REST API endpoints for SCIM

Note

This operation allows you to provision access to an organization on GitHub Enterprise Cloud using SCIM. The operation is not available for use with Enterprise Managed Users. For more information about provisioning managed user accounts using SCIM, see REST API endpoints for SCIM.

About SCIM

SCIM Provisioning for Organizations

These endpoints are used by SCIM-enabled Identity Providers (IdPs) to automate provisioning of GitHub organization membership and are based on version 2.0 of the SCIM standard. IdPs should use the base URL https://api.github.com/scim/v2/organizations/{org}/ for GitHub SCIM endpoints.

Note

These endpoints are only available for individual organizations that use GitHub Enterprise Cloud with SAML SSO enabled. For more information about SCIM, see About SCIM for organizations. For more information about authorizing a token for a SAML SSO organization, see Authenticating to the REST API.
These endpoints cannot be used with an enterprise account or with an organization with managed users.

Authentication

You must authenticate as an owner of a GitHub organization to use these endpoints. The REST API expects an OAuth 2.0 Bearer token (for example, a GitHub App user access token) to be included in the Authorization header. If you use a personal access token (classic) for authentication, it must have the admin:org scope and you must also authorize it for use with your SAML SSO organization.

Matching SAML and SCIM attributes

To successfully link a GitHub user account to a SCIM identity in an organization, specific attributes from your Identity Provider's SAML response and SCIM API provisioning call must match for a user.

Microsoft Entra ID for SAML

When using Entra ID (previously known as Azure AD) for SAML, the following SAML attribute and SCIM attribute must match.

SAML attribute	Matching SCIM attribute
`http://schemas.microsoft.com/identity/claims/objectidentifier`	`externalId`

Other IdPs for SAML

When using other IdPs for SAML, the following SAML claims and SCIM attribute must match.

SAML attribute	Matching SCIM attribute
`NameID`	`userName`

There are two different ways a GitHub user account can get linked to a SCIM identity in an organization when these SAML/SCIM attributes match:

For users who are not yet members of the organization:
- The IdP sends a SCIM provisioning call to GitHub for a user who is not a member of an organization. This generates an organization invitation and an unlinked SCIM identity in the organization.
- User authenticates via SAML in the organization.
- GitHub automatically links the SAML and SCIM identity to the new user account in the organization.
For existing organization members:
- The IdP sends a SCIM provisioning call to GitHub for a user who is already a member of the organization.
- If the organization member does not have a linked SAML identity in the organization, this generates an organization invitation and an unlinked SCIM identity in the organization. User authenticates via SAML in the organization to link their SAML and SCIM identity.
- If the organization member has a linked SAML identity in the organization, GitHub automatically links the SCIM identity to the existing user account in the organization. No organization invite is created.

Ensuring that a user gets properly linked to their SCIM identity in the organization can help prevent unexpected issues with SCIM deprovisioning when the user's access to the app is removed on the IdP side. For more information on auditing the linked SCIM identities in an organization, see Troubleshooting identity and access management for your organization

Supported SCIM User attributes

Name	Type	Description
`userName`	`string`	The username for the user.
`name.givenName`	`string`	The first name of the user.
`name.familyName`	`string`	The last name of the user.
`emails`	`array`	List of user emails.
`externalId`	`string`	This identifier is generated by the SAML provider, and is used as a unique ID by the SAML provider to match against a GitHub user. You can find the `externalID` for a user either at the SAML provider, or using the List SCIM provisioned identities endpoint and filtering on other known attributes, such as a user's GitHub username or email address.
`id`	`string`	Identifier generated by the GitHub SCIM endpoint.
`active`	`boolean`	Used to indicate whether the identity is active (true) or should be deprovisioned (false).

Note

These endpoints are case sensitive. For example, the first letter in the Users endpoint must be capitalized:

GET /scim/v2/organizations/{org}/Users/{scim_user_id}

List SCIM provisioned identities

Retrieves a paginated list of all provisioned organization members, including pending invitations. If you provide the filter parameter, the resources for all matching provisions members are returned.

The returned list of SCIM provisioned identities from the GitHub Enterprise Cloud might not always match the organization or enterprise member list. Here is why that can occur:

When an organization invitation is generated by a SCIM integration, this creates an unlinked SCIM identity in the organization. When a user logs into their GitHub user account, visits the organization, and successfully authenticates via SAML, they get added as an organization member and linked to their SAML/SCIM identity in the organization. If the user does not do this, the SCIM identity will remain in the organization, not linked to any organization member.
A user's organization membership (inviting and removing a user to/from the organization) should only be managed by a SCIM integration when this is configured for a GitHub organization. If a GitHub user who has a linked SCIM identity is removed from the organization using the GitHub UI or non-SCIM API, as opposed to the SCIM integration, this can leave behind a stale SAML/SCIM identity in the organization for the user.

