{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"type":"markdown"},"seo":{"title":"Okta and SCIM Version 2.0","description":"Okta Developer API Reference","siteUrl":"https://developer.asqula.com","keywords":"okta, api reference docs","lang":"en-US","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"okta-and-scim-version-20","__idx":0},"children":["Okta and SCIM Version 2.0"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This reference focuses on how Okta API endpoints share information with System for Cross-domain Identity Management (SCIM) specific API calls."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This document specifically covers ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Version 2.0"]}," of the SCIM specification. For Version 1.1 of the SCIM specification, see our ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/openapi/okta-scim/guides/scim-11"},"children":["SCIM 1.1 reference"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The SCIM protocol is an app-level REST protocol for provisioning and managing identity data on the web. The protocol supports creation, discovery, retrieval, and modification of core identity resources."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To better understand SCIM and the specific implementation of SCIM using Okta, see our ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://developer.asqula.com/docs/concepts/scim/"},"children":["Understanding SCIM"]}," guide or our blog post on ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://www.asqula.com/blog/2017/01/what-is-scim/"},"children":["What is SCIM?"]},"."]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}," Okta implements SCIM 2.0 as specified in the RFC documents from the Internet Engineering Task Force:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://tools.ietf.org/html/rfc7642"},"children":["Definitions, Overview, Concepts, and Requirements: RFC 7642"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://tools.ietf.org/html/rfc7643"},"children":["Core Schema: RFC 7643"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://tools.ietf.org/html/rfc7644"},"children":["Protocol: RFC 7644"]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"scim-user-operations","__idx":1},"children":["SCIM user operations"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"create-users","__idx":2},"children":["Create users"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"three-quarter"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/docs/api/assets/scim_flow-user-create.d0f3ddf2a338af16717c710e16f4105e56629465f9b1e38abe84930bc5edda18.89d7c3bf.png","alt":"Simple flow diagram for create user process"},"children":[]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The user creation operation brings the user's app profile from Okta over to the service provider as a user object. A user's app profile represents the key-value attributes defined on the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Profile"]}," tab when a user object is added."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To enable user provisioning, you must configure the provisioning options in the Admin Console:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select your SCIM integration from the list of integrations in your Okta org."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["To App"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Edit"]}," under the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Provisioning"]}," tab."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Enable"]}," and then ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Save"]}," in the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create User"]}," section."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For more information on enabling the provisioning features of your SCIM integration, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://help.asqula.com/okta_help.htm?id=ext_prov_lcm_prov_app"},"children":["Configure provisioning for an app integration"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After saving the configuration, Okta makes two requests to your SCIM server:"]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}," The number of requests made by Okta depends on the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Import Groups"]}," checkbox setting. If this checkbox is selected, Okta makes two API calls, one to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/Users"]}," and another to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/Groups"]},". If the checkbox isn’t selected, only the call to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/Users"]}," is made to create the user."]}]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"GET /scim/v2/Users?startIndex=1&count=2 HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["and"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"GET /scim/v2/Groups?startIndex=1&count=100 HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}," The query parameters that Okta sends at this point are always constant."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After you complete this step, whenever a user is assigned to the integration in Okta, the following requests are made against the SCIM server:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Determine if the user object exists. Okta runs a query against the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["userName"]}," values stored on the SCIM server. If the query matches a user object, the SCIM server returns the user object's unique ID value. Okta stores this value as the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["externalId"]}," value in the Okta user profile."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["If the user isn't found on the SCIM server, create the user."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["If the user is found on the SCIM server, but the Okta account isn't active, activate the user in Okta."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["If the user is found on the SCIM server and the Okta account is active, then update the Okta profile by setting its unique ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["externalId"]}," value to match the ID value returned from the SCIM server."