SCIM Provisioning for Organizations
The SCIM API is used by SCIM-enabled Identity Providers (IdPs) to automate provisioning of GitHub organization membership. The GitHub API is based on version 2.0 of the SCIM standard. The GitHub SCIM endpoint that an IdP should use is: https://api.github.com/scim/v2/organizations/{org}/
.
Notes:
- The SCIM API is available only to organizations on GitHub Enterprise Cloud with SAML SSO enabled. Provisioning and deprovisioning user access with SCIM is not available for enterprise accounts. For more information about SCIM, see "About SCIM."
- The SCIM API cannot be used with Enterprise Managed Users.
Authenticating calls to the SCIM API
You must authenticate as an owner of a GitHub organization to use its SCIM API. The API expects an OAuth 2.0 Bearer token to be included in the Authorization
header. You may also use a personal access token, but you must first authorize it for use with your SAML SSO organization.
Mapping of SAML and SCIM data
The SAML IdP and the SCIM client must use matching NameID
and userName
values for each user. This allows a user authenticating through SAML to be linked to their provisioned SCIM identity.
Supported SCIM User attributes
Name | Type | Description |
---|---|---|
userName | string | The username for the user. |
name.givenName | string | The first name of the user. |
name.lastName | string | The last name of the user. |
emails | array | List of user emails. |
externalId | string | This identifier is generated by the SAML provider, and is used as a unique ID by the SAML provider to match against a GitHub user. You can find the externalID for a user either at the SAML provider, or using the List SCIM provisioned identities endpoint and filtering on other known attributes, such as a user's GitHub username or email address. |
id | string | Identifier generated by the GitHub SCIM endpoint. |
active | boolean | Used to indicate whether the identity is active (true) or should be deprovisioned (false). |
Note: Endpoint URLs for the SCIM API are case sensitive. For example, the first letter in the Users
endpoint must be capitalized:
GET /scim/v2/organizations/{org}/Users/{scim_user_id}
List SCIM provisioned identities
Retrieves a paginated list of all provisioned organization members, including pending invitations. If you provide the filter
parameter, the resources for all matching provisions members are returned.
When a user with a SAML-provisioned external identity leaves (or is removed from) an organization, the account's metadata is immediately removed. However, the returned list of user accounts might not always match the organization or enterprise member list you see on GitHub. This can happen in certain cases where an external identity associated with an organization will not match an organization member:
- When a user with a SCIM-provisioned external identity is removed from an organization, the account's metadata is preserved to allow the user to re-join the organization in the future.
- When inviting a user to join an organization, you can expect to see their external identity in the results before they accept the invitation, or if the invitation is cancelled (or never accepted).
- When a user is invited over SCIM, an external identity is created that matches with the invitee's email address. However, this identity is only linked to a user account when the user accepts the invitation by going through SAML SSO.
The returned list of external identities can include an entry for a null
user. These are unlinked SAML identities that are created when a user goes through the following Single Sign-On (SSO) process but does not sign in to their GitHub account after completing SSO:
-
The user is granted access by the IdP and is not a member of the GitHub organization.
-
The user attempts to access the GitHub organization and initiates the SAML SSO process, and is not currently signed in to their GitHub account.
-
After successfully authenticating with the SAML SSO IdP, the
null
external identity entry is created and the user is prompted to sign in to their GitHub account:- If the user signs in, their GitHub account is linked to this entry.
- If the user does not sign in (or does not create a new account when prompted), they are not added to the GitHub organization, and the external identity
null
entry remains in place.
get /scim/v2/organizations/{org}/Users
Parameters
Name | Type | In | Description |
---|---|---|---|
accept |
string | header |
Setting to
|
org |
string | path | |
startIndex |
integer | query |
Used for pagination: the index of the first result to return. |
count |
integer | query |
Used for pagination: the number of results to return. |
filter |
string | query |
Filters results using the equals query parameter operator (
To filter results for the identity with the email
|
Code samples
Shell
curl \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/scim/v2/organizations/ORG/Users
JavaScript (@octokit/core.js)
await octokit.request('GET /scim/v2/organizations/{org}/Users', {
org: 'org'
})
Response
Status: 200 OK
Not modified
Status: 304 Not Modified
Bad Request
Status: 400 Bad Request
Forbidden
Status: 403 Forbidden
Resource not found
Status: 404 Not Found
Notes
Provision and invite a SCIM user
Provision organization membership for a user, and send an activation email to the email address.
post /scim/v2/organizations/{org}/Users
Parameters
Name | Type | In | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
accept |
string | header |
Setting to
|
||||||
org |
string | path | |||||||
userName |
string | body |
Required. Configured by the admin. Could be an email, login, or username |
||||||
displayName |
string | body |
The name of the user, suitable for display to end-users |
||||||
name |
object | body |
Required. |
||||||
Properties of the
|
givenName (string)
|
Required. |
familyName (string)
|
Required. |
formatted (string)
|
emails
Required. user emails
Properties of the
emails
items
value (string)
|
Required. |
primary (boolean)
|
|
type (string)
|
schemas
externalId
groups
active
Code samples
Shell
curl \
-X POST \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/scim/v2/organizations/ORG/Users \
-d '{"userName":"userName","name":{"givenName":"givenName","familyName":"familyName","formatted":"formatted"},"emails":["[email protected]"]}'
JavaScript (@octokit/core.js)
await octokit.request('POST /scim/v2/organizations/{org}/Users', {
org: 'org',
userName: 'userName',
name: {
givenName: 'givenName',
familyName: 'familyName',
formatted: 'formatted'
},
emails: [
'[email protected]'
]
})
Response
Status: 201 Created
Not modified
Status: 304 Not Modified
Bad Request
Status: 400 Bad Request
Forbidden
Status: 403 Forbidden
Resource not found
Status: 404 Not Found
Conflict
Status: 409 Conflict
Internal Error
Status: 500 Internal Server Error
Notes
get /scim/v2/organizations/{org}/Users/{scim_user_id}
Parameters
Name | Type | In | Description |
---|---|---|---|
accept |
string | header |
Setting to
|
org |
string | path | |
scim_user_id |
string | path |
scim_user_id parameter |
Code samples
Shell
curl \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID
JavaScript (@octokit/core.js)
await octokit.request('GET /scim/v2/organizations/{org}/Users/{scim_user_id}', {
org: 'org',
scim_user_id: 'scim_user_id'
})
Response
Status: 200 OK
Not modified
Status: 304 Not Modified
Forbidden
Status: 403 Forbidden
Resource not found
Status: 404 Not Found
Notes
Update a provisioned organization membership
Replaces an existing provisioned user's information. You must provide all the information required for the user as if you were provisioning them for the first time. Any existing user information that you don't provide will be removed. If you want to only update a specific attribute, use the Update an attribute for a SCIM user endpoint instead.