Fine-grained access tokens for "List SCIM provisioned identities"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Members" organization permissions (read)

Parameters for "List SCIM provisioned identities"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`org` string Required The organization name. The name is not case sensitive.

Query parameters
Name, Type, Description
`startIndex` integer Used for pagination: the index of the first result to return.
`count` integer Used for pagination: the number of results to return.
`filter` string Filters results using the equals query parameter operator (`eq`). You can filter results that are equal to `id`, `userName`, `emails`, and `externalId`. For example, to search for an identity with the `userName` Octocat, you would use this query: `?filter=userName%20eq%20\"Octocat\"`. To filter results for the identity with the email `octocat@github.com`, you would use this query: `?filter=emails%20eq%20\"octocat@github.com\"`.

HTTP response status codes for "List SCIM provisioned identities"

Status code	Description
`200`	OK
`304`	Not modified
`400`	Bad request
`403`	Forbidden
`404`	Resource not found
`429`	Too many requests

Code samples for "List SCIM provisioned identities"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request examples

Select the example type

get/scim/v2/organizations/{org}/Users

curl -L \
  -H "Accept: application/scim+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/scim/v2/organizations/ORG/Users

Response with filter

Status: 200

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "totalResults": 1,
  "itemsPerPage": 1,
  "startIndex": 1,
  "Resources": [
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "5fc0c238-1112-11e8-8e45-920c87bdbd75",
      "externalId": "00u1dhhb1fkIGP7RL1d8",
      "userName": "octocat@github.com",
      "displayName": "Mona Octocat",
      "name": {
        "givenName": "Mona",
        "familyName": "Octocat",
        "formatted": "Mona Octocat"
      },
      "emails": [
        {
          "value": "octocat@github.com",
          "primary": true
        }
      ],
      "active": true,
      "meta": {
        "resourceType": "User",
        "created": "2018-02-13T15:05:24.000-08:00",
        "lastModified": "2018-02-13T15:05:55.000-08:00",
        "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/5fc0c238-1112-11e8-8e45-920c87bdbd75"
      }
    }
  ]
}

Provision and invite a SCIM user

Provisions organization membership for a user, and sends an activation email to the email address. If the user was previously a member of the organization, the invitation will reinstate any former privileges that the user had. For more information about reinstating former members, see "Reinstating a former member of your organization."

Fine-grained access tokens for "Provision and invite a SCIM user"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Members" organization permissions (write)

Parameters for "Provision and invite a SCIM user"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`org` string Required The organization name. The name is not case sensitive.

Name, Type, Description

userName string Required

Configured by the admin. Could be an email, login, or username

displayName string

The name of the user, suitable for display to end-users

name object Required

Properties of name

Name, Type, Description
`givenName` string Required
`familyName` string Required
`formatted` string

emails array of objects Required

user emails

Properties of emails

Name, Type, Description
`value` string Required
`primary` boolean
`type` string

schemas array of strings

externalId string

groups array of strings

active boolean

HTTP response status codes for "Provision and invite a SCIM user"

Status code	Description
`201`	Created
`304`	Not modified
`400`	Bad request
`403`	Forbidden
`404`	Resource not found
`409`	Conflict
`500`	Internal server error

Code samples for "Provision and invite a SCIM user"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

post/scim/v2/organizations/{org}/Users

curl -L \
  -X POST \
  -H "Accept: application/scim+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/scim/v2/organizations/ORG/Users \
  -d '{"userName":"octocat","name":"Monalisa Octocat","emails":[{"value":"mona.octocat@github.com","primary":true}]}'

Response

Status: 201

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "displayName": "Monalisa Octocat",
  "name": {
    "givenName": "Monalisa",
    "familyName": "Octocat",
    "formatted": "Monalisa Octocat"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "primary": true
    },
    {
      "value": "monalisa@octocat.github.com"
    }
  ],
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00",
    "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
  }
}

Get SCIM provisioning information for a user

Gets SCIM provisioning information for a user.

Fine-grained access tokens for "Get SCIM provisioning information for a user"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Members" organization permissions (read)

Parameters for "Get SCIM provisioning information for a user"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`org` string Required The organization name. The name is not case sensitive.
`scim_user_id` string Required The unique identifier of the SCIM user.

HTTP response status codes for "Get SCIM provisioning information for a user"

Status code	Description
`200`	OK
`304`	Not modified
`403`	Forbidden
`404`	Resource not found

Code samples for "Get SCIM provisioning information for a user"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

get/scim/v2/organizations/{org}/Users/{scim_user_id}

curl -L \
  -H "Accept: application/scim+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID

Response

Status: 200

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "displayName": "Monalisa Octocat",
  "name": {
    "givenName": "Monalisa",
    "familyName": "Octocat",
    "formatted": "Monalisa Octocat"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "primary": true
    },
    {
      "value": "monalisa@octocat.github.com"
    }
  ],
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00",
    "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
  }
}

Update a provisioned organization membership

Replaces an existing provisioned user's information. You must provide all the information required for the user as if you were provisioning them for the first time. Any existing user information that you don't provide will be removed. If you want to only update a specific attribute, use the Update an attribute for a SCIM user endpoint instead.