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"determine-if-the-user-already-exists","__idx":3},"children":["Determine if the user already exists"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["GET"]}," /Users"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Okta checks that the user object exists on the SCIM server through a GET method request with the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["filter=userName eq \"{userName}\""]}," query parameter. Your SCIM server must support this query parameter to provision users with Okta successfully. This check is performed using the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["eq"]}," (equal) operator against the unique identifier configured for the SCIM integration."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For example, if you configure the email attribute as a unique identifier, then the query parameter to determine if the user exists is ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["filter=userName eq \"{email}\""]},"."]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}," The filter must check an attribute that’s ",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["unique"]}," for all users in the service provider profiles."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For Okta Integration Network (OIN) integrations, this filter is configured with the help of the assigned Okta App analyst during the submission process. Integration submissions are handled through the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://oinmanager.asqula.com"},"children":["OIN Manager"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The requests from Okta to the service provider are of the form:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"GET /scim/v2/Users?filter=userName%20eq%20%22test.user%40okta.local%22&startIndex=1&count=100 HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The SCIM app checks the filter provided and returns an empty response if no users match the filter criteria. For example:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 200 OK\nDate: Tue, 10 Sep 2019 01:49:39 GMT\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\"urn:ietf:params:scim:api:messages:2.0:ListResponse\"],\n \"totalResults\": 0,\n \"startIndex\": 1,\n \"itemsPerPage\": 0,\n \"Resources\": []\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Another acceptable response from the SCIM app if no user objects match the filter criteria is to return the error schema response:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 404 Not Found\nDate: Tue, 10 Sep 2019 01:58:03 GMT\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\"urn:ietf:params:scim:api:messages:2.0:Error\"],\n \"detail\": \"User not found\",\n \"status\": \"404\"\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If the SCIM server does return a user object, Okta automatically matches the result with the user in Okta and sends the user's app profile to the SCIM server."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"create-the-user","__idx":4},"children":["Create the user"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["POST"]}," /Users"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If the user object isn't found on the SCIM server, then Okta attempts to create it through a POST method request that contains the user's app profile. The request appears as follows:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"POST /scim/v2/Users HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:User\"],\n \"userName\": \"test.user@okta.local\",\n \"name\": {\n \"givenName\": \"Test\",\n \"familyName\": \"User\"\n },\n \"emails\": [{\n \"primary\": true,\n \"value\": \"test.user@okta.local\",\n \"type\": \"work\"\n }],\n \"displayName\": \"Test User\",\n \"locale\": \"en-US\",\n \"externalId\": \"00ujl29u0le5T6Aj10h7\",\n \"groups\": [],\n \"password\": \"1mz050nq\",\n \"active\": true\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}," Okta sends the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["password"]}," parameter in a create user request, even if password sync isn't enabled. This parameter acts as a placeholder for legacy provisioning platforms and its value isn't relevant or sensitive in nature."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The response from the SCIM server contains the created user object:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 201 Created\nDate: Tue, 10 Sep 2019 02:02:58 GMT\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:User\"],\n \"id\": \"23a35c27-23d3-4c03-b4c5-6443c09e7173\",\n \"userName\": \"test.user@okta.local\",\n \"name\": {\n \"givenName\": \"Test\",\n \"familyName\": \"User\"\n },\n \"emails\": [{\n \"primary\": true,\n \"value\": \"test.user@okta.local\",\n \"type\": \"work\"\n }],\n \"displayName\": \"Test User\",\n \"locale\": \"en-US\",\n \"externalId\": \"00ujl29u0le5T6Aj10h7\",\n \"active\": true,\n \"groups\": [],\n \"meta\": {\n \"resourceType\": \"User\"\n }\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Another scenario is if your SCIM server has custom attributes that you want to add for any new user. Any custom attributes defined in your app schema for user profiles are applied to the user's app profile when the user is created. The request to the SCIM server looks like the following:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"POST /scim/v2/Users HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:User\"],\n \"userName\": \"test.user@okta.local\",\n \"name\": {\n \"givenName\": \"Test\",\n \"familyName\": \"User\"\n },\n \"emails\": [{\n \"primary\": true,\n \"value\": \"test.user@okta.local\",\n \"type\": \"work\"\n }],\n \"displayName\": \"Test User\",\n \"locale\": \"en-US\",\n \"groups\": [],\n \"password\": \"1mz050nq\",\n \"active\": true\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The response from the SCIM server contains the created user object with the additional custom attributes:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 201 Created\nDate: Tue, 10 Sep 2019 02:02:58 GMT\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:User\"],\n \"id\": \"23a35c27-23d3-4c03-b4c5-6443c09e7173\",\n \"userName\": \"test.user@okta.local\",\n \"name\": {\n \"givenName\": \"Test\",\n \"familyName\": \"User\"\n },\n \"emails\": [{\n \"primary\": true,\n \"value\": \"test.user@okta.local\",\n \"type\": \"work\"\n }],\n \"displayName\": \"Test User\",\n \"locale\": \"en-US\",\n \"externalId\": \"00ujl29u0le5T6Aj10h7\",\n \"active\": true,\n \"userType\": \"Contractor\"\n \"groups\": [],\n \"meta\": {\n \"resourceType\": \"User\"\n }\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In this example, the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["externalID"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["userType"]}," attributes weren't included in the original POST method request, but are generated and returned in the SCIM server response."]