SCIM endpoint STACKIT IdP
You can use the System for Cross-domain Identity Management (SCIM) to synchronize users and groups from your organization to the STACKIT Identity Provider (STACKIT IdP). This helps you efficiently manage user access across different systems. The STACKIT IdP supports the SCIMv2 standard (RFC 7642). SCIMv1 is not supported.
Technical details
Use the following details to configure your SCIM provisioning client:
- Base URL: https://accounts.stackit.cloud/scim/v2/
- Provider configuration URL: https://accounts.stackit.cloud/scim/v2/ServiceProviderConfig
- Authentication: Use a Bearer token for authentication. The token requires scim.read or scim.write permissions for provisioning. Discovery endpoints do not require authentication.
- Supported resources: The STACKIT IdP supports these resources as defined at https://accounts.stackit.cloud/scim/v2/ResourceTypes:
  - Users: https://accounts.stackit.cloud/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User
  - Groups: https://accounts.stackit.cloud/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group
- Supported features:
  - Filtering (RFC 7644, section 3.4.2.2): Provisioning clients can use the filter parameter when listing resources.
  - PATCH (RFC 7644, section 3.5.2): You can make multiple changes to a resource using the PATCH method. This is especially useful for managing group memberships.
User resource
A user resource is the minimum representation of a functional user in the STACKIT IdP.
The IdP supports the default urn:ietf:params:scim:schemas:core:2.0:User SCIM schema along with the standard extension urn:ietf:params:scim:schemas:extension:enterprise:2.0:User. Keep in mind that the STACKIT IdP may not use certain fields in the SCIM schema.
You can find more information in the SCIM schema documentation.
Attribute mapping and examples
The STACKIT IdP includes an additional extension for the user resource: urn:schwarz:params:scim:schemas:extension:notifications:2.0:User. This extension lets you decide whether to send an invitation email when a user is created during provisioning.
For users who don’t authenticate with your organization’s Single Sign-On (SSO), you can provide a plain password when creating the user. This password can’t be updated or retrieved through provisioning after the user is created. If you don’t provide a password, the user must activate their account by email when they first try to log in.
When a user’s active status is set to false, they can’t authenticate. This is true whether they use a password or an external identity provider. Also, deactivated users are automatically logged out, and all their access tokens are revoked.
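The following Python is an added example, not code from STACKIT or from this page. It assembles a user create body with the notifications extension and the optional plain password described above, builds an RFC 7644 equality filter for the list endpoint with the value properly escaped, and prepares the POST with the Bearer token header. The endpoint and URNs are the ones listed on this page; the function names, the sample user values and the application/scim+json media type (the SCIM media type from RFC 7644) are assumptions of the example. Nothing is sent over the network.

```python
import json
from typing import Optional
from urllib.parse import urlencode

# Endpoint and schema URNs as given on the page
SCIM_BASE = "https://accounts.stackit.cloud/scim/v2/"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
NOTIFY_EXT = "urn:schwarz:params:scim:schemas:extension:notifications:2.0:User"
SCIM_JSON = "application/scim+json"  # SCIM media type from RFC 7644 (assumption: accepted by the endpoint)


def auth_headers(token: str) -> dict:
    """Headers for the SCIM endpoint: Bearer token plus SCIM media type.
    The token needs scim.read (listing) or scim.write (provisioning)."""
    return {"Authorization": f"Bearer {token}", "Accept": SCIM_JSON, "Content-Type": SCIM_JSON}


def build_user(user_name: str, given_name: str, family_name: str, email: str, external_id: str, *,
               send_invitation: bool = True, password: Optional[str] = None, active: bool = True) -> dict:
    """Assemble a User create body. The password is optional and only makes sense for
    users who will not sign in through your SSO; when it is omitted the user activates
    the account by email at first login. It cannot be read back or updated via SCIM."""
    resource = {
        "schemas": [USER_SCHEMA, NOTIFY_EXT],
        "externalId": external_id,
        NOTIFY_EXT: {"sendInvitation": send_invitation},
        "userName": user_name,
        "active": active,
        "name": {"givenName": given_name, "familyName": family_name},
        "displayName": f"{given_name} {family_name}",
        "emails": [{"type": "work", "primary": True, "value": email}],
    }
    if password is not None:
        resource["password"] = password
    return resource


def redact_for_log(resource: dict) -> dict:
    """Copy of the body that is safe to log: the plain password is never written out."""
    return {k: ("<redacted>" if k == "password" else v) for k, v in resource.items()}


def scim_filter(attribute: str, value: str) -> str:
    """RFC 7644 3.4.2.2 equality filter. The compared value is a JSON string literal,
    so json.dumps supplies the quotes and escapes embedded quotes and backslashes."""
    return f"{attribute} eq {json.dumps(value)}"


def list_users_url(filter_expr: str) -> str:
    """URL for GET .../Users with the filter query parameter percent-encoded."""
    return SCIM_BASE + "Users?" + urlencode({"filter": filter_expr})


def create_user_request(token: str, resource: dict) -> dict:
    """Describe the POST .../Users request (method, url, headers, body) without sending it."""
    return {"method": "POST", "url": SCIM_BASE + "Users",
            "headers": auth_headers(token), "body": json.dumps(resource)}


if __name__ == "__main__":
    # Constructed sample user; the password is shown here only to demonstrate redaction.
    user = build_user("jdoe", "Jane", "Doe", "jane@example.com", "ext-42",
                      send_invitation=False, password="s3cret")
    print(json.dumps(redact_for_log(user), indent=2))
    print(list_users_url(scim_filter("externalId", "ext-42")))
```

Look up an existing user by externalId (the filter URL above) before creating, so a re-run of the provisioning client does not produce duplicate userName conflicts; log only the redacted body, because the plain password is accepted once on create and never exposed again by the endpoint.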
Example user resource
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:schwarz:params:scim:schemas:extension:notifications:2.0:User"
  ],
  "externalId": "scimUser",
  "urn:schwarz:params:scim:schemas:extension:notifications:2.0:User": {
    "sendInvitation": true
  },
  "userName": "username",
  "active": true,
  "name": {
    "familyName": "Scim",
    "givenName": "User"
  },
  "displayName": "display",
  "password": "plain password",
  "nickName": "nick",
  "preferredLanguage": "en",
  "emails": [
    {
      "type": "work",
      "primary": true,
      "value": "scim@example.com"
    }
  ]
}
Group resource
The group resource supports the default urn:ietf:params:scim:schemas:core:2.0:Group SCIM schema.
This resource lets you use multiple Add and Remove operations with the PATCH method on the members field. This makes it easy to add or remove user memberships in a group.
You can find more details in the Group schema documentation.
Example group resource
{
  "externalId": "externalID",
  "displayName": "Group name",
  "members": [
    {
      "value": "userID"
    }
  ]
}
Synchronization behavior
Provisioning clients can list and synchronize configured resources once they are set up. However, when users authenticate through an external Identity Provider (IdP), resources may become inconsistent with the provisioning client. You’re responsible for making sure your synchronization strategy maintains data consistency.
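As an added example (not STACKIT's or this page's code), the Python below covers both the multi-operation PATCH on the group members field and the consistency responsibility described above: it compares what the IdP reports for users and groups against the state in your own directory and emits the request bodies needed to reconcile them, deactivating users who left rather than deleting them. The sample users, groups and externalId values are constructed; the PatchOp URN and the members[value eq "..."] removal path are from RFC 7644; the function names are assumptions of the example. Users in the IdP that carry no externalId (for instance accounts that only ever authenticated through an external IdP) are deliberately left untouched.

```python
from typing import Dict, Iterable, List, Set

# URNs from RFC 7644 / the page
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample data (not from the page). CURRENT_* stands for what a
# GET /Users and GET /Groups listing returned; DESIRED_* is your directory's
# view, keyed by the externalId you assigned when provisioning.
CURRENT_USERS = [
    {"id": "u-1", "externalId": "ad-100", "userName": "alice", "active": True},
    {"id": "u-2", "externalId": "ad-200", "userName": "bob", "active": True},
    {"id": "u-3", "externalId": "ad-300", "userName": "carol", "active": False},
    {"id": "u-9", "userName": "local-admin", "active": True},  # no externalId: not ours to manage
]
CURRENT_GROUPS = [
    {"id": "g-1", "displayName": "admins", "members": [{"value": "u-1"}, {"value": "u-2"}]},
]
DESIRED_USERS = {"ad-100": "alice", "ad-300": "carol", "ad-400": "dave"}  # bob left, carol returned, dave is new
DESIRED_GROUPS: Dict[str, Set[str]] = {"admins": {"ad-100", "ad-300", "ad-400"}}


def members_patch(add_ids: Iterable[str], remove_ids: Iterable[str]) -> dict:
    """One PATCH body carrying several add/remove operations on 'members'.
    Removal uses the RFC 7644 value-filter path so only that member is touched."""
    ops: List[dict] = []
    add = sorted(add_ids)
    if add:
        ops.append({"op": "add", "path": "members", "value": [{"value": i} for i in add]})
    for i in sorted(remove_ids):
        ops.append({"op": "remove", "path": f'members[value eq "{i}"]'})
    return {"schemas": [PATCH_OP], "Operations": ops}


def active_patch(active: bool) -> dict:
    """PATCH body that flips 'active'. Deactivating instead of deleting keeps the account
    and, as the page states, logs the user out and revokes their access tokens."""
    return {"schemas": [PATCH_OP], "Operations": [{"op": "replace", "path": "active", "value": active}]}


def plan_sync(desired_users: Dict[str, str], current_users: List[dict],
              desired_groups: Dict[str, Set[str]], current_groups: List[dict]) -> dict:
    """Compute the create / deactivate / reactivate / group-patch work for one sync run."""
    # Only users that carry our externalId are under the provisioning client's control.
    by_ext = {u["externalId"]: u for u in current_users if u.get("externalId")}
    plan: dict = {"create": [], "deactivate": [], "reactivate": [], "group_patches": {}, "pending_members": {}}

    for ext in sorted(desired_users):
        cur = by_ext.get(ext)
        if cur is None:
            plan["create"].append(ext)            # POST /Users with a full body
        elif not cur["active"]:
            plan["reactivate"].append(cur["id"])  # PATCH /Users/{id} with active_patch(True)
    for ext, cur in sorted(by_ext.items()):
        if ext not in desired_users and cur["active"]:
            plan["deactivate"].append(cur["id"])  # PATCH /Users/{id} with active_patch(False)

    groups_by_name = {g["displayName"]: g for g in current_groups}
    for name, want_ext in sorted(desired_groups.items()):
        group = groups_by_name.get(name)
        if group is None:
            continue  # group creation is out of scope for this example
        want_ids: Set[str] = set()
        pending: List[str] = []
        for ext in sorted(want_ext):
            if ext in by_ext:
                want_ids.add(by_ext[ext]["id"])
            else:
                pending.append(ext)  # not yet created; add on the next run once it has an id
        have_ids = {m["value"] for m in group.get("members", [])}
        add, remove = want_ids - have_ids, have_ids - want_ids
        if add or remove:
            plan["group_patches"][group["id"]] = members_patch(add, remove)
        if pending:
            plan["pending_members"][name] = pending
    return plan


if __name__ == "__main__":
    import json
    print(json.dumps(plan_sync(DESIRED_USERS, CURRENT_USERS, DESIRED_GROUPS, CURRENT_GROUPS), indent=2))
```

Each entry in group_patches is sent as a single PATCH to /Groups/{id}, so a membership change that touches several users needs one round trip rather than a full PUT of the member list. Because the plan is computed from a fresh listing every run, an account that drifted (for example one that was deactivated or re-enabled outside the provisioning client) is brought back to the directory's state on the next run instead of accumulating as a silent inconsistency.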