SCIM
Utilisez l’API REST pour contrôler et gérer l’accès des membres de votre organisation GitHub avec SCIM.
À propos de SCIM
Approvisionnement de SCIM pour les organisations
Ces points de terminaison sont utilisés par les fournisseurs d’identité prenant en charge SCIM afin d’automatiser le provisionnement des membres de l’organisation GitHub Enterprise Cloud, et sont basés sur la version 2.0 du standard SCIM. Les fournisseurs d’identité doivent utiliser l’URL de base https://api.github.com/scim/v2/organizations/{org}/
pour les points de terminaison SCIM GitHub Enterprise Cloud.
Remarques :
- Ces points de terminaison sont uniquement disponibles pour les organisations qui utilisent GitHub Enterprise Cloud avec l’authentification unique SAML activée. Pour plus d’informations sur SCIM, consultez « À propos de SCIM pour les organisations ».
- Les points de terminaison ne peuvent pas être utilisés avec un compte d’entreprise ou avec une organization with managed users.
Authentification
Vous devez vous authentifier en tant que propriétaire d’une organisation GitHub Enterprise Cloud pour utiliser ces points de terminaison. L’API REST s’attend à ce qu’un jeton du porteur OAuth 2.0 soit inclus dans l’en-tête Authorization
. Si vous utilisez un personal access token (classic) pour l’authentification, celui-ci doit avoir l’étendue admin:org
. Vous devrez également autoriser son utilisation avec votre organisation SSO SAML.
Mappage des données SAML et SCIM
Le fournisseur d’identité SAML et le client SCIM doivent utiliser des valeurs NameID
et userName
correspondantes pour chaque utilisateur. Ce processus permet à un utilisateur s’authentifiant via SAML d’être lié à son identité SCIM approvisionnée.
Attributs utilisateur SCIM pris en charge
Nom | Type | Description |
---|---|---|
userName | string | Nom d’utilisateur de l’utilisateur. |
name.givenName | string | Prénom de l’utilisateur. |
name.familyName | string | Nom de l’utilisateur. |
emails | array | Liste des e-mails de l’utilisateur. |
externalId | string | Cet identificateur est généré par le fournisseur SAML, et utilisé comme ID unique par le fournisseur SAML pour établit une correspondance avec un utilisateur GitHub. Vous pouvez trouver l’externalID pour un utilisateur chez le fournisseur SAML ou en utilisant le point de terminaison Répertorier les identités approvisionnées SCIM et en filtrant sur d’autres attributs connus, tels que le nom d’utilisateur ou l’adresse e-mail GitHub d’un utilisateur. |
id | string | Identificateur généré par le point de terminaison SCIM GitHub. |
active | boolean | Utilisé pour indiquer si l’identité est active (true) ou devrait être déprovisionnée (false). |
Remarque : Ces points de terminaison respectent la casse. Par exemple, la première lettre du point de terminaison Users
doit être en majuscule :
GET /scim/v2/organizations/{org}/Users/{scim_user_id}
List SCIM provisioned identities
Retrieves a paginated list of all provisioned organization members, including pending invitations. If you provide the filter
parameter, the resources for all matching provisions members are returned.
When a user with a SAML-provisioned external identity leaves (or is removed from) an organization, the account's metadata is immediately removed. However, the returned list of user accounts might not always match the organization or enterprise member list you see on GitHub Enterprise Cloud. This can happen in certain cases where an external identity associated with an organization will not match an organization member:
- When a user with a SCIM-provisioned external identity is removed from an organization, the account's metadata is preserved to allow the user to re-join the organization in the future.
- When inviting a user to join an organization, you can expect to see their external identity in the results before they accept the invitation, or if the invitation is cancelled (or never accepted).
- When a user is invited over SCIM, an external identity is created that matches with the invitee's email address. However, this identity is only linked to a user account when the user accepts the invitation by going through SAML SSO.