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}," If your custom attributes are defined in your Okta integration (as an app to Okta mapping), the custom attributes aren't applied to the Okta user profile until an admin runs an import from the SCIM app or a Force Sync operation."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If the SCIM server returns an empty response body to the provisioning request, then Okta marks the operation as invalid, and the Admin Console displays an error:"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["\"Automatic provisioning of user ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["userName"]}," to app ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["AppName"]}," failed: Error while creating user ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["displayName"]},": Create new user returned empty user.\""]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If the user object that Okta tries to create exists in the service provider app, then the service provider needs to respond with an error schema to stop the provisioning job. The response appears as follows:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 409 Conflict\nDate: Tue, 10 Sep 2019 02:22:30 GMT\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\"urn:ietf:params:scim:api:messages:2.0:Error\"],\n \"detail\": \"User already exists in the database.\",\n \"status\": \"409\"\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"retrieve-users","__idx":5},"children":["Retrieve users"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["GET"]}," /Users"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When importing user objects from the SCIM server, Okta accesses the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/Users"]}," endpoint and processes them page by page, using ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["startIndex"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["count"]},", and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["totalResults"]}," as pagination references. Similarly, when returning large lists of resources, your SCIM implementation must support pagination. Using a limit of ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["count"]}," results and an offset of ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["startIndex"]}," returns smaller groupings of resources in a request."]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}," The ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["itemsPerPage"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["startIndex"]},", and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["totalResults"]}," values need to be exchanged as integers, not as strings."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Okta uses ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["count=100"]}," as the pagination reference to return up to 100 elements. If the value of ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["totalResults"]}," is higher than 100, then after Okta finishes retrieving the first 100 resources, the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["startIndex"]}," becomes ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["startIndex+100"]}," and is passed as a query parameter along with ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["count"]}," in a new request to the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/Users"]}," endpoint. This pagination operation repeats until all pages are viewed."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The SCIM server must consistently return the same ordering of results for the requests, regardless of which values are provided for the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["count"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["startIndex"]}," pagination references. For more information on pagination, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://tools.ietf.org/html/rfc7644#section-3.4.2.4"},"children":["Section 3.4.2.4"]}," of the V2.0 specification."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The following is a sample request from Okta to retrieve the users from the SCIM app:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"GET /scim/v2/Users?startIndex=1&count=100 HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The response to this request is a JSON list of all the resources found in the SCIM app."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"retrieve-a-specific-user","__idx":6},"children":["Retrieve a specific user"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["GET"]}," /Users/",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["{userID}"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Okta can also run a GET method request to check if a specific user object still exists on the SCIM server. The request looks like the following:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"GET /scim/v2/Users/23a35c27-23d3-4c03-b4c5-6443c09e7173 HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The response from the server is the user object:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 200 OK\nDate: Tue, 10 Sep 2019 03:46:53 GMT\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:User\"],\n \"id\": \"23a35c27-23d3-4c03-b4c5-6443c09e7173\",\n \"userName\": \"test.user@okta.local\",\n \"name\": {\n \"givenName\": \"Test\",\n \"middleName\": \"\",\n \"familyName\": \"User\"\n },\n \"active\": true,\n \"emails\": [{\n \"primary\": true,\n \"value\": \"test.user@okta.local\",\n \"type\": \"work\",\n \"display\": \"test.user@okta.local\"\n }],\n \"groups\": [],\n \"meta\": {\n \"resourceType\": \"User\"\n }\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"update-a-specific-user-put","__idx":7},"children":["Update a specific user (PUT)"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"three-quarter"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/docs/api/assets/scim_flow-user-update-put.9c5949db1a030c785459309be0aac15774faa3c0de23ba77880716d87b263046.89d7c3bf.png","alt":"Simple flow diagram for updating a user with a PUT method request"},"children":[]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Updating a user object refers to modifying an attribute in the Okta user's app profile that is mapped to an attribute in the SCIM app."