You must at least provide the required values for the user: userName, name, and emails.

Warning

Setting active: false removes the user from the organization, deletes the external identity, and deletes the associated {scim_user_id}.

Fine-grained access tokens for "Update a provisioned organization membership"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Members" organization permissions (write)

Parameters for "Update a provisioned organization membership"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`org` string Required The organization name. The name is not case sensitive.
`scim_user_id` string Required The unique identifier of the SCIM user.

Name, Type, Description

schemas array of strings

displayName string

The name of the user, suitable for display to end-users

externalId string

groups array of strings

active boolean

userName string Required

Configured by the admin. Could be an email, login, or username

name object Required

Properties of name

Name, Type, Description
`givenName` string Required
`familyName` string Required
`formatted` string

emails array of objects Required

user emails

Properties of emails

Name, Type, Description
`type` string
`value` string Required
`primary` boolean

HTTP response status codes for "Update a provisioned organization membership"

Status code	Description
`200`	OK
`304`	Not modified
`403`	Forbidden
`404`	Resource not found

Code samples for "Update a provisioned organization membership"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

put/scim/v2/organizations/{org}/Users/{scim_user_id}

curl -L \
  -X PUT \
  -H "Accept: application/scim+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
  -d '{"userName":"octocat","name":"Monalisa Octocat","emails":[{"value":"mona.octocat@github.com","primary":true}]}'

Response

Status: 200

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "displayName": "Monalisa Octocat",
  "name": {
    "givenName": "Monalisa",
    "familyName": "Octocat",
    "formatted": "Monalisa Octocat"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "primary": true
    },
    {
      "value": "monalisa@octocat.github.com"
    }
  ],
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00",
    "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
  }
}

Update an attribute for a SCIM user

Allows you to change a provisioned user's individual attributes. To change a user's values, you must provide a specific Operations JSON format that contains at least one of the add, remove, or replace operations. For examples and more information on the SCIM operations format, see the SCIM specification.

Note

Complicated SCIM path selectors that include filters are not supported. For example, a path selector defined as "path": "emails[type eq \"work\"]" will not work.

Warning

If you set active:false using the replace operation (as shown in the JSON example below), it removes the user from the organization, deletes the external identity, and deletes the associated :scim_user_id.

{
  "Operations":[{
    "op":"replace",
    "value":{
      "active":false
    }
  }]
}

Fine-grained access tokens for "Update an attribute for a SCIM user"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Members" organization permissions (write)

Parameters for "Update an attribute for a SCIM user"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`org` string Required The organization name. The name is not case sensitive.
`scim_user_id` string Required The unique identifier of the SCIM user.

Name, Type, Description

schemas array of strings

Operations array of objects Required

Set of operations to be performed

Properties of Operations

Name, Type, Description
`op` string Required Can be one of: `add`, `remove`, `replace`
`path` string
`value` object or array or string

HTTP response status codes for "Update an attribute for a SCIM user"

Status code	Description
`200`	OK
`304`	Not modified
`400`	Bad request
`403`	Forbidden
`404`	Resource not found
`429`	Too Many Requests

Code samples for "Update an attribute for a SCIM user"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

patch/scim/v2/organizations/{org}/Users/{scim_user_id}

curl -L \
  -X PATCH \
  -H "Accept: application/scim+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
  -d '{"Operations":[{"op":"replace","value":{"displayName":"Octocat"}}]}'

Response

Status: 200

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "displayName": "Monalisa Octocat",
  "name": {
    "givenName": "Monalisa",
    "familyName": "Octocat",
    "formatted": "Monalisa Octocat"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "primary": true
    },
    {
      "value": "monalisa@octocat.github.com"
    }
  ],
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00",
    "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
  }
}

Delete a SCIM user from an organization

Deletes a SCIM user from an organization.

Fine-grained access tokens for "Delete a SCIM user from an organization"

This endpoint works with the following fine-grained token types:

The fine-grained token must have the following permission set:

"Members" organization permissions (write)

Parameters for "Delete a SCIM user from an organization"

Headers
Name, Type, Description
`accept` string Setting to `application/vnd.github+json` is recommended.

Path parameters
Name, Type, Description
`org` string Required The organization name. The name is not case sensitive.
`scim_user_id` string Required The unique identifier of the SCIM user.

HTTP response status codes for "Delete a SCIM user from an organization"

Status code	Description
`204`	No Content
`304`	Not modified
`403`	Forbidden
`404`	Resource not found

Code samples for "Delete a SCIM user from an organization"

If you access GitHub at GHE.com, replace api.github.com with your enterprise's dedicated subdomain at api.SUBDOMAIN.ghe.com.

Request example

delete/scim/v2/organizations/{org}/Users/{scim_user_id}

curl -L \
  -X DELETE \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID

Response

Status: 204