SCIM
You can control and manage your GitHub organization members access using SCIM API.
About the SCIM API
Aprovisionamiento de SCIM para las Organizaciones
Los proveedores de identidad (IdP) habilitados para SCIM utilizan la API de SCIM para automatizar el aprovisionamiento de la membrecía de las organizaciones de GitHub Enterprise Cloud. La API de GitHub se basa en la versión 2.0 del SCIM estándar. La terminal de SCIM de GitHub Enterprise Cloud que deben utilizar los IdP es: https://api.github.com/scim/v2/organizations/{org}/
.
Notas:
- The SCIM API is available only for individual organizations that use Nube de GitHub Enterprise with SAML SSO enabled. Para obtener más información sobre SCIM, consulta la sección "Acerca de SCIM para las organizaciones".
- The SCIM API cannot be used with an enterprise account or with an organización con usuarios administrados.
Autenticar las llamadas a la API de SCIM
Debes autenticarte como un propietario de una organización de GitHub Enterprise Cloud para utilizar la API de SCIM. La API espera que se incluya un token Portador de OAuth 2.0 en el encabezado Authorization
. También puedes utilizar un token de acceso personal, pero primero debes autorizarlo para su uso con tu orgnización que cuenta con el SSO de SAML.
Mapeo de los datos de SAML y de SCIM
El IdP de SAML y el cliente de SCIM deben utilizar valores coincidentes de NameID
y userName
para cada usuario. Esto le permite al usuario que se autentica mediante SAML el poder enlazarse con su identidad aprovisionada de SCIM.
Atributos de Usuario de SCIM compatibles
Nombre | Tipo | Descripción |
---|---|---|
userName | secuencia | El nombre de usuario para el usuario. |
name.givenName | secuencia | El primer nombre del usuario. |
name.familyName | secuencia | El apellido del usuario. |
emails | arreglo | Lista de correos electrónicos del usuario. |
externalId | secuencia | El proveedor de SAML genera este identificador, el cual utiliza como una ID única para empatarla contra un usuario de GitHub. Puedes encontrar la externalID de un usuario ya sea con el proveedor de SAML, o utilizando la terminal de Listar las identidades aprovisionadas de SCIM y filtrando otros atributos conocidos, tales como el nombre de usuario de GitHub o la dirección de correo electrónico de un usuario. |
id | secuencia | Identificador que genera la terminal de SCIM de GitHub. |
active | boolean | Se utiliza para indicar si la identidad está activa (true) o si debe desaprovisionarse (false). |
Nota: Las URL de terminal para la API de SCIM distinguen entre mayúsculas y minúsculas. Por ejemplo, la primera letra en la terminal Users
debe ponerse en mayúscula:
GET /scim/v2/organizations/{org}/Users/{scim_user_id}
List SCIM provisioned identities
Retrieves a paginated list of all provisioned organization members, including pending invitations. If you provide the filter
parameter, the resources for all matching provisions members are returned.
When a user with a SAML-provisioned external identity leaves (or is removed from) an organization, the account's metadata is immediately removed. However, the returned list of user accounts might not always match the organization or enterprise member list you see on GitHub. This can happen in certain cases where an external identity associated with an organization will not match an organization member:
- When a user with a SCIM-provisioned external identity is removed from an organization, the account's metadata is preserved to allow the user to re-join the organization in the future.
- When inviting a user to join an organization, you can expect to see their external identity in the results before they accept the invitation, or if the invitation is cancelled (or never accepted).
- When a user is invited over SCIM, an external identity is created that matches with the invitee's email address. However, this identity is only linked to a user account when the user accepts the invitation by going through SAML SSO.
The returned list of external identities can include an entry for a null
user. These are unlinked SAML identities that are created when a user goes through the following Single Sign-On (SSO) process but does not sign in to their GitHub account after completing SSO:
-
The user is granted access by the IdP and is not a member of the GitHub organization.
-
The user attempts to access the GitHub organization and initiates the SAML SSO process, and is not currently signed in to their GitHub account.
-
After successfully authenticating with the SAML SSO IdP, the
null
external identity entry is created and the user is prompted to sign in to their GitHub account:- If the user signs in, their GitHub account is linked to this entry.
- If the user does not sign in (or does not create a new account when prompted), they are not added to the GitHub organization, and the external identity
null
entry remains in place.
