SCIM 2.0 API Reference
Base URL: https://auth.calimatic.com/scim/v2
System for Cross-domain Identity Management (SCIM) 2.0 endpoints for automated user provisioning and deprovisioning.
Prerequisites
- An organization with SCIM provisioning enabled by a Calimatic administrator
- A SCIM Bearer token generated for your organization
- An identity provider that supports SCIM 2.0 (e.g., Azure AD, Okta, OneLogin, JumpCloud)
Overview
SCIM provides a standardized protocol for identity providers to automatically:
- Create users when they are assigned to your application in the IdP
- Update user profiles when changes are made in the IdP
- Deactivate users when they are unassigned or removed from the IdP
- Manage groups for role-based access control
Supported SCIM Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /scim/v2/ServiceProviderConfig | SCIM service provider capabilities |
| GET | /scim/v2/Schemas | Supported SCIM schemas |
| GET | /scim/v2/ResourceTypes | Available resource types |
| GET | /scim/v2/Users | List/search users |
| GET | /scim/v2/Users/{id} | Get a single user |
| POST | /scim/v2/Users | Create a user |
| PUT | /scim/v2/Users/{id} | Replace a user |
| PATCH | /scim/v2/Users/{id} | Update specific user attributes |
| DELETE | /scim/v2/Users/{id} | Delete a user |
| GET | /scim/v2/Groups | List/search groups |
| GET | /scim/v2/Groups/{id} | Get a single group |
| POST | /scim/v2/Groups | Create a group |
| PUT | /scim/v2/Groups/{id} | Replace a group |
| PATCH | /scim/v2/Groups/{id} | Update group membership |
| DELETE | /scim/v2/Groups/{id} | Delete a group |
Authentication
All SCIM endpoints require a Bearer token:
Authorization: Bearer scim_your_organization_token
The token is scoped to a specific organization. Only users within that organization are visible and manageable.
Obtaining a SCIM Token
Contact your Calimatic administrator or generate one from the admin dashboard:
- Go to Admin > Organizations > [Your Org] > SCIM Provisioning
- Click Generate Token
- Copy and store the token securely (it is shown only once)
ServiceProviderConfig
GET /scim/v2/ServiceProviderConfig
Returns the SCIM service provider configuration document describing supported features.
Response
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
  "documentationUri": "https://auth.calimatic.com/docs/api-reference/scim",
  "patch": { "supported": true },
  "bulk": { "supported": false, "maxOperations": 0, "maxPayloadSize": 0 },
  "filter": { "supported": true, "maxResults": 100 },
  "changePassword": { "supported": false },
  "sort": { "supported": false },
  "etag": { "supported": false },
  "authenticationSchemes": [
    {
      "type": "oauthbearertoken",
      "name": "OAuth Bearer Token",
      "description": "Authentication using a Bearer token",
      "specUri": "https://tools.ietf.org/html/rfc6750"
    }
  ]
}
Schemas
GET /scim/v2/Schemas
Returns the list of supported SCIM schemas.
ResourceTypes
GET /scim/v2/ResourceTypes
Returns the resource types supported by this SCIM server (Users and Groups).
Users
User Schema Mapping
| SCIM Attribute | Calimatic Auth Field | Type | Required |
|---|---|---|---|
| userName | email | string | Yes |
| name.givenName | firstName | string | Yes |
| name.familyName | lastName | string | Yes |
| name.formatted | displayName | string | No |
| emails[0].value | email | string | Yes |
| emails[0].primary | -- | boolean | No |
| active | status (active/deactivated) | boolean | No |
| externalId | externalId (metadata) | string | No |
| displayName | displayName | string | No |
| phoneNumbers[0].value | phone | string | No |
| locale | locale | string | No |
| timezone | timezone | string | No |
| photos[0].value | avatarUrl | string | No |
List Users
GET /scim/v2/Users
Query Parameters
| Parameter | Type | Description |
|---|---|---|
| filter | string | SCIM filter expression (e.g., userName eq "jane@example.com") |
| startIndex | number | 1-based starting index for pagination (default: 1) |
| count | number | Number of results per page (default: 20, max: 100) |
Supported Filter Operators
| Operator | Example |
|---|---|
| eq | userName eq "jane@example.com" |
| co | name.familyName co "Smi" |
| sw | userName sw "jane" |
| and | active eq true and name.familyName eq "Smith" |
Example Request
curl "https://auth.calimatic.com/scim/v2/Users?filter=userName%20eq%20%22jane%40example.com%22&count=10" \
  -H "Authorization: Bearer scim_your_token"
Response
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 1,
  "startIndex": 1,
  "itemsPerPage": 10,
  "Resources": [
    {
      "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
      "id": "f1g2h3i4-j5k6-7890-lmno-pq1234567890",
      "externalId": "usr_12345",
      "userName": "jane@example.com",
      "name": {
        "givenName": "Jane",
        "familyName": "Smith",
        "formatted": "Jane Smith"
      },
      "displayName": "Jane Smith",
      "emails": [
        {
          "value": "jane@example.com",
          "type": "work",
          "primary": true
        }
      ],
      "active": true,
      "meta": {
        "resourceType": "User",
        "created": "2025-01-10T10:00:00.000Z",
        "lastModified": "2025-01-15T14:30:00.000Z",
        "location": "https://auth.calimatic.com/scim/v2/Users/f1g2h3i4-j5k6-7890-lmno-pq1234567890"
      }
    }
  ]
}
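When the filter value comes from user input (a search box, a ticket field), it has to be escaped before it is placed in the filter expression and then URL-encoded. The following is an added example, not Calimatic's own code: it builds List Users URLs from the operators in the table above, and the attribute allow-list is an assumption drawn from this page's filter examples.

```python
import json
from urllib.parse import quote

# Operators from the "Supported Filter Operators" table on this page.
ALLOWED_OPS = {"eq", "co", "sw"}
# Assumption: only attributes that appear in this page's filter examples.
ALLOWED_ATTRS = {"userName", "name.familyName", "active", "displayName"}
MAX_COUNT = 100  # documented page-size ceiling


def clause(attr, op, value):
    """Return one `attr op value` clause with the value safely quoted."""
    if attr not in ALLOWED_ATTRS:
        raise ValueError(f"attribute not allowed in filter: {attr!r}")
    if op not in ALLOWED_OPS:
        raise ValueError(f"operator not supported: {op!r}")
    if isinstance(value, bool):
        literal = "true" if value else "false"
    elif isinstance(value, str):
        # SCIM filter strings use JSON string escaping (RFC 7644, 3.4.2.2),
        # so an embedded quote or backslash cannot terminate the literal.
        literal = json.dumps(value)
    else:
        raise TypeError("filter values must be str or bool")
    return f"{attr} {op} {literal}"


def users_url(base_url, clauses, start_index=1, count=20):
    """Build the List Users URL; clauses are joined with `and`."""
    if not 1 <= count <= MAX_COUNT:
        raise ValueError("count must be between 1 and 100")
    if start_index < 1:
        raise ValueError("startIndex is 1-based")
    flt = quote(" and ".join(clauses), safe="")
    return f"{base_url}/Users?filter={flt}&startIndex={start_index}&count={count}"


if __name__ == "__main__":
    base = "https://auth.calimatic.com/scim/v2"
    print(users_url(base, [clause("userName", "eq", "jane@example.com")], count=10))
    # Constructed value with an embedded quote, as it might arrive from a form.
    print(clause("name.familyName", "co", 'Smi"th'))
```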
Get a Single User
GET /scim/v2/Users/{id}
Returns the full SCIM User resource.
Create a User
POST /scim/v2/Users
Content-Type: application/scim+json
Example Request
curl -X POST https://auth.calimatic.com/scim/v2/Users \
  -H "Authorization: Bearer scim_your_token" \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "bob@example.com",
    "name": {
      "givenName": "Bob",
      "familyName": "Jones"
    },
    "emails": [
      {
        "value": "bob@example.com",
        "type": "work",
        "primary": true
      }
    ],
    "active": true,
    "externalId": "okta_user_12345"
  }'
Response (201 Created)
Returns the created SCIM User resource with the id assigned by Calimatic Auth.
Replace a User
PUT /scim/v2/Users/{id}
Content-Type: application/scim+json
Replaces all user attributes with the provided values. Attributes not included are cleared to defaults.
Update a User (PATCH)
PATCH /scim/v2/Users/{id}
Content-Type: application/scim+json
Update specific attributes without replacing the entire resource.
Example: Deactivate a User
curl -X PATCH https://auth.calimatic.com/scim/v2/Users/f1g2h3i4-j5k6-7890 \
  -H "Authorization: Bearer scim_your_token" \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
      {
        "op": "Replace",
        "path": "active",
        "value": false
      }
    ]
  }'
Example: Update Name
curl -X PATCH https://auth.calimatic.com/scim/v2/Users/f1g2h3i4-j5k6-7890 \
  -H "Authorization: Bearer scim_your_token" \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
      {
        "op": "Replace",
        "path": "name.givenName",
        "value": "Janet"
      }
    ]
  }'
Delete a User
DELETE /scim/v2/Users/{id}
Deactivates the user in Calimatic Auth. Returns 204 No Content.
Groups
SCIM Groups map to roles within a Calimatic organization. Assigning a user to a SCIM Group grants them the corresponding role.
List Groups
GET /scim/v2/Groups
Query Parameters
| Parameter | Type | Description |
|---|---|---|
| filter | string | SCIM filter (e.g., displayName eq "Admins") |
| startIndex | number | 1-based start index |
| count | number | Results per page |
Example Response
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 3,
  "Resources": [
    {
      "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
      "id": "grp-uuid-...",
      "displayName": "Admins",
      "members": [
        { "value": "user-uuid-1", "display": "Jane Smith" },
        { "value": "user-uuid-2", "display": "Bob Jones" }
      ],
      "meta": {
        "resourceType": "Group",
        "created": "2025-01-10T10:00:00.000Z",
        "lastModified": "2025-01-15T14:30:00.000Z"
      }
    }
  ]
}
Update Group Membership (PATCH)
PATCH /scim/v2/Groups/{id}
Content-Type: application/scim+json
Example: Add a Member
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "Add",
      "path": "members",
      "value": [
        { "value": "user-uuid-..." }
      ]
    }
  ]
}
Example: Remove a Member
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "Remove",
      "path": "members[value eq \"user-uuid-...\"]"
    }
  ]
}
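Because SCIM Groups map to roles, comparing a group's members with an approved list is a direct check for role drift. The following added example (not Calimatic's own code) reports unexpected and missing members and builds the corrective PatchOp in the Add/Remove shapes shown above. The approved list is hypothetical, and sending several operations in one PATCH is an assumption based on RFC 7644.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def reconcile_group(group, expected_ids):
    """Compare a SCIM Group's members with the approved member ids.

    Returns (patch_body_or_None, unexpected_ids, missing_ids).
    """
    current = {m["value"] for m in group.get("members", [])}
    expected = set(expected_ids)
    unexpected = sorted(current - expected)   # hold the role, not approved
    missing = sorted(expected - current)      # approved, role not granted
    ops = []
    if missing:
        ops.append({"op": "Add", "path": "members",
                    "value": [{"value": uid} for uid in missing]})
    for uid in unexpected:
        # json.dumps quotes the id so it cannot break out of the value filter.
        ops.append({"op": "Remove",
                    "path": f"members[value eq {json.dumps(uid)}]"})
    body = {"schemas": [PATCH_SCHEMA], "Operations": ops} if ops else None
    return body, unexpected, missing


# Constructed sample: the "Admins" group from the example response above.
SAMPLE_GROUP = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "id": "grp-uuid-placeholder",
    "displayName": "Admins",
    "members": [
        {"value": "user-uuid-1", "display": "Jane Smith"},
        {"value": "user-uuid-2", "display": "Bob Jones"},
    ],
}

if __name__ == "__main__":
    # Hypothetical approved list, e.g. exported from an access review.
    body, unexpected, missing = reconcile_group(
        SAMPLE_GROUP, ["user-uuid-1", "user-uuid-3"])
    print("unexpected:", unexpected, "missing:", missing)
    print(json.dumps(body, indent=2))
```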
Error Responses
SCIM errors follow the standard SCIM error schema:
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
  "status": "404",
  "detail": "User not found"
}
Status Codes
| Status | Description |
|---|---|
| 200 | Success (GET, PATCH, PUT) |
| 201 | Created (POST) |
| 204 | No Content (DELETE) |
| 400 | Bad request (invalid filter, missing required fields) |
| 401 | Unauthorized (missing or invalid Bearer token) |
| 404 | Resource not found |
| 409 | Conflict (user with this email already exists) |
| 429 | Rate limit exceeded |
| 500 | Internal server error |
Configuring Your Identity Provider
Azure AD / Entra ID
- Go to Enterprise Applications > Your App > Provisioning
- Set Provisioning Mode to Automatic
- Enter:
  - Tenant URL: https://auth.calimatic.com/scim/v2
  - Secret Token: Your SCIM Bearer token
- Click Test Connection
- Configure attribute mappings (see User Schema Mapping)
- Enable provisioning
Okta
- Go to Applications > Your App > Provisioning > Integration
- Enable SCIM connector
- Enter:
  - SCIM connector base URL: https://auth.calimatic.com/scim/v2
  - Authentication Mode: HTTP Header
  - Authorization: Bearer scim_your_token
- Configure supported operations (Create, Update, Deactivate)
- Configure attribute mappings
OneLogin
- Go to Applications > Your App > Provisioning
- Enable provisioning
- Enter the SCIM base URL and Bearer token
- Map attributes as needed
Rate Limits
| Endpoint | Limit | Window |
|---|---|---|
| All SCIM endpoints | 60 requests | 1 minute per token |
When rate limited, the response includes a Retry-After header.
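An audit or reconciliation job that lists every user has to page with startIndex/count and back off on 429. The following added example (not Calimatic's own code) shows that loop with the HTTP call injected as a function, so it runs offline against a constructed stand-in. It assumes Retry-After carries a number of seconds.

```python
import time

MAX_COUNT = 100  # documented maximum page size


def list_all_users(fetch, count=MAX_COUNT, sleep=time.sleep, max_retries=5):
    """Collect every user resource across pages.

    fetch(start_index, count) -> (status, headers, body) performs one
    GET /scim/v2/Users call; it is injected so the loop is testable.
    """
    count = min(count, MAX_COUNT)
    users, start, retries = [], 1, 0
    while True:
        status, headers, body = fetch(start, count)
        if status == 429:
            retries += 1
            if retries > max_retries:
                raise RuntimeError("rate limited: retries exhausted")
            # Assumption: Retry-After is expressed in seconds.
            sleep(int(headers.get("Retry-After", "1")))
            continue
        if status != 200:
            raise RuntimeError(f"SCIM error {status}: {body.get('detail')}")
        retries = 0
        page = body.get("Resources", [])
        users.extend(page)
        start += len(page)          # startIndex is 1-based
        if not page or start > body["totalResults"]:
            return users


def make_fake_fetch(total=250):
    """Constructed offline stand-in that rate-limits the second call."""
    calls = {"n": 0}

    def fetch(start, count):
        calls["n"] += 1
        if calls["n"] == 2:
            return 429, {"Retry-After": "3"}, {}
        ids = range(start, min(start + count, total + 1))
        return 200, {}, {"totalResults": total,
                         "Resources": [{"id": f"u{i}"} for i in ids]}
    return fetch


if __name__ == "__main__":
    print(len(list_all_users(make_fake_fetch(), sleep=lambda s: None)))
```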