Publicamos atualizações frequentes em nossa documentação, e a tradução desta página ainda pode estar em andamento. Para obter as informações mais recentes, acesse a documentação em inglês. Se houver problemas com a tradução desta página, entre em contato conosco.

SCIM

Neste artigo

Provisionamento de SCIM para Organizações

A API do SCIM é usada pelos provedores de identidade (IdPs) habilitados pelo SCIM para automatizar o provisionamento de integrantes da organização de GitHub. A API GitHub é baseada na versão 2.0 do padrão SCIM. O ponto de extremidade do SCIM do GitHub que um IdP deve usar é: https://api.github.com/scim/v2/organizations/{org}/.

Observação: A API do SCIM está disponível apenas para organizações em GitHub Enterprise Cloud com SSO de SAML habilitado. Para obter mais informações sobre o SCIM, consulte "Sobre o SCIM."

Autenticar chamadas para a API de SCIM

Você deve efetuar a autenticação como dono de uma organização do GitHub para usar sua API do SCIM. A API espera que um token OAuth 2.0 seja incluído no cabeçalho da Autorização. Você também pode usar um token de acesso pessoal, mas primeiro deve autorizá-lo para uso com sua organização SAML SSO.

Mapear dados do SAML e SCIM

O SAML IdP e o cliente SCIM devem usar valores correspondentes ao NameID e userName para cada usuário. Isso permite que um usuário que faz autenticação através do SAML seja vinculado à sua identidade SCIM provisionada.

Atributos de usuário de SCIM compatíveis

NomeTipoDescrição
userNamestringO nome de usuário para o usuário.
name.givenNamestringO primeiro nome do usuário.
name.lastNamestringO sobrenome do usuário.
emailsarrayLista de e-mails dos usuários.
externalIdstringEste identificador é gerado pelo provedor do SAML e é usado como um ID exclusivo pelo provedor do SAML para corresponder ao usuário do GitHub. Você pode encontrar o externalID para um usuário no provedor do SAML ou usar a listar identidades fornecidas pelo ponto de extremidade do SCIM e filtrar outros atributos conhecidos, como, por exemplo, o nome de usuário no GitHub ou endereço de e-mail de usuário.
idstringIdentificador gerado pelo ponto de extremidade do SCIM do GitHub.
ativobooleanUsado para indicar se a identidade está ativa (verdadeira) ou se deve ser desprovisionada (falso).

Observação: As URLs de Endpoint para a API SCIM são sensíveis a maiúsculas e minúsculas. Por exemplo, a primeira letra no endpoint Usuários deve ser maiúscula:

GET /scim/v2/organizations/{org}/Users/{scim_user_id}

List SCIM provisioned identities

Retrieves a paginated list of all provisioned organization members, including pending invitations. If you provide the filter parameter, the resources for all matching provisions members are returned.

When a user with a SAML-provisioned external identity leaves (or is removed from) an organization, the account's metadata is immediately removed. However, the returned list of user accounts might not always match the organization or enterprise member list you see on GitHub. This can happen in certain cases where an external identity associated with an organization will not match an organization member:

  • When a user with a SCIM-provisioned external identity is removed from an organization, the account's metadata is preserved to allow the user to re-join the organization in the future.
  • When inviting a user to join an organization, you can expect to see their external identity in the results before they accept the invitation, or if the invitation is cancelled (or never accepted).
  • When a user is invited over SCIM, an external identity is created that matches with the invitee's email address. However, this identity is only linked to a user account when the user accepts the invitation by going through SAML SSO.

The returned list of external identities can include an entry for a null user. These are unlinked SAML identities that are created when a user goes through the following Single Sign-On (SSO) process but does not sign in to their GitHub account after completing SSO:

  1. The user is granted access by the IdP and is not a member of the GitHub organization.

  2. The user attempts to access the GitHub organization and initiates the SAML SSO process, and is not currently signed in to their GitHub account.

