SCIM

You can control and manage your GitHub organization members access using SCIM API.

About the SCIM API

SCIM Provisioning for Organizations

The SCIM API is used by SCIM-enabled Identity Providers (IdPs) to automate provisioning of GitHub Enterprise Cloud organization membership. The GitHub API is based on version 2.0 of the SCIM standard. The GitHub Enterprise Cloud SCIM endpoint that an IdP should use is: https://api.github.com/scim/v2/organizations/{org}/.

Notes:

The SCIM API is available only for individual organizations that use GitHub Enterprise Cloud with SAML SSO enabled. For more information about SCIM, see "About SCIM for organizations."
The SCIM API cannot be used with an enterprise account or with an organization with managed users.

Authenticating calls to the SCIM API

You must authenticate as an owner of a GitHub Enterprise Cloud organization to use its SCIM API. The API expects an OAuth 2.0 Bearer token to be included in the Authorization header. If you use a personal access token (classic) for authentication, it must have the admin:org scope and you must also authorize it for use with your SAML SSO organization.

Mapping of SAML and SCIM data

El IdP de SAML y el cliente de SCIM deben usar los mismos valores de NameID y userName para cada usuario. Esto le permite al usuario que se autentica mediante SAML el poder enlazarse con su identidad aprovisionada de SCIM.

Supported SCIM User attributes

Name	Type	Description
`userName`	`string`	The username for the user.
`name.givenName`	`string`	The first name of the user.
`name.familyName`	`string`	The last name of the user.
`emails`	`array`	List of user emails.
`externalId`	`string`	This identifier is generated by the SAML provider, and is used as a unique ID by the SAML provider to match against a GitHub user. You can find the `externalID` for a user either at the SAML provider, or using the List SCIM provisioned identities endpoint and filtering on other known attributes, such as a user's GitHub username or email address.
`id`	`string`	Identifier generated by the GitHub SCIM endpoint.
`active`	`boolean`	Used to indicate whether the identity is active (true) or should be deprovisioned (false).

Note: Endpoint URLs for the SCIM API are case sensitive. For example, the first letter in the Users endpoint must be capitalized:

GET /scim/v2/organizations/{org}/Users/{scim_user_id}

List SCIM provisioned identities

Works with GitHub Apps

Retrieves a paginated list of all provisioned organization members, including pending invitations. If you provide the filter parameter, the resources for all matching provisions members are returned.

When a user with a SAML-provisioned external identity leaves (or is removed from) an organization, the account's metadata is immediately removed. However, the returned list of user accounts might not always match the organization or enterprise member list you see on GitHub Enterprise Cloud. This can happen in certain cases where an external identity associated with an organization will not match an organization member:

When a user with a SCIM-provisioned external identity is removed from an organization, the account's metadata is preserved to allow the user to re-join the organization in the future.
When inviting a user to join an organization, you can expect to see their external identity in the results before they accept the invitation, or if the invitation is cancelled (or never accepted).
When a user is invited over SCIM, an external identity is created that matches with the invitee's email address. However, this identity is only linked to a user account when the user accepts the invitation by going through SAML SSO.

The returned list of external identities can include an entry for a null user. These are unlinked SAML identities that are created when a user goes through the following Single Sign-On (SSO) process but does not sign in to their GitHub Enterprise Cloud account after completing SSO:

The user is granted access by the IdP and is not a member of the GitHub Enterprise Cloud organization.
The user attempts to access the GitHub Enterprise Cloud organization and initiates the SAML SSO process, and is not currently signed in to their GitHub Enterprise Cloud account.
After successfully authenticating with the SAML SSO IdP, the null external identity entry is created and the user is prompted to sign in to their GitHub Enterprise Cloud account:
- If the user signs in, their GitHub Enterprise Cloud account is linked to this entry.
- If the user does not sign in (or does not create a new account when prompted), they are not added to the GitHub Enterprise Cloud organization, and the external identity null entry remains in place.

Parameters

Headers
Name, Type, Description
`accept`string Setting to `application/vnd.github+json` is recommended.
Path parameters
Name, Type, Description
`org`stringRequired The organization name. The name is not case sensitive.
Query parameters
Name, Type, Description
`startIndex`integer Used for pagination: the index of the first result to return.
`count`integer Used for pagination: the number of results to return.
`filter`string Filters results using the equals query parameter operator (`eq`). You can filter results that are equal to `id`, `userName`, `emails`, and `external_id`. For example, to search for an identity with the `userName` Octocat, you would use this query: `?filter=userName%20eq%20\"Octocat\"`. To filter results for the identity with the email `octocat@github.com`, you would use this query: `?filter=emails%20eq%20\"octocat@github.com\"`.