You must at least provide the required values for the user: userName
, name
, and emails
.
Warning: Setting active: false
removes the user from the organization, deletes the external identity, and deletes the associated {scim_user_id}
.
put /scim/v2/organizations/{org}/Users/{scim_user_id}
Parameters
Name | Type | In | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
accept |
string | header |
Setting to
|
||||||
org |
string | path | |||||||
scim_user_id |
string | path |
scim_user_id parameter |
||||||
schemas |
array of strings | body | |||||||
displayName |
string | body |
The name of the user, suitable for display to end-users |
||||||
externalId |
string | body | |||||||
groups |
array of strings | body | |||||||
active |
boolean | body | |||||||
userName |
string | body |
Required. Configured by the admin. Could be an email, login, or username |
||||||
name |
object | body |
Required. |
||||||
Properties of the
|
givenName (string)
|
Required. |
familyName (string)
|
Required. |
formatted (string)
|
emails
Required. user emails
Properties of the
emails
items
type (string)
|
|
value (string)
|
Required. |
primary (boolean)
|
Code samples
Shell
curl \
-X PUT \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
-d '{"userName":"userName","name":{"givenName":"givenName","familyName":"familyName","formatted":"formatted"},"emails":["[email protected]"]}'
JavaScript (@octokit/core.js)
await octokit.request('PUT /scim/v2/organizations/{org}/Users/{scim_user_id}', {
org: 'org',
scim_user_id: 'scim_user_id',
userName: 'userName',
name: {
givenName: 'givenName',
familyName: 'familyName',
formatted: 'formatted'
},
emails: [
'[email protected]'
]
})
Response
Status: 200 OK
Not modified
Status: 304 Not Modified
Forbidden
Status: 403 Forbidden
Resource not found
Status: 404 Not Found
Notes
Update an attribute for a SCIM user
Allows you to change a provisioned user's individual attributes. To change a user's values, you must provide a specific Operations
JSON format that contains at least one of the add
, remove
, or replace
operations. For examples and more information on the SCIM operations format, see the SCIM specification.
Note: Complicated SCIM path
selectors that include filters are not supported. For example, a path
selector defined as "path": "emails[type eq \"work\"]"
will not work.
Warning: If you set active:false
using the replace
operation (as shown in the JSON example below), it removes the user from the organization, deletes the external identity, and deletes the associated :scim_user_id
.
{
"Operations":[{
"op":"replace",
"value":{
"active":false
}
}]
}
patch /scim/v2/organizations/{org}/Users/{scim_user_id}
Parameters
Name | Type | In | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
accept |
string | header |
Setting to
|
||||||
org |
string | path | |||||||
scim_user_id |
string | path |
scim_user_id parameter |
||||||
schemas |
array of strings | body | |||||||
Operations |
array of objects | body |
Required. Set of operations to be performed |
||||||
Properties of the
|
op (string)
|
Required. |
path (string)
|
|
value (object or array or string)
|
Code samples
Shell
curl \
-X PATCH \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
-d '{"Operations":[{"op":"op","path":"path","value":{"active":true,"userName":"userName","externalId":"externalId","givenName":"givenName","familyName":"familyName"}}]}'
JavaScript (@octokit/core.js)
await octokit.request('PATCH /scim/v2/organizations/{org}/Users/{scim_user_id}', {
org: 'org',
scim_user_id: 'scim_user_id',
Operations: [
{
op: 'op',
path: 'path',
value: {
active: true,
userName: 'userName',
externalId: 'externalId',
givenName: 'givenName',
familyName: 'familyName'
}
}
]
})
Response
Status: 200 OK
Not modified
Status: 304 Not Modified
Bad Request
Status: 400 Bad Request
Forbidden
Status: 403 Forbidden
Resource not found
Status: 404 Not Found
Response
Status: 429 Too Many Requests
Notes
delete /scim/v2/organizations/{org}/Users/{scim_user_id}
Parameters
Name | Type | In | Description |
---|---|---|---|
accept |
string | header |
Setting to
|
org |
string | path | |
scim_user_id |
string | path |
scim_user_id parameter |
Code samples
Shell
curl \
-X DELETE \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID
JavaScript (@octokit/core.js)
await octokit.request('DELETE /scim/v2/organizations/{org}/Users/{scim_user_id}', {
org: 'org',
scim_user_id: 'scim_user_id'
})
Response
Status: 204 No Content
Not modified
Status: 304 Not Modified
Forbidden
Status: 403 Forbidden
Resource not found
Status: 404 Not Found