The returned list of external identities can include an entry for a null
user. These are unlinked SAML identities that are created when a user goes through the following Single Sign-On (SSO) process but does not sign in to their GitHub Enterprise Cloud account after completing SSO:
-
The user is granted access by the IdP and is not a member of the GitHub Enterprise Cloud organization.
-
The user attempts to access the GitHub Enterprise Cloud organization and initiates the SAML SSO process, and is not currently signed in to their GitHub Enterprise Cloud account.
-
After successfully authenticating with the SAML SSO IdP, the
null
external identity entry is created and the user is prompted to sign in to their GitHub Enterprise Cloud account:- If the user signs in, their GitHub Enterprise Cloud account is linked to this entry.
- If the user does not sign in (or does not create a new account when prompted), they are not added to the GitHub Enterprise Cloud organization, and the external identity
null
entry remains in place.
Parameters
Headers |
---|
Nom, Type, Description |
accept stringSetting to |
Path parameters |
Nom, Type, Description |
org stringRequiredThe organization name. The name is not case sensitive. |
Query parameters |
Nom, Type, Description |
startIndex integerUsed for pagination: the index of the first result to return. |
count integerUsed for pagination: the number of results to return. |
filter stringFilters results using the equals query parameter operator (
To filter results for the identity with the email
|
HTTP response status codes
Status code | Description |
---|---|
200 | OK |
304 | Not modified |
400 | Bad request |
403 | Forbidden |
404 | Resource not found |
429 | Too many requests |
Code samples
curl \
-H "Accept: application/scim+json" \
-H "Authorization: Bearer <YOUR-TOKEN>"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/scim/v2/organizations/ORG/Users
Response with filter
Status: 200
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"totalResults": 1,
"itemsPerPage": 1,
"startIndex": 1,
"Resources": [
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "5fc0c238-1112-11e8-8e45-920c87bdbd75",
"externalId": "00u1dhhb1fkIGP7RL1d8",
"userName": "octocat@github.com",
"displayName": "Mona Octocat",
"name": {
"givenName": "Mona",
"familyName": "Octocat",
"formatted": "Mona Octocat"
},
"emails": [
{
"value": "octocat@github.com",
"primary": true
}
],
"active": true,
"meta": {
"resourceType": "User",
"created": "2018-02-13T15:05:24.000-08:00",
"lastModified": "2018-02-13T15:05:55.000-08:00",
"location": "https://api.github.com/scim/v2/organizations/octo-org/Users/5fc0c238-1112-11e8-8e45-920c87bdbd75"
}
}
]
}
Provision and invite a SCIM user
Provisions organization membership for a user, and sends an activation email to the email address. If the user was previously a member of the organization, the invitation will reinstate any former privileges that the user had. For more information about reinstating former members, see "Reinstating a former member of your organization."