  3. After successfully authenticating with the SAML SSO IdP, the null external identity entry is created and the user is prompted to sign in to their GitHub account:

    • If the user signs in, their GitHub account is linked to this entry.
    • If the user does not sign in (or does not create a new account when prompted), they are not added to the GitHub organization, and the external identity null entry remains in place.
get /scim/v2/organizations/{org}/Users

Parâmetros

Name Type In Description
accept string header

Setting to application/vnd.github.v3+json is recommended.

org string path
startIndex integer query

Used for pagination: the index of the first result to return.

count integer query

Used for pagination: the number of results to return.

filter string query

Filters results using the equals query parameter operator (eq). You can filter results that are equal to id, userName, emails, and external_id. For example, to search for an identity with the userName Octocat, you would use this query:

?filter=userName%20eq%20\"Octocat\".

To filter results for for the identity with the email octocat@github.com, you would use this query:

?filter=emails%20eq%20\"octocat@github.com\".

Amostras de código

Shell
curl \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/scim/v2/organizations/ORG/Users
JavaScript (@octokit/core.js)
await octokit.request('GET /scim/v2/organizations/{org}/Users', {
  org: 'org'
})

Response

Status: 200 OK

Not modified

Status: 304 Not Modified

Bad request

Status: 400 Bad Request

Forbidden

Status: 403 Forbidden

Resource not found

Status: 404 Not Found

Notes


Provision and invite a SCIM user

Provision organization membership for a user, and send an activation email to the email address.

post /scim/v2/organizations/{org}/Users

Parâmetros

Name Type In Description
accept string header

Setting to application/vnd.github.v3+json is recommended.

org string path
userName string body

Required. Configured by the admin. Could be an email, login, or username

displayName string body

The name of the user, suitable for display to end-users

name object body

Required. undefined

Properties of the name object

givenName (string)

Required. undefined

familyName (string)

Required. undefined

formatted (string)

undefined

emails array of objects body

Required. user emails

Properties of the emails items

value (string)

Required. undefined

primary (boolean)

undefined

type (string)

undefined

schemas array of strings body

undefined

externalId string body

undefined

groups array of strings body

undefined

active boolean body

undefined

Amostras de código

Shell
curl \
  -X POST \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/scim/v2/organizations/ORG/Users \
  -d '{"userName":"userName","name":{"givenName":"givenName","familyName":"familyName","formatted":"formatted"},"emails":["octocat@github.com"]}'
JavaScript (@octokit/core.js)
await octokit.request('POST /scim/v2/organizations/{org}/Users', {
  org: 'org',
  userName: 'userName',
  name: {
    givenName: 'givenName',
    familyName: 'familyName',
    formatted: 'formatted'
  },
  emails: [
    'octocat@github.com'
  ]
})

Response

Status: 201 Created

Not modified

Status: 304 Not Modified

Bad request

Status: 400 Bad Request

Forbidden

Status: 403 Forbidden

Resource not found

Status: 404 Not Found

Conflict

Status: 409 Conflict

Internal error

Status: 500 Internal Server Error

Notes


get /scim/v2/organizations/{org}/Users/{scim_user_id}

Parâmetros

Name Type In Description
accept string header

Setting to application/vnd.github.v3+json is recommended.

org string path
scim_user_id string path

scim_user_id parameter

Amostras de código

Shell
curl \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID
JavaScript (@octokit/core.js)
await octokit.request('GET /scim/v2/organizations/{org}/Users/{scim_user_id}', {
  org: 'org',
  scim_user_id: 'scim_user_id'
})

Response

Status: 200 OK

Not modified

Status: 304 Not Modified

Forbidden

Status: 403 Forbidden

Resource not found

Status: 404 Not Found

Notes


Update a provisioned organization membership

Replaces an existing provisioned user's information. You must provide all the information required for the user as if you were provisioning them for the first time. Any existing user information that you don't provide will be removed. If you want to only update a specific attribute, use the Update an attribute for a SCIM user endpoint instead.

You must at least provide the required values for the user: userName, name, and emails.

