SCIM の REST API エンドポイント
REST API を使って、SCIM で GitHub Organization メンバーのアクセス権を制御および管理します。
注: この操作により、SCIM を使用して GitHub Enterprise Cloud 上の organization へのアクセスをプロビジョニングできます。 この操作は、Enterprise Managed Users では使用できません。 SCIM を使用した マネージド ユーザー アカウント のプロビジョニングの詳細については、「SCIM の REST API エンドポイント」を参照してください。
SCIM について
Organization 向け SCIM プロビジョニング
これらのエンドポイントは、GitHub Enterprise Cloud Organization メンバーシップのプロビジョニングを自動化するために、SCIM を有効にした ID プロバイダー (IdP) によって使われ、SCIM 標準のバージョン 2.0 がベースになっています。 IdP では、GitHub Enterprise Cloud SCIM エンドポイントのベース URL https://api.github.com/scim/v2/organizations/{org}/
を使います。
注:
- これらのエンドポイントは、SAML SSO が有効になっている GitHub Enterprise Cloud を使っている個々の Organization でのみ使うことができます。 SCIM について詳しくは、「Organization の SCIM について」をご覧ください。 SAML SSO 組織のトークンの承認の詳細については、「REST API に対する認証」を参照してください。
- これらのエンドポイントは、Enterprise アカウントまたは マネージド ユーザーを含む Organization では使うことができません。
認証
これらのエンドポイントを使うには、GitHub Enterprise Cloud Organization の所有者として自分を認証する必要があります。 この REST API では、OAuth 2.0 ベアラー トークン (GitHub App ユーザー アクセス トークンなど) が Authorization
ヘッダーに含まれることを想定しています。 認証にpersonal access token (classic)を使う場合は、admin:org
スコープが設定されている必要があります。また、SAML SSO Organization での使用を承認する必要もあります。
SAML および SCIM データのマッピング
SAML IdP と SCIM クライアントでは、各ユーザーに同じ NameID
および userName
値を使用する必要があります。 これにより、SAML を介して認証するユーザを、プロビジョニングされた SCIM ID にリンクできます。
サポートされている SCIM ユーザ属性
名前 | 種類 | 説明 |
---|---|---|
userName | string | ユーザのユーザ名。 |
name.givenName | string | ユーザーの名。 |
name.familyName | string | ユーザーの姓。 |
emails | array | ユーザのメール一覧。 |
externalId | string | この識別子は SAML プロバイダによって生成され、GitHub ユーザと照合するためにSAML プロバイダによって一意の ID として使用されます。 ユーザの externalID は、SAML プロバイダー、または SCIM プロビジョニング済み ID の一覧表示エンドポイントを使用して、ユーザーの GitHub ユーザー名やメールアドレスなどの他の既知の属性でフィルターして見つけることができます。 |
id | string | GitHub SCIM エンドポイントによって生成された識別子。 |
active | boolean | ID がアクティブである(true)か、プロビジョニングを解除する必要がある(false)かを示すために使用する。 |
メモ: これらのエンドポイントでは、大文字と小文字を区別します。 たとえば、Users
エンドポイントの最初の文字は大文字にする必要があります。
GET /scim/v2/organizations/{org}/Users/{scim_user_id}
List SCIM provisioned identities
Retrieves a paginated list of all provisioned organization members, including pending invitations. If you provide the filter
parameter, the resources for all matching provisions members are returned.
When a user with a SAML-provisioned external identity leaves (or is removed from) an organization, the account's metadata is immediately removed. However, the returned list of user accounts might not always match the organization or enterprise member list you see on GitHub Enterprise Cloud. This can happen in certain cases where an external identity associated with an organization will not match an organization member:
- When a user with a SCIM-provisioned external identity is removed from an organization, the account's metadata is preserved to allow the user to re-join the organization in the future.
- When inviting a user to join an organization, you can expect to see their external identity in the results before they accept the invitation, or if the invitation is cancelled (or never accepted).
- When a user is invited over SCIM, an external identity is created that matches with the invitee's email address. However, this identity is only linked to a user account when the user accepts the invitation by going through SAML SSO.
The returned list of external identities can include an entry for a null
user. These are unlinked SAML identities that are created when a user goes through the following Single Sign-On (SSO) process but does not sign in to their GitHub Enterprise Cloud account after completing SSO:
-
The user is granted access by the IdP and is not a member of the GitHub Enterprise Cloud organization.
