Obexal Docs

SCIM inbound (server)

Provision and deprovision Obexal accounts from your enterprise IdP or HR system through the SCIM 2.0 Users endpoint.

Obexal exposes a SCIM 2.0 server (RFC 7643/7644) so that an enterprise IdP (Okta, Microsoft Entra ID, ...) or an HR system can drive the account lifecycle of your organization: create users, update their profiles, and deactivate them at offboarding.

What the SCIM server supports

The base URL is https://accounts.obexal.com/scim/v2 (your custom domain replaces the default one). The implementation is deliberately a well-supported subset:

  • Users only: there is no /Groups resource and no bulk endpoint. This is a valid and common SCIM configuration; manage groups in the console or via the admin API.
  • Filtering supports the two forms provisioners actually use: userName eq "..." and externalId eq "..." (200 results max per page).
  • GET /scim/v2/ServiceProviderConfig advertises exactly this: patch supported; bulk, sort, etag and changePassword not supported.

Requests and responses use application/scim+json; errors come in the standard SCIM error envelope with a 401 for a missing or invalid token.
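The filter rules above are easiest to see as code. The following is an added example, not Obexal's server code: a strict parser that accepts only the two supported filter forms (anything else is answered with the SCIM error envelope and scimType invalidFilter rather than silently ignored), plus a ListResponse builder that clamps pages at 200. The in-memory directory and the function names are constructed for the example.

```python
import re

PAGE_MAX = 200
# Exactly the two supported forms: userName eq "..." / externalId eq "...".
# Anchored, so "a" or userName eq "b" and other operators are rejected.
_FILTER_RE = re.compile(r'^\s*(userName|externalId)\s+eq\s+"((?:[^"\\]|\\.)*)"\s*$')


def parse_filter(filter_param):
    """Return (attribute, value) for a supported filter, or raise ValueError."""
    m = _FILTER_RE.match(filter_param)
    if not m:
        raise ValueError('only userName eq "..." and externalId eq "..." are supported')
    attr, raw = m.group(1), m.group(2)
    value = re.sub(r'\\(.)', r'\1', raw)   # undo SCIM string escapes (\" and \\)
    if attr == "userName":
        value = value.lower()              # userName is the lowercased email
    return attr, value


def scim_error(status, detail, scim_type=None):
    """Standard SCIM error envelope (RFC 7644 section 3.12)."""
    body = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
            "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


def list_users(store, filter_param=None, start_index=1, count=PAGE_MAX):
    """GET /scim/v2/Users: optional filter, then a ListResponse page of at most 200."""
    try:
        matches = list(store)
        if filter_param is not None:
            attr, value = parse_filter(filter_param)
            matches = [u for u in store if u.get(attr) == value]
    except ValueError as exc:
        return scim_error(400, str(exc), "invalidFilter")
    start = max(start_index, 1)
    per_page = min(max(count, 0), PAGE_MAX)
    page = matches[start - 1:start - 1 + per_page]
    return 200, {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
        "totalResults": len(matches),
        "startIndex": start,
        "itemsPerPage": len(page),
        "Resources": page,
    }


# Constructed sample directory (not real accounts).
USERS = [
    {"id": "u_7f3a9c", "userName": "alice@example.eu", "externalId": "00u1abcd", "active": True},
    {"id": "u_2b91e0", "userName": "bob@example.eu", "externalId": "00u2efgh", "active": False},
]

if __name__ == "__main__":
    print(list_users(USERS, 'userName eq "Alice@Example.eu"'))
    print(list_users(USERS, 'displayName co "Al"'))
```

Rejecting unknown attributes and operators up front, before any directory lookup, is what keeps the "small subset" claim honest: a provisioner that sends an unsupported filter gets a 400 it can log, instead of an empty list it might interpret as "user does not exist" and then re-create.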

Create a provisioning token

Authentication is a per-organization bearer token. An admin creates it in the console or via the API (tenant management permission):

curl -sS -X POST https://accounts.obexal.com/v1/admin/scim/tokens \
  -H "Authorization: Bearer $OBEXAL_API_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"name":"Okta provisioning"}'
# 201 -> {"id":"...","name":"Okta provisioning","token":"<secret>","scimBaseUrl":"https://accounts.obexal.com/scim/v2"}

The secret is returned once; only its SHA-256 hash is stored. Paste it into your IdP's SCIM connector as the bearer token. GET /v1/admin/scim/tokens lists tokens with lastUsedAt (updated on every use, so you can spot dead connectors), and DELETE /v1/admin/scim/tokens/{id} revokes one immediately. Creation and revocation are audited (scim.token.created, scim.token.revoked). Every SCIM call is scoped to the token's organization: cross-tenant access is impossible by construction.
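To make the token handling concrete, here is an added example (not Obexal's implementation) of a store that returns the secret once, keeps only its SHA-256 digest, updates lastUsedAt on every successful use, revokes within the caller's own organization only, and derives the tenant for every SCIM call from the token rather than from anything in the request. The token prefix, id format, audit sink and sample directory are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class ScimTokenStore:
    """Per-organization SCIM bearer tokens; the secret is handed out once and
    only its SHA-256 hex digest is kept."""

    def __init__(self):
        self._records = {}   # sha256 hex digest -> token record (never the secret)
        self.audit = []      # constructed audit sink: (event, org_id, token_id)

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def create(self, org_id, name, now=None):
        secret = "scim_" + secrets.token_urlsafe(32)   # prefix is an assumption
        token_id = "st_" + secrets.token_hex(6)        # id format is an assumption
        self._records[self._digest(secret)] = {
            "id": token_id, "org_id": org_id, "name": name,
            "createdAt": now or datetime.now(timezone.utc), "lastUsedAt": None,
        }
        self.audit.append(("scim.token.created", org_id, token_id))
        return {"id": token_id, "name": name, "token": secret}   # plaintext leaves only here

    def list_tokens(self, org_id):
        """GET /v1/admin/scim/tokens: metadata only, scoped to the caller's org."""
        return [dict(r) for r in self._records.values() if r["org_id"] == org_id]

    def revoke(self, org_id, token_id):
        """DELETE /v1/admin/scim/tokens/{id}; a token of another org is simply not found."""
        for digest, record in list(self._records.items()):
            if record["org_id"] == org_id and record["id"] == token_id:
                del self._records[digest]
                self.audit.append(("scim.token.revoked", org_id, token_id))
                return True
        return False

    def authenticate(self, authorization, now=None):
        """Resolve an Authorization header to an org_id, or None (the caller answers 401)."""
        scheme, _, presented = (authorization or "").partition(" ")
        if scheme.lower() != "bearer" or not presented.strip():
            return None
        wanted = self._digest(presented.strip())
        for digest, record in self._records.items():
            if hmac.compare_digest(digest, wanted):   # constant-time digest comparison
                record["lastUsedAt"] = now or datetime.now(timezone.utc)
                return record["org_id"]
        return None


def scim_list_users(store, authorization, directory):
    """GET /scim/v2/Users as one token sees it: the org comes from the token, never the request."""
    org_id = store.authenticate(authorization)
    if org_id is None:
        return 401, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                     "status": "401", "detail": "missing or invalid token"}
    return 200, [u for u in directory if u["org_id"] == org_id]


# Constructed sample directory spanning two tenants.
DIRECTORY = [
    {"id": "u_7f3a9c", "org_id": "org_a", "userName": "alice@example.eu"},
    {"id": "u_2b91e0", "org_id": "org_b", "userName": "bob@example.org"},
]
```

Because the directory is filtered on the org resolved from the token, there is no request parameter that could widen the scope, which is what "cross-tenant access is impossible by construction" means in practice. A revoked token disappears from the store, so the next call with it fails the same way as an unknown token.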

Supported operations

Method and path               Effect
GET /scim/v2/Users            List, or resolve a filter (userName / externalId)
POST /scim/v2/Users           Create a user (201; 409 if the email or externalId already exists)
GET /scim/v2/Users/{id}       Read one user
PUT /scim/v2/Users/{id}       Replace: applies active and the profile fields present in the body
PATCH /scim/v2/Users/{id}     Partial update of active and profile fields (both Okta and Entra PatchOp styles)
DELETE /scim/v2/Users/{id}    Deactivates the account (204); it is a soft delete, not an erasure

Attribute mapping

SCIM attribute                                      Obexal field
userName                                            Email address (lowercased; the account identifier)
externalId                                          Your IdP's stable id, stored and returned for correlation
active                                              true = status active, false = status deactivated
name.givenName / name.familyName                    First and last name
displayName (or name.formatted at creation)         Display name
title                                               Job title
urn:...:extension:enterprise:2.0:User department    Department
locale                                              Preferred language
emails                                              Derived from userName (single primary email)
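The attribute table and the PATCH row of the operations table together describe a mapping plus a patch applier. The following is an added example, not Obexal's code: scim_to_fields turns a POST or PUT body into profile fields exactly as the table lists them (userName lowercased, emails derived rather than read), and apply_patch accepts both PatchOp dialects, Okta's (lowercase op, no path, an object as value) and Entra ID's (capitalised op, explicit path, "True"/"False" as strings). The Obexal field names, the set of patchable attributes and the dialect details are assumptions for the example.

```python
import copy

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Assumption from the table: PATCH touches active and profile fields only, not userName/id/meta.
PATCHABLE = {"active", "externalId", "name", "displayName", "title", "locale", ENTERPRISE}


def as_bool(value):
    """Okta sends JSON booleans; Entra ID sends the strings "True"/"False" (assumption)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError("active must be a boolean")


def scim_to_fields(body):
    """Map a SCIM User (POST or PUT body) onto profile fields per the attribute table."""
    if not body.get("userName"):
        raise ValueError("userName is required")
    fields = {"email": body["userName"].strip().lower()}   # the account identifier
    if "externalId" in body:
        fields["external_id"] = body["externalId"]
    if "active" in body:
        fields["status"] = "active" if as_bool(body["active"]) else "deactivated"
    name = body.get("name") or {}
    if "givenName" in name:
        fields["first_name"] = name["givenName"]
    if "familyName" in name:
        fields["last_name"] = name["familyName"]
    display = body.get("displayName") or name.get("formatted")
    if display:
        fields["display_name"] = display
    if "title" in body:
        fields["job_title"] = body["title"]
    department = (body.get(ENTERPRISE) or {}).get("department")
    if department is not None:
        fields["department"] = department
    if "locale" in body:
        fields["locale"] = body["locale"]
    fields["emails"] = [{"value": fields["email"], "primary": True}]   # derived, never read
    return fields


def _set_path(user, path, value):
    """Write one SCIM path: "active", "name.givenName" or "<enterprise urn>:department"."""
    if path == ENTERPRISE:
        user.setdefault(ENTERPRISE, {}).update(value)
        return
    if path.startswith(ENTERPRISE + ":"):
        user.setdefault(ENTERPRISE, {})[path[len(ENTERPRISE) + 1:]] = value
        return
    head, _, sub = path.partition(".")
    if head not in PATCHABLE:
        raise ValueError(f"attribute {head!r} is not patchable")
    if sub:
        user.setdefault(head, {})[sub] = value
    else:
        user[head] = value


def apply_patch(user, patch):
    """Apply a PatchOp in the Okta or the Entra ID style; returns a new user dict."""
    if PATCH_OP not in patch.get("schemas", []):
        raise ValueError("body is not a PatchOp")
    user = copy.deepcopy(user)
    for op in patch.get("Operations", []):
        kind = str(op.get("op", "")).lower()
        if kind not in ("add", "replace"):
            raise ValueError(f"unsupported op {op.get('op')!r}")
        path, value = op.get("path"), op.get("value")
        if path:
            _set_path(user, path, value)
        elif isinstance(value, dict):
            for attr, attr_value in value.items():
                _set_path(user, attr, attr_value)
        else:
            raise ValueError("value must be an object when path is omitted")
    if "active" in user:
        user["active"] = as_bool(user["active"])   # normalise "False" -> False
    return user


# Constructed sample: the user from the create example, plus one patch in each dialect.
ALICE = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
         "id": "u_7f3a9c", "userName": "alice@example.eu", "externalId": "00u1abcd",
         "active": True, "name": {"givenName": "Alice", "familyName": "Martin"},
         "title": "CFO", ENTERPRISE: {"department": "Finance"}}
OKTA_PATCH = {"schemas": [PATCH_OP],
              "Operations": [{"op": "replace", "value": {"active": False, "title": "Former CFO"}}]}
ENTRA_PATCH = {"schemas": [PATCH_OP], "Operations": [
    {"op": "Replace", "path": "active", "value": "False"},
    {"op": "Add", "path": "name.givenName", "value": "Alicia"},
    {"op": "Replace", "path": ENTERPRISE + ":department", "value": "Treasury"}]}
```

Both patches deactivate the account; feeding the patched user back through scim_to_fields yields status deactivated either way, which is the property the "Deactivation is enforced" section relies on. Anything outside the patchable set, and any non-boolean active value, is refused rather than guessed at.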

Create a user

curl -sS -X POST https://accounts.obexal.com/scim/v2/Users \
  -H "Authorization: Bearer $SCIM_TOKEN" \
  -H 'Content-Type: application/scim+json' \
  -d '{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
                "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
    "userName": "alice@example.eu",
    "externalId": "00u1abcd",
    "active": true,
    "name": {"givenName": "Alice", "familyName": "Martin"},
    "title": "CFO",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"department": "Finance"},
    "emails": [{"value": "alice@example.eu", "primary": true}]
  }'
# 201 Created
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
              "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
  "id": "u_7f3a9c",
  "userName": "alice@example.eu",
  "externalId": "00u1abcd",
  "active": true,
  "name": {"givenName": "Alice", "familyName": "Martin", "formatted": "Alice Martin"},
  "title": "CFO",
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"department": "Finance"},
  "emails": [{"value": "alice@example.eu", "primary": true}],
  "meta": {
    "resourceType": "User",
    "location": "https://accounts.obexal.com/scim/v2/Users/u_7f3a9c",
    "created": "2026-07-02T09:30:00Z",
    "lastModified": "2026-07-02T09:30:00Z"
  }
}
Note

SCIM-created accounts start with email_verified=true: the enterprise IdP vouches for the identity, so no verification email is sent. The user signs in through SSO or sets a password via account recovery.

Deactivation is enforced

Setting active to false (via PATCH, PUT or DELETE) is a real offboarding, not a flag: the account status becomes deactivated, existing sessions stop working immediately (every authenticated request re-checks the status), and any new sign-in is refused. Setting active back to true restores access. All lifecycle changes land in the audit log: scim.user.provisioned, scim.user.deactivated, scim.user.reactivated, scim.user.profile_updated.
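The guarantee that existing sessions stop working immediately depends on one design choice: the session is only a pointer to the account, and the account's live status is re-read on every request. The following is an added example, not Obexal's implementation, that shows the shape of that check together with the audit events named above; the class, method names and in-memory stores are constructed for the example.

```python
class AccountGuard:
    """Sessions are resolved, then the live account status is re-checked on every request."""

    def __init__(self):
        self.users = {}      # user_id -> {"status": "active" | "deactivated"}
        self.sessions = {}   # session_id -> user_id (never caches the status)
        self.audit = []      # constructed audit sink: (event, user_id)

    def provision(self, user_id):
        self.users[user_id] = {"status": "active"}
        self.audit.append(("scim.user.provisioned", user_id))

    def issue_session(self, session_id, user_id):
        """Sign-in (SSO or password): refused outright for a deactivated account."""
        if self.users.get(user_id, {}).get("status") != "active":
            return False
        self.sessions[session_id] = user_id
        return True

    def set_active(self, user_id, active):
        """Effect of PATCH/PUT active=false or DELETE; active=true is reactivation."""
        user = self.users[user_id]
        new_status = "active" if active else "deactivated"
        if user["status"] != new_status:          # idempotent: repeats are not re-audited
            user["status"] = new_status
            event = "scim.user.reactivated" if active else "scim.user.deactivated"
            self.audit.append((event, user_id))
        # Sessions are deliberately left in place: they simply stop passing authorize().

    def authorize(self, session_id):
        """Run on every authenticated request; returns the user_id, or None for a 401."""
        user_id = self.sessions.get(session_id)
        if user_id is None:
            return None
        if self.users.get(user_id, {}).get("status") != "active":
            return None                           # deactivated since the session was issued
        return user_id
```

A session cookie that embedded "status: active" at sign-in time would keep working until it expired; looking the status up per request is what turns the SCIM flag into an immediate offboarding, and it is also why reactivation restores the old session without a fresh sign-in.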

To push accounts in the other direction, from Obexal to your SaaS applications, see SCIM outbound.