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To update a user object, you need to enable the functionality in the Admin Console:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select your SCIM integration from the list of integrations in your Okta org."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Under the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Provisioning"]}," tab, click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["To App"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["In the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Update User Attributes"]}," option, click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Enable"]}," and then ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Save"]},"."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"retrieve-the-user","__idx":8},"children":["Retrieve the user"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["GET"]}," /Users/",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["{userID}"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To update a user, Okta first makes a GET method request to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/Users/{userID}"]}," and retrieves the body of the user object:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"GET /scim/v2/Users/23a35c27-23d3-4c03-b4c5-6443c09e7173 HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When the SCIM server receives this request, it responds with the user object:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 200 OK\nDate: Tue, 10 Sep 2019 03:46:53 GMT\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:User\"],\n \"id\": \"23a35c27-23d3-4c03-b4c5-6443c09e7173\",\n \"userName\": \"test.user@okta.local\",\n \"name\": {\n \"givenName\": \"Another\",\n \"middleName\": \"\",\n \"familyName\": \"User\"\n },\n \"emails\": [{\n \"primary\": true,\n \"value\": \"test.user@okta.local\",\n \"type\": \"work\",\n \"display\": \"test.user@okta.local\"\n }],\n \"active\": true,\n \"groups\": [],\n \"meta\": {\n \"resourceType\": \"User\"\n }\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"update-the-user","__idx":9},"children":["Update the user"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PUT"]}," /Users/",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["{userID}"]}]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For any new OIN app integrations, all updates to a user object are handled using a PUT method request, except as noted in ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"#update-a-specific-user-patch"},"children":["Update a specific user (PATCH)"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For any custom app integrations created using the App Integration Wizard (AIW), all updates to a user object are handled using a PUT method request."]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After the SCIM server retrieves the user object, Okta modifies the attributes that were changed and runs a PUT method request with the new body to the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/Users/{userID}"]}," endpoint:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"PUT /scim/v2/Users/23a35c27-23d3-4c03-b4c5-6443c09e7173 HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:User\"],\n \"id\": \"23a35c27-23d3-4c03-b4c5-6443c09e7173\",\n \"userName\": \"test.user@okta.local\",\n \"name\": {\n \"givenName\": \"Another\",\n \"middleName\": \"Excited\",\n \"familyName\": \"User\"\n },\n \"emails\": [{\n \"primary\": true,\n \"value\": \"test.user@okta.local\",\n \"type\": \"work\",\n \"display\": \"test.user@okta.local\"\n }],\n \"active\": true,\n \"groups\": [],\n \"meta\": {\n \"resourceType\": \"User\"\n }\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The response from the SCIM server needs to be the updated user object:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 200 OK\nDate: Tue, 10 Sep 2019 03:48:10 GMT\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:User\"],\n \"id\": \"23a35c27-23d3-4c03-b4c5-6443c09e7173\",\n \"userName\": \"test.user@okta.local\",\n \"name\": {\n \"givenName\": \"Another\",\n \"middleName\": \"Excited\",\n \"familyName\": \"User\"\n },\n \"emails\": [{\n \"primary\": true,\n \"value\": \"test.user@okta.local\",\n \"type\": \"work\",\n \"display\": \"test.user@okta.local\"\n }],\n \"active\": true,\n \"groups\": [],\n \"meta\": {\n \"resourceType\": \"User\"\n }\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"update-a-specific-user-patch","__idx":10},"children":["Update a specific user (PATCH)"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"three-quarter"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/docs/api/assets/scim_flow-user-update-patch.ad8a15419c924dcba862db4d6c4fc70f446697ee33165ebb5e41192530bae4d3.89d7c3bf.png","alt":"Simple flow diagram for updating a user with a PATCH method request"},"children":[]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PATCH"]}," /Users/",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["{userID}"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For new OIN app integrations, the following operations update a user object through a PATCH method request:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Activating a user"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Deactivating a user"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Syncing the user password"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["All other updates to user objects are handled through a PUT method request."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For any custom app integrations created using the AIW, all SCIM operations that update a user object, including these operations, are always sent through a PUT method request."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["active"]}," attribute in an Okta user profile represents the user's current status."