-
The user attempts to access the GitHub Enterprise Cloud organization and initiates the SAML SSO process, and is not currently signed in to their GitHub Enterprise Cloud account.
-
After successfully authenticating with the SAML SSO IdP, the
null
external identity entry is created and the user is prompted to sign in to their GitHub Enterprise Cloud account:- If the user signs in, their GitHub Enterprise Cloud account is linked to this entry.
- If the user does not sign in (or does not create a new account when prompted), they are not added to the GitHub Enterprise Cloud organization, and the external identity
null
entry remains in place.
"List SCIM provisioned identities" のきめ細かいアクセス トークン
このエンドポイントは、次の粒度の細かいトークンの種類で動作します:
粒度の細かいトークンには次のアクセス許可セットが設定されている必要があります:
- "Members" organization permissions (read)
"List SCIM provisioned identities" のパラメーター
名前, Type, 説明 |
---|
accept string Setting to |
名前, Type, 説明 |
---|
org string 必須The organization name. The name is not case sensitive. |
名前, Type, 説明 |
---|
startIndex integer Used for pagination: the index of the first result to return. |
count integer Used for pagination: the number of results to return. |
filter string Filters results using the equals query parameter operator (
To filter results for the identity with the email
|
"List SCIM provisioned identities" の HTTP 応答状態コード
状態コード | 説明 |
---|---|
200 | OK |
304 | Not modified |
400 | Bad request |
403 | Forbidden |
404 | Resource not found |
429 | Too many requests |
"List SCIM provisioned identities" のコード サンプル
要求の例
curl -L \
-H "Accept: application/scim+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/scim/v2/organizations/ORG/Users
Response with filter
Status: 200
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"totalResults": 1,
"itemsPerPage": 1,
"startIndex": 1,
"Resources": [
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "5fc0c238-1112-11e8-8e45-920c87bdbd75",
"externalId": "00u1dhhb1fkIGP7RL1d8",
"userName": "octocat@github.com",
"displayName": "Mona Octocat",
"name": {
"givenName": "Mona",
"familyName": "Octocat",
"formatted": "Mona Octocat"
},
"emails": [
{
"value": "octocat@github.com",
"primary": true
}
],
"active": true,
"meta": {
"resourceType": "User",
"created": "2018-02-13T15:05:24.000-08:00",
"lastModified": "2018-02-13T15:05:55.000-08:00",
"location": "https://api.github.com/scim/v2/organizations/octo-org/Users/5fc0c238-1112-11e8-8e45-920c87bdbd75"
}
}
]
}
Provision and invite a SCIM user
Provisions organization membership for a user, and sends an activation email to the email address. If the user was previously a member of the organization, the invitation will reinstate any former privileges that the user had. For more information about reinstating former members, see "Reinstating a former member of your organization."
"Provision and invite a SCIM user" のきめ細かいアクセス トークン
このエンドポイントは、次の粒度の細かいトークンの種類で動作します:
粒度の細かいトークンには次のアクセス許可セットが設定されている必要があります:
- "Members" organization permissions (write)
"Provision and invite a SCIM user" のパラメーター
名前, Type, 説明 |
---|
accept string Setting to |
名前, Type, 説明 |
---|
org string 必須The organization name. The name is not case sensitive. |
名前, Type, 説明 | ||||
---|---|---|---|---|
userName string 必須Configured by the admin. Could be an email, login, or username | ||||
displayName string The name of the user, suitable for display to end-users | ||||
name object 必須 | ||||
Properties of |
名前, Type, 説明 |
---|
givenName string 必須 |
familyName string 必須 |
formatted string |
emails
array of objects 必須user emails
Properties of emails
名前, Type, 説明 |
---|
value string 必須 |
primary boolean |
type string |
schemas
array of strings externalId
string groups
array of strings active
boolean "Provision and invite a SCIM user" の HTTP 応答状態コード
状態コード | 説明 |
---|---|
201 | Created |
304 | Not modified |
400 | Bad request |
403 | Forbidden |
404 | Resource not found |
409 | Conflict |
500 | Internal server error |
"Provision and invite a SCIM user" のコード サンプル
要求の例
curl -L \
-X POST \
-H "Accept: application/scim+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/scim/v2/organizations/ORG/Users \
-d '{"userName":"octocat","name":"Monalisa Octocat","emails":[{"value":"mona.octocat@github.com","primary":true}]}'
Response
Status: 201
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "edefdfedf-050c-11e7-8d32",
"externalId": "a7d0f98382",
"userName": "mona.octocat@okta.example.com",
"displayName": "Monalisa Octocat",
"name": {
"givenName": "Monalisa",
"familyName": "Octocat",
"formatted": "Monalisa Octocat"
},
"emails": [
{
"value": "mona.octocat@okta.example.com",
"primary": true
},
{
"value": "monalisa@octocat.github.com"
}
],
"active": true,
"meta": {
"resourceType": "User",
"created": "2017-03-09T16:11:13-05:00",
"lastModified": "2017-03-09T16:11:13-05:00",
"location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
}
}
Get SCIM provisioning information for a user
Gets SCIM provisioning information for a user.
