bcfe4dab3b
* Add new product to products.yml * Move directory to its new location and rename it * Update new index page * Remove old category from GitHub product index * Add collaboration category * Add membership category * Add roles category * Add teams category * Add team discussion category * Add repo access category * Add project board access category * Add app management category * Add org settings category * Add improved org perms category * Add category for OAuth app restrictions * Add org security category * Add SAML category * Add SAML access category * Add git access category * Add redirects and update links for collaboration category * Add redirects and update links to team discussions content * Add redirects and update links to SAML access category * Update links to org security category and add redirects * Add redirects for app managers content * Add redirects for project board category * Add redirects and update links for the repo access category * Add redirects for git access category * Add redirects and update links for membership category * Add redirects and update links for org settings category * Fix links * Add redirects and update links to org access category * Add redirects and upate links to SSO category * Add redirects to improved org perms category * Add redirects and update links to teams category * Add redirects and update links to oauth apps category * Fix links * Fix links * Fix links
2.9 KiB
title, redirect_from, versions, topics
| title | redirect_from | versions | topics | ||||
|---|---|---|---|---|---|---|---|
| SCIM |
|
|
|
SCIM Provisioning for Organizations
The SCIM API is used by SCIM-enabled Identity Providers (IdPs) to automate provisioning of {% data variables.product.product_name %} organization membership. The {% data variables.product.product_name %} API is based on version 2.0 of the SCIM standard. The {% data variables.product.product_name %} SCIM endpoint that an IdP should use is: {% data variables.product.api_url_code %}/scim/v2/organizations/{org}/.
{% note %}
Note: The SCIM API is available only to organizations on {% data variables.product.prodname_ghe_cloud %} with SAML SSO enabled. For more information about SCIM, see "About SCIM."
{% endnote %}
Authenticating calls to the SCIM API
You must authenticate as an owner of a {% data variables.product.product_name %} organization to use its SCIM API. The API expects an OAuth 2.0 Bearer token to be included in the Authorization header. You may also use a personal access token, but you must first authorize it for use with your SAML SSO organization.
Mapping of SAML and SCIM data
The SAML IdP and the SCIM client must use matching NameID and userName values for each user. This allows a user authenticating through SAML to be linked to their provisioned SCIM identity.
Supported SCIM User attributes
| Name | Type | Description |
|---|---|---|
userName |
string |
The username for the user. |
name.givenName |
string |
The first name of the user. |
name.lastName |
string |
The last name of the user. |
emails |
array |
List of user emails. |
externalId |
string |
This identifier is generated by the SAML provider, and is used as a unique ID by the SAML provider to match against a GitHub user. You can find the externalID for a user either at the SAML provider, or using the List SCIM provisioned identities endpoint and filtering on other known attributes, such as a user's GitHub username or email address. |
id |
string |
Identifier generated by the GitHub SCIM endpoint. |
active |
boolean |
Used to indicate whether the identity is active (true) or should be deprovisioned (false). |
{% note %}
Note: Endpoint URLs for the SCIM API are case sensitive. For example, the first letter in the Users endpoint must be capitalized:
GET /scim/v2/organizations/{org}/Users/{scim_user_id}
{% endnote %}
{% include rest_operations_at_current_path %}