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To deactivate users, you need to enable the functionality in the Admin Console:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select your SCIM integration from the list of integrations in your Okta org."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["To App"]}," and ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Edit"]}," under the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Provisioning"]}," tab."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Enable"]}," and then ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Save"]}," in the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Deactivate Users"]}," section."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When a user is deactivated, Okta sends this request:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"PATCH /scim/v2/Users/23a35c27-23d3-4c03-b4c5-6443c09e7173 HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n\n{\n \"schemas\": [\"urn:ietf:params:scim:api:messages:2.0:PatchOp\"],\n \"Operations\": [{\n \"op\": \"replace\",\n \"value\": {\n \"active\": false\n }\n }]\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The response from the SCIM server needs to be the updated user object:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 200 OK\nDate: Tue, 10 Sep 2019 03:50:23 GMT\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:User\"],\n \"id\": \"23a35c27-23d3-4c03-b4c5-6443c09e7173\",\n \"userName\": \"test.user@okta.local\",\n \"name\": {\n \"givenName\": \"Another\",\n \"middleName\": \"\",\n \"familyName\": \"User\"\n },\n \"emails\": [{\n \"primary\": true,\n \"value\": \"test.user@okta.local\",\n \"type\": \"work\",\n \"display\": \"test.user@okta.local\"\n }],\n \"active\": false,\n \"groups\": [],\n \"meta\": {\n \"resourceType\": \"User\"\n }\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}," The SCIM server response to PATCH method requests can also be an HTTP 204 response, with no body returned."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"delete-users","__idx":11},"children":["Delete users"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"three-quarter"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/docs/api/assets/scim_flow-user-deprovision.5c0864f72af52f05a8c7607dac057e8a52b944543473c6d2743208bebf33e861.89d7c3bf.png","alt":"Simple flow diagram for deprovisioning a user"},"children":[]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["DELETE"]}," /Users/",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["{userID}"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Okta doesn't perform DELETE operations on user objects in your SCIM app."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If a user is deactivated or removed from your integration inside Okta, then Okta sends a request to your SCIM app to set the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["active"]}," attribute to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["false"]},". There's no deprovisioning event sent for users that are suspended inside Okta."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For all new OIN app integrations, this request to update a user object is sent through a PATCH method request."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For any custom app integrations created using the AIW, this request is sent through a PUT method request."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For a detailed explanation on deleting users, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://developer.asqula.com/docs/concepts/scim/#delete-deprovision"},"children":["Delete (Deprovision)"]},"."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"scim-group-operations","__idx":12},"children":["SCIM group operations"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"create-groups","__idx":13},"children":["Create groups"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["POST"]}," /Groups"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To create a group object on the SCIM server, you first need to enable provisioning with the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Push Group"]}," feature in the Admin Console:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select your SCIM integration from the list of integrations in your Okta org."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Push Groups"]}," on the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Push Groups"]}," tab."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You can select which existing Okta group to push, either by specifying a name or a rule. If a group doesn't exist, create a group in Okta and then push it to the SCIM server. For more information, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://help.asqula.com/okta_help.htm?id=ext_Directory_Using_Group_Push"},"children":["Group Push"]}," in the Okta Help Documentation."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After the group is selected, Okta makes a POST method request to the service provider:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"POST /scim/v2/Groups HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:Group\"],\n \"displayName\": \"Test SCIMv2\",\n \"members\": []\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When it receives this request, the SCIM server responds with the group object as it would for a GET method request to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/Groups/${groupID}/"]},":"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 201 Created\nDate: Tue, 10 Sep 2019 04:54:18 GMT\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:Group\"],\n \"id\": \"abf4dd94-a4c0-4f67-89c9-76b03340cb9b\",\n \"displayName\": \"Test SCIMv2\",\n \"members\": [],\n \"meta\": {\n \"resourceType\": \"Group\"\n }\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"retrieve-groups","__idx":14},"children":["Retrieve groups"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["GET"]}," /Groups"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When importing group objects from the SCIM server, Okta accesses the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/Groups"]}," endpoint and processes them page by page, using the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["startIndex"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["count"]},", and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["totalResults"]}," values for reference. Similarly, when returning large lists of resources, your SCIM implementation must support pagination. Using a limit of ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["count"]}," results and an offset of ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["startIndex"]}," returns smaller groupings of resources in a request."]