# Points de terminaison d’API REST pour SCIM Utilisez l'API REST pour contrôler et gérer l'accès des membres de votre organisation GitHub avec SCIM. > \[!NOTE] > Cette opération vous permet de provisionner l’accès à une organisation sur GitHub Enterprise Cloud à l’aide de SCIM. L’opération n’est pas disponible pour une utilisation avec Enterprise Managed Users. Pour plus d’informations sur l’approvisionnement de comptes d’utilisateur managés à l’aide de SCIM, consultez [Points de terminaison d’API REST pour SCIM](/fr/enterprise-cloud@latest/rest/enterprise-admin/scim). ## À propos de SCIM ### Approvisionnement de SCIM pour les organisations Ces points de terminaison sont utilisés par les fournisseurs d’identité prenant en charge SCIM pour automatiser l’approvisionnement de l’appartenance à l’organisation GitHub et sont basés sur la version 2.0 de la [norme SCIM](http://www.simplecloud.info/). Les IdPs doivent utiliser l'URL de base `https://api.github.com/scim/v2/organizations/{org}/` pour les endpoints SCIM GitHub. > \[!NOTE] > > * Ces points de terminaison sont disponibles uniquement pour les organisations individuelles qui utilisent GitHub Enterprise Cloud l’authentification unique SAML activée. Pour plus d’informations sur SCIM, consultez [À propos de SCIM pour les organisations](/fr/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations). Pour plus d’informations sur l’autorisation d’un jeton dans une organisation avec authentification unique SAML, consultez [Authentification auprès de l’API REST](/fr/enterprise-cloud@latest/rest/overview/authenticating-to-the-rest-api). > * Ces points de terminaison ne peuvent pas être utilisés avec un compte d’entreprise ou avec un organisation avec utilisateurs managés. ### Authentification Vous devez vous authentifier en tant que propriétaire d’une GitHub organisation pour utiliser ces points de terminaison. L’API REST s’attend à ce qu’un jeton du porteur OAuth 2.0 (par exemple, un GitHub App jeton d’accès utilisateur) soit inclus dans l’en-tête `Authorization` . Si vous utilisez un personal access token (classic) pour l'authentification, il doit avoir le scope `admin:org` et vous devez également [l'autoriser à être utilisé avec votre organisation SAML SSO](/fr/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on). ### Correspondance des attributs SAML et SCIM Pour lier un compte d’utilisateur GitHub à une identité SCIM dans une organisation, des attributs spécifiques de la réponse SAML de votre fournisseur d’identité et de l’appel d’approvisionnement d’API SCIM doivent correspondre pour un utilisateur. #### Microsoft Entra ID pour SAML Lors de l’utilisation de l’ID Entra (précédemment appelé Azure AD) pour SAML, l’attribut SAML et l’attribut SCIM suivants doivent correspondre. | Attribut SAML | Attribut SCIM correspondant | | :-------------------------------------------------------------- | :-------------------------- | | `http://schemas.microsoft.com/identity/claims/objectidentifier` | `externalId` | #### Autres fournisseurs d’identité pour SAML Lors de l’utilisation d’autres fournisseurs d’identité pour SAML, les déclarations SAML et l’attribut SCIM suivant doivent correspondre. | Attribut SAML | Attribut SCIM correspondant | | :------------ | :-------------------------- | | `NameID` | `userName` | Il existe deux façons différentes pour un GitHub compte d’utilisateur d’être lié à une identité SCIM dans une organisation lorsque ces attributs SAML/SCIM correspondent : 1. Pour les utilisateurs qui ne sont pas encore membres de l’organisation : * Le fournisseur d’identité envoie un appel d’approvisionnement SCIM pour GitHub, concernant un utilisateur qui n’est pas membre d’une organisation. Cela génère une invitation à rejoindre l’organisation et une identité SCIM non liée dans l’organisation. * L’utilisateur s’authentifie via SAML dans l’organisation. * GitHub lie automatiquement l’identité SAML et SCIM au nouveau compte d’utilisateur de l’organisation. 2. Pour les membres de l’organisation existants : * Le fournisseur d’identité envoie un appel de provisionnement SCIM à GitHub pour un utilisateur qui est déjà membre de l’organisation. * Si le membre de l’organisation ne dispose pas d’une identité SAML liée dans l’organisation, cela génère une invitation de l’organisation et une identité SCIM non liée dans l’organisation. L’utilisateur s’authentifie via SAML dans l’organisation pour lier son identité SAML et SCIM. * Si le membre de l’organisation a une identité SAML liée dans l’organisation, GitHub lie automatiquement l’identité SCIM au compte d’utilisateur existant de l’organisation. Aucune invitation d'organisation n'a été créée. S’assurer qu’un utilisateur est correctement lié à son identité SCIM dans l’organisation peut aider à prévenir les problèmes inattendus de déprovisionnement SCIM lorsque l'accès de l'utilisateur à l'application est supprimé côté IdP. Pour plus d'informations sur l’audit des identités SCIM liées dans