Good to know
SCIM API supported features and limitations
Our SCIM integration supports SCIM version 2.0 and is certified for Microsoft Entra ID.
Stay tuned as our SCIM integration is certified for additional identity providers!
Supported features
The Eptura SCIM API supports the following provisioning actions:
- Create users
- Delete users
- Update user attributes
- Add a group
- Remove a group
- Update group attributes
- Add/remove users to/from a group
Limitations
The Eptura SCIM API has the following limitations:
- On-premise AD does not work with the SCIM API. Only SCIM-compatible clients such as Microsoft Entra ID can utilize it.
- All users are created in Eptura as 'People'.
- Automatic user/group provisioning is only supported for Microsoft Entra ID.
- The following optional features are not currently supported:
  - Sorting
  - Logical filter ‘NOT’
  - Bulk endpoints (…/bulk)
- ‘ExternalId’ is a fixed user attribute and cannot be updated.
- Nested groups (group inside group) are not supported.
- Child attribute filtering is not supported for multi-valued attributes such as ‘Emails’ and ‘PhoneNumbers’ on the ‘Get User’ endpoint when the ‘excludedattributes/attributes’ filtering parameter is used.
- To update the group attribute ‘displayName’ only, the ‘Replace’ operation can be used with the ‘Patch Group’ endpoint.
- ‘Get Group’ endpoints do not support filtering by meta-attributes such as ‘createddate/modifieddate’.
SCIM FAQ
- What is SCIM?
SCIM, the System for Cross-domain Identity Management specification, is an open standard designed to manage user identity information. The goal of SCIM is to securely automate the exchange of user identity data between identity providers and service providers requiring user identity information (such as enterprise SaaS apps).
SCIM provides a defined schema for representing users and groups, and a RESTful API to run CRUD (create, read, update, delete) operations on those user and group resources.
- Why use SCIM?
Maintaining identities across multiple platforms can be time-consuming, labor-intensive, and prone to inconsistencies and errors. SCIM streamlines these processes and reduces mistakes. It enables systems to communicate with each other in near real time, ensuring user data is consistent across all platforms.
- When should we use the SCIM API?
Our SCIM API is designed for businesses that want to manage their user identities in cloud-based applications and services and require enhanced interoperability, security, and scalability. If you have Microsoft Entra ID or another SCIM-compatible identity management system, building connections to our SCIM API is a straightforward approach.
The technical prerequisite for using our SCIM API is a SCIM-compliant identity provider or API service.
- How does SCIM make provisioning easier?
The standard user object schema and RESTful APIs for management defined in SCIM 2.0 allow Identity Providers and apps to integrate more easily. Application developers can use our SCIM endpoints to integrate with any SCIM-compliant client.
- What does Eptura provide?
Eptura provides access to our SCIM API documentation and API endpoints. Your application experts will develop and configure the Identity Management System and the connection with our SCIM API. We have created detailed guidance on the format of the request and the responses you can expect when integrating with Eptura.
- Does on-premises Active Directory work with SCIM API?
No, on-premises Active Directory does not work with SCIM API.
- What version of SCIM do you support?
SCIM v2.0
- Can a SCIM client be set up to work with two Eptura clients?
No.
- Can Eptura clients be set up to accept user imports from two SCIM clients?
No.
- Is the Eptura SCIM API a 2-way synchronization of users?
No. The Eptura SCIM API is never triggered from within Eptura, only from the SCIM client.
- How frequently does Eptura receive changes via SCIM API?
The period between synchronization and calculating changes in data is entirely dependent on the SCIM client. The client is responsible for reading the current user data by using the GET endpoints. Alternatively, it can save the last sync state and then decide what changes to communicate.
- What permissions or secret details are communicated to Eptura by Microsoft Entra ID?
No Azure AD permission or secret details are communicated to the Eptura SCIM API. The customer’s domain name is needed for verification purposes.
- Can I change the field mappings of the supported SCIM fields with those of the Eptura fields?
No. However, the client can change the mapping between their Identity Provider and supported SCIM standard fields. Handling this conversion is the responsibility of the SCIM client.
- Can multiple OUs (Organisational Units) be configured or filtered for SCIM?
No. SCIM does not support OUs, so no OU information is passed to the Eptura SCIM API. However, if your own SCIM-compatible client supports it (MS Entra ID does not), you can filter using your own client before passing the information across.
- How do we get an access token?
Eptura creates a valid bearer access token for the SCIM API, which you add to your Microsoft Entra ID. Contact Eptura for more information.
- How do you check the group membership of a user?
Use ‘Get Group’ by filter with ‘userId’ to return the group a user is a member of.
- Can ‘Get Group’ endpoint return the entire member list?
No, the ‘Get Group’ endpoint does not return the entire member list.
- What filters are supported by the ‘Get Group’ filter endpoint?
The following group attributes are supported by the ‘Get Group’ filter endpoint: ‘groupName’, ‘externalId’, ‘members’, and ‘groupid’.
- What filter operators are supported by the ‘Get Group’ filter endpoint?
The following filter operators are supported by the ‘Get Group’ filter endpoints (operator command in brackets): equals (eq), contains (co), starts with (sw), ends with (ew), and not equals (ne). However, the ‘members’ and ‘groupId’ group attributes support only the equals (eq) operator.
- What filters are supported by the ‘Get User’ filter endpoint?
The following user attributes are supported by the ‘Get User’ filter endpoint: ‘userName’, ‘firstName’, ‘lastName’, ‘email’, ‘telephone’, ‘mobile’, ‘externalId’, ‘accountactive’, ‘created’, and ‘lastModified’.
- What filter operators are supported by the ‘Get User’ filter endpoint?
The following filter operators are supported by the ‘Get User’ filter endpoints (operator command in brackets): equals (eq), contains (co), starts with (sw), ends with (ew), and not equals (ne). However, the ‘accountactive’ user attribute supports only the equals (eq) operator.
- What users are returned when ‘Get User’ endpoint is called with no filter?
Only the active users created/merged from SCIM and of the same user type defined in the SCIM client. By default, the tenant setting ‘userType’ is set to Forms users.
- Can I delete a user created in the Eptura application?
No. You can only delete users created/merged from SCIM and those of the same user type defined as ‘userType’ tenant setting in the SCIM client. By default, the tenant setting ‘userType’ is set to Forms users.
- Can the userName attribute for a user be updated through SCIM?
Yes. If the userName does not already exist in Eptura, SCIM can update the user attribute.
- Can I filter users by created/last modified date values?
Yes. SCIM allows users to be filtered by date values:
- Created date, for example: meta.created gt "2024-05-30"
- Last modified date, for example: meta.lastModified gt "2024-05-30"
- How many group members can be provisioned in a single request?
Currently, we support passing a maximum of 100 members (users) in a single Group post/patch/put call.
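The filter limits given in the ‘Get Group’ and ‘Get User’ answers above can be checked on the client before a request is sent. The following is an added example, not Eptura code: `check_filter` is a hypothetical helper, the attribute and operator lists are copied from this page, and it assumes a filter made of a single `attribute operator value` comparison.

```python
import re

# Lists below are copied from the FAQ answers; names are compared
# case-insensitively (the page writes both 'groupid' and 'groupId').
ATTRS = {
    "group": {"groupname", "externalid", "members", "groupid"},
    "user": {"username", "firstname", "lastname", "email", "telephone",
             "mobile", "externalid", "accountactive", "created", "lastmodified"},
}
OPERATORS = {"eq", "co", "sw", "ew", "ne"}
EQ_ONLY = {"group": {"members", "groupid"}, "user": {"accountactive"}}
# The FAQ's date examples use 'gt' with meta.created / meta.lastModified.
DATE_ATTRS = {"created", "lastmodified"}

# Assumption: only a single 'attribute operator value' comparison is checked.
_COMPARISON = re.compile(r'^\s*([\w.]+)\s+(\w+)\s+("[^"]*"|true|false)\s*$', re.I)


def check_filter(resource, expr):
    """Return a list of problems; an empty list means the filter fits the documented limits."""
    # Blank out quoted values so a literal such as "not me" is not mistaken for NOT.
    unquoted = re.sub(r'"[^"]*"', '""', expr)
    if re.search(r'\bnot\b', unquoted, re.I):
        return ["logical filter 'not' is not supported"]
    match = _COMPARISON.match(expr)
    if not match:
        return ["not a single comparison; outside what this check covers"]
    attr, op = match.group(1).lower(), match.group(2).lower()
    if attr.startswith("meta."):
        attr = attr[len("meta."):]
    if attr not in ATTRS[resource]:
        return [f"'{attr}' is not a documented {resource} filter attribute"]
    if attr in EQ_ONLY[resource]:
        allowed = {"eq"}
    elif resource == "user" and attr in DATE_ATTRS:
        allowed = OPERATORS | {"gt"}
    else:
        allowed = OPERATORS
    if op not in allowed:
        return [f"operator '{op}' is not documented for '{attr}'"]
    return []


if __name__ == "__main__":
    # Constructed sample filters, not taken from the Eptura documentation.
    for res, flt in [("group", 'groupName sw "Facilities"'),
                     ("group", 'members co "42"'),
                     ("user", 'not (userName eq "a")')]:
        print(res, flt, "->", check_filter(res, flt) or "ok")
```
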