SCIM inbound (server)
Provision and deprovision Obexal accounts from your enterprise IdP or HR system through the SCIM 2.0 Users endpoint.
Obexal exposes a SCIM 2.0 server (RFC 7643/7644) so an enterprise IdP (Okta, Microsoft Entra ID...) or an HR system can drive the account lifecycle of your organization: create users, update their profile, and deactivate them at offboarding.
What the SCIM server supports
The base URL is https://accounts.obexal.com/scim/v2 (your custom domain replaces the default one). The implementation is deliberately a well-supported subset:
- Users only: there is no /Groups resource and no bulk endpoint. This is a valid and common SCIM configuration; manage groups in the console or via the admin API.
- Filtering supports the two forms provisioners actually use: userName eq "..." and externalId eq "..." (200 results max per page).
- GET /scim/v2/ServiceProviderConfig advertises exactly this: patch supported; bulk, sort, etag and changePassword not supported.
Requests and responses use application/scim+json; errors come in the standard SCIM error envelope with a 401 for a missing or invalid token.
Create a provisioning token
Authentication is a per-organization bearer token. An admin creates it in the console or via the API (tenant management permission):
```bash
curl -sS -X POST https://accounts.obexal.com/v1/admin/scim/tokens \
  -H "Authorization: Bearer $OBEXAL_API_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"name":"Okta provisioning"}'
# 201 -> {"id":"...","name":"Okta provisioning","token":"<secret>","scimBaseUrl":"https://accounts.obexal.com/scim/v2"}
```

The secret is returned once; only its SHA-256 hash is stored. Paste it into your IdP's SCIM connector as the bearer token. GET /v1/admin/scim/tokens lists tokens with lastUsedAt (updated on every use, so you can spot dead connectors), and DELETE /v1/admin/scim/tokens/{id} revokes one immediately. Creation and revocation are audited (scim.token.created, scim.token.revoked). Every SCIM call is scoped to the token's organization: cross-tenant access is impossible by construction.
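The token design described above (hash-only storage, lastUsedAt tracking, immediate revocation, per-organization scoping) can be modelled as follows. This is an added illustration, not Obexal's code; the class, method and record field names other than lastUsedAt are hypothetical.

```python
import hashlib
import secrets
from datetime import datetime, timezone


class ScimTokenStore:
    """Hypothetical store: holds SHA-256 digests only, never the secret."""

    def __init__(self):
        self._by_digest = {}  # hex digest -> token record

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def create(self, org_id, name):
        """Return (token_id, secret); the secret is never retrievable again."""
        # 256 random bits: unguessable, so a fast unsalted hash is sufficient.
        secret = secrets.token_urlsafe(32)
        token_id = "tok_" + secrets.token_hex(8)
        self._by_digest[self._digest(secret)] = {
            "id": token_id, "org": org_id, "name": name, "lastUsedAt": None}
        return token_id, secret

    def authenticate(self, authorization_header):
        """Resolve a header to the token's organization id, or None (HTTP 401)."""
        scheme, _, presented = (authorization_header or "").partition(" ")
        if scheme.lower() != "bearer" or not presented.strip():
            return None
        record = self._by_digest.get(self._digest(presented.strip()))
        if record is None:
            return None
        record["lastUsedAt"] = datetime.now(timezone.utc).isoformat()
        return record["org"]  # every later query is filtered by this id

    def list_tokens(self, org_id):
        """Metadata only; there is no secret left to leak."""
        return [r for r in self._by_digest.values() if r["org"] == org_id]

    def revoke(self, org_id, token_id):
        """Drop the digest so the next request with that secret fails."""
        for digest, record in list(self._by_digest.items()):
            if record["id"] == token_id and record["org"] == org_id:
                del self._by_digest[digest]
                return True
        return False
```

Because the organization id comes from the token record rather than from anything in the request, a caller has no parameter with which to name another tenant.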
Supported operations
| Method and path | Effect |
|---|---|
| GET /scim/v2/Users | List, or resolve a filter (userName / externalId) |
| POST /scim/v2/Users | Create a user (201; 409 if the email or externalId already exists) |
| GET /scim/v2/Users/{id} | Read one user |
| PUT /scim/v2/Users/{id} | Replace: applies active and the profile fields present in the body |
| PATCH /scim/v2/Users/{id} | Partial update of active and profile fields (both Okta and Entra PatchOp styles) |
| DELETE /scim/v2/Users/{id} | Deactivates the account (204); it is a soft delete, not an erasure |
Attribute mapping
| SCIM attribute | Obexal field |
|---|---|
| userName | Email address (lowercased; the account identifier) |
| externalId | Your IdP's stable id, stored and returned for correlation |
| active | true = status active, false = status deactivated |
| name.givenName / name.familyName | First and last name |
| displayName (or name.formatted at creation) | Display name |
| title | Job title |
| urn:...:extension:enterprise:2.0:User department | Department |
| locale | Preferred language |
| emails | Derived from userName (single primary email) |
Create a user
```bash
curl -sS -X POST https://accounts.obexal.com/scim/v2/Users \
  -H "Authorization: Bearer $SCIM_TOKEN" \
  -H 'Content-Type: application/scim+json' \
  -d '{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
                "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
    "userName": "alice@example.eu",
    "externalId": "00u1abcd",
    "active": true,
    "name": {"givenName": "Alice", "familyName": "Martin"},
    "title": "CFO",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"department": "Finance"},
    "emails": [{"value": "alice@example.eu", "primary": true}]
  }'
```

```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
              "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
  "id": "u_7f3a9c",
  "userName": "alice@example.eu",
  "externalId": "00u1abcd",
  "active": true,
  "name": {"givenName": "Alice", "familyName": "Martin", "formatted": "Alice Martin"},
  "title": "CFO",
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"department": "Finance"},
  "emails": [{"value": "alice@example.eu", "primary": true}],
  "meta": {
    "resourceType": "User",
    "location": "https://accounts.obexal.com/scim/v2/Users/u_7f3a9c",
    "created": "2026-07-02T09:30:00Z",
    "lastModified": "2026-07-02T09:30:00Z"
  }
}
```

SCIM-created accounts start with email_verified=true: the enterprise IdP vouches for the identity, so no verification email is sent. The user signs in through SSO or sets a password via account recovery.
Deactivation is enforced
Setting active to false (via PATCH, PUT or DELETE) is a real offboarding, not a flag: the account status becomes deactivated, existing sessions stop working immediately (every authenticated request re-checks the status), and any new sign-in is refused. Setting active back to true restores access. All lifecycle changes land in the audit log: scim.user.provisioned, scim.user.deactivated, scim.user.reactivated, scim.user.profile_updated.
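The PATCH row in the operations table mentions two PatchOp styles, and a deactivation can arrive in either. The following added example (not Obexal's code) shows both shapes and one way to normalize them; the function names are hypothetical and the two request bodies are constructed samples of what Okta and Entra ID connectors typically send.

```python
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def to_bool(value):
    """Accept JSON booleans (Okta) and the strings "True"/"False" (Entra)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError("active must be a boolean")

def normalize_patch(body):
    """Flatten a PatchOp body into {attribute_path: new_value}; None means removed."""
    if PATCH_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    changes = {}
    for op in body.get("Operations", []):
        verb = str(op.get("op", "")).lower()  # Entra capitalizes: "Replace", "Add"
        path, value = op.get("path"), op.get("value")
        if verb == "remove" and path:
            changes[path] = None
        elif verb in ("add", "replace") and path:  # Entra style: one path per op
            changes[path] = value
        elif verb in ("add", "replace") and isinstance(value, dict):  # Okta style
            for key, val in value.items():
                if isinstance(val, dict):  # nested object: name{...} or extension URN{...}
                    sep = ":" if key.startswith("urn:") else "."
                    for sub, subval in val.items():
                        changes[key + sep + sub] = subval
                else:
                    changes[key] = val
        else:
            raise ValueError("unsupported operation: %r" % (op,))
    if changes.get("active") is not None:
        changes["active"] = to_bool(changes["active"])
    return changes

# Constructed sample bodies in the two styles (not captured traffic).
OKTA_DEACTIVATE = {"schemas": [PATCH_SCHEMA],
                   "Operations": [{"op": "replace", "value": {"active": False}}]}
ENTRA_DEACTIVATE = {"schemas": [PATCH_SCHEMA],
                    "Operations": [{"op": "Replace", "path": "active", "value": "False"}]}

if __name__ == "__main__":
    for label, body in (("okta", OKTA_DEACTIVATE), ("entra", ENTRA_DEACTIVATE)):
        print(label, normalize_patch(body))
```

A receiver that compares the op name case-sensitively, or treats the string "False" as truthy, would silently skip an offboarding, which is why both are normalized before the status change is applied.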
To push accounts in the other direction, from Obexal to your SaaS applications, see SCIM outbound.