"Get SCIM provisioning information for a user" のきめ細かいアクセス トークン
このエンドポイントは、次の粒度の細かいトークンの種類で動作します:
粒度の細かいトークンには次のアクセス許可セットが設定されている必要があります:
- "Members" organization permissions (read)
"Get SCIM provisioning information for a user" のパラメーター
名前, Type, 説明 |
---|
accept string Setting to |
名前, Type, 説明 |
---|
org string 必須The organization name. The name is not case sensitive. |
scim_user_id string 必須The unique identifier of the SCIM user. |
"Get SCIM provisioning information for a user" の HTTP 応答状態コード
状態コード | 説明 |
---|---|
200 | OK |
304 | Not modified |
403 | Forbidden |
404 | Resource not found |
"Get SCIM provisioning information for a user" のコード サンプル
要求の例
curl -L \
-H "Accept: application/scim+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID
Response
Status: 200
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "edefdfedf-050c-11e7-8d32",
"externalId": "a7d0f98382",
"userName": "mona.octocat@okta.example.com",
"displayName": "Monalisa Octocat",
"name": {
"givenName": "Monalisa",
"familyName": "Octocat",
"formatted": "Monalisa Octocat"
},
"emails": [
{
"value": "mona.octocat@okta.example.com",
"primary": true
},
{
"value": "monalisa@octocat.github.com"
}
],
"active": true,
"meta": {
"resourceType": "User",
"created": "2017-03-09T16:11:13-05:00",
"lastModified": "2017-03-09T16:11:13-05:00",
"location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
}
}
Update a provisioned organization membership
Replaces an existing provisioned user's information. You must provide all the information required for the user as if you were provisioning them for the first time. Any existing user information that you don't provide will be removed. If you want to only update a specific attribute, use the Update an attribute for a SCIM user endpoint instead.
You must at least provide the required values for the user: userName
, name
, and emails
.
Warning
Setting active: false
removes the user from the organization, deletes the external identity, and deletes the associated {scim_user_id}
.
"Update a provisioned organization membership" のきめ細かいアクセス トークン
このエンドポイントは、次の粒度の細かいトークンの種類で動作します:
粒度の細かいトークンには次のアクセス許可セットが設定されている必要があります:
- "Members" organization permissions (write)
"Update a provisioned organization membership" のパラメーター
名前, Type, 説明 |
---|
accept string Setting to |
名前, Type, 説明 |
---|
org string 必須The organization name. The name is not case sensitive. |
scim_user_id string 必須The unique identifier of the SCIM user. |
名前, Type, 説明 | ||||
---|---|---|---|---|
schemas array of strings | ||||
displayName string The name of the user, suitable for display to end-users | ||||
externalId string | ||||
groups array of strings | ||||
active boolean | ||||
userName string 必須Configured by the admin. Could be an email, login, or username | ||||
name object 必須 | ||||
Properties of |
名前, Type, 説明 |
---|
givenName string 必須 |
familyName string 必須 |
formatted string |
emails
array of objects 必須user emails
Properties of emails
名前, Type, 説明 |
---|
type string |
value string 必須 |
primary boolean |
"Update a provisioned organization membership" の HTTP 応答状態コード
状態コード | 説明 |
---|---|
200 | OK |
304 | Not modified |
403 | Forbidden |
404 | Resource not found |
"Update a provisioned organization membership" のコード サンプル
要求の例
curl -L \
-X PUT \
-H "Accept: application/scim+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
-d '{"userName":"octocat","name":"Monalisa Octocat","emails":[{"value":"mona.octocat@github.com","primary":true}]}'
Response
Status: 200
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "edefdfedf-050c-11e7-8d32",
"externalId": "a7d0f98382",
"userName": "mona.octocat@okta.example.com",
"displayName": "Monalisa Octocat",
"name": {
"givenName": "Monalisa",
"familyName": "Octocat",
"formatted": "Monalisa Octocat"
},
"emails": [
{
"value": "mona.octocat@okta.example.com",
"primary": true
},
{
"value": "monalisa@octocat.github.com"
}
],
"active": true,
"meta": {
"resourceType": "User",
"created": "2017-03-09T16:11:13-05:00",
"lastModified": "2017-03-09T16:11:13-05:00",
"location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
}
}
Update an attribute for a SCIM user
Allows you to change a provisioned user's individual attributes. To change a user's values, you must provide a specific Operations
JSON format that contains at least one of the add
, remove
, or replace
operations. For examples and more information on the SCIM operations format, see the SCIM specification.
