Service Provider
This feature is only available in the Enterprise plan. Please visit our pricing page to learn more.
Overview
This API is used to retrieve information about the configuration of the FusionAuth SCIM Service Provider as specified in the RFC.
Retrieve Resource Types
Request
Request Parameters
resourceTypeId (String): The unique Resource Type Id, such as User.
Response
The response for this API contains the ResourceType(s) in standard SCIM schema.
Response Codes
Code | Description |
---|---|
200 | The request was successful. The response will contain a JSON body. |
400 | The request was invalid and/or malformed. The response will contain a SCIM Error JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid JWT in your Authorization header. The response will be empty. Ensure you've correctly set up Entities and performed a Client Credentials grant. |
404 | The object doesn't exist. The response will be empty. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
503 | The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
504 | One or more Webhook endpoints returned an invalid response or were unreachable. Based on the transaction configuration for this event your action cannot be completed. A stack trace is provided and logged in the FusionAuth log files. |
For FusionAuth SCIM endpoints, any error responses will be returned in standard SCIM schema. See more details in the SCIM API Overview.
The SCIM specification allows for customization of the schemas using extensions. Therefore, it is not possible to accurately document all the possible variations.
The following is the default response body. However, you can customize the schemas portion of the response by modifying the schemas setting.
This is taken from the SCIM RFC describing a SCIM ResourceTypes schema. See the RFC for the full specification.
Response Body
Default Response JSON
{
  "itemsPerPage": 10,
  "Resources": [
    {
      "description": "User Account",
      "endpoint": "/Users",
      "id": "User",
      "meta": {
        "location": "https://piedpiper.com/api/scim/v2/ResourceTypes/User",
        "resourceType": "ResourceType"
      },
      "name": "User",
      "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
      "schemaExtensions": [
        {
          "required": true,
          "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
        }
      ],
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
      ]
    },
    {
      "description": "Group",
      "endpoint": "/Groups",
      "id": "Group",
      "meta": {
        "location": "https://piedpiper.com/api/scim/v2/ResourceTypes/Group",
        "resourceType": "ResourceType"
      },
      "name": "Group",
      "schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
      ]
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "startIndex": 1,
  "totalResults": 2
}
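The ResourceTypes response tells a provisioning client which schema URNs each endpoint accepts and which extensions are marked required. The following is an added example, not FusionAuth code: a client-side pre-flight check that validates an outbound payload's schema declarations against that response. The function names and the sample input (trimmed from the default response above) are assumptions made for illustration.

```python
import json

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed input: the default ResourceTypes response above, trimmed to the
# fields this check reads.
RESOURCE_TYPES = json.loads("""
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "Resources": [
  {"endpoint": "/Users", "id": "User",
   "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
   "schemaExtensions": [{"required": true,
     "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"}]},
  {"endpoint": "/Groups", "id": "Group",
   "schema": "urn:ietf:params:scim:schemas:core:2.0:Group"}]}
""")


def index_resource_types(list_response):
    """Map endpoint -> core schema URN plus required/optional extension URNs."""
    if LIST_RESPONSE not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    index = {}
    for rt in list_response.get("Resources", []):
        exts = rt.get("schemaExtensions", [])
        index[rt["endpoint"]] = {
            "core": rt["schema"],
            "required": {e["schema"] for e in exts if e.get("required")},
            "optional": {e["schema"] for e in exts if not e.get("required")},
        }
    return index


def check_payload(index, endpoint, payload):
    """Return the problems with a payload's schema declarations (empty = ok)."""
    rt = index.get(endpoint)
    if rt is None:
        return [f"endpoint not advertised: {endpoint}"]
    declared = set(payload.get("schemas", []))
    allowed = {rt["core"]} | rt["required"] | rt["optional"]
    problems = []
    if rt["core"] not in declared:
        problems.append(f"missing core schema: {rt['core']}")
    problems += [f"missing required extension: {u}" for u in sorted(rt["required"] - declared)]
    problems += [f"schema not advertised: {u}" for u in sorted(declared - allowed)]
    # Extension attributes live under a key named by the extension URN; every
    # such key must also be listed in "schemas".
    used = {k for k in payload if k.startswith("urn:")}
    problems += [f"extension used but not declared: {u}" for u in sorted(used - declared)]
    return problems
```
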
Retrieve Schemas
Request
Request Parameters
schemaId
(String): The unique Schema Id, such as urn:ietf:params:scim:schemas:core:2.0:User.
Response
The response for this API contains the Schema definition(s) in standard SCIM schema.
Response Codes
Code | Description |
---|---|
200 | The request was successful. The response will contain a JSON body. |
400 | The request was invalid and/or malformed. The response will contain a SCIM Error JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid JWT in your Authorization header. The response will be empty. Ensure you've correctly set up Entities and performed a Client Credentials grant. |
404 | The object doesn't exist. The response will be empty. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
503 | The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
504 | One or more Webhook endpoints returned an invalid response or were unreachable. Based on the transaction configuration for this event your action cannot be completed. A stack trace is provided and logged in the FusionAuth log files. |
For FusionAuth SCIM endpoints, any error responses will be returned in standard SCIM schema. See more details in the SCIM API Overview.
The SCIM specification allows for customization of the schemas using extensions. Therefore, it is not possible to accurately document all the possible variations.
The following is the default response body. However, you can customize this response by modifying the Tenant’s schemas setting.
This example is taken from RFC 7643, section 7.
Response Body
Default Response JSON
{
  "itemsPerPage": 4,
  "Resources": [
    {
      "attributes": [],
      "description": "Enterprise User",
      "id": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
      "meta": {
        "location": "https://piedpiper.com/api/scim/resource/v2/Schemas/v2/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
        "resourceType": "Schema"
      },
      "name": "EnterpriseUser"
    },
    {
      "attributes": [
        {
          "caseExact": false,
          "description": "A human-readable name for the Group. REQUIRED.",
          "multiValued": false,
          "mutability": "readWrite",
          "name": "displayName",
          "required": false,
          "returned": "default",
          "type": "string",
          "uniqueness": "none"
        },
        {
          "description": "A list of members of the Group.",
          "multiValued": true,
          "mutability": "readWrite",
          "name": "members",
          "required": false,
          "returned": "default",
          "subAttributes": [
            {
              "caseExact": false,
              "description": "Identifier of the member of this Group.",
              "multiValued": false,
              "mutability": "immutable",
              "name": "value",
              "required": false,
              "returned": "default",
              "type": "string",
              "uniqueness": "none"
            },
            {
              "caseExact": false,
              "description": "The URI corresponding to a SCIM resource that is a member of this Group.",
              "multiValued": false,
              "mutability": "immutable",
              "name": "$ref",
              "referenceTypes": [
                "Group",
                "User"
              ],
              "required": false,
              "returned": "default",
              "type": "reference",
              "uniqueness": "none"
            }
          ],
          "type": "complex"
        }
      ],
      "description": "Group",
      "id": "urn:ietf:params:scim:schemas:core:2.0:Group",
      "meta": {
        "location": "https://piedpiper.com/api/scim/resource/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group",
        "resourceType": "Schema"
      },
      "name": "Group"
    },
    {
      "attributes": [
        {
          "caseExact": false,
          "description": "Unique identifier for the User, typically used by the user to directly authenticate to the service provider. Each User MUST include a non-empty userName value. REQUIRED.",
          "multiValued": false,
          "mutability": "readWrite",
          "name": "userName",
          "required": true,
          "returned": "default",
          "type": "string",
          "uniqueness": "server"
        },
        {
          "description": "A Boolean value indicating the User's administrative status.",
          "multiValued": false,
          "mutability": "readWrite",
          "name": "active",
          "required": false,
          "returned": "default",
          "type": "boolean"
        }
      ],
      "description": "User Account",
      "id": "urn:ietf:params:scim:schemas:core:2.0:User",
      "meta": {
        "location": "https://piedpiper.com/api/scim/resource/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User",
        "resourceType": "Schema"
      },
      "name": "User"
    },
    {
      "attributes": [
        {
          "description": "A list of field errors.",
          "multiValued": true,
          "mutability": "immutable",
          "name": "fieldErrors",
          "required": false,
          "returned": "default",
          "subAttributes": [
            {
              "attributes": [
                {
                  "caseExact": false,
                  "description": "The Fusion Auth error code",
                  "multiValued": false,
                  "mutability": "immutable",
                  "name": "code",
                  "required": false,
                  "returned": "default",
                  "type": "string",
                  "uniqueness": "none"
                },
                {
                  "caseExact": false,
                  "description": "The Fusion Auth error message",
                  "multiValued": false,
                  "mutability": "immutable",
                  "name": "message",
                  "required": false,
                  "returned": "default",
                  "type": "string",
                  "uniqueness": "none"
                }
              ],
              "description": "A list of field errors.",
              "multiValued": true,
              "mutability": "immutable",
              "name": "object.fieldName",
              "required": false,
              "returned": "default"
            }
          ],
          "type": "complex"
        },
        {
          "description": "A list of general errors.",
          "multiValued": true,
          "mutability": "immutable",
          "name": "generalErrors",
          "required": false,
          "returned": "default",
          "subAttributes": [
            {
              "caseExact": false,
              "description": "The Fusion Auth error code",
              "multiValued": false,
              "mutability": "immutable",
              "name": "code",
              "required": false,
              "returned": "default",
              "type": "string",
              "uniqueness": "none"
            },
            {
              "caseExact": false,
              "description": "The Fusion Auth error data",
              "multiValued": true,
              "mutability": "immutable",
              "name": "data",
              "required": false,
              "returned": "default",
              "type": "complex",
              "uniqueness": "none"
            },
            {
              "caseExact": false,
              "description": "The Fusion Auth error message",
              "multiValued": false,
              "mutability": "immutable",
              "name": "message",
              "required": false,
              "returned": "default",
              "type": "string",
              "uniqueness": "none"
            }
          ],
          "type": "complex"
        }
      ],
      "description": "FusionAuth Errors",
      "id": "urn:ietf:params:scim:schemas:extension:fusionauth:2.0:Error",
      "meta": {
        "location": "https://piedpiper.com/api/scim/resource/v2/Schemas/urn:ietf:params:scim:schemas:extension:fusionauth:2.0:Error",
        "resourceType": "Schema"
      },
      "name": "FusionAuthError"
    }
  ],
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "startIndex": 1,
  "totalResults": 4
}
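Because the Schemas response changes when the Tenant's schemas setting is modified, a stored copy of it can serve as a baseline for drift detection. The following is an added example, not FusionAuth code: it flattens two Schemas responses into per-attribute records and reports attributes that were added, removed, or changed (for instance an attribute moving from immutable to readWrite). The function names and both sample inputs are assumptions constructed for illustration.

```python
import copy


def flatten(schemas_response):
    """Map 'schemaId#attr.path' -> (type, mutability, required) per attribute."""
    flat = {}

    def walk(schema_id, attrs, prefix):
        for a in attrs:
            path = prefix + a["name"]
            flat[f"{schema_id}#{path}"] = (a.get("type"), a.get("mutability"), a.get("required"))
            # Nested definitions appear under "subAttributes"; the default
            # FusionAuth error schema above also nests under "attributes".
            for key in ("subAttributes", "attributes"):
                walk(schema_id, a.get(key, []), path + ".")

    for schema in schemas_response.get("Resources", []):
        walk(schema["id"], schema.get("attributes", []), "")
    return flat


def drift(baseline, current):
    """Compare two Schemas responses; return sorted (kind, key, old, new) tuples."""
    old, new = flatten(baseline), flatten(current)
    changes = []
    for key in sorted(old.keys() | new.keys()):
        if key not in new:
            changes.append(("removed", key, old[key], None))
        elif key not in old:
            changes.append(("added", key, None, new[key]))
        elif old[key] != new[key]:
            changes.append(("changed", key, old[key], new[key]))
    return changes


# Constructed baseline: the Group schema above, trimmed to the fields compared.
BASELINE = {"Resources": [{
    "id": "urn:ietf:params:scim:schemas:core:2.0:Group",
    "attributes": [
        {"name": "displayName", "type": "string", "mutability": "readWrite", "required": False},
        {"name": "members", "type": "complex", "mutability": "readWrite", "required": False,
         "subAttributes": [
             {"name": "value", "type": "string", "mutability": "immutable", "required": False}]},
    ]}]}

# Constructed "current" response: one sub-attribute relaxed, one attribute added.
CURRENT = copy.deepcopy(BASELINE)
CURRENT["Resources"][0]["attributes"][1]["subAttributes"][0]["mutability"] = "readWrite"
CURRENT["Resources"][0]["attributes"].append(
    {"name": "externalId", "type": "string", "mutability": "readWrite", "required": False})
```
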
Retrieve Service Provider Configuration
Request
Response
The response for this API contains the Service Provider Configuration in standard SCIM schema.
Response Codes
Code | Description |
---|---|
200 | The request was successful. The response will contain a JSON body. |
400 | The request was invalid and/or malformed. The response will contain a SCIM Error JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
401 | You did not supply a valid JWT in your Authorization header. The response will be empty. Ensure you've correctly set up Entities and performed a Client Credentials grant. |
404 | The object doesn't exist. The response will be empty. |
500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
503 | The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
504 | One or more Webhook endpoints returned an invalid response or were unreachable. Based on the transaction configuration for this event your action cannot be completed. A stack trace is provided and logged in the FusionAuth log files. |
For FusionAuth SCIM endpoints, any error responses will be returned in standard SCIM schema. See more details in the SCIM API Overview.
The SCIM specification allows for customization of the schemas using extensions. Therefore, it is not possible to accurately document all the possible variations.
The following response body is taken from the SCIM RFC describing a SCIM Service Provider Configuration schema. See the RFC for the full specification.
Response Body
Response JSON
{
  "authenticationSchemes": [
    {
      "description": "Authentication scheme using the OAuth Bearer Token Standard",
      "name": "OAuth2 Bearer Token",
      "primary": true,
      "specUri": "http://www.rfc-editor.org/info/rfc6750",
      "type": "oauthbearertoken"
    }
  ],
  "bulk": {
    "supported": false
  },
  "changePassword": {
    "supported": true
  },
  "etag": {
    "supported": false
  },
  "filter": {
    "maxResults": 500,
    "supported": false
  },
  "meta": {
    "location": "https://piedpiper.com/api/scim/resource/v2/ServiceProviderConfig",
    "resourceType": "ServiceProviderConfig"
  },
  "patch": {
    "supported": false
  },
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
  ],
  "sort": {
    "supported": false
  }
}