Parámetros
Encabezados |
---|
Nombre, Tipo, Descripción |
accept stringSetting to |
Parámetros de ruta |
Nombre, Tipo, Descripción |
org stringRequeridoThe organization name. The name is not case sensitive. |
Parámetros de consulta |
Nombre, Tipo, Descripción |
startIndex integerUsed for pagination: the index of the first result to return. |
count integerUsed for pagination: the number of results to return. |
filter stringFilters results using the equals query parameter operator (
To filter results for the identity with the email
|
Códigos de estado de respuesta HTTP
Código de estado | Descripción |
---|---|
200 | OK |
304 | Not modified |
400 | Bad Request |
403 | Forbidden |
404 | Resource not found |
429 | Too Many Requests |
Ejemplos de código
curl \
-H "Accept: application/scim+json" \
-H "Authorization: token <TOKEN>" \
https://api.github.com/scim/v2/organizations/ORG/Users
Response with filter
Status: 200
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"totalResults": 1,
"itemsPerPage": 1,
"startIndex": 1,
"Resources": [
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "5fc0c238-1112-11e8-8e45-920c87bdbd75",
"externalId": "00u1dhhb1fkIGP7RL1d8",
"userName": "octocat@github.com",
"displayName": "Mona Octocat",
"name": {
"givenName": "Mona",
"familyName": "Octocat",
"formatted": "Mona Octocat"
},
"emails": [
{
"value": "octocat@github.com",
"primary": true
}
],
"active": true,
"meta": {
"resourceType": "User",
"created": "2018-02-13T15:05:24.000-08:00",
"lastModified": "2018-02-13T15:05:55.000-08:00",
"location": "https://api.github.com/scim/v2/organizations/octo-org/Users/5fc0c238-1112-11e8-8e45-920c87bdbd75"
}
}
]
}
Provision and invite a SCIM user
Provision organization membership for a user, and send an activation email to the email address.
Parámetros
Encabezados | |||||||
---|---|---|---|---|---|---|---|
Nombre, Tipo, Descripción | |||||||
accept stringSetting to | |||||||
Parámetros de ruta | |||||||
Nombre, Tipo, Descripción | |||||||
org stringRequeridoThe organization name. The name is not case sensitive. | |||||||
Parámetros de cuerpo | |||||||
Nombre, Tipo, Descripción | |||||||
userName stringRequeridoConfigured by the admin. Could be an email, login, or username | |||||||
displayName stringThe name of the user, suitable for display to end-users | |||||||
name objectRequerido | |||||||
Properties of the |
Nombre, Tipo, Descripción |
---|
givenName stringRequerido |
familyName stringRequerido |
formatted string |
emails
array of objectsRequeridouser emails
Properties of theemails
items
Nombre, Tipo, Descripción |
---|
value stringRequerido |
primary boolean |
type string |
schemas
array of stringsexternalId
stringgroups
array of stringsactive
booleanCódigos de estado de respuesta HTTP
Código de estado | Descripción |
---|---|
201 | Created |
304 | Not modified |
400 | Bad Request |
403 | Forbidden |
404 | Resource not found |
409 | Conflict |
500 | Internal Error |
Ejemplos de código
curl \
-X POST \
-H "Accept: application/scim+json" \
-H "Authorization: token <TOKEN>" \
https://api.github.com/scim/v2/organizations/ORG/Users
Response
Status: 201
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "edefdfedf-050c-11e7-8d32",
"externalId": "a7d0f98382",
"userName": "mona.octocat@okta.example.com",
"displayName": "Monalisa Octocat",
"name": {
"givenName": "Monalisa",
"familyName": "Octocat",
"formatted": "Monalisa Octocat"
},
"emails": [
{
"value": "mona.octocat@okta.example.com",
"primary": true
},
{
"value": "monalisa@octocat.github.com"
}
],
"active": true,
"meta": {
"resourceType": "User",
"created": "2017-03-09T16:11:13-05:00",
"lastModified": "2017-03-09T16:11:13-05:00",
"location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
}
}
Get SCIM provisioning information for a user
Parámetros
Encabezados |
---|
Nombre, Tipo, Descripción |
accept stringSetting to |
Parámetros de ruta |
Nombre, Tipo, Descripción |
org stringRequeridoThe organization name. The name is not case sensitive. |
scim_user_id stringRequeridoThe unique identifier of the SCIM user. |
Códigos de estado de respuesta HTTP
Código de estado | Descripción |
---|---|
200 | OK |
304 | Not modified |
403 | Forbidden |
404 | Resource not found |
Ejemplos de código
curl \
-H "Accept: application/scim+json" \
-H "Authorization: token <TOKEN>" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID
Response
Status: 200
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "edefdfedf-050c-11e7-8d32",
"externalId": "a7d0f98382",
"userName": "mona.octocat@okta.example.com",
"displayName": "Monalisa Octocat",
"name": {
"givenName": "Monalisa",
"familyName": "Octocat",
"formatted": "Monalisa Octocat"
},
"emails": [
{
"value": "mona.octocat@okta.example.com",
"primary": true
},
{
"value": "monalisa@octocat.github.com"
}
],
"active": true,
"meta": {
"resourceType": "User",
"created": "2017-03-09T16:11:13-05:00",
"lastModified": "2017-03-09T16:11:13-05:00",
"location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
}
}
Update a provisioned organization membership
Replaces an existing provisioned user's information. You must provide all the information required for the user as if you were provisioning them for the first time. Any existing user information that you don't provide will be removed. If you want to only update a specific attribute, use the Update an attribute for a SCIM user endpoint instead.
You must at least provide the required values for the user: userName
, name
, and emails
.
Warning: Setting active: false
removes the user from the organization, deletes the external identity, and deletes the associated {scim_user_id}
.
