "code",
"required": false,
"returned": "default",
"type": "string",
"uniqueness": "none"
},
{
"caseExact": false,
"description": "The Fusion Auth error data",
"multiValued": true,
"mutability": "immutable",
"name": "data",
"required": false,
"returned": "default",
"type": "complex",
"uniqueness": "none"
},
{
"caseExact": false,
"description": "The Fusion Auth error message",
"multiValued": false,
"mutability": "immutable",
"name": "message",
"required": false,
"returned": "default",
"type": "string",
"uniqueness": "none"
}
],
"type": "complex"
}
],
"description": "FusionAuth Errors",
"id": "urn:ietf:params:scim:schemas:extension:fusionauth:2.0:Error",
"meta": {
"location": "https://piedpiper.com/api/scim/resource/v2/Schemas/urn:ietf:params:scim:schemas:extension:fusionauth:2.0:Error",
"resourceType": "Schema"
},
"name": "FusionAuthError"
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"startIndex": 1,
"totalResults": 4
}
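The following added example (not FusionAuth's code) shows a schema-driven check a SCIM client can run on an outgoing User or Group payload, using the attribute definitions returned by this endpoint. The definitions are copied from the response above and trimmed; the two payloads are constructed, and the validator covers only the attribute types that appear on this page.

```python
import json

# Attribute definitions copied from the default /Schemas response above,
# trimmed to the fields this validator reads.
SCHEMAS = json.loads("""
{"urn:ietf:params:scim:schemas:core:2.0:User": [
  {"name": "userName", "type": "string", "multiValued": false, "required": true},
  {"name": "active", "type": "boolean", "multiValued": false, "required": false}],
 "urn:ietf:params:scim:schemas:core:2.0:Group": [
  {"name": "displayName", "type": "string", "multiValued": false, "required": false},
  {"name": "members", "type": "complex", "multiValued": true, "required": false,
   "subAttributes": [
    {"name": "value", "type": "string", "multiValued": false, "required": false},
    {"name": "$ref", "type": "reference", "multiValued": false, "required": false}]}]}
""")

# JSON value type expected for each SCIM attribute type that appears above.
JSON_TYPES = {"string": str, "reference": str, "boolean": bool, "complex": dict}


def validate(attributes, resource, prefix=""):
    """Return the problems found when checking resource against attributes."""
    problems = []
    for attr in attributes:
        name = prefix + attr["name"]
        value = resource.get(attr["name"])
        if value is None:
            if attr["required"]:
                problems.append(f"{name}: required attribute missing")
            continue
        if attr["multiValued"] and not isinstance(value, list):
            problems.append(f"{name}: must be an array")
            continue
        for item in value if attr["multiValued"] else [value]:
            if not isinstance(item, JSON_TYPES[attr["type"]]):
                problems.append(f"{name}: expected {attr['type']}")
            elif attr["type"] == "complex":
                # Recurse into subAttributes, e.g. members.value and members.$ref.
                problems += validate(attr.get("subAttributes", []), item, name + ".")
            elif attr["required"] and item == "":
                problems.append(f"{name}: must not be empty")
    return problems


# Constructed payloads, each with deliberate mistakes.
BAD_USER = {"userName": "", "active": "true"}
BAD_GROUP = {"displayName": "Engineering", "members": [{"value": 42}]}

if __name__ == "__main__":
    print(validate(SCHEMAS["urn:ietf:params:scim:schemas:core:2.0:User"], BAD_USER))
    print(validate(SCHEMAS["urn:ietf:params:scim:schemas:core:2.0:Group"], BAD_GROUP))
```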
Retrieve Service Provider Configuration
Request
Retrieve Service Provider Configuration
GET /api/scim/resource/v2/ServiceProviderConfig
Response
The response for this API contains the Service Provider Configuration in standard SCIM schema.
Code | Description |
---|---|
200 | The request was successful. The response will contain a JSON body. |
400 | The request was invalid and/or malformed. The response will contain a SCIM Error JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid JWT in your Authorization header. The response will be empty. Ensure you’ve correctly set up Entities and performed a Client Credentials grant. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
For FusionAuth SCIM endpoints, any error responses will be returned in standard SCIM schema. See more details in the SCIM API Overview.
The SCIM specification allows for customization of the schemas using extensions. Therefore, it is not possible to accurately document all the possible variations.
The following response body is taken from the SCIM RFC, which describes the SCIM Service Provider Configuration schema. For the full specification, see the RFC.
Response Body
{
"authenticationSchemes": [
{
"description": "Authentication scheme using the OAuth Bearer Token Standard",
"name": "OAuth2 Bearer Token",
"primary": true,
"specUri": "http://www.rfc-editor.org/info/rfc6750",
"type": "oauthbearertoken"
}
],
"bulk": {
"supported": false
},
"changePassword": {
"supported": true
},
"etag": {
"supported": false
},
"filter": {
"maxResults": 500,
"supported": false
},
"meta": {
"location": "https://piedpiper.com/api/scim/resource/v2/ServiceProviderConfig",
"resourceType": "ServiceProviderConfig"
},
"patch": {
"supported": false
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
],
"sort": {
"supported": false
}
}
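The following added example (not FusionAuth's code) shows a pre-flight check that compares a planned SCIM request against the feature flags in this response and names the unsupported features it would rely on. The `/Bulk` path, the `filter`, `sortBy` and `sortOrder` query parameters and the `If-Match` / `If-None-Match` headers are the RFC 7644 names; the request URLs used with it are constructed.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Feature flags copied from the default ServiceProviderConfig shown above.
CONFIG = json.loads("""
{"bulk": {"supported": false}, "changePassword": {"supported": true},
 "etag": {"supported": false}, "filter": {"maxResults": 500, "supported": false},
 "patch": {"supported": false}, "sort": {"supported": false},
 "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"]}
""")


def supported(config, feature):
    """True only if the feature block exists and says supported (fail closed)."""
    return bool(config.get(feature, {}).get("supported", False))


def unsupported_features(config, method, url, headers=None):
    """List the unsupported features a planned request would rely on."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    header_names = {name.lower() for name in (headers or {})}
    used = []
    if method.upper() == "PATCH":
        used.append("patch")
    if method.upper() == "POST" and parts.path.rstrip("/").endswith("/Bulk"):
        used.append("bulk")
    if "filter" in query:
        used.append("filter")
    if "sortBy" in query or "sortOrder" in query:
        used.append("sort")
    if header_names & {"if-match", "if-none-match"}:
        used.append("etag")
    return [feature for feature in used if not supported(config, feature)]


if __name__ == "__main__":
    # Constructed request: filtered, sorted, conditional GET on /Users.
    base = "https://piedpiper.com/api/scim/resource/v2"
    url = base + "/Users?filter=userName%20eq%20%22richard%22&sortBy=userName"
    print(unsupported_features(CONFIG, "GET", url, {"If-Match": 'W/"1"'}))
```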