SCIM reference
The inbound SCIM 2.0 API: operations on /scim/v2/Users, supported attributes, filters, response codes and honest limits.
Obexal exposes a SCIM 2.0 provider (RFC 7643/7644) so your enterprise IdP (Okta, Entra ID, or any SCIM client) can provision and deprovision users. For the setup walkthrough, see Inbound SCIM; this page is the wire-level reference.
Base URL and authentication
The base URL is https://accounts.obexal.com/scim/v2 (a custom domain replaces the host). Every request, including ServiceProviderConfig, requires a SCIM token, a per-tenant bearer secret generated in the console or via POST /v1/admin/scim/tokens:
curl https://accounts.obexal.com/scim/v2/Users \
-H "Authorization: Bearer $SCIM_TOKEN"There are no cookies and no CSRF; all operations are scoped to the token's tenant. Responses use Content-Type: application/scim+json.
Supported operations
Only the Users resource exists:
| Method | Path | Effect |
|---|---|---|
| GET | /scim/v2/ServiceProviderConfig | Capabilities document (patch supported, bulk not, filter capped at 200) |
| GET | /scim/v2/Users | List users, optionally filtered (?filter=, ?count=) |
| POST | /scim/v2/Users | Provision a user (userName required) |
| GET | /scim/v2/Users/{id} | Read one user |
| PUT | /scim/v2/Users/{id} | Replace: applies active and the profile fields from the body |
| PATCH | /scim/v2/Users/{id} | Partial update: active and profile fields, both PatchOp styles (with path or with a partial object) |
| DELETE | /scim/v2/Users/{id} | Deactivate (returns 204) |
Deprovisioning is a soft deactivation, never a deletion: DELETE and active: false set the account to deactivated, existing sessions are terminated and sign-in is refused. Users created through SCIM arrive with a verified e-mail (the enterprise IdP vouches for the identity) and no password: they sign in through SSO, passkeys or a reset flow. Passwords are never provisioned.
curl -X POST https://accounts.obexal.com/scim/v2/Users \
-H "Authorization: Bearer $SCIM_TOKEN" \
-H "Content-Type: application/scim+json" \
-d '{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName": "alice@example.eu",
"externalId": "00u1abcd",
"name": {"givenName": "Alice", "familyName": "Martin"},
"title": "CTO",
"active": true
}'
# 201 -> the created resource, with "id" and "meta.location"Attribute mapping
| SCIM attribute | Obexal field | Notes |
|---|---|---|
userName | E-mail (sign-in identifier) | Set at creation; cannot be changed through SCIM |
externalId | External mapping ID | Unique per tenant; used for reconciliation |
active | Account status | true = active, false = deactivated |
name.givenName | First name | |
name.familyName | Last name | |
name.formatted | Display name (fallback) | Used only when displayName is absent |
displayName | Display name | |
title | Job title | |
locale | Interface language | |
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User department | Department | Enterprise extension; its schema URN is included in schemas when present |
emails | Derived from userName | Read only, a single primary entry |
meta.created, meta.lastModified | Timestamps | RFC 3339 |
Filtering and pagination
Exactly two filters are recognized, in the form attribute eq "value" (attribute names are case-insensitive):
GET /scim/v2/Users?filter=userName eq "alice@example.eu"
GET /scim/v2/Users?filter=externalId eq "00u1abcd"Each returns zero or one result. Any other filter expression is ignored and the request falls back to the plain list. ?count= defaults to 200 and is capped at 200; startIndex is not honored (responses always report startIndex: 1, and totalResults equals the number of returned resources).
Response codes
| Status | Meaning |
|---|---|
| 200 | Read or update succeeded |
| 201 | User created |
| 204 | User deactivated (DELETE) |
| 400 | Invalid JSON or missing userName |
| 401 | Missing, unknown or revoked SCIM token |
| 404 | User not found in this tenant |
| 409 | userName or externalId already exists in the tenant |
| 500 | Internal error |
Errors use the standard SCIM error body:
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"], "status": "409", "detail": "utilisateur déjà existant"}What is not implemented
- No
/Groups,/Bulk,/Schemas,/ResourceTypesor/Meresources. Group membership is managed in the console or through the admin API: see Groups and app access. - No sorting, no ETags, no password sync (
sort,etagandchangePasswordare advertised as unsupported inServiceProviderConfig). - No
userNamerename and no e-mail change through SCIM. - No
startIndexpagination; list pages are capped at 200 resources.
Outbound SCIM
Obexal is also a SCIM client: it can push user lifecycle events (create, update, deactivate) to downstream applications that expose their own SCIM endpoint. Targets are configured per application under /v1/admin/scim-targets, with per-target sync. See Outbound SCIM.