Obexal Docs

Docs/Reference/SCIM reference

SCIM reference

The inbound SCIM 2.0 API: operations on /scim/v2/Users, supported attributes, filters, response codes and honest limits.

Obexal exposes a SCIM 2.0 provider (RFC 7643/7644) so your enterprise IdP (Okta, Entra ID, or any SCIM client) can provision and deprovision users. For the setup walkthrough, see Inbound SCIM; this page is the wire-level reference.

Base URL and authentication

The base URL is https://accounts.obexal.com/scim/v2 (a custom domain replaces the host). Every request, including ServiceProviderConfig, requires a SCIM token, a per-tenant bearer secret generated in the console or via POST /v1/admin/scim/tokens:

curl https://accounts.obexal.com/scim/v2/Users \
  -H "Authorization: Bearer $SCIM_TOKEN"

There are no cookies and no CSRF; all operations are scoped to the token's tenant. Responses use Content-Type: application/scim+json.

Supported operations

Only the Users resource exists:

MethodPathEffect
GET/scim/v2/ServiceProviderConfigCapabilities document (patch supported, bulk not, filter capped at 200)
GET/scim/v2/UsersList users, optionally filtered (?filter=, ?count=)
POST/scim/v2/UsersProvision a user (userName required)
GET/scim/v2/Users/{id}Read one user
PUT/scim/v2/Users/{id}Replace: applies active and the profile fields from the body
PATCH/scim/v2/Users/{id}Partial update: active and profile fields, both PatchOp styles (with path or with a partial object)
DELETE/scim/v2/Users/{id}Deactivate (returns 204)

Deprovisioning is a soft deactivation, never a deletion: DELETE and active: false set the account to deactivated, existing sessions are terminated and sign-in is refused. Users created through SCIM arrive with a verified e-mail (the enterprise IdP vouches for the identity) and no password: they sign in through SSO, passkeys or a reset flow. Passwords are never provisioned.

curl -X POST https://accounts.obexal.com/scim/v2/Users \
  -H "Authorization: Bearer $SCIM_TOKEN" \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alice@example.eu",
    "externalId": "00u1abcd",
    "name": {"givenName": "Alice", "familyName": "Martin"},
    "title": "CTO",
    "active": true
  }'
# 201 -> the created resource, with "id" and "meta.location"

Attribute mapping

SCIM attributeObexal fieldNotes
userNameE-mail (sign-in identifier)Set at creation; cannot be changed through SCIM
externalIdExternal mapping IDUnique per tenant; used for reconciliation
activeAccount statustrue = active, false = deactivated
name.givenNameFirst name
name.familyNameLast name
name.formattedDisplay name (fallback)Used only when displayName is absent
displayNameDisplay name
titleJob title
localeInterface language
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User departmentDepartmentEnterprise extension; its schema URN is included in schemas when present
emailsDerived from userNameRead only, a single primary entry
meta.created, meta.lastModifiedTimestampsRFC 3339

Filtering and pagination

Exactly two filters are recognized, in the form attribute eq "value" (attribute names are case-insensitive):

GET /scim/v2/Users?filter=userName eq "alice@example.eu"
GET /scim/v2/Users?filter=externalId eq "00u1abcd"

Each returns zero or one result. Any other filter expression is ignored and the request falls back to the plain list. ?count= defaults to 200 and is capped at 200; startIndex is not honored (responses always report startIndex: 1, and totalResults equals the number of returned resources).

Response codes

StatusMeaning
200Read or update succeeded
201User created
204User deactivated (DELETE)
400Invalid JSON or missing userName
401Missing, unknown or revoked SCIM token
404User not found in this tenant
409userName or externalId already exists in the tenant
500Internal error

Errors use the standard SCIM error body:

{"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"], "status": "409", "detail": "utilisateur déjà existant"}

What is not implemented

  • No /Groups, /Bulk, /Schemas, /ResourceTypes or /Me resources. Group membership is managed in the console or through the admin API: see Groups and app access.
  • No sorting, no ETags, no password sync (sort, etag and changePassword are advertised as unsupported in ServiceProviderConfig).
  • No userName rename and no e-mail change through SCIM.
  • No startIndex pagination; list pages are capped at 200 resources.

Outbound SCIM

Obexal is also a SCIM client: it can push user lifecycle events (create, update, deactivate) to downstream applications that expose their own SCIM endpoint. Targets are configured per application under /v1/admin/scim-targets, with per-target sync. See Outbound SCIM.