HTTP response status codes

Status code	Description
`200`	OK
`304`	Not modified
`400`	Bad request
`403`	Forbidden
`404`	Resource not found
`429`	Too many requests

Code samples

get/scim/v2/organizations/{org}/Users

curl \
  -H "Accept: application/scim+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>"\
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/scim/v2/organizations/ORG/Users

Response with filter

Status: 200

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "totalResults": 1,
  "itemsPerPage": 1,
  "startIndex": 1,
  "Resources": [
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "id": "5fc0c238-1112-11e8-8e45-920c87bdbd75",
      "externalId": "00u1dhhb1fkIGP7RL1d8",
      "userName": "octocat@github.com",
      "displayName": "Mona Octocat",
      "name": {
        "givenName": "Mona",
        "familyName": "Octocat",
        "formatted": "Mona Octocat"
      },
      "emails": [
        {
          "value": "octocat@github.com",
          "primary": true
        }
      ],
      "active": true,
      "meta": {
        "resourceType": "User",
        "created": "2018-02-13T15:05:24.000-08:00",
        "lastModified": "2018-02-13T15:05:55.000-08:00",
        "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/5fc0c238-1112-11e8-8e45-920c87bdbd75"
      }
    }
  ]
}

Provision and invite a SCIM user

Works with GitHub Apps

Provisions organization membership for a user, and sends an activation email to the email address. If the user was previously a member of the organization, the invitation will reinstate any former privileges that the user had. For more information about reinstating former members, see "Reinstating a former member of your organization."

Parameters

Headers

Name, Type, Description

acceptstring

Setting to application/vnd.github+json is recommended.

Path parameters

Name, Type, Description

orgstringRequired

The organization name. The name is not case sensitive.

Body parameters

Name, Type, Description

userNamestringRequired

Configured by the admin. Could be an email, login, or username

displayNamestring

The name of the user, suitable for display to end-users

nameobjectRequired

Properties of name

Name, Type, Description
`givenName`stringRequired
`familyName`stringRequired
`formatted`string

emailsarray of objectsRequired

user emails

Properties of emails

Name, Type, Description
`value`stringRequired
`primary`boolean
`type`string

schemasarray of strings

externalIdstring

groupsarray of strings

activeboolean

HTTP response status codes

Status code	Description
`201`	Created
`304`	Not modified
`400`	Bad request
`403`	Forbidden
`404`	Resource not found
`409`	Conflict
`500`	Internal server error

Code samples

post/scim/v2/organizations/{org}/Users

curl \
  -X POST \
  -H "Accept: application/scim+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>"\
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/scim/v2/organizations/ORG/Users \
  -d '{"userName":"octocat","name":"Monalisa Octocat","emails":[{"value":"mona.octocat@github.com","primary":true}]}'

Response

Status: 201

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "displayName": "Monalisa Octocat",
  "name": {
    "givenName": "Monalisa",
    "familyName": "Octocat",
    "formatted": "Monalisa Octocat"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "primary": true
    },
    {
      "value": "monalisa@octocat.github.com"
    }
  ],
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00",
    "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
  }
}

Get SCIM provisioning information for a user

Works with GitHub Apps

Parameters

Headers
Name, Type, Description
`accept`string Setting to `application/vnd.github+json` is recommended.
Path parameters
Name, Type, Description
`org`stringRequired The organization name. The name is not case sensitive.
`scim_user_id`stringRequired The unique identifier of the SCIM user.

HTTP response status codes

Status code	Description
`200`	OK
`304`	Not modified
`403`	Forbidden
`404`	Resource not found

Code samples

get/scim/v2/organizations/{org}/Users/{scim_user_id}

curl \
  -H "Accept: application/scim+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>"\
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID

Response

Status: 200

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "displayName": "Monalisa Octocat",
  "name": {
    "givenName": "Monalisa",
    "familyName": "Octocat",
    "formatted": "Monalisa Octocat"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "primary": true
    },
    {
      "value": "monalisa@octocat.github.com"
    }
  ],
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00",
    "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
  }
}

Update a provisioned organization membership

Works with GitHub Apps

Replaces an existing provisioned user's information. You must provide all the information required for the user as if you were provisioning them for the first time. Any existing user information that you don't provide will be removed. If you want to only update a specific attribute, use the Update an attribute for a SCIM user endpoint instead.

You must at least provide the required values for the user: userName, name, and emails.

Warning: Setting active: false removes the user from the organization, deletes the external identity, and deletes the associated {scim_user_id}.