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}," The ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["itemsPerPage"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["startIndex"]},", and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["totalResults"]}," values need to be exchanged as integers, not as strings."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Okta uses ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["count=100"]}," as the pagination reference to return up to 100 elements. If the value of ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["totalResults"]}," is higher than 100, then after Okta finishes retrieving the first 100 resources, the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["startIndex"]}," becomes ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["startIndex+100"]}," and is passed as a query parameter along with ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["count"]}," in a new request to the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/Groups"]}," endpoint. This pagination operation repeats until all pages are viewed."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The SCIM server must consistently return the same ordering of results for the requests, regardless of which values are provided for the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["count"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["startIndex"]}," pagination references."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The following is a sample request from Okta to retrieve the group objects from the SCIM app:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"GET /scim/v2/Groups?startIndex=1&count=100 HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The response to this request is a JSON list of all the group objects found in the SCIM app."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You must also implement filtering results with the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["eq"]}," (equals) operator on your SCIM server."," ","Okta checks that the group object exists on the SCIM server through a GET method request with the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["filter=displayName eq \"{groupName}\""]}," path parameter, where ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["groupName"]}," is the group name on the target app."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Okta uses the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["GET /Groups"]}," request with a group name filter when you want to update a group, but the external group ID isn't known."]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}," One case where the external group ID isn't known is when admins configure the provisioning app integration and clear the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Import Groups"]}," checkbox. See ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://help.asqula.com/okta_help.htm?id=ext_prov_lcm_prov_app"},"children":["Configure provisioning for an app integration"]},"."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The following is an example of a request to the SCIM server:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"GET /scim/v2/Groups?filter=displayName%20eq%20%22Test%20SCIMv2%22&startIndex=1&count=100 HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The SCIM server processes the request and responds with one of the following:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A list of groups if they match the filter criteria, for example:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 200 OK\nDate: Wed, 15 May 2024 10:02:45 GMT\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\n \"urn:ietf:params:scim:api:messages:2.0:ListResponse\"\n ],\n \"totalResults\": 1,\n \"startIndex\": 1,\n \"itemsPerPage\": 1,\n \"Resources\": [\n {\n \"id\": \"e7d09e9b3faa4888b65cf9e9316cba1c\",\n \"meta\": {\n \"created\": \"2024-05-15T09:21:23\",\n \"lastModified\": \"2024-05-15T09:21:23\",\n \"version\": \"v1.0\"\n },\n \"displayName\": \"Test SCIMv1\"\n },\n ]\n}\n","lang":"http"},"children":[]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["An empty response if no groups match the filter criteria, for example:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 200 OK\nDate: Wed, 15 May 2024 11:02:14 GMT\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\"urn:ietf:params:scim:api:messages:2.0:ListResponse\"],\n \"totalResults\": 0,\n \"startIndex\": 1,\n \"itemsPerPage\": 0,\n \"Resources\": []\n}\n","lang":"http"},"children":[]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"retrieve-specific-groups","__idx":15},"children":["Retrieve specific groups"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["GET"]}," /Groups/",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["{groupID}"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["There are situations where Okta needs to run a GET method request on a specific ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["{groupID}"]},", for example, to see if the group object still exists on the SCIM server. The request appears as follows:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"GET /scim/v2/Groups/abf4dd94-a4c0-4f67-89c9-76b03340cb9b HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The response from the server is the group object details:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 200 OK\nDate: Tue, 10 Sep 2019 05:06:25 GMT\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:Group\"],\n \"id\": \"abf4dd94-a4c0-4f67-89c9-76b03340cb9b\",\n \"displayName\": \"Test SCIMv2\",\n \"members\": [{\n \"value\": \"b1c794f24f4c49f4b5d503a4cb2686ea\",\n \"display\": \"SCIM 2 Group A\"\n }],\n \"meta\": {\n \"resourceType\": \"Group\"\n }\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}," You must return the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["members"]}," list payload when ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["GET /Groups/{groupID}"]}," is requested without any query parameters."