# REST API endpoints for SCIM

Use the REST API to control and manage GitHub organization members' access with SCIM.

> \[!NOTE]
> This operation allows you to provision access to an organization on GitHub Enterprise Cloud using SCIM. The operation is not available for use with Enterprise Managed Users. For more information about provisioning managed user accounts using SCIM, see [REST API endpoints for SCIM](/es/enterprise-cloud@latest/rest/enterprise-admin/scim).

## About SCIM

### SCIM provisioning for organizations

These endpoints are used by SCIM-enabled identity providers (IdPs) to automate provisioning of GitHub organization membership and are based on version 2.0 of the [SCIM standard](http://www.simplecloud.info/). IdPs should use the base URL `https://api.github.com/scim/v2/organizations/{org}/` for GitHub SCIM endpoints.

> \[!NOTE]
>
> * These endpoints are only available to individual organizations that use GitHub Enterprise Cloud with SAML SSO enabled. For more information about SCIM, see [About SCIM for organizations](/es/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations). For more information about authorizing a token for a SAML SSO organization, see [Authenticating to the REST API](/es/enterprise-cloud@latest/rest/overview/authenticating-to-the-rest-api).
> * These endpoints cannot be used with an enterprise account or with an organization with managed users.

### Authentication

You must authenticate as an owner of a GitHub organization to use these endpoints. The REST API expects an OAuth 2.0 bearer token (for example, a GitHub App user access token) to be included in the `Authorization` header. If you use a personal access token (classic) for authentication, it must have the `admin:org` scope and you must also authorize it for use with your SAML SSO organization.

### Mapping of SAML and SCIM attributes

To successfully link a GitHub user account to a SCIM identity in an organization, specific attributes from the identity provider's SAML response and from the SCIM API provisioning call must match for a given user.

#### Microsoft Entra ID for SAML

When using Entra ID (previously known as Azure AD) for SAML, the following SAML attribute and SCIM attribute must match.

| SAML attribute                                                  | Matching SCIM attribute |
| :-------------------------------------------------------------- | :---------------------- |
| `http://schemas.microsoft.com/identity/claims/objectidentifier` | `externalId`            |

#### Other IdPs for SAML

When using other IdPs for SAML, the following SAML claims and SCIM attributes must match.

| SAML attribute | Matching SCIM attribute |
| :------------- | :---------------------- |
| `NameID`       | `userName`              |

There are two different ways a GitHub user account can become linked to a SCIM identity in an organization when these SAML/SCIM attributes match:

1. For users who are not yet members of the organization:
   * The IdP sends a SCIM provisioning call to GitHub for a user who does not belong to any organization. This generates an invitation to the organization and creates an unlinked SCIM identity in the organization.
   * The user authenticates via SAML in the organization.
   * GitHub automatically links the SAML and SCIM identity to the new user account in the organization.

2. For existing organization members:
   * The IdP sends a SCIM provisioning call to GitHub for a user who is already a member of the organization.
   * If the organization member does not have a linked SAML identity in the organization, an organization invitation and an unlinked SCIM identity are generated in the organization. The user authenticates via SAML in the organization to link their SAML and SCIM identity.
   * If the organization member has a linked SAML identity in the organization, GitHub automatically links the SCIM identity to the existing user account in the organization. No organization invitation is created.

Ensuring that a user is properly linked to their SCIM identity in the organization can help avoid unexpected issues with SCIM deprovisioning when the user's access to the application is removed on the IdP side. For more information about auditing an organization's linked SCIM identities, see [Troubleshooting identity and access management for your organization](/es/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization#auditing-organization-members-on-github).
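
The attribute match described in this section can be checked offline when a user fails to link. The following is an added example, not part of GitHub's documentation: it reads a decoded SAML assertion and a SCIM provisioning body and compares the attribute pair from the tables above. The sample assertion and the `idp` labels `entra` and `other` are constructed for illustration, and exact string comparison is an assumption.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTRA_OBJECT_ID = "http://schemas.microsoft.com/identity/claims/objectidentifier"

# Constructed sample: a decoded assertion captured from a test login.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>mona.octocat@okta.example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Values from the provisioning request example on this page.
SAMPLE_SCIM_USER = {"userName": "mona.octocat@okta.example.com",
                    "externalId": "a7d0f98382"}


def _text(element):
    return element.text.strip() if element is not None and element.text else None


def saml_link_value(assertion_xml, idp):
    """Return the SAML value that has to equal the SCIM attribute for this IdP."""
    # Diagnostic only: no signature validation happens here, so feed it
    # assertions from your own IdP test logins, not untrusted input.
    root = ET.fromstring(assertion_xml)
    if idp == "entra":
        for attr in root.iterfind(".//saml:Attribute", SAML_NS):
            if attr.get("Name") == ENTRA_OBJECT_ID:
                return _text(attr.find("saml:AttributeValue", SAML_NS))
        return None
    return _text(root.find(".//saml:Subject/saml:NameID", SAML_NS))


def check_link(assertion_xml, scim_user, idp):
    """Compare the SAML value with the SCIM attribute the mapping tables name."""
    scim_attr = "externalId" if idp == "entra" else "userName"
    saml_value = saml_link_value(assertion_xml, idp)
    scim_value = scim_user.get(scim_attr)
    return {
        "scim_attribute": scim_attr,
        "saml_value": saml_value,
        "scim_value": scim_value,
        # Assumption: exact comparison; the page does not state case rules.
        "match": saml_value is not None and saml_value == scim_value,
    }


if __name__ == "__main__":
    for idp in ("other", "entra"):
        print(idp, check_link(SAMPLE_ASSERTION, SAMPLE_SCIM_USER, idp))
```

In the constructed sample the `NameID`/`userName` pair matches, while the Entra pair does not because the provisioned `externalId` differs from the object identifier claim.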

### Supported SCIM user attributes

| Name              | Type      | Description |
| ----------------- | --------- | ----------- |
| `userName`        | `string`  | The username for the user. |
| `name.givenName`  | `string`  | The first name of the user. |
| `name.familyName` | `string`  | The last name of the user. |
| `emails`          | `array`   | List of the user's emails. |
| `externalId`      | `string`  | This identifier is generated by the SAML provider, and is used as a unique ID by the SAML provider to match against a GitHub user. You can find the `externalId` for a user either at the SAML provider, or by using the [List SCIM provisioned identities](#list-scim-provisioned-identities) endpoint and filtering on other known attributes, such as a user's GitHub username or email address. |
| `id`              | `string`  | Identifier generated by the GitHub SCIM endpoint. |
| `active`          | `boolean` | Used to indicate whether the identity is active (`true`) or should be deprovisioned (`false`). |

> \[!NOTE]
> These endpoints are case-sensitive. For example, the first letter in the `Users` endpoint must be capitalized:
>
> ```shell
> GET /scim/v2/organizations/{org}/Users/{scim_user_id}
> ```

> \[!NOTE]
> Most endpoints use `Authorization: Bearer <YOUR-TOKEN>` and `Accept: application/vnd.github+json` headers, plus `X-GitHub-Api-Version: 2022-11-28`. Curl examples below omit these standard headers for brevity.

## List SCIM provisioned identities

```
GET /scim/v2/organizations/{org}/Users
```

Retrieves a paginated list of all provisioned organization members, including pending invitations. If you provide the `filter` parameter, the resources for all matching provisioned members are returned.

The list of SCIM provisioned identities returned from GitHub Enterprise Cloud might not always match the organization or enterprise member list. Here is why that can occur:

* When an organization invitation is generated by a SCIM integration, this creates an unlinked SCIM identity in the organization. When a user logs into their GitHub user account, visits the organization, and successfully authenticates via SAML, they get added as an organization member and linked to their SAML/SCIM identity in the organization. If the user does not do this, the SCIM identity will remain in the organization, not linked to any organization member.
* A user's organization membership (inviting and removing a user to/from the organization) should only be managed by a SCIM integration when this is configured for a GitHub organization. If a GitHub user who has a linked SCIM identity is removed from the organization using the GitHub UI or non-SCIM API, as opposed to the SCIM integration, this can leave behind a stale SAML/SCIM identity in the organization for the user.

### Parameters

#### Headers

* **`accept`** (string)
  Setting to `application/vnd.github+json` is recommended.

#### Path and query parameters

* **`org`** (string) (required)
  The organization name. The name is not case sensitive.

* **`startIndex`** (integer)
  Used for pagination: the index of the first result to return.

* **`count`** (integer)
  Used for pagination: the number of results to return.

* **`filter`** (string)
  Filters results using the equals query parameter operator (`eq`). You can filter results that are equal to `id`, `userName`, `emails`, and `externalId`. For example, to search for an identity with the `userName` Octocat, you would use this query: `?filter=userName%20eq%20"Octocat"`. To filter results for the identity with the email `octocat@github.com`, you would use this query: `?filter=emails%20eq%20"octocat@github.com"`.

### HTTP response status codes

* **200** - OK

* **304** - Not modified

* **400** - Bad request

* **403** - Forbidden

* **404** - Resource not found

* **429** - Too many requests

### Code examples

#### Example 1: Status Code 200

**Request:**

```curl
curl -L \
  -X GET \
  https://api.github.com/scim/v2/organizations/ORG/Users
```

**Response schema (Status: 200):**

* `schemas`: required, array of string
* `totalResults`: required, integer
* `itemsPerPage`: required, integer
* `startIndex`: required, integer
* `Resources`: required, array of `SCIM /Users`:
  * `schemas`: required, array of string
  * `id`: required, string
  * `externalId`: string or null
  * `userName`: string or null
  * `displayName`: string or null
  * `name`: object:
    * `givenName`: string or null
    * `familyName`: string or null
    * `formatted`: string or null
  * `emails`: required, array of objects:
    * `value`: required, string
    * `primary`: boolean
    * `type`: string
  * `active`: required, boolean
  * `meta`: required, object:
    * `resourceType`: string
    * `created`: string, format: date-time
    * `lastModified`: string, format: date-time
    * `location`: string, format: uri
  * `organization_id`: integer
  * `operations`: array of objects:
    * `op`: required, string, enum: `add`, `remove`, `replace`
    * `path`: string
    * `value`: one of:
      * **string**
      * **object**
      * **array**
  * `groups`: array of objects:
    * `value`: string
    * `display`: string
  * `roles`: array of objects:
    * `value`: string
    * `primary`: boolean
    * `type`: string
    * `display`: string
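
Paging through this endpoint and building the `filter` query can be scripted as follows. This is an added example, not part of GitHub's documentation: `fetch` is a hypothetical callable that performs the authenticated `GET` and returns the parsed JSON body, and `make_fake_fetch` with `SAMPLE_USERS` is a constructed offline stand-in. The 1-based `startIndex` follows SCIM 2.0 (RFC 7644).

```python
import re
from urllib.parse import parse_qs, quote, urlparse

FILTERABLE = {"id", "userName", "emails", "externalId"}  # attributes this page lists


def list_path(org, start_index=1, count=100, attr=None, value=None):
    """Build the path and query for GET /scim/v2/organizations/{org}/Users."""
    query = f"startIndex={start_index}&count={count}"
    if attr is not None:
        if attr not in FILTERABLE:
            raise ValueError(f"filter on {attr!r} is not supported")
        if not isinstance(value, str) or '"' in value or "\\" in value:
            # Keep the value from closing the quoted string and altering the filter.
            raise ValueError("filter value must be a string without quotes or backslashes")
        query += "&filter=" + quote(f'{attr} eq "{value}"', safe="")
    return f"/scim/v2/organizations/{quote(org, safe='')}/Users?{query}"


def iter_identities(fetch, org, count=100, attr=None, value=None):
    """Yield every SCIM resource, advancing startIndex until totalResults is reached."""
    start = 1  # SCIM 2.0 (RFC 7644) indexes results from 1
    while True:
        page = fetch(list_path(org, start, count, attr, value))
        resources = page.get("Resources") or []
        yield from resources
        start += len(resources)
        if not resources or start > page["totalResults"]:
            return


def find_external_ids(fetch, org, attr, value):
    """Look up externalId by another known attribute, as the attribute table suggests."""
    return [r.get("externalId") for r in iter_identities(fetch, org, attr=attr, value=value)]


def make_fake_fetch(users):
    """Offline stand-in for the HTTP call (constructed; not GitHub's server logic)."""
    def fetch(path):
        q = parse_qs(urlparse(path).query)
        matched = users
        if "filter" in q:
            attr, value = re.fullmatch(r'(\w+) eq "(.*)"', q["filter"][0]).groups()
            if attr == "emails":
                matched = [u for u in users if any(e["value"] == value for e in u["emails"])]
            else:
                matched = [u for u in users if u.get(attr) == value]
        start, count = int(q["startIndex"][0]), int(q["count"][0])
        chunk = matched[start - 1:start - 1 + count]
        return {"totalResults": len(matched), "itemsPerPage": len(chunk),
                "startIndex": start, "Resources": chunk}
    return fetch


# Constructed sample identities (values are illustrative only).
SAMPLE_USERS = [
    {"id": f"scim-{n}", "externalId": f"ext-{n}", "userName": f"user{n}@example.com",
     "emails": [{"value": f"user{n}@example.com", "primary": True}], "active": True}
    for n in range(1, 6)
]

if __name__ == "__main__":
    fake = make_fake_fetch(SAMPLE_USERS)
    print(list_path("ORG", attr="userName", value="Octocat"))
    print(len(list(iter_identities(fake, "ORG", count=2))))
    print(find_external_ids(fake, "ORG", "emails", "user3@example.com"))
```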

## Provision and invite a SCIM user

```
POST /scim/v2/organizations/{org}/Users
```

Provisions organization membership for a user, and sends an activation email to the email address. If the user was previously a member of the organization, the invitation will reinstate any former privileges that the user had. For more information about reinstating former members, see "Reinstating a former member of your organization."

### Parameters

#### Headers

* **`accept`** (string)
  Setting to `application/vnd.github+json` is recommended.

#### Path and query parameters

* **`org`** (string) (required)
  The organization name. The name is not case sensitive.

#### Body parameters

* **`userName`** (string) (required)
  Configured by the admin. Could be an email, login, or username.

* **`displayName`** (string)
  The name of the user, suitable for display to end-users.

* **`name`** (object) (required)
  * **`givenName`** (string) (required)
  * **`familyName`** (string) (required)
  * **`formatted`** (string)

* **`emails`** (array of objects) (required)
  The user's email addresses.
  * **`value`** (string) (required)
  * **`primary`** (boolean)
  * **`type`** (string)

* **`schemas`** (array of strings)

* **`externalId`** (string)

* **`groups`** (array of strings)

* **`active`** (boolean)

### HTTP response status codes

* **201** - Created

* **304** - Not modified

* **400** - Bad request

* **403** - Forbidden

* **404** - Resource not found

* **409** - Conflict

* **500** - Internal server error

### Code examples

#### Example

**Request:**

```curl
curl -L \
  -X POST \
  https://api.github.com/scim/v2/organizations/ORG/Users \
  -d '{
  "userName": "mona.octocat@okta.example.com",
  "externalId": "a7d0f98382",
  "name": {
    "givenName": "Monalisa",
    "familyName": "Octocat",
    "formatted": "Monalisa Octocat"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "primary": true
    },
    {
      "value": "monalisa@octocat.github.com"
    }
  ]
}'
```

**Response schema (Status: 201):**

* `schemas`: required, array of string
* `id`: required, string
* `externalId`: string or null
* `userName`: string or null
* `displayName`: string or null
* `name`: object:
  * `givenName`: string or null
  * `familyName`: string or null
  * `formatted`: string or null
* `emails`: required, array of objects:
  * `value`: required, string
  * `primary`: boolean
  * `type`: string
* `active`: required, boolean
* `meta`: required, object:
  * `resourceType`: string
  * `created`: string, format: date-time
  * `lastModified`: string, format: date-time
  * `location`: string, format: uri
* `organization_id`: integer
* `operations`: array of objects:
  * `op`: required, string, enum: `add`, `remove`, `replace`
  * `path`: string
  * `value`: one of:
    * **string**
    * **object**
    * **array**
* `groups`: array of objects:
  * `value`: string
  * `display`: string
* `roles`: array of objects:
  * `value`: string
  * `primary`: boolean
  * `type`: string
  * `display`: string

## Get SCIM provisioning information for a user

```
GET /scim/v2/organizations/{org}/Users/{scim_user_id}
```

Gets SCIM provisioning information for a user.

### Parameters

#### Headers

* **`accept`** (string)
  Setting to `application/vnd.github+json` is recommended.

#### Path and query parameters

* **`org`** (string) (required)
  The organization name. The name is not case sensitive.

* **`scim_user_id`** (string) (required)
  The unique identifier of the SCIM user.

### HTTP response status codes

* **200** - OK

* **304** - Not modified

* **403** - Forbidden

* **404** - Resource not found

### Code examples

#### Example

**Request:**

```curl
curl -L \
  -X GET \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID
```

**Response schema (Status: 200):**

Same response schema as [Provision and invite a SCIM user](#provision-and-invite-a-scim-user).

## Update a provisioned organization membership

```
PUT /scim/v2/organizations/{org}/Users/{scim_user_id}
```

Replaces an existing provisioned user's information. You must provide all the information required for the user as if you were provisioning them for the first time. Any existing user information that you don't provide will be removed. If you want to only update a specific attribute, use the [Update an attribute for a SCIM user](#update-an-attribute-for-a-scim-user) endpoint instead.

You must at least provide the required values for the user: `userName`, `name`, and `emails`.

> \[!WARNING]
> Setting `active: false` removes the user from the organization, deletes the external identity, and deletes the associated `{scim_user_id}`.

### Parameters

#### Headers

* **`accept`** (string)
  Setting to `application/vnd.github+json` is recommended.

#### Path and query parameters

* **`org`** (string) (required)
  The organization name. The name is not case sensitive.

* **`scim_user_id`** (string) (required)
  The unique identifier of the SCIM user.

#### Body parameters

* **`schemas`** (array of strings)

* **`displayName`** (string)
  The name of the user, suitable for display to end-users.

* **`externalId`** (string)

* **`groups`** (array of strings)

* **`active`** (boolean)

* **`userName`** (string) (required)
  Configured by the admin. Could be an email, login, or username.

* **`name`** (object) (required)
  * **`givenName`** (string) (required)
  * **`familyName`** (string) (required)
  * **`formatted`** (string)

* **`emails`** (array of objects) (required)
  The user's email addresses.
  * **`type`** (string)
  * **`value`** (string) (required)
  * **`primary`** (boolean)

### HTTP response status codes

* **200** - OK

* **304** - Not modified

* **403** - Forbidden

* **404** - Resource not found

### Code examples

#### Example

**Request:**

```curl
curl -L \
  -X PUT \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
  -d '{
  "userName": "mona.octocat@okta.example.com",
  "externalId": "a7d0f98382",
  "name": {
    "givenName": "Monalisa",
    "familyName": "Octocat",
    "formatted": "Monalisa Octocat"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "primary": true
    }
  ]
}'
```

**Response schema (Status: 200):**

Same response schema as [Provision and invite a SCIM user](#provision-and-invite-a-scim-user).

## Update an attribute for a SCIM user

```
PATCH /scim/v2/organizations/{org}/Users/{scim_user_id}
```

Allows you to change a provisioned user's individual attributes. To change a user's values, you must provide a specific `Operations` JSON format that contains at least one of the `add`, `remove`, or `replace` operations. For examples and more information on the SCIM operations format, see the SCIM specification.

> \[!NOTE]
> Complicated SCIM `path` selectors that include filters are not supported. For example, a path selector defined as `"path": "emails[type eq \"work\"]"` will not work.

> \[!WARNING]
> If you set `active:false` using the `replace` operation (as shown in the JSON example below), it removes the user from the organization, deletes the external identity, and deletes the associated `:scim_user_id`.
>
> ```json
> {
>   "Operations": [{
>     "op": "replace",
>     "value": {
>       "active": false
>     }
>   }]
> }
> ```
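
Because both `PUT` and `PATCH` can deprovision a user, and `PUT` removes any attribute left out, a provisioning script can review each body before sending it. The following is an added example, not part of GitHub's documentation or API: `review_patch`, `review_put`, and `gate` are hypothetical helper names, and treating `"path": "active"` as equivalent to the value-object form is an assumption.

```python
VALID_OPS = {"add", "remove", "replace"}
# Body parameters this page lists; id, meta and organization_id are set by the server.
WRITABLE = {"schemas", "userName", "displayName", "name", "emails", "externalId", "groups", "active"}


def _is_false(value):
    return value is False or (isinstance(value, str) and value.lower() == "false")


def review_patch(body):
    """Return (errors, deprovisions) for a PATCH Operations body."""
    ops = body.get("Operations")
    if not isinstance(ops, list) or not ops:
        return ["Operations must contain at least one operation"], False
    errors, deprovisions = [], False
    for i, op in enumerate(ops):
        if not isinstance(op, dict) or op.get("op") not in VALID_OPS:
            errors.append(f"Operations[{i}]: op must be add, remove, or replace")
            continue
        path, value = op.get("path"), op.get("value")
        if isinstance(path, str) and "[" in path:
            errors.append(f"Operations[{i}]: filtered path {path!r} is not supported")
        if op["op"] == "replace":
            # Form shown on this page: "value": {"active": false}
            in_value = isinstance(value, dict) and _is_false(value.get("active"))
            # Assumption: the SCIM form "path": "active", "value": false is equivalent.
            in_path = path == "active" and _is_false(value)
            deprovisions = deprovisions or in_value or in_path
    return errors, deprovisions


def review_put(body, current=None):
    """Return (errors, deprovisions, dropped) for a full-replacement PUT body."""
    errors = []
    if not body.get("userName"):
        errors.append("userName is required")
    name = body.get("name") if isinstance(body.get("name"), dict) else {}
    for key in ("givenName", "familyName"):
        if not name.get(key):
            errors.append(f"name.{key} is required")
    emails = body.get("emails")
    if not isinstance(emails, list) or not emails:
        errors.append("emails is required")
    elif not all(isinstance(e, dict) and e.get("value") for e in emails):
        errors.append("every emails entry needs a value")
    # PUT removes whatever is omitted: list attributes the current record (from GET)
    # carries that the replacement body leaves out.
    dropped = sorted(k for k in (current or {}) if k in WRITABLE and k not in body)
    return errors, _is_false(body.get("active")), dropped


def gate(method, body, current=None, allow_deprovision=False):
    """Decide whether an outgoing PUT or PATCH body should be sent."""
    if method == "PATCH":
        (errors, deprovisions), dropped = review_patch(body), []
    elif method == "PUT":
        errors, deprovisions, dropped = review_put(body, current)
    else:
        raise ValueError("method must be PUT or PATCH")
    if deprovisions and not allow_deprovision:
        errors.append("active:false removes the user and deletes the external "
                      "identity; confirm with allow_deprovision=True")
    return {"send": not errors, "errors": errors, "deprovisions": deprovisions, "dropped": dropped}


# PATCH bodies based on this page: the displayName example, the active:false warning,
# and the filtered path selector the note calls unsupported ("x" is a constructed value).
RENAME = {"Operations": [{"op": "replace", "value": {"displayName": "Octocat"}}]}
DEPROVISION = {"Operations": [{"op": "replace", "value": {"active": False}}]}
FILTERED = {"Operations": [{"op": "replace", "path": 'emails[type eq "work"]', "value": "x"}]}

if __name__ == "__main__":
    for sample in (RENAME, DEPROVISION, FILTERED):
        print(gate("PATCH", sample))
```

For `PUT`, pass the resource returned by the `GET` endpoint as `current` so that `dropped` lists the attributes the replacement would remove.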

### Parameters

#### Headers

* **`accept`** (string)
  Setting to `application/vnd.github+json` is recommended.

#### Path and query parameters

* **`org`** (string) (required)
  The organization name. The name is not case sensitive.

* **`scim_user_id`** (string) (required)
  The unique identifier of the SCIM user.

#### Body parameters

* **`schemas`** (array of strings)

* **`Operations`** (array of objects) (required)
  Set of operations to be performed
  * **`op`** (string) (required)
    Can be one of: `add`, `remove`, `replace`
  * **`path`** (string)
  * **`value`** (object or array or string)

### HTTP response status codes

* **200** - OK

* **304** - Not modified

* **400** - Bad request

* **403** - Forbidden

* **404** - Resource not found

* **429** - Too many requests

### Code examples

#### Example

**Request:**

```curl
curl -L \
  -X PATCH \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
  -d '{
  "Operations": [
    {
      "op": "replace",
      "value": {
        "displayName": "Octocat"
      }
    }
  ]
}'
```

**Response schema (Status: 200):**

Same response schema as [Provision and invite a SCIM user](#provision-and-invite-a-scim-user).

## Delete a SCIM user from an organization

```
DELETE /scim/v2/organizations/{org}/Users/{scim_user_id}
```

Deletes a SCIM user from an organization.

### Parameters

#### Headers

* **`accept`** (string)
  Setting to `application/vnd.github+json` is recommended.

#### Path and query parameters

* **`org`** (string) (required)
  The organization name. The name is not case sensitive.

* **`scim_user_id`** (string) (required)
  The unique identifier of the SCIM user.

### HTTP response status codes

* **204** - No Content

* **304** - Not modified

* **403** - Forbidden

* **404** - Resource not found

### Code examples

#### Example

**Request:**

```curl
curl -L \
  -X DELETE \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID
```

**Response schema (Status: 204):**