Note
Complicated SCIM path
selectors that include filters are not supported. For example, a path
selector defined as "path": "emails[type eq \"work\"]"
will not work.
Warning
If you set active:false
using the replace
operation (as shown in the JSON example below), it removes the user from the organization, deletes the external identity, and deletes the associated :scim_user_id
.
{
"Operations":[{
"op":"replace",
"value":{
"active":false
}
}]
}
"Update an attribute for a SCIM user" のきめ細かいアクセス トークン
このエンドポイントは、次の粒度の細かいトークンの種類で動作します:
粒度の細かいトークンには次のアクセス許可セットが設定されている必要があります:
- "Members" organization permissions (write)
"Update an attribute for a SCIM user" のパラメーター
名前, Type, 説明 |
---|
accept string Setting to |
名前, Type, 説明 |
---|
org string 必須The organization name. The name is not case sensitive. |
scim_user_id string 必須The unique identifier of the SCIM user. |
名前, Type, 説明 | ||||
---|---|---|---|---|
schemas array of strings | ||||
Operations array of objects 必須Set of operations to be performed | ||||
Properties of |
名前, Type, 説明 |
---|
op string 必須次のいずれかにできます: |
path string |
value object or array or string |
"Update an attribute for a SCIM user" の HTTP 応答状態コード
状態コード | 説明 |
---|---|
200 | OK |
304 | Not modified |
400 | Bad request |
403 | Forbidden |
404 | Resource not found |
429 | Too Many Requests |
"Update an attribute for a SCIM user" のコード サンプル
要求の例
curl -L \
-X PATCH \
-H "Accept: application/scim+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
-d '{"Operations":[{"op":"replace","value":{"displayName":"Octocat"}}]}'
Response
Status: 200
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"id": "edefdfedf-050c-11e7-8d32",
"externalId": "a7d0f98382",
"userName": "mona.octocat@okta.example.com",
"displayName": "Monalisa Octocat",
"name": {
"givenName": "Monalisa",
"familyName": "Octocat",
"formatted": "Monalisa Octocat"
},
"emails": [
{
"value": "mona.octocat@okta.example.com",
"primary": true
},
{
"value": "monalisa@octocat.github.com"
}
],
"active": true,
"meta": {
"resourceType": "User",
"created": "2017-03-09T16:11:13-05:00",
"lastModified": "2017-03-09T16:11:13-05:00",
"location": "https://api.github.com/scim/v2/organizations/octo-org/Users/edefdfedf-050c-11e7-8d32"
}
}
Delete a SCIM user from an organization
Deletes a SCIM user from an organization.
"Delete a SCIM user from an organization" のきめ細かいアクセス トークン
このエンドポイントは、次の粒度の細かいトークンの種類で動作します:
粒度の細かいトークンには次のアクセス許可セットが設定されている必要があります:
- "Members" organization permissions (write)
"Delete a SCIM user from an organization" のパラメーター
名前, Type, 説明 |
---|
accept string Setting to |
名前, Type, 説明 |
---|
org string 必須The organization name. The name is not case sensitive. |
scim_user_id string 必須The unique identifier of the SCIM user. |
"Delete a SCIM user from an organization" の HTTP 応答状態コード
状態コード | 説明 |
---|---|
204 | No Content |
304 | Not modified |
403 | Forbidden |
404 | Resource not found |
"Delete a SCIM user from an organization" のコード サンプル
要求の例
curl -L \
-X DELETE \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID
Response
Status: 204