OpenEye Knowledge Base

Supported SCIM Operations

The SCIM 2.0 user and group operations that are supported by OWS are documented here.

The reference implementation for SCIM 2.0 in OWS is Okta, which may be utilized along with this documentation when implementing against the OWS SCIM API. Any SSO service that supports SCIM 2.0 should work, however.

Okta's SCIM 2.0 documentation can be found here: https://developer.okta.com/docs/reference/scim/scim-20/

User Operations

Create - https://developer.okta.com/docs/reference/scim/scim-20/#create-users

Create supports the following user properties: 

  • userName - Expected to be an email address. This is the globally unique OWS username. (e.g. jsmith@example.com) Required.
  • givenName - Given name. Also known as first name. Required.
  • familyName - Family name. Also known as last name. Optional.
  • middleName - Middle name. Optional.
  • title - Job title. Optional.

Retrieve One or More - https://developer.okta.com/docs/reference/scim/scim-20/#retrieve-users

Retrieves one or more users, paged, with the following API details:

  • startIndex - Defaults to 1 if not specified.
  • count - Defaults to 100 if not specified.
  • filter - Allows searching/filtering using a URL-encoded filter value in the following format (quotes are required around the search value): <PROPERTY> eq "<SEARCH_VALUE>". Example (shown not URL encoded): userName eq "jsmith@example.com". More than one filter may be combined by separating them with a single space. The searchable properties are:
    • active - Whether the user is active or not. Only active users can log in. Boolean. "true" or "false" or "1" or "0".
    • userName - Expected to be an email address. This is the globally unique OWS username. (e.g. jsmith@example.com)
    • givenName - Given name. Also known as first name.
    • familyName - Family name. Also known as last name.

Retrieve Only One - https://developer.okta.com/docs/reference/scim/scim-20/#retrieve-users

Update (PUT) - https://developer.okta.com/docs/reference/scim/scim-20/#update-a-specific-user-put

Supports the same properties documented for Create.

Update (PATCH) - https://developer.okta.com/docs/reference/scim/scim-20/#update-a-specific-user-patch

Supports the same properties documented for Create but also:

  • active - Whether the user is active or not. Only active users can log in. Boolean. "true" or "false" or "1" or "0".

Delete - Delete is not supported. Setting the "active" flag to false via "Update (PATCH)" is the replacement for delete for users.

Group Operations

Create - https://developer.okta.com/docs/reference/scim/scim-20/#create-groups

Create supports the following group properties: 

  • externalId - Optional system provided unique ID. (e.g. UUID or GUID) If not specified then one will be generated for you and returned in the response. This value is hidden from admins or users.
  • displayName - Required name for the group. This is what admins and users would see for the group name in OWS.

Retrieve One or More - https://developer.okta.com/docs/reference/scim/scim-20/#retrieve-groups

Retrieves one or more groups, paged, with the following API details:

  • startIndex - Defaults to 1 if not specified.
  • count - Defaults to 100 if not specified.
  • filter - Allows searching/filtering using a URL-encoded filter value in the following format (quotes are required around the search value): <PROPERTY> eq "<SEARCH_VALUE>". Example (shown not URL encoded): userName eq "jsmith@example.com". More than one filter may be combined by separating them with a single space. The searchable properties are:
    • displayName - Name of the group that is seen in OWS.
  • excludedAttributes=members - If this key/value is specified, then members of the group(s) will not be returned when obtaining the groups. This is an optimization to avoid unnecessary data or overhead if group members are not required.
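The paging and filter rules described above for both user and group retrieval, as an added Python example that is not OpenEye's or Okta's code. The function names are hypothetical, and the relative /Users and /Groups paths are the standard SCIM 2.0 resource names; the OWS base URL is not given on this page and must be prepended by the caller.

```python
from urllib.parse import quote, urlencode

# Searchable properties exactly as listed on this page.
FILTERABLE = {
    "Users": {"active", "userName", "givenName", "familyName"},
    "Groups": {"displayName"},
}

def build_filter(resource, terms):
    """Return '<PROPERTY> eq "<VALUE>"' terms joined by single spaces (not URL encoded)."""
    parts = []
    for prop, value in terms:
        if prop not in FILTERABLE[resource]:
            raise ValueError(f"{prop!r} is not searchable on {resource}")
        if isinstance(value, bool):
            value = "true" if value else "false"
        value = str(value)
        # A double quote or control character would end the quoted value early and
        # let caller-supplied text change the meaning of the filter, so refuse it.
        if '"' in value or any(ord(ch) < 0x20 for ch in value):
            raise ValueError(f"unsafe character in value for {prop!r}")
        parts.append(f'{prop} eq "{value}"')
    return " ".join(parts)

def list_query(resource, terms=(), start_index=1, count=100, exclude_members=False):
    """Return the relative path and query string for a paged retrieve request."""
    if resource not in FILTERABLE:
        raise ValueError(f"unknown resource {resource!r}")
    if start_index < 1 or count < 1:
        raise ValueError("startIndex and count must be positive")
    params = {"startIndex": start_index, "count": count}  # page defaults: 1 and 100
    if terms:
        params["filter"] = build_filter(resource, terms)
    if exclude_members:
        if resource != "Groups":
            raise ValueError("excludedAttributes=members applies to groups only")
        params["excludedAttributes"] = "members"
    # quote_via=quote encodes spaces as %20 and the required quotes as %22.
    return f"/{resource}?" + urlencode(params, quote_via=quote)

if __name__ == "__main__":
    # Constructed sample values, not real accounts or groups.
    print(list_query("Users", [("userName", "jsmith@example.com")]))
    print(list_query("Groups", [("displayName", "Chemists")], exclude_members=True))
```
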

Retrieve Only One - https://developer.okta.com/docs/reference/scim/scim-20/#retrieve-specific-groups

Retrieves a group by its ID. The ID was either provided by the caller as "externalId" or automatically generated and returned when creating the group.

Update (PUT or PATCH) - https://developer.okta.com/docs/reference/scim/scim-20/#update-a-specific-group-name and https://developer.okta.com/docs/reference/scim/scim-20/#update-specific-group-membership

See Okta links, above. Supports members and display name.

Delete - https://developer.okta.com/docs/reference/scim/scim-20/#delete-a-specific-group

Deletes a group by its ID. The ID was either provided by the caller as "externalId" or automatically generated and returned when creating the group.
