System for Cross-domain Identity Management

Designed to make managing user identity in cloud-based applications and services easier.


Overview

The SCIM standard was created to simplify user management in the cloud by defining a schema for representing users and groups and a REST API for all the necessary CRUD operations.


Specifications

For a complete view of the SCIM schema and the API, please refer to the specification.


Implementations

List of implementations


Compliance

Test your SCIM 1.1 implementation using the online compliance test.


Overview

The System for Cross-domain Identity Management (SCIM) specification is designed to make managing user identities in cloud-based applications and services easier. The specification suite builds on experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. Its intent is to reduce the cost and complexity of user management operations by providing a common user schema and extension model, together with binding documents that provide patterns for exchanging this schema over standard protocols. In essence: make it fast, cheap, and easy to move users into, out of, and around the cloud.

Information on this overview page is not normative.

Model

SCIM is built on an object model in which Resource is the common denominator from which all SCIM objects derive. SCIM currently has three objects that inherit directly from Resource. ServiceProviderConfiguration and Schema are used for discovery and contain no user information. CoreResource is where user and group data live, through its two child resources, User and Group.

Example User

This is an example of how user data can be encoded as a SCIM object in JSON. An XML encoding is also defined in the specification.

While this example does not contain the full set of attributes available, notice the different kinds of attribute that make up a SCIM object: simple attributes such as the strings id and userName; complex attributes, i.e. attributes that have sub-attributes, such as name; and multi-valued attributes such as emails, phoneNumbers and addresses, whose elements are themselves complex (a value plus a type).

{
  "schemas":["urn:scim:schemas:core:1.0"],
  "id":"2819c223-7f76-453a-919d-413861904646",
  "externalId":"bjensen",
  "meta":{
    "created":"2011-08-01T18:29:49.793Z",
    "lastModified":"2011-08-01T18:29:49.793Z",
    "location":"https://example.com/v1/Users/2819c223...",
    "version":"W\/\"f250dd84f0671c3\""
  },
  "name":{
    "formatted":"Ms. Barbara J Jensen III",
    "familyName":"Jensen",
    "givenName":"Barbara"
  },
  "userName":"bjensen",
  "phoneNumbers":[
    {
      "value":"555-555-8377",
      "type":"work"
    }
  ],
  "emails":[
    {
      "value":"bjensen@example.com",
      "type":"work"
    }
  ]
}

Example Group

In addition to users, the SCIM core includes the group concept. Groups are used to model the organizational structure of provisioned objects. Groups can contain users or other groups.

{
  "schemas":["urn:scim:schemas:core:1.0"],
  "id":"2819c223-7f76-453a-919d-413861904646",
  "displayName": "Tour Guides",
  "members":[
    {
      "value":"2819c223-7f76-453a-919d-413861904646",
      "displayName":"Babs Jensen",
      "type":"User"
    },
    {
      "value":"2819c223-7f76-453a-919d-413861904646",
      "displayName":"Mandy Pepperidge",
      "type":"User"
    }
  ]
}

Operations

For manipulation of resources, SCIM provides a REST API with a rich but simple set of operations, which support everything from patching a specific attribute on a specific user to doing massive bulk updates:

  • Create = POST https://example.com/{v}/{resource}
  • Read = GET https://example.com/{v}/{resource}/{id}
  • Replace = PUT https://example.com/{v}/{resource}/{id}
  • Delete = DELETE https://example.com/{v}/{resource}/{id}
  • Update = PATCH https://example.com/{v}/{resource}/{id}
  • Search = GET https://example.com/{v}/{resource}?filter={attribute}{op}{value}&sortBy={attributeName}&sortOrder={ascending|descending}
  • Bulk = POST https://example.com/{v}/Bulk

Discovery

To simplify interoperability, SCIM provides two endpoints for discovering supported features and specific attribute details:

  • GET /ServiceProviderConfigs

    Specification compliance, authentication schemes, data models.

  • GET /Schemas

    Introspect resources and attribute extensions.

Create Request

To create a Resource, send an HTTP POST request to the Resource's endpoint. The example below creates a User.

As in this and later examples, the URL contains a version number so that different versions of the SCIM API can coexist. Available versions can be discovered dynamically via the ServiceProviderConfig endpoint.

POST /v1/Users  HTTP/1.1
Accept: application/json
Authorization: Bearer h480djs93hd8
Host: example.com
Content-Length: 164
Content-Type: application/json

{
  "schemas":["urn:scim:schemas:core:1.0"],
  "externalId":"bjensen",
  "userName":"bjensen",
  "name":{
    "familyName":"Jensen",
    "givenName":"Barbara"
  }
}

Create Response

The response carries HTTP status 201 Created and the created Resource. Note that the returned User contains more data than was posted: the id and meta attributes are assigned by the service provider to complete the User object, so a client cannot choose its own id. The Location header gives the URL at which the Resource can be fetched in subsequent requests, and the ETag header carries its version.

HTTP/1.1 201 Created
Content-Type: application/json
Location: https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646
ETag: W/"e180ee84f0671b1"

{
  "schemas":["urn:scim:schemas:core:1.0"],
  "id":"2819c223-7f76-453a-919d-413861904646",
  "externalId":"bjensen",
  "meta":{
    "created":"2011-08-01T21:32:44.882Z",
    "lastModified":"2011-08-01T21:32:44.882Z",
    "location":"https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646",
    "version":"W\/\"e180ee84f0671b1\""
  },
  "name":{
    "familyName":"Jensen",
    "givenName":"Barbara"
  },
  "userName":"bjensen"
}

Get Request

Resources are fetched by sending an HTTP GET request to the desired Resource endpoint, as in this example. Note the '.json' suffix at the end of the URL: this is a second way for clients to indicate the desired response format, in addition to the Accept header.

GET /v1/Users/2819c223-7f76-453a-919d-413861904646.json HTTP/1.1
Host: example.com
Accept: application/json
Authorization: Bearer h480djs93hd8

Get Response

The response to a GET contains the Resource. The ETag header carries the Resource's version (also present as meta.version). A client that later modifies the Resource sends that value back in an If-Match header, so the service provider can refuse the write with 412 Precondition Failed if another client changed the Resource in the meantime; this prevents one update silently overwriting another.

HTTP/1.1 200 OK
Content-Type: application/json
Location: https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646
ETag: W/"e180ee84f0671b1"

{
  "schemas":["urn:scim:schemas:core:1.0"],
  "id":"2819c223-7f76-453a-919d-413861904646",
  "externalId":"bjensen",
  "meta":{
    "created":"2011-08-01T21:32:44.882Z",
    "lastModified":"2011-08-01T21:32:44.882Z",
    "location":"https://example.com/v1/Users/2819c223-7f76-453a-919d-413861904646",
    "version":"W\/\"e180ee84f0671b1\""
  },
  "name":{ ...
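The create and get exchanges above, modelled end to end as an added example (my own Python, not code from the page or from any implementation listed on it): an in-memory stand-in for the /v1/Users endpoint that assigns id, meta and a weak ETag on POST, discards any id or meta a client tries to supply, answers 401/400/409/404 as a service provider would, and enforces If-Match on PUT so that a stale ETag is refused with 412 Precondition Failed, which is the concurrency control the ETag in the Get Response exists for. The bearer token is the one from the page's sample requests, accepted here as the only valid credential, and the SHA-256 based ETag scheme is an assumption; a real provider validates tokens against its issuer and may compute versions differently.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone

CORE_SCHEMA = "urn:scim:schemas:core:1.0"
# Assumption for the example: the bearer token from the page's sample requests is the
# only valid credential. A real provider validates tokens against its issuer.
VALID_TOKEN = "h480djs93hd8"


class SCIMError(Exception):
    """Carries the HTTP status a SCIM service provider would return."""
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status


def _now():  # UTC millisecond timestamps, as in the page's meta examples
    return datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def _version(resource):
    # Weak ETag derived from the attribute values (assumed scheme); meta is excluded so
    # the tag changes exactly when the representation changes.
    body = {k: v for k, v in resource.items() if k != "meta"}
    return 'W/"%s"' % hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()[:15]


def _parse_user(raw_body):
    try:
        body = json.loads(raw_body)
    except ValueError:
        raise SCIMError(400, "request body is not valid JSON")
    if not isinstance(body, dict) or not isinstance(body.get("schemas"), list) or CORE_SCHEMA not in body["schemas"]:
        raise SCIMError(400, "schemas must include " + CORE_SCHEMA)
    if not (isinstance(body.get("userName"), str) and body["userName"]):
        raise SCIMError(400, "userName is required")
    # id and meta are assigned by the service provider; client-supplied values are
    # dropped so a caller cannot pick an id or forge creation metadata.
    return {k: v for k, v in body.items() if k not in ("id", "meta")}


class UsersEndpoint:
    """In-memory stand-in for https://example.com/v1/Users (hypothetical)."""

    def __init__(self, base="https://example.com/v1"):
        self.base, self._store = base, {}

    def _authorize(self, headers):
        if headers.get("Authorization") != "Bearer " + VALID_TOKEN:
            raise SCIMError(401, "missing or invalid bearer token")

    def _lookup(self, user_id):
        if user_id not in self._store:
            raise SCIMError(404, "Resource %s not found" % user_id)
        return self._store[user_id]

    def _respond(self, status, resource):
        headers = {"Content-Type": "application/json", "ETag": resource["meta"]["version"]}
        if status == 201:
            headers["Location"] = resource["meta"]["location"]
        return status, headers, resource

    def create(self, headers, raw_body):  # POST /v1/Users
        self._authorize(headers)
        resource = _parse_user(raw_body)
        if any(r["userName"].lower() == resource["userName"].lower() for r in self._store.values()):
            raise SCIMError(409, "userName already exists")
        resource["id"] = str(uuid.uuid4())
        now = _now()
        resource["meta"] = {"created": now, "lastModified": now,
                            "location": "%s/Users/%s" % (self.base, resource["id"])}
        resource["meta"]["version"] = _version(resource)
        self._store[resource["id"]] = resource
        return self._respond(201, resource)

    def get(self, headers, user_id):  # GET /v1/Users/{id}
        self._authorize(headers)
        return self._respond(200, self._lookup(user_id))

    def replace(self, headers, user_id, raw_body):  # PUT /v1/Users/{id}
        self._authorize(headers)
        current = self._lookup(user_id)
        # If-Match carries the ETag the client last saw; a stale one means someone
        # else changed the resource in between, so the write is refused.
        if_match = headers.get("If-Match")
        if if_match is not None and if_match != current["meta"]["version"]:
            raise SCIMError(412, "resource changed since it was read; re-fetch and retry")
        resource = _parse_user(raw_body)
        resource["id"] = user_id
        resource["meta"] = dict(current["meta"], lastModified=_now())
        resource["meta"]["version"] = _version(resource)
        self._store[user_id] = resource
        return self._respond(200, resource)

    def delete(self, headers, user_id):  # DELETE /v1/Users/{id}
        self._authorize(headers)
        del self._store[self._lookup(user_id)["id"]]
        return 200, {}, None
```

Wire framing (Content-Length, the HTTP parser) is left to whatever HTTP layer fronts this; each method takes the request headers and raw JSON body and returns the (status, headers, body) triple the page's responses show, so the same checks apply whether the endpoint is reached over HTTP or called from a test.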

Filter Request

In addition to fetching single Resources, sets of Resources can be fetched by querying the Resource endpoint without the id of a specific Resource. Such a request usually carries a filter to be applied to the Resources; SCIM supports the filter operators equals (eq), contains (co), starts with (sw), present (pr) and more, combined with and/or.

In addition to filtering, the service provider can be asked to sort the Resources in the response (sortBy, sortOrder), to return only specific attributes of each Resource (attributes), and to return only a subset of the matching Resources.

  • https://example.com/{resource}?filter={attribute} {op} {value}&sortBy={attributeName}&sortOrder={ascending|descending}&attributes={attributes}
  • https://example.com/Users?filter=title pr and userType eq "Employee"&sortBy=title&sortOrder=ascending&attributes=title,userName

Filter Response

The response to a filtered GET is a list response: the totalResults count and the matching Resources, each reduced to the requested attributes (id is always included):

{
  "schemas":["urn:scim:schemas:core:1.0"],
  "totalResults":2,
  "Resources":[
    {
      "id":"c3a26dd3-27a0-4dec-a2ac-ce211e105f97",
      "title":"Assistant VP",
      "userName":"bjensen"
    },
    {
      "id":"a4a25dd3-17a0-4dac-a2ac-ce211e125f57",
      "title":"VP",
      "userName":"jsmith"
    }
  ]
}
SCIM 2.0 (Draft)

The next version of SCIM is under development by the SCIM working group at the IETF.

  • Core Schema

    The Core Schema provides a platform-neutral schema and extension model for representing users and groups.

  • REST API

    The SCIM Protocol is an application-level, REST protocol for provisioning and managing identity data on the web.

  • SCIM Use Cases

    This document lists the user scenarios and use cases of System for Cross-domain Identity Management (SCIM).

Related documents (not working group documents).

  • draft-wahl-scim-jit-profile

    This document specifies a profile of the System for Cross-Domain Identity Management Protocol (SCIM) for use by servers which rely upon just-in-time provisioning patterns in a protocol (such as SAML) to create user accounts, and need an additional channel to be notified of changes to user accounts.

  • SCIM and vCard mapping

    This document defines a mapping between SCIM and vCard.

SCIM 1.1 (Active)

Second official release of the SCIM specification, released in July 2012. Compatible with 1.0 and contains cleanups and clarifications on issues found during interop testing.

  • Core Schema

    The Core Schema provides a platform-neutral schema and extension model for representing users and groups in JSON and XML formats.

  • REST API

    The SCIM Protocol is an application-level, REST protocol for provisioning and managing identity data on the web.

SCIM 1.0 (Deprecated)

First official release of the SCIM specification, released in December 2011.

  • Scenarios Doc - draft 4

The scenario document was created to guide the development of the specification and is not normative.

  • Core Schema

    The Core Schema provides a platform-neutral schema and extension model for representing users and groups in JSON and XML formats.

  • REST API

    The SCIM Protocol is an application-level, REST protocol for provisioning and managing identity data on the web.

  • SAML 2.0 Binding - draft 1

    Defines a binding of SCIM schema to SAML messages and assertions.

Resources

Participate

SCIM 2.x is developed under the IETF. To participate, discuss, and ask questions regarding SCIM 2.x, use this mailing list.

Presentations

An overview of SCIM was presented by Kelly Grizzle at IETF 84; it can be found here.

Historical SCIM 1.x artifacts

SCIM 1.x was developed under the Open Web Foundation. Signed agreements can be found here.

SCIM 1.x was developed on this mailing list.

The original development of the SCIM specification was done here. This is where you can find the version tracking for the 1.x specification, and the outcomes of the interop events.

For generating code and validating XML, SCIM 1.1 provides two XML Schemas. One for Core and one for the Enterprise extension.

Known SCIM 1.1 implementations

Project Name | Client | Server | Open Source | Developer | URL
CA IdentityMinder | Yes | No | No | CA Technologies | ftp://ftp.ca.com/pub/IdentityManager/guides/Connect%20to%20a%20SCIM%20Endpoint.pdf
Cisco | No | Yes | No | Cisco | http://www.cisco.com/
CloudFoundry UAA | Yes | Yes | Yes, Apache 2.0 | Pivotal | https://github.com/cloudfoundry/uaa, https://github.com/cloudfoundry/cf-uaa-lib, https://github.com/cloudfoundry/cf-uaac
Gluu | Yes | Yes | Yes, MIT License | Gluu.org | http://www.gluu.org/
Grouper | Yes | No | Yes, Apache 2.0 | Internet2 | http://www.internet2.edu/products-services/trust-identity-middleware/grouper/
IBM Security Directory Integrator | Yes | Yes | No | IBM | http://www-01.ibm.com/support/knowledgecenter/SSCQGF_7.2.0/com.ibm.IBMDI.doc_7.2/scim.html?lang=en
IdentityIQ | Yes | No | No | SailPoint | http://www.sailpoint.com/
Ingy dot Net | No | Yes | Yes, MIT | Ingy döt Net | https://github.com/ingydotnet/scim-query-filter-parser-rb#readme, http://rubygems.org/gems/scim-query-filter-parser
McAfee Provisioning Service | Yes | No | No | McAfee | http://www.mcafee.com
neXus Hybrid Access Manager | Yes | No | No | neXus | http://www.nexusgroup.com/
OpenSCIM | Yes | Yes | Yes, GPL v3 | Google Code | http://code.google.com/p/openscim/
PingFederate | Yes | Yes | No | Ping Identity | https://www.pingidentity.com/products/pingfederate/
PingOne | Yes | Yes | No | Ping Identity | https://www.pingone.com/
python-scim | No | No | Yes, MIT License | Concordus Applications | https://github.com/concordusapps/python-scim
RadiantOne VDS | Yes | Yes | No | Radiant Logic | http://www.radiantlogic.com
Salesforce | No | Yes | No | Salesforce | http://www.salesforce.com/
SCIM Easy | No | Yes | Yes, Apache 2.0 | Eugene Zhukov | http://ee.dy.fi/scim
SCIM Proxy | Yes | Yes | Yes, MIT License | neXus | http://code.google.com/p/scimproxy/
Switch Identity Governance | Yes | Yes | No | Switch Identity Governance Ltd | http://www.switchresearch.com
UnboundID Reference SDK | Yes | Yes | Yes, GPL, LGPL, or UnboundID Free License | UnboundID | http://www.unboundid.com/scim/
UnboundID Identity Data Platform | Yes | Yes | No | UnboundID | http://www.unboundid.com/scim/
WSO2 Charon | Yes | Yes | Yes, Apache 2.0 License | WSO2 Inc | http://wso2.org/projects/charon

Experimental implementations of SCIM 2.0

The 2.0 specification is still under development; production deployments should be based on SCIM 1.1.

Project Name | Client | Server | Open Source | Developer | URL
django_scim | No | Yes | Yes, MIT License | Atlassian | https://bitbucket.org/atlassian/django_scim
eSCIMo | Yes | Yes | Yes, ASL 2.0 | Apache Software Foundation | http://svn.apache.org/viewvc/directory/escimo/trunk/
OSIAM | Yes | Yes | Yes, MIT License | osiam.org team | http://osiam.org
Add implementation

Know of an implementation that should be listed? Send an email with the name, type (client/server), license, developer, URL, and whether it implements SCIM 1.1 or SCIM 2.0.
Compliance Test (Beta)

Runs the test suite against an Internet-facing SCIM 1.1 server. The enterprise extension is not supported yet.