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"update-a-specific-group-name","__idx":16},"children":["Update a specific group name"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PATCH"]}," /Groups/",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["{groupID}"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PUT"]}," /Groups/",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["{groupID}"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Updates to existing names for Okta groups are handled by a method request to your SCIM app. The group object must be already pushed out to the SCIM server."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For all new OIN app integrations, this request to update a group object is sent through a PATCH method request."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For custom app integrations created using the AIW, this request to update a group object is sent through a PUT request."]}]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}," Okta recommends using the PATCH method to update the group name for SCIM groups."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"patch-method-request","__idx":17},"children":["PATCH method request"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"PATCH /scim/v2/Groups/abf4dd94-a4c0-4f67-89c9-76b03340cb9b HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n\n{\n \"schemas\": [\"urn:ietf:params:scim:api:messages:2.0:PatchOp\"],\n \"Operations\": [{\n \"op\": \"replace\",\n \"value\": {\n \"id\": \"abf4dd94-a4c0-4f67-89c9-76b03340cb9b\",\n \"displayName\": \"Test SCIMv2\"\n }\n }]\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The group name update operation triggers each time there's a group membership update operation."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The SCIM server response returns the updated group object:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 200 OK\nDate: Tue, 10 Sep 2019 05:08:48 GMT\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:Group\"],\n \"id\": \"abf4dd94-a4c0-4f67-89c9-76b03340cb9b\",\n \"displayName\": \"Test SCIMv20\",\n \"members\": null,\n \"meta\": {\n \"resourceType\": \"Group\"\n }\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}," The SCIM server response to PATCH method requests can also be an HTTP 204 response, with no body returned."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"put-method-request","__idx":18},"children":["PUT method request"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"PUT /scim/v2/Groups/U0FP0NMEE HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:Group\"],\n \"id\":\"e9e30dba-f08f-4109-8486-d5c6a331660a\",\n \"displayName\": \"Tour Guides\",\n \"members\": [\n {\n \"value\": \"some-member-1\",\n \"display\": \"Babs Jensen\"\n },\n {\n \"value\": \"some-member-2\",\n \"display\": \"Mandy Pepperidge\"\n }\n ]\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The SCIM server response returns the updated group object:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 200 OK\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:Group\"],\n \"id\":\"e9e30dba-f08f-4109-8486-d5c6a331660a\",\n \"displayName\": \"Tour Guides\",\n \"members\": [\n {\n \"value\": \"some-member-1\",\n \"display\": \"Babs Jensen\"\n },\n {\n \"value\": \"some-member-2\",\n \"display\": \"Mandy Pepperidge\"\n }\n ],\n \"meta\": {\n \"resourceType\": \"Group\",\n \"created\": \"01-23-2017 00:00:00\",\n \"lastModified\": \"01-23-2017 00:00:00\",\n \"version\": \"v1.0\"\n }\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"update-specific-group-membership","__idx":19},"children":["Update specific group membership"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PATCH"]}," /Groups/",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["{groupID}"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["PUT"]}," /Groups/",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["{groupID}"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To add or remove users inside a specific pushed group object on the SCIM server, Okta requires the following:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The user must be a member of the group in Okta."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The user has been added under the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Assignments"]}," tab of the SCIM integration inside the Admin Console."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The group is pushed under the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Push Groups"]}," tab of the SCIM integration inside the Admin Console."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If these three requirements are met, Okta sends a request to add the specified users to the group object on the SCIM server."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For all new OIN app integrations, a PATCH method request is used to update a group object, for example:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"PATCH /scim/v2/Groups/abf4dd94-a4c0-4f67-89c9-76b03340cb9b HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n\n{\n \"schemas\": [\"urn:ietf:params:scim:api:messages:2.0:PatchOp\"],\n \"Operations\": [{\n \"op\": \"remove\",\n \"path\": \"members[value eq \\\"89bb1940-b905-4575-9e7f-6f887cfb368e\\\"]\"\n },\n {\n \"op\": \"add\",\n \"path\": \"members\",\n \"value\": [{\n \"value\": \"23a35c27-23d3-4c03-b4c5-6443c09e7173\",\n \"display\": \"test.user@okta.local\"\n }]\n }]\n}\n","lang":"http"},"children":[]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For custom app integrations created using the AIW, a PUT method request is used to update a group object, for example:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"PUT /scim/v2/Groups/abf4dd94-a4c0-4f67-89c9-76b03340cb9b HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:Group\"],\n \"displayName\": \"Test SCIMv2\",\n \"members\": [\n {\n \"value\": \"23a35c27-23d3-4c03-b4c5-6443c09e7173\",\n \"display\": \"test.user@okta.local\"\n }\n ]\n}\n","lang":"http"},"children":[]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The SCIM server response returns the updated group object:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 200 OK\nDate: Tue, 10 Sep 2019 05:06:25 GMT\nContent-Type: application/scim+json; charset=UTF-8\n\n{\n \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:Group\"],\n \"id\": \"abf4dd94-a4c0-4f67-89c9-76b03340cb9b\",\n \"displayName\": \"Test SCIMv20\",\n \"members\": [\n {\n \"value\": \"23a35c27-23d3-4c03-b4c5-6443c09e7173\",\n \"display\": \"test.user@okta.local\"\n }\n ],\n \"meta\": {\n \"resourceType\": \"Group\"\n }\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In this example, the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["members"]}," attribute returns a null value. Okta doesn't require the list of users to be returned, but it does require the other details about the group."