Parameters
Headers | |||||||
---|---|---|---|---|---|---|---|
Nom, Type, Description | |||||||
accept stringSetting to | |||||||
Path parameters | |||||||
Nom, Type, Description | |||||||
org stringRequiredThe organization name. The name is not case sensitive. | |||||||
Body parameters | |||||||
Nom, Type, Description | |||||||
userName stringRequiredConfigured by the admin. Could be an email, login, or username | |||||||
displayName stringThe name of the user, suitable for display to end-users | |||||||
name objectRequired | |||||||
Properties of |
Nom, Type, Description |
---|
givenName stringRequired |
familyName stringRequired |
formatted string |
emails
array of objectsRequireduser emails
Properties of emails
Nom, Type, Description |
---|
value stringRequired |
primary boolean |
type string |
schemas
array of stringsexternalId
stringgroups
array of stringsactive
booleanHTTP response status codes
Status code | Description |
---|---|
201 | Created |
304 | Not modified |
400 | Bad request |
403 | Forbidden |
404 | Resource not found |
409 | Conflict |
500 | Internal server error |
Code samples
curl \
-X POST \
-H "Accept: application/scim+json" \
-H "Authorization: Bearer <YOUR-TOKEN>"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/scim/v2/organizations/ORG/Users \
-d '{"userName":"octocat","name":"Monalisa Octocat","emails":[{"value":"mona.octocat@github.com","primary":true}]}'
Response
Status: 201
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "edefdfedf-050c-11e7-8d32",
"externalId": "a7d0f98382",
"userName": "mona.octocat@okta.example.com",
"displayName": "Monalisa Octocat",
"name": {
"givenName": "Monalisa",
"familyName": "Octocat",
"formatted": "Monalisa Octocat"
},
"emails": [
{
"value": "mona.octocat@okta.example.com",
"primary": true
},
{
"value": "monalisa@octocat.github.com"
}
],
"active": true,
"meta": {
"resourceType": "User",
"created": "2017-03-09T16:11:13-05:00",
"lastModified": "2017-03-09T16:11:13-05:00",
"location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
}
}
Get SCIM provisioning information for a user
Parameters
Headers |
---|
Nom, Type, Description |
accept stringSetting to |
Path parameters |
Nom, Type, Description |
org stringRequiredThe organization name. The name is not case sensitive. |
scim_user_id stringRequiredThe unique identifier of the SCIM user. |
HTTP response status codes
Status code | Description |
---|---|
200 | OK |
304 | Not modified |
403 | Forbidden |
404 | Resource not found |
Code samples
curl \
-H "Accept: application/scim+json" \
-H "Authorization: Bearer <YOUR-TOKEN>"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID
Response
Status: 200
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "edefdfedf-050c-11e7-8d32",
"externalId": "a7d0f98382",
"userName": "mona.octocat@okta.example.com",
"displayName": "Monalisa Octocat",
"name": {
"givenName": "Monalisa",
"familyName": "Octocat",
"formatted": "Monalisa Octocat"
},
"emails": [
{
"value": "mona.octocat@okta.example.com",
"primary": true
},
{
"value": "monalisa@octocat.github.com"
}
],
"active": true,
"meta": {
"resourceType": "User",
"created": "2017-03-09T16:11:13-05:00",
"lastModified": "2017-03-09T16:11:13-05:00",
"location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
}
}
Update a provisioned organization membership
Replaces an existing provisioned user's information. You must provide all the information required for the user as if you were provisioning them for the first time. Any existing user information that you don't provide will be removed. If you want to only update a specific attribute, use the Update an attribute for a SCIM user endpoint instead.
You must at least provide the required values for the user: userName
, name
, and emails
.
Warning: Setting active: false
removes the user from the organization, deletes the external identity, and deletes the associated {scim_user_id}
.
Parameters
Headers | |||||||
---|---|---|---|---|---|---|---|
Nom, Type, Description | |||||||
accept stringSetting to | |||||||
Path parameters | |||||||
Nom, Type, Description | |||||||
org stringRequiredThe organization name. The name is not case sensitive. | |||||||
scim_user_id stringRequiredThe unique identifier of the SCIM user. | |||||||
Body parameters | |||||||
Nom, Type, Description | |||||||
schemas array of strings | |||||||
displayName stringThe name of the user, suitable for display to end-users | |||||||
externalId string | |||||||
groups array of strings | |||||||
active boolean | |||||||
