--- title: REST API endpoints for SCIM shortTitle: SCIM allowTitleToDifferFromFilename: true intro: >- Use the REST API to control and manage your GitHub organization members' access with SCIM. versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖 ghec: '*' topics: - API redirect_from: - /rest/reference/scim autogenerated: rest --- {% data reusables.scim.organization-rest-api-ghec-deployment-option %} ## About SCIM ### SCIM Provisioning for Organizations These endpoints are used by SCIM-enabled Identity Providers (IdPs) to automate provisioning of {% data variables.product.github %} organization membership and are based on version 2.0 of the [SCIM standard](http://www.simplecloud.info/). IdPs should use the base URL `{% data variables.product.rest_url %}/scim/v2/organizations/{org}/` for {% data variables.product.github %} SCIM endpoints. > [!NOTE] > * These endpoints are only available for individual organizations that use {% data variables.product.prodname_ghe_cloud %} with SAML SSO enabled. For more information about SCIM, see [AUTOTITLE](/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations). For more information about authorizing a token for a SAML SSO organization, see [AUTOTITLE](/rest/overview/authenticating-to-the-rest-api). > * These endpoints cannot be used with an enterprise account or with an {% data variables.enterprise.prodname_emu_org %}. ### Authentication You must authenticate as an owner of a {% data variables.product.github %} organization to use these endpoints. The REST API expects an OAuth 2.0 Bearer token (for example, a {% data variables.product.prodname_github_app %} user access token) to be included in the `Authorization` header. If you use a {% data variables.product.pat_v1 %} for authentication, it must have the `admin:org` scope and you must also [authorize it for use with your SAML SSO organization](/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on). ### Matching SAML and SCIM attributes To successfully link a {% data variables.product.github %} user account to a SCIM identity in an organization, specific attributes from your Identity Provider's SAML response and SCIM API provisioning call must match for a user. #### Microsoft Entra ID for SAML When using Entra ID (previously known as Azure AD) for SAML, the following SAML attribute and SCIM attribute must match. | SAML attribute | Matching SCIM attribute | | :- | :- | | `http://schemas.microsoft.com/identity/claims/objectidentifier` | `externalId` | #### Other IdPs for SAML When using other IdPs for SAML, the following SAML claims and SCIM attribute must match. | SAML attribute | Matching SCIM attribute | | :- | :- | | `NameID` | `userName` | There are two different ways a {% data variables.product.github %} user account can get linked to a SCIM identity in an organization when these SAML/SCIM attributes match: 1. For users who are not yet members of the organization: * The IdP sends a SCIM provisioning call to {% data variables.product.github %} for a user who is not a member of an organization. This generates an organization invitation and an unlinked SCIM identity in the organization. * User authenticates via SAML in the organization. * {% data variables.product.github %} automatically links the SAML and SCIM identity to the new user account in the organization. 1. For existing organization members: * The IdP sends a SCIM provisioning call to {% data variables.product.github %} for a user who is already a member of the organization. * If the organization member does not have a linked SAML identity in the organization, this generates an organization invitation and an unlinked SCIM identity in the organization. User authenticates via SAML in the organization to link their SAML and SCIM identity. * If the organization member has a linked SAML identity in the organization, {% data variables.product.github %} automatically links the SCIM identity to the existing user account in the organization. No organization invite is created. Ensuring that a user gets properly linked to their SCIM identity in the organization can help prevent unexpected issues with SCIM deprovisioning when the user's access to the app is removed on the IdP side. For more information on auditing the linked SCIM identities in an organization, see [AUTOTITLE](/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization#auditing-organization-members-on-github) ### Supported SCIM User attributes Name | Type | Description -----|------|-------------- `userName`|`string` | The username for the user. `name.givenName`|`string` | The first name of the user. `name.familyName`|`string` | The last name of the user. `emails` | `array` | List of user emails. `externalId` | `string` | This identifier is generated by the SAML provider, and is used as a unique ID by the SAML provider to match against a GitHub user. You can find the `externalID` for a user either at the SAML provider, or using the [List SCIM provisioned identities](#list-scim-provisioned-identities) endpoint and filtering on other known attributes, such as a user's GitHub username or email address. `id` | `string` | Identifier generated by the GitHub SCIM endpoint. `active` | `boolean` | Used to indicate whether the identity is active (true) or should be deprovisioned (false). > [!NOTE] > These endpoints are case sensitive. For example, the first letter in the `Users` endpoint must be capitalized: > > ```shell > GET /scim/v2/organizations/{org}/Users/{scim_user_id} > ```