Parámetros
Encabezados | |||||||
---|---|---|---|---|---|---|---|
Nombre, Tipo, Descripción | |||||||
accept stringSetting to | |||||||
Parámetros de ruta | |||||||
Nombre, Tipo, Descripción | |||||||
org stringRequeridoThe organization name. The name is not case sensitive. | |||||||
scim_user_id stringRequeridoThe unique identifier of the SCIM user. | |||||||
Parámetros de cuerpo | |||||||
Nombre, Tipo, Descripción | |||||||
schemas array of strings | |||||||
displayName stringThe name of the user, suitable for display to end-users | |||||||
externalId string | |||||||
groups array of strings | |||||||
active boolean | |||||||
userName stringRequeridoConfigured by the admin. Could be an email, login, or username | |||||||
name objectRequerido | |||||||
Properties of the |
Nombre, Tipo, Descripción |
---|
givenName stringRequerido |
familyName stringRequerido |
formatted string |
emails
array of objectsRequeridouser emails
Properties of theemails
items
Nombre, Tipo, Descripción |
---|
type string |
value stringRequerido |
primary boolean |
Códigos de estado de respuesta HTTP
Código de estado | Descripción |
---|---|
200 | OK |
304 | Not modified |
403 | Forbidden |
404 | Resource not found |
Ejemplos de código
curl \
-X PUT \
-H "Accept: application/scim+json" \
-H "Authorization: token <TOKEN>" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID
Response
Status: 200
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "edefdfedf-050c-11e7-8d32",
"externalId": "a7d0f98382",
"userName": "mona.octocat@okta.example.com",
"displayName": "Monalisa Octocat",
"name": {
"givenName": "Monalisa",
"familyName": "Octocat",
"formatted": "Monalisa Octocat"
},
"emails": [
{
"value": "mona.octocat@okta.example.com",
"primary": true
},
{
"value": "monalisa@octocat.github.com"
}
],
"active": true,
"meta": {
"resourceType": "User",
"created": "2017-03-09T16:11:13-05:00",
"lastModified": "2017-03-09T16:11:13-05:00",
"location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
}
}
Update an attribute for a SCIM user
Allows you to change a provisioned user's individual attributes. To change a user's values, you must provide a specific Operations
JSON format that contains at least one of the add
, remove
, or replace
operations. For examples and more information on the SCIM operations format, see the SCIM specification.
Note: Complicated SCIM path
selectors that include filters are not supported. For example, a path
selector defined as "path": "emails[type eq \"work\"]"
will not work.
Warning: If you set active:false
using the replace
operation (as shown in the JSON example below), it removes the user from the organization, deletes the external identity, and deletes the associated :scim_user_id
.
{
"Operations":[{
"op":"replace",
"value":{
"active":false
}
}]
}
Parámetros
Encabezados | |||||||
---|---|---|---|---|---|---|---|
Nombre, Tipo, Descripción | |||||||
accept stringSetting to | |||||||
Parámetros de ruta | |||||||
Nombre, Tipo, Descripción | |||||||
org stringRequeridoThe organization name. The name is not case sensitive. | |||||||
scim_user_id stringRequeridoThe unique identifier of the SCIM user. | |||||||
Parámetros de cuerpo | |||||||
Nombre, Tipo, Descripción | |||||||
schemas array of strings | |||||||
Operations array of objectsRequeridoSet of operations to be performed | |||||||
Properties of the |
Nombre, Tipo, Descripción |
---|
op stringRequeridoPuede ser una de las siguientes: |
path string |
value object or array or string or |
Códigos de estado de respuesta HTTP
Código de estado | Descripción |
---|---|
200 | OK |
304 | Not modified |
400 | Bad Request |
403 | Forbidden |
404 | Resource not found |
429 | Too Many Requests |
Ejemplos de código
curl \
-X PATCH \
-H "Accept: application/scim+json" \
-H "Authorization: token <TOKEN>" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID
Response
Status: 200
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "edefdfedf-050c-11e7-8d32",
"externalId": "a7d0f98382",
"userName": "mona.octocat@okta.example.com",
"displayName": "Monalisa Octocat",
"name": {
"givenName": "Monalisa",
"familyName": "Octocat",
"formatted": "Monalisa Octocat"
},
"emails": [
{
"value": "mona.octocat@okta.example.com",
"primary": true
},
{
"value": "monalisa@octocat.github.com"
}
],
"active": true,
"meta": {
"resourceType": "User",
"created": "2017-03-09T16:11:13-05:00",
"lastModified": "2017-03-09T16:11:13-05:00",
"location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
}
}
Delete a SCIM user from an organization
Parámetros
Encabezados |
---|
Nombre, Tipo, Descripción |
accept stringSetting to |
Parámetros de ruta |
Nombre, Tipo, Descripción |
org stringRequeridoThe organization name. The name is not case sensitive. |
scim_user_id stringRequeridoThe unique identifier of the SCIM user. |
Códigos de estado de respuesta HTTP
Código de estado | Descripción |
---|---|
204 | No Content |
304 | Not modified |
403 | Forbidden |
404 | Resource not found |
Ejemplos de código
curl \
-X DELETE \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: token <TOKEN>" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID
Response
Status: 204