Warning: Setting active: false removes the user from the organization, deletes the external identity, and deletes the associated {scim_user_id}.

put /scim/v2/organizations/{org}/Users/{scim_user_id}

Parâmetros

Name Type In Description
accept string header

Setting to application/vnd.github.v3+json is recommended.

org string path
scim_user_id string path

scim_user_id parameter

schemas array of strings body

undefined

displayName string body

The name of the user, suitable for display to end-users

externalId string body

undefined

groups array of strings body

undefined

active boolean body

undefined

userName string body

Required. Configured by the admin. Could be an email, login, or username

name object body

Required. undefined

Properties of the name object

givenName (string)

Required. undefined

familyName (string)

Required. undefined

formatted (string)

undefined

emails array of objects body

Required. user emails

Properties of the emails items

type (string)

undefined

value (string)

Required. undefined

primary (boolean)

undefined

Amostras de código

Shell
curl \
  -X PUT \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
  -d '{"userName":"userName","name":{"givenName":"givenName","familyName":"familyName","formatted":"formatted"},"emails":["octocat@github.com"]}'
JavaScript (@octokit/core.js)
await octokit.request('PUT /scim/v2/organizations/{org}/Users/{scim_user_id}', {
  org: 'org',
  scim_user_id: 'scim_user_id',
  userName: 'userName',
  name: {
    givenName: 'givenName',
    familyName: 'familyName',
    formatted: 'formatted'
  },
  emails: [
    'octocat@github.com'
  ]
})

Response

Status: 200 OK

Not modified

Status: 304 Not Modified

Forbidden

Status: 403 Forbidden

Resource not found

Status: 404 Not Found

Notes


Update an attribute for a SCIM user

Allows you to change a provisioned user's individual attributes. To change a user's values, you must provide a specific Operations JSON format that contains at least one of the add, remove, or replace operations. For examples and more information on the SCIM operations format, see the SCIM specification.

Note: Complicated SCIM path selectors that include filters are not supported. For example, a path selector defined as "path": "emails[type eq \"work\"]" will not work.

Warning: If you set active:false using the replace operation (as shown in the JSON example below), it removes the user from the organization, deletes the external identity, and deletes the associated :scim_user_id.

{
  "Operations":[{
    "op":"replace",
    "value":{
      "active":false
    }
  }]
}
patch /scim/v2/organizations/{org}/Users/{scim_user_id}

Parâmetros

Name Type In Description
accept string header

Setting to application/vnd.github.v3+json is recommended.

org string path
scim_user_id string path

scim_user_id parameter

schemas array of strings body

undefined

Operations array of objects body

Required. Set of operations to be performed

Properties of the Operations items

op (string)

Required. undefined

path (string)

undefined

value ()

undefined

Amostras de código

Shell
curl \
  -X PATCH \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
  -d '{"Operations":[{"op":"op","path":"path","value":{"active":true,"userName":"userName","externalId":"externalId","givenName":"givenName","familyName":"familyName"}}]}'
JavaScript (@octokit/core.js)
await octokit.request('PATCH /scim/v2/organizations/{org}/Users/{scim_user_id}', {
  org: 'org',
  scim_user_id: 'scim_user_id',
  Operations: [
    {
      op: 'op',
      path: 'path',
      value: {
        active: true,
        userName: 'userName',
        externalId: 'externalId',
        givenName: 'givenName',
        familyName: 'familyName'
      }
    }
  ]
})

Response

Status: 200 OK

Not modified

Status: 304 Not Modified

Bad request

Status: 400 Bad Request

Forbidden

Status: 403 Forbidden

Resource not found

Status: 404 Not Found

Too many requests

Status: 429 Too Many Requests

Notes


delete /scim/v2/organizations/{org}/Users/{scim_user_id}

Parâmetros

Name Type In Description
accept string header

Setting to application/vnd.github.v3+json is recommended.

org string path
scim_user_id string path

scim_user_id parameter

Amostras de código

Shell
curl \
  -X DELETE \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID
JavaScript (@octokit/core.js)
await octokit.request('DELETE /scim/v2/organizations/{org}/Users/{scim_user_id}', {
  org: 'org',
  scim_user_id: 'scim_user_id'
})

Default Response

Status: 204 No Content

Not modified

Status: 304 Not Modified

Forbidden

Status: 403 Forbidden

Resource not found

Status: 404 Not Found

Notes


Esse documento ajudou você?

Privacy policy

Ajude-nos a tornar esses documentos ótimos!

Todos os documentos do GitHub são de código aberto. Você percebeu que algo que está errado ou não está claro? Envie um pull request.

Faça uma contribuição

Ou, aprenda como contribuir.