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You can also send a full push of the membership to the SCIM server using the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["replace"]}," operation. This operation replaces all the group members with the supplied object values."]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"PATCH /scim/v2/Groups/abf4dd94-a4c0-4f67-89c9-76b03340cb9b HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n\n{\n \"schemas\": [\n \"urn:ietf:params:scim:api:messages:2.0:PatchOp\"\n ],\n \"Operations\": [\n {\n \"op\": \"replace\",\n \"path\": \"members\",\n \"value\": [\n {\n \"value\": \"23a35c27-23d3-4c03-b4c5-6443c09e7173\",\n \"display\": \"test.user@okta.local\"\n },\n {\n \"value\": \"89bb1940-b905-4575-9e7f-6f887cfb368e\",\n \"display\": \"test.user@okta.local\"\n }\n ]\n }\n ]\n}\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note:"]}," The SCIM server response to PATCH method requests can also be an HTTP 204 response, with no body returned."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"delete-a-specific-group","__idx":20},"children":["Delete a specific group"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["DELETE"]}," /Groups/",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["{groupID}"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Okta administrators can remove pushed groups from the Admin Console, under the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Push Groups"]}," tab of the SCIM integration."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["On the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Push Groups"]}," tab, click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Active"]}," then click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Unlink pushed group"]},". In the dialog box that appears, you can choose whether you want to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Delete the group in the target app"]}," or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Leave the group in the target app"]}," on the SCIM server."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When you select the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Delete the group in the target app"]}," option and click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Unlink"]},", Okta sends a DELETE method request:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"DELETE /scim/v2/Groups/abf4dd94-a4c0-4f67-89c9-76b03340cb9b HTTP/1.1\nUser-Agent: Okta SCIM Client 1.0.0\nAuthorization: \n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The SCIM server can return an empty response:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"http","header":{"controls":{"copy":{}}},"source":"HTTP/1.1 204 No Content\nDate: Tue, 10 Sep 2019 05:29:25 GMT\n","lang":"http"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"additional-references","__idx":21},"children":["Additional references"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://www.asqula.com/blog/2017/01/what-is-scim/"},"children":["What is SCIM?"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://developer.asqula.com/docs/concepts/scim/"},"children":["SCIM Provisioning using Okta Lifecycle Management"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://developer.asqula.com/docs/guides/scim-provisioning-integration-overview"},"children":["Build a SCIM provisioning integration"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://tools.ietf.org/html/rfc7643"},"children":["SCIM 2.0 RFC: Core Schema"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://tools.ietf.org/html/rfc7644"},"children":["SCIM 2.0 RFC: Protocol"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"https://tools.ietf.org/html/rfc7642"},"children":["SCIM 2.0 RFC: Definitions and Use Cases"]}]}]}]},"headings":[{"value":"Okta and SCIM Version 2.0","id":"okta-and-scim-version-20","depth":1},{"value":"SCIM user operations","id":"scim-user-operations","depth":2},{"value":"Create users","id":"create-users","depth":3},{"value":"Determine if the user already exists","id":"determine-if-the-user-already-exists","depth":4},{"value":"Create the user","id":"create-the-user","depth":4},{"value":"Retrieve users","id":"retrieve-users","depth":3},{"value":"Retrieve a specific user","id":"retrieve-a-specific-user","depth":3},{"value":"Update a specific user (PUT)","id":"update-a-specific-user-put","depth":3},{"value":"Retrieve the user","id":"retrieve-the-user","depth":4},{"value":"Update the user","id":"update-the-user","depth":4},{"value":"Update a specific user (PATCH)","id":"update-a-specific-user-patch","depth":3},{"value":"Delete users","id":"delete-users","depth":3},{"value":"SCIM group operations","id":"scim-group-operations","depth":2},{"value":"Create groups","id":"create-groups","depth":3},{"value":"Retrieve groups","id":"retrieve-groups","depth":3},{"value":"Retrieve specific groups","id":"retrieve-specific-groups","depth":3},{"value":"Update a specific group name","id":"update-a-specific-group-name","depth":3},{"value":"PATCH method request","id":"patch-method-request","depth":4},{"value":"PUT method request","id":"put-method-request","depth":4},{"value":"Update specific group membership","id":"update-specific-group-membership","depth":3},{"value":"Delete a specific group","id":"delete-a-specific-group","depth":3},{"value":"Additional references","id":"additional-references","depth":3}],"frontmatter":{"title":"SCIM 2.0 Protocol Reference","meta":[{"name":"description","content":"Your SCIM API must support specific SCIM 2.0 API endpoints to work with Okta. Those endpoints and their explanations are detailed here."}],"seo":{"title":"Okta and SCIM Version 2.0"}},"lastModified":"2025-12-05T19:05:32.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/openapi/okta-scim/guides/scim-20","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}