Parameters

Headers

Name, Type, Description

acceptstring

Setting to application/vnd.github+json is recommended.

Path parameters

Name, Type, Description

orgstringRequired

The organization name. The name is not case sensitive.

scim_user_idstringRequired

The unique identifier of the SCIM user.

Body parameters

Name, Type, Description

schemasarray of strings

displayNamestring

The name of the user, suitable for display to end-users

externalIdstring

groupsarray of strings

activeboolean

userNamestringRequired

Configured by the admin. Could be an email, login, or username

nameobjectRequired

Properties of name

Name, Type, Description
`givenName`stringRequired
`familyName`stringRequired
`formatted`string

emailsarray of objectsRequired

user emails

Properties of emails

Name, Type, Description
`type`string
`value`stringRequired
`primary`boolean

HTTP response status codes

Status code	Description
`200`	OK
`304`	Not modified
`403`	Forbidden
`404`	Resource not found

Code samples

put/scim/v2/organizations/{org}/Users/{scim_user_id}

curl \
  -X PUT \
  -H "Accept: application/scim+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>"\
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
  -d '{"userName":"octocat","name":"Monalisa Octocat","emails":[{"value":"mona.octocat@github.com","primary":true}]}'

Response

Status: 200

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "displayName": "Monalisa Octocat",
  "name": {
    "givenName": "Monalisa",
    "familyName": "Octocat",
    "formatted": "Monalisa Octocat"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "primary": true
    },
    {
      "value": "monalisa@octocat.github.com"
    }
  ],
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00",
    "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
  }
}

Update an attribute for a SCIM user

Works with GitHub Apps

Allows you to change a provisioned user's individual attributes. To change a user's values, you must provide a specific Operations JSON format that contains at least one of the add, remove, or replace operations. For examples and more information on the SCIM operations format, see the SCIM specification.

Note: Complicated SCIM path selectors that include filters are not supported. For example, a path selector defined as "path": "emails[type eq \"work\"]" will not work.

Warning: If you set active:false using the replace operation (as shown in the JSON example below), it removes the user from the organization, deletes the external identity, and deletes the associated :scim_user_id.

{
  "Operations":[{
    "op":"replace",
    "value":{
      "active":false
    }
  }]
}

Parameters

Headers

Name, Type, Description

acceptstring

Setting to application/vnd.github+json is recommended.

Path parameters

Name, Type, Description

orgstringRequired

The organization name. The name is not case sensitive.

scim_user_idstringRequired

The unique identifier of the SCIM user.

Body parameters

Name, Type, Description

schemasarray of strings

Operationsarray of objectsRequired

Set of operations to be performed

Properties of Operations

Name, Type, Description
`op`stringRequired Can be one of: `add`, `remove`, `replace`
`path`string
`value`object or array or string

HTTP response status codes

Status code	Description
`200`	OK
`304`	Not modified
`400`	Bad request
`403`	Forbidden
`404`	Resource not found
`429`	Too Many Requests

Code samples

patch/scim/v2/organizations/{org}/Users/{scim_user_id}

curl \
  -X PATCH \
  -H "Accept: application/scim+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>"\
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
  -d '{"Operations":[{"op":"replace","value":{"displayName":"Octocat"}}]}'

Response

Status: 200

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "edefdfedf-050c-11e7-8d32",
  "externalId": "a7d0f98382",
  "userName": "mona.octocat@okta.example.com",
  "displayName": "Monalisa Octocat",
  "name": {
    "givenName": "Monalisa",
    "familyName": "Octocat",
    "formatted": "Monalisa Octocat"
  },
  "emails": [
    {
      "value": "mona.octocat@okta.example.com",
      "primary": true
    },
    {
      "value": "monalisa@octocat.github.com"
    }
  ],
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2017-03-09T16:11:13-05:00",
    "lastModified": "2017-03-09T16:11:13-05:00",
    "location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
  }
}

Delete a SCIM user from an organization

Works with GitHub Apps

Parameters

Headers
Name, Type, Description
`accept`string Setting to `application/vnd.github+json` is recommended.
Path parameters
Name, Type, Description
`org`stringRequired The organization name. The name is not case sensitive.
`scim_user_id`stringRequired The unique identifier of the SCIM user.

HTTP response status codes

Status code	Description
`204`	No Content
`304`	Not modified
`403`	Forbidden
`404`	Resource not found

Code samples

delete/scim/v2/organizations/{org}/Users/{scim_user_id}

curl \
  -X DELETE \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>"\
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID

Response

Status: 204