This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Using the SCIM 2.0 REST APIs

The System for Cross-domain Identity Management (SCIM) is a specification that is designed to manage user identities in cloud-based applications and services in a standardized way to enable interoperability, security, and scalability. It is an emerging open standard which provides RESTful APIs for easier, cheaper, and faster way for creating, provisioning, and maintaining identities. The latest version SCIM 2.0 was released as IETF RFC in September 2015.

Prior to IS 5.4.0, SCIM 2.0 was supported as an external connector that could be plugged in to WSO2 Identity Server. From 5.4.0 onwards, SCIM 2.0 is supported OOTB with WSO2 IS.

Enabling SCIM 2.0
  1. Disable the SCIM 1.0 listener whereĀ orderId=90Ā by setting the enable parameter toĀ falseĀ in theĀ identity.xmlĀ file found in theĀ <IS_HOME>/repository/conf/identityĀ folder.Ā 
  2. Enable the SCIM 2.0 listener whereĀ orderid=93Ā by setting the enable parameter toĀ true.Ā 

    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.scim.common.listener.SCIMUserOperationListener" orderId="90" enable="false" />
    
    <!-- Enable the following SCIM2 event listener and disable the above SCIM event listener if SCIM2 is used. -->
    
    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener" name="org.wso2.carbon.identity.scim2.common.listener.SCIMUserOperationListener" orderId="93" enable="true" />

Tip: For sample cURL commands and more information on user and tenant management using SCIM 2.0 REST APIs, see theĀ REST API swagger docs for SCIM APIs.

The default permissions required to access each resource in SCIM 2.0 are given below.

EndpointHTTP MethodPermission
/scim2/Users
POST
/permission/admin/manage/identity/usermgt/create
/scim2/Users
GET
/permission/admin/manage/identity/usermgt/list
/scim2/Groups
POST
/permission/admin/manage/identity/rolemgt/create
/scim2/Groups
GET
/permission/admin/manage/identity/rolemgt/view
/scim2/Users/(.*)
GET
/permission/admin/manage/identity/usermgt/view
/scim2/Users/(.*)
PUT
/permission/admin/manage/identity/usermgt/update
/scim2/Users/(.*)
PATCH
/permission/admin/manage/identity/usermgt/update
/scim2/Users/(.*)
DELETE
/permission/admin/manage/identity/usermgt/delete
/scim2/Groups/(.*)
GET
/permission/admin/manage/identity/rolemgt/view
/scim2/Groups/(.*)
PUT
/permission/admin/manage/identity/rolemgt/update
/scim2/Groups/(.*)
PATCH
/permission/admin/manage/identity/rolemgt/update
/scim2/Groups/(.*)
DELETE
/permission/admin/manage/identity/rolemgt/delete
/scim2/Me
GET
/permission/admin/login
/scim2/Me
DELETE
/permission/admin/login
/scim2/Me
PUT
/permission/admin/login
/scim2/Me
PATCH
/permission/admin/login
/scim2/Me
POST
/permission/admin/manage/identity/usermgt/create
/scim2/ServiceProviderConfig
all-
/scim2/ResourceType
all-
/scim2/Bulk
all
/permission/admin/manage/identity/usermgt

More information about how to secure the REST APIs and configure authorization level can be found from Authenticating and Authorizing REST APIs