userName stringRequiredConfigured by the admin. Could be an email, login, or username | |||||||
name objectRequired | |||||||
Properties of |
Nom, Type, Description |
---|
givenName stringRequired |
familyName stringRequired |
formatted string |
emails
array of objectsRequireduser emails
Properties of emails
Nom, Type, Description |
---|
type string |
value stringRequired |
primary boolean |
HTTP response status codes
Status code | Description |
---|---|
200 | OK |
304 | Not modified |
403 | Forbidden |
404 | Resource not found |
Code samples
curl \
-X PUT \
-H "Accept: application/scim+json" \
-H "Authorization: Bearer <YOUR-TOKEN>"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
-d '{"userName":"octocat","name":"Monalisa Octocat","emails":[{"value":"mona.octocat@github.com","primary":true}]}'
Response
Status: 200
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "edefdfedf-050c-11e7-8d32",
"externalId": "a7d0f98382",
"userName": "mona.octocat@okta.example.com",
"displayName": "Monalisa Octocat",
"name": {
"givenName": "Monalisa",
"familyName": "Octocat",
"formatted": "Monalisa Octocat"
},
"emails": [
{
"value": "mona.octocat@okta.example.com",
"primary": true
},
{
"value": "monalisa@octocat.github.com"
}
],
"active": true,
"meta": {
"resourceType": "User",
"created": "2017-03-09T16:11:13-05:00",
"lastModified": "2017-03-09T16:11:13-05:00",
"location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
}
}
Update an attribute for a SCIM user
Allows you to change a provisioned user's individual attributes. To change a user's values, you must provide a specific Operations
JSON format that contains at least one of the add
, remove
, or replace
operations. For examples and more information on the SCIM operations format, see the SCIM specification.
Note: Complicated SCIM path
selectors that include filters are not supported. For example, a path
selector defined as "path": "emails[type eq \"work\"]"
will not work.
Warning: If you set active:false
using the replace
operation (as shown in the JSON example below), it removes the user from the organization, deletes the external identity, and deletes the associated :scim_user_id
.
{
"Operations":[{
"op":"replace",
"value":{
"active":false
}
}]
}
Parameters
Headers | |||||||
---|---|---|---|---|---|---|---|
Nom, Type, Description | |||||||
accept stringSetting to | |||||||
Path parameters | |||||||
Nom, Type, Description | |||||||
org stringRequiredThe organization name. The name is not case sensitive. | |||||||
scim_user_id stringRequiredThe unique identifier of the SCIM user. | |||||||
Body parameters | |||||||
Nom, Type, Description | |||||||
schemas array of strings | |||||||
Operations array of objectsRequiredSet of operations to be performed | |||||||
Properties of |
Nom, Type, Description |
---|
op stringRequiredCan be one of: |
path string |
value object or array or string |
HTTP response status codes
Status code | Description |
---|---|
200 | OK |
304 | Not modified |
400 | Bad request |
403 | Forbidden |
404 | Resource not found |
429 | Too Many Requests |
Code samples
curl \
-X PATCH \
-H "Accept: application/scim+json" \
-H "Authorization: Bearer <YOUR-TOKEN>"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
-d '{"Operations":[{"op":"replace","value":{"displayName":"Octocat"}}]}'
Response
Status: 200
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "edefdfedf-050c-11e7-8d32",
"externalId": "a7d0f98382",
"userName": "mona.octocat@okta.example.com",
"displayName": "Monalisa Octocat",
"name": {
"givenName": "Monalisa",
"familyName": "Octocat",
"formatted": "Monalisa Octocat"
},
"emails": [
{
"value": "mona.octocat@okta.example.com",
"primary": true
},
{
"value": "monalisa@octocat.github.com"
}
],
"active": true,
"meta": {
"resourceType": "User",
"created": "2017-03-09T16:11:13-05:00",
"lastModified": "2017-03-09T16:11:13-05:00",
"location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
}
}
Delete a SCIM user from an organization
Parameters
Headers |
---|
Nom, Type, Description |
accept stringSetting to |
Path parameters |
Nom, Type, Description |
org stringRequiredThe organization name. The name is not case sensitive. |
scim_user_id stringRequiredThe unique identifier of the SCIM user. |
HTTP response status codes
Status code | Description |
---|---|
204 | No Content |
304 | Not modified |
403 | Forbidden |
404 | Resource not found |
Code samples
curl \
-X DELETE \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>"\
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID
Response
Status: 204