SCIM for Identity-Federated Workspaces

The SCIM API for Identity-Federated Workspaces is similar to the regular workspace SCIM API. Notable differences are:

Me

Get me

Method

GET

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/Me

Request example

Response example

200:

{

   "emails": [

       {

           "type": "work",

           "value": "user@example.com",

           "primary": true

       }

   ],

   "displayName": "John Doe",

   "schemas": [

       "urn:ietf:params:scim:schemas:core:2.0:User",

       "urn:ietf:params:scim:schemas:extension:workspace:2.0:User:permissionLevel"

   ],

   "name": {

       "familyName": "Doe",

       "givenName": "John"

   },

   "active": true,

   "groups": [],

   "id": "100000",

   "userName": "user@example.com"

}

Users

Create user

Method

POST

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/Users

Request example

{

 "schemas":[

   "urn:ietf:params:scim:schemas:core:2.0:User"

 ],

 "userName":"user@example.com",

 "displayName": "John Doe"

}

Response example

201:

{

   "emails": [

       {

           "type": "work",

           "value": "user@example.com",

           "primary": true

       }

   ],

   "displayName": "John Doe",

   "schemas": [

       "urn:ietf:params:scim:schemas:core:2.0:User",

       "urn:ietf:params:scim:schemas:extension:workspace:2.0:User:permissionLevel"

   ],

   "name": {

       "familyName": "Doe",

       "givenName": "John"

   },

   "active": true,

   "groups": [],

   "id": "100000",

   "userName": "user@example.com"

}

404:

{

   "schemas": [

       "urn:ietf:params:scim:api:messages:2.0:Error"

   ],

   "detail": "Account user with name not-user@example.com not found.",

   "status": "404"

}

Get user by ID

Method

GET

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/Users/{user_id}

Request example

Response example

200:

{

   "emails": [

       {

           "type": "work",

           "value": "user@example.com",

           "primary": true

       }

   ],

   "displayName": "John Doe",

   "schemas": [

       "urn:ietf:params:scim:schemas:core:2.0:User",

       "urn:ietf:params:scim:schemas:extension:workspace:2.0:User:permissionLevel"

   ],

   "name": {

       "familyName": "Doe",

       "givenName": "John"

   },

   "active": true,

   "groups": [],

   "id": "100000",

   "userName": "user@example.com"

}

List users

Method

GET

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/Users

Request example

GET {workspace_domain}/api/2.0/preview/scim/v2/Users?filter=userName+eq+user@example.com

Response example

200:

{

   "totalResults": 1,

   "startIndex": 1,

   "itemsPerPage": 1,

   "schemas": [

       "urn:ietf:params:scim:api:messages:2.0:ListResponse"

   ],

   "Resources": [

       {

           "emails": [

               {

                   "type": "work",

                   "value": "user@example.com",

                   "primary": true

               }

           ],

           "displayName": "John Doe",

           "name": {

               "familyName": "Doe",

               "givenName": "John"

           },

           "active": true,

           "groups": [],

           "id": "100000",

           "userName": "user@example.com"

       }

   ]

}

Assign/unassign roles to user (PATCH)

Method

PATCH

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/Users/{user_id}

Request example

// assign role

{

 "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],

 "Operations": [

   {

     "op": "add",

     "path": "entitlements",

     "value": [

       {

          "value": "allow-cluster-create"

       }

     ]

   }

 ]

}

// unassign role

{

 "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],

 "Operations": [

   {

     "op": "remove",

     "path": "entitlements[value eq \"allow-cluster-create\"]"

   }

 ]

}

Response example

200:

{

   "emails": [

       {

           "type": "work",

           "value": "user@example.com",

           "primary": true

       }

   ],

   "entitlements": [

       {

           "value": "allow-cluster-create"

       }

   ],

   "displayName": "John Doe",

   "schemas": [

       "urn:ietf:params:scim:schemas:core:2.0:User",

       "urn:ietf:params:scim:schemas:extension:workspace:2.0:User:permissionLevel"

   ],

   "name": {

       "familyName": "Doe",

       "givenName": "John"

   },

   "active": true,

   "groups": [],

   "id": "10000",

   "userName": "user@example.com"

}

Assign/unassign roles to user (PUT)

Method

PUT

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/Users/{user_id}

Request example

// assign role

{

 "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ],

 "userName": "user@example.com",

 "entitlements": [

   {

     "value": "allow-cluster-create"

   }

 ]

}

// unassign role

{

 "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ],

 "userName": "user@example.com",

 "entitlements": []

}

Response example

200:

{

   "emails": [

       {

           "type": "work",

           "value": "user@example.com",

           "primary": true

       }

   ],

   "entitlements": [

       {

           "value": "allow-cluster-create"

       }

   ],

   "displayName": "John Doe",

   "schemas": [

       "urn:ietf:params:scim:schemas:core:2.0:User",

       "urn:ietf:params:scim:schemas:extension:workspace:2.0:User:permissionLevel"

   ],

   "name": {

       "familyName": "Doe",

       "givenName": "John"

   },

   "active": true,

   "groups": [],

   "id": "10000",

   "userName": "user@example.com"

}
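
An added example, not part of the original reference or the vendor's code: a helper that compares the entitlements in a user record with the desired set and builds the targeted PATCH body shown above, so that only the differing entitlements are touched, whereas the PUT form sends the complete `entitlements` list. The function name and the sample record are constructed for illustration.

```python
import json
from typing import Optional, Set

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def entitlement_patch(user: dict, desired: Set[str]) -> Optional[dict]:
    """Return the PatchOp body that moves `user` to `desired`, or None."""
    current = {e["value"] for e in user.get("entitlements", [])}
    ops = []
    grant = sorted(desired - current)
    if grant:
        ops.append({"op": "add", "path": "entitlements",
                    "value": [{"value": v} for v in grant]})
    for v in sorted(current - desired):
        # json.dumps yields a quoted, escaped string literal, so a value
        # containing a quote or backslash cannot break out of the filter.
        ops.append({"op": "remove",
                    "path": f"entitlements[value eq {json.dumps(v)}]"})
    # No operations means the record already matches; send no request.
    return {"schemas": [PATCH_OP], "Operations": ops} if ops else None


# Constructed sample record, shaped like the 200 response above.
SAMPLE_USER = {"id": "10000", "userName": "user@example.com",
               "entitlements": [{"value": "allow-cluster-create"}]}

if __name__ == "__main__":
    print(json.dumps(entitlement_patch(SAMPLE_USER, set()), indent=2))
```

Returning `None` when the record already matches keeps a reconciliation job from issuing no-op writes that would clutter the audit trail.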

Delete user

Method

DELETE

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/Users/{user_id}

Request example

Response example

204:

{}

Groups

Create group

Method

POST

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/Groups

Request example

{

 "schemas":[

   "urn:ietf:params:scim:schemas:core:2.0:Group"

 ],

 "displayName":"newgroup"

}

Response example

201:

{

   "displayName": "newgroup",

   "schemas": [

       "urn:ietf:params:scim:schemas:core:2.0:Group"

   ],

   "members": [

       {

           "display": "User 1",

           "value": "200000",

           "$ref": "Users/200000"

       },

       {

           "display": "User 2",

           "value": "200001",

           "$ref": "Users/200001"

       }

   ],

   "groups": [],

   "id": "100000"

}

400:

{

   "schemas": [

       "urn:ietf:params:scim:api:messages:2.0:Error"

   ],

   "scimType": "Members attribute not supported for current workspace.",

   "detail": "Request is unparsable, syntactically incorrect, or violates schema.",

   "status": "400"

}

Get group by ID

Method

GET

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/Groups/{group_id}

Request example

Response example

200:

{

   "displayName": "newgroup",

   "schemas": [

       "urn:ietf:params:scim:schemas:core:2.0:Group"

   ],

   "members": [

       {

           "display": "User 1",

           "value": "200000",

           "$ref": "Users/200000"

       },

       {

           "display": "User 2",

           "value": "200001",

           "$ref": "Users/200001"

       }

   ],

   "groups": [],

   "id": "100000"

}

List groups

Method

GET

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/Groups

Request example

Response example

200:

{

   "totalResults": 1,

   "startIndex": 1,

   "itemsPerPage": 1,

   "schemas": [

       "urn:ietf:params:scim:api:messages:2.0:ListResponse"

   ],

   "Resources": [

       {

           "displayName": "newgroup",

           "schemas": [

               "urn:ietf:params:scim:schemas:core:2.0:Group"

           ],

           "members": [

               {

                   "display": "User 1",

                   "value": "200000",

                   "$ref": "Users/200000"

               },

               {

                   "display": "User 2",

                   "value": "200001",

                   "$ref": "Users/200001"

               }

           ],

           "groups": [],

           "id": "100000"

       }

   ]

}

Add member to group (NOT SUPPORTED)

Method

PATCH

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/Groups/{group_id}

Request example

{

 "schemas":[

   "urn:ietf:params:scim:api:messages:2.0:PatchOp"

 ],

 "Operations":[

   {

   "op":"add",

   "value":{

       "members":[

          {

             "value":"10000"

          }

       ]

     }

   }

 ]

}

Response example

400:

{

   "schemas": [

       "urn:ietf:params:scim:api:messages:2.0:Error"

   ],

   "scimType": "invalidSyntax",

   "detail": "Members attribute cannot be updated as group newgroup can only be managed in account.",

   "status": "400"

}

Remove member from group (NOT SUPPORTED)

Method

PATCH

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/Groups/{group_id}

Request example

{

 "schemas":[

   "urn:ietf:params:scim:api:messages:2.0:PatchOp"

 ],

 "Operations":[

   {

     "op":"remove",

     "path":"members[value eq \"100000\"]"

   }

 ]

}

Response example

400:

{

   "schemas": [

       "urn:ietf:params:scim:api:messages:2.0:Error"

   ],

   "scimType": "invalidSyntax",

   "detail": "Members attribute cannot be updated as group newgroup can only be managed in account.",

   "status": "400"

}

Delete group

Method

DELETE

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/Groups/{group_id}

Request example

Response example

204:

{}

Service Principals

Create service principal

Method

POST

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/ServicePrincipals

Request example

{

 "schemas":[

   "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"

 ],

 "applicationId":"<uuid>"

}

Response example

201:

{

   "displayName": "new service principal",

   "groups": [],

   "id": "10000",

   "applicationId": "<uuid>",

   "schemas": [

       "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"

   ],

   "active": true

}

400:

{

   "schemas": [

       "urn:ietf:params:scim:api:messages:2.0:Error"

   ],

   "scimType": "Required attribute applicationID is missing in the SCIM Object.",

   "detail": "Request is unparsable, syntactically incorrect, or violates schema.",

   "status": "400"

}

{

   "schemas": [

       "urn:ietf:params:scim:api:messages:2.0:Error"

   ],

   "scimType": "serviceprincipal",

   "detail": "Account service principal with applicationId <uuid> not found.",

   "status": "400"

}

Get service principal by ID

Method

GET

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/ServicePrincipals/{id}

Request example

Response example

200:

{

   "displayName": "new service principal",

   "groups": [],

   "id": "10000",

   "applicationId": "<uuid>",

   "schemas": [

       "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"

   ],

   "active": true

}

List service principals

Method

GET

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/ServicePrincipals

Request example

Response example

200:

{

   "Resources": [

       {

           "displayName": "new service principal",

           "groups": [],

           "id": "10000",

           "applicationId": "<uuid>",

           "schemas": [

               "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"

           ],

           "active": true

       }

   ],

   "totalResults": 5,

   "startIndex": 1,

   "itemsPerPage": 1,

   "schemas": [

       "urn:ietf:params:scim:api:messages:2.0:ListResponse"

   ]

}

Update service principal

Method

PATCH

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/ServicePrincipals/{id}

Request example

{

 "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],

 "Operations": [

   {

     "op": "add",

     "path": "entitlements",

     "value": [

       {

          "value": "allow-cluster-create"

       }

     ]

   }

 ]

}

Response example

200:

{

   "displayName": "new service principal",

   "groups": [],

   "id": "10000",

   "applicationId": "<uuid>",

   "entitlements": [

       {

           "value": "allow-cluster-create"

       }

   ],

   "schemas": [

       "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"

   ],

   "active": true

}

Delete service principal

Method

DELETE

Endpoint

{workspace_domain}/api/2.0/preview/scim/v2/ServicePrincipals/{id}

Request example

Response example

204:

{}