une organisation, consultez [Dépannage de la gestion des identités et des accès pour votre organisation](/fr/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization#auditing-organization-members-on-github) ### Attributs utilisateur SCIM pris en charge | Nom | Type | Description | | ----------------- | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `userName` | `string` | Nom d’utilisateur de l’utilisateur. | | `name.givenName` | `string` | Prénom de l’utilisateur. | | `name.familyName` | `string` | Nom de l’utilisateur. | | `emails` | `array` | Liste des e-mails de l’utilisateur. | | `externalId` | `string` | Cet identificateur est généré par le fournisseur SAML et est utilisé comme ID unique par le fournisseur SAML pour correspondre à un utilisateur GitHub. Vous pouvez trouver le `externalID` pour un utilisateur soit chez le fournisseur SAML, soit en utilisant le point de terminaison [List SCIM provisioned identities](#list-scim-provisioned-identities) et en filtrant sur d'autres attributs connus, tels que le nom d'utilisateur GitHub ou l'adresse e-mail d'un utilisateur. | | `id` | `string` | Identificateur généré par le point de terminaison SCIM GitHub. | | `active` | `boolean` | Utilisé pour indiquer si l’identité est active (vrai) ou doit être désactivée (faux). | > \[!NOTE] > Ces points de terminaison respectent la casse. Par exemple, la première lettre du point de terminaison `Users` doit être en majuscule : > > ```shell > GET /scim/v2/organizations/{org}/Users/{scim_user_id} > ``` > \[!NOTE] > Most endpoints use `Authorization: Bearer ` and `Accept: application/vnd.github+json` headers, plus `X-GitHub-Api-Version: 2022-11-28`. Curl examples below omit these standard headers for brevity. ## List SCIM provisioned identities ``` GET /scim/v2/organizations/{org}/Users ``` Retrieves a paginated list of all provisioned organization members, including pending invitations. If you provide the filter parameter, the resources for all matching provisions members are returned. The returned list of SCIM provisioned identities from the GitHub Enterprise Cloud might not always match the organization or enterprise member list. Here is why that can occur: When an organization invitation is generated by a SCIM integration, this creates an unlinked SCIM identity in the organization. When a user logs into their GitHub user account, visits the organization, and successfully authenticates via SAML, they get added as an organization member and linked to their SAML/SCIM identity in the organization. If the user does not do this, the SCIM identity will remain in the organization, not linked to any organization member. A user's organization membership (inviting and removing a user to/from the organization) should only be managed by a SCIM integration when this is configured for a GitHub organization. If a GitHub user who has a linked SCIM identity is removed from the organization using the GitHub UI or non-SCIM API, as opposed to the SCIM integration, this can leave behind a stale SAML/SCIM identity in the organization for the user. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`org`** (string) (required) The organization name. The name is not case sensitive. * **`startIndex`** (integer) Used for pagination: the index of the first result to return. * **`count`** (integer) Used for pagination: the number of results to return. * **`filter`** (string) Filters results using the equals query parameter operator (eq). You can filter results that are equal to id, userName, emails, and externalId. For example, to search for an identity with the userName Octocat, you would use this query: ?filter=userName%20eq%20"Octocat". To filter results for the identity with the email , you would use this query: ?filter=emails%20eq%20"". ### HTTP response status codes * **200** - OK * **304** - Not modified * **400** - Bad request * **403** - Forbidden * **404** - Resource not found * **429** - Too many requests ### Code examples #### Example 1: Status Code 200 **Request:** ```curl curl -L \ -X GET \ https://api.github.com/scim/v2/organizations/ORG/Users ``` **Response schema (Status: 200):** * `schemas`: required, array of string * `totalResults`: required, integer * `itemsPerPage`: required, integer * `startIndex`: required, integer * `Resources`: required, array of `SCIM /Users`: * `schemas`: required, array of string * `id`: required, string * `externalId`: string or null * `userName`: string or null * `displayName`: string or null * `name`: object: * `givenName`: string or null * `familyName`: string or null * `formatted`: string or null * `emails`: required, array of objects: * `value`: required, string * `primary`: boolean * `type`: string * `active`: required, boolean * `meta`: required, object: * `resourceType`: string * `created`: string, format: date-time * `lastModified`: string, format: date-time * `location`: string, format: uri * `organization_id`: integer * `operations`: array of objects: * `op`: required, string, enum: `add`, `remove`, `replace` * `path`: string * `value`: one of: * **string** * **object** * **array** * `groups`: array of objects: * `value`: string * `display`: string * `roles`: array of objects: * `value`: string * `primary`: boolean * `type`: string * `display`: string #### Example 2: Status Code 200 **Request:** ```curl curl -L \ -X GET \ https://api.github.com/scim/v2/organizations/ORG/Users ``` **Response schema (Status: 200):** * `schemas`: required, array of string * `totalResults`: required, integer * `itemsPerPage`: required, integer * `startIndex`: required, integer * `Resources`: required, array of `SCIM /Users`: * `schemas`: required, array of string * `id`: required, string * `externalId`: string or null * `userName`: string or null * `displayName`: string or null * `name`: object: * `givenName`: string or null * `familyName`: string or null * `formatted`: string or null * `emails`: required, array of objects: * `value`: required, string * `primary`: boolean * `type`: string * `active`: required, boolean * `meta`: required, object: * `resourceType`: string * `created`: string, format: date-time * `lastModified`: string, format: date-time * `location`: string, format: uri * `organization_id`: integer * `operations`: array of objects: * `op`: required, string, enum: `add`, `remove`, `replace` * `path`: string * `value`: one of: * **string** * **object** * **array** * `groups`: array of objects: * `value`: string * `display`: string * `roles`: array of objects: * `value`: string * `primary`: boolean * `type`: string * `display`: string ## Provision and invite a SCIM user ``` POST /scim/v2/organizations/{org}/Users ``` Provisions organization membership for a user, and sends an activation email to the email address. If the user was previously a member of the organization, the invitation will reinstate any former privileges that the user had. For more information about reinstating former members, see "Reinstating a former member of your organization." ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`org`** (string) (required) The organization name. The name is not case sensitive. #### Body parameters * **`userName`** (string) (required) Configured by the admin. Could be an email, login, or username * **`displayName`** (string) The name of the user, suitable for display to end-users * **`name`** (object) (required) * **`givenName`** (string) (required) * **`familyName`** (string) (required) * **`formatted`** (string) * **`emails`** (array of objects) (required) user emails * **`value`** (string) (required) * **`primary`** (boolean) * **`type`** (string) * **`schemas`** (array of strings) * **`externalId`** (string) * **`groups`** (array of strings) * **`active`** (boolean) ### HTTP response status codes * **201** - Created * **304** - Not modified * **400** - Bad request * **403** - Forbidden * **404** - Resource not found * **409** - Conflict * **500** - Internal server error ### Code examples #### Example **Request:** ```curl curl -L \ -X POST \ https://api.github.com/scim/v2/organizations/ORG/Users \ -d '{ "userName": "mona.octocat@okta.example.com", "externalId": "a7d0f98382", "name": { "givenName": "Monalisa", "familyName": "Octocat", "formatted": "Monalisa Octocat" }, "emails": [ { "value": "mona.octocat@okta.example.com", "primary": true }, { "value": "monalisa@octocat.github.com" } ] }' ``` **Response schema (Status: 201):** * `schemas`: required, array of string * `id`: required, string * `externalId`: string or null * `userName`: string or null * `displayName`: string or null * `name`: object: * `givenName`: string or null * `familyName`: string or null * `formatted`: string or null * `emails`: required, array of objects: * `value`: required, string * `primary`: boolean * `type`: string * `active`: required, boolean * `meta`: required, object: * `resourceType`: string * `created`: string, format: date-time * `lastModified`: string, format: date-time * `location`: string, format: uri * `organization_id`: integer * `operations`: array of objects: * `op`: required, string, enum: `add`, `remove`, `replace` * `path`: string * `value`: one of: * **string** * **object** * **array** * `groups`: array of objects: * `value`: string * `display`: string * `roles`: array of objects: * `value`: string * `primary`: boolean * `type`: string * `display`: string ## Get SCIM provisioning information for a user ``` GET /scim/v2/organizations/{org}/Users/{scim_user_id} ``` Gets SCIM provisioning information for a user. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`org`** (string) (required) The organization name. The name is not case sensitive. * **`scim_user_id`** (string) (required) The unique identifier of the SCIM user. ### HTTP response status codes * **200** - OK * **304** - Not modified * **403** - Forbidden * **404** - Resource not found ### Code examples #### Example **Request:** ```curl curl -L \ -X GET \ https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID ``` **Response schema (Status: 200):** Same response schema as [Provision and invite a SCIM user](#provision-and-invite-a-scim-user). ## Update a provisioned organization membership ``` PUT /scim/v2/organizations/{org}/Users/{scim_user_id} ``` Replaces an existing provisioned user's information. You must provide all the information required for the user as if you were provisioning them for the first time. Any existing user information that you don't provide will be removed. If you want to only update a specific attribute, use the Update an attribute for a SCIM user endpoint instead. You must at least provide the required values for the user: userName, name, and emails. Warning Setting active: false removes the user from the organization, deletes the external identity, and deletes the associated {scim\_user\_id}. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`org`** (string) (required) The organization name. The name is not case sensitive. * **`scim_user_id`** (string) (required) The unique identifier of the SCIM user. #### Body parameters * **`schemas`** (array of strings) * **`displayName`** (string) The name of the user, suitable for display to end-users * **`externalId`** (string) * **`groups`** (array of strings) * **`active`** (boolean) * **`userName`** (string) (required) Configured by the admin. Could be an email, login, or username * **`name`** (object) (required) * **`givenName`** (string) (required) * **`familyName`** (string) (required) * **`formatted`** (string) * **`emails`** (array of objects) (required) user emails * **`type`** (string) * **`value`** (string) (required) * **`primary`** (boolean) ### HTTP response status codes * **200** - OK * **304** - Not modified * **403** - Forbidden * **404** - Resource not found ### Code examples #### Example **Request:** ```curl curl -L \ -X PUT \ https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \ -d '{ "userName": "mona.octocat@okta.example.com", "externalId": "a7d0f98382", "name": { "givenName": "Monalisa", "familyName": "Octocat", "formatted": "Monalisa Octocat" }, "emails": [ { "value": "mona.octocat@okta.example.com", "primary": true } ] }' ``` **Response schema (Status: 200):** Same response schema as [Provision and invite a SCIM user](#provision-and-invite-a-scim-user). ## Update an attribute for a SCIM user ``` PATCH /scim/v2/organizations/{org}/Users/{scim_user_id} ``` Allows you to change a provisioned user's individual attributes. To change a user's values, you must provide a specific Operations JSON format that contains at least one of the add, remove, or replace operations. For examples and more information on the SCIM operations format, see the SCIM specification. Note Complicated SCIM path selectors that include filters are not supported. For example, a path selector defined as "path": "emails\[type eq "work"]" will not work. Warning If you set active:false using the replace operation (as shown in the JSON example below), it removes the user from the organization, deletes the external identity, and deletes the associated :scim\_user\_id. { "Operations":\[{ "op":"replace", "value":{ "active":false } }] } ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`org`** (string) (required) The organization name. The name is not case sensitive. * **`scim_user_id`** (string) (required) The unique identifier of the SCIM user. #### Body parameters * **`schemas`** (array of strings) * **`Operations`** (array of objects) (required) Set of operations to be performed * **`op`** (string) (required) Can be one of: `add`, `remove`, `replace` * **`path`** (string) * **`value`** (object or array or string) ### HTTP response status codes * **200** - OK * **304** - Not modified * **400** - Bad request * **403** - Forbidden * **404** - Resource not found * **429** - Too Many Requests ### Code examples #### Example **Request:** ```curl curl -L \ -X PATCH \ https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \ -d '{ "Operations": [ { "op": "replace", "value": { "displayName": "Octocat" } } ] }' ``` **Response schema (Status: 200):** Same response schema as [Provision and invite a SCIM user](#provision-and-invite-a-scim-user). ## Delete a SCIM user from an organization ``` DELETE /scim/v2/organizations/{org}/Users/{scim_user_id} ``` Deletes a SCIM user from an organization. ### Parameters #### Headers * **`accept`** (string) Setting to `application/vnd.github+json` is recommended. #### Path and query parameters * **`org`** (string) (required) The organization name. The name is not case sensitive. * **`scim_user_id`** (string) (required) The unique identifier of the SCIM user. ### HTTP response status codes * **204** - No Content * **304** - Not modified * **403** - Forbidden * **404** - Resource not found ### Code examples #### Example **Request:** ```curl curl -L \ -X DELETE \ https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID ``` **Response schema (Status: 204):**