Web service


From version 4.1, Identify includes an Identify*SCIM Service for provisioning users on Identify, based on the SCIM specification suite developed under the IETF.
Safewhere*SCIM aims to reduce the cost and complexity of user provisioning by providing a common user and group schema and a REST API for all the necessary CRUD operations.

SCIM SCHEMA

The first version of Identify*SCIM supports the User resource only. It follows most of the definitions in the specification, but there are some differences to note. The following section points out which attributes do not correspond to Identify concepts and how the others map to the attributes of Identify users:

| Attribute type | SCIM User Attribute | Identify User Attribute |
|---|---|---|
| Common Schema Attributes | Id | Id |
| | ExternalId | Primary identified name (*) |
| | Meta | created: <created date>; lastModified: <modified date>; location: "<tenantURL>/admin/scim/v1/Users/<Id>"; version: null; attributes: null |
| | Schemas | |
| Singular | Locale, Name, NickName, PreferredLanguage, Title, TimeZone, ProfileUrl | No corresponding concept |
| | Active | Enabled |
| | Username | Primary identified name (*) |
| | DisplayName | UserName |
| | Password | Empty (**) |
| Multi-valued attributes | Entitlements, PhoneNumbers, Ims, Photos, Addresses, Roles | No corresponding concept |
| | Emails | Value of the email claim, which is specified on system setup |
| SCIM enterprise user schema extension | EmployeeNumber, CostCenter, Division, Department, Manager | No corresponding concept |
| | Organization | Organization |
| Schema extensions | urn:scim:schemas:extension:mapping:hint:1.0 | Claim type, which is specified as a hint to extract the username |
| | urn:scim:schemas:extension:safewhere:identify:1.0.forceResetPasswordAfterFirstTimeLogin | ForceResetPasswordAfterFirstTimeLogin |
| | urn:scim:schemas:extension:safewhere:identify:1.0.ActivationCode | Value of the claim ActivationCode, which is defined as "DeviceActivationCodeClaimDefinitionId" on system setup |
| | urn:scim:schemas:extension:safewhere:identify:1.0.Claims | All claims of the user |

(*) Primary identified name: the value of the primary claim, which is used to identify a user.

  • There are three steps to map a SCIM user to an Identify user:
    • Map by hint: if the attribute "urn:scim:schemas:extension:mapping:hint:1.0" is not null, the system tries to use it as the primary claim type.
    • Map by combination: the SCIM user's username is a combination of its claim type and its value. The separator is defined by "ScimUserNameCombinationSeparator" on system setup.
    • Map by default: the system tries to use the default username claim type, which is specified as "ScimDefaultNameClaimType" on system setup.
  • There are three steps to map an Identify user to a SCIM user:
    • Try to get the claim that is primary.
    • Try to get the claim whose claim type is defined by "ScimDefaultNameClaimType".
    • Try to get the first claim whose value is not null.

(**) Password mapping: when mapping an Identify user to a SCIM user, the password is returned empty. In the other direction, the SCIM user's password is used to update the Identify user object.
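The two three-step mapping rules above, written out as an added example (this is not Safewhere's code); the two system-setup values, the claim types and the sample users are constructed for illustration:

```python
# Added example, not part of the Identify product: the username mapping rules
# between SCIM users and Identify users, in both directions.
from typing import Optional, Tuple

HINT_ATTR = "urn:scim:schemas:extension:mapping:hint:1.0"

# Constructed stand-ins for the two system-setup values the rules refer to.
SETUP = {
    "ScimUserNameCombinationSeparator": "|",
    "ScimDefaultNameClaimType": "urn:example:claims:upn",
}


def scim_to_primary_claim(scim_user: dict, setup: dict = SETUP) -> Tuple[str, str]:
    """Return (claim type, value) that identifies the Identify user for a SCIM user."""
    username = scim_user["userName"]
    # 1. Map by hint: the hint extension names the primary claim type.
    hint = scim_user.get(HINT_ATTR)
    if hint:
        return hint, username
    # 2. Map by combination: userName is "<claim type><separator><value>".
    sep = setup["ScimUserNameCombinationSeparator"]
    if sep in username:
        claim_type, value = username.split(sep, 1)
        if claim_type and value:
            return claim_type, value
    # 3. Map by default: fall back to the configured default name claim type.
    return setup["ScimDefaultNameClaimType"], username


def identify_to_scim_username(claims: list, setup: dict = SETUP) -> Optional[str]:
    """Pick the claim value that becomes the SCIM userName of an Identify user.

    Each claim is a dict {"type": ..., "value": ..., "primary": bool}.
    """
    # 1. The claim flagged as primary.
    for claim in claims:
        if claim.get("primary"):
            return claim["value"]
    # 2. The claim whose type is the configured default name claim type.
    for claim in claims:
        if claim["type"] == setup["ScimDefaultNameClaimType"]:
            return claim["value"]
    # 3. The first claim whose value is not null.
    for claim in claims:
        if claim.get("value") is not None:
            return claim["value"]
    return None
```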

SCIM Authentication and Authorization

The Identify*SCIM service uses an OAuth 2.0 token for authentication and authorization, with the scope "identify*scim".

OAuth Protocol Connection settings for SCIM:

Set the audience field of tokens issued for the application: fill in the token issuer URI, which is set as the Entity ID on the system setup page.

SCIM APIs

Web service URL: <TenantUrl>/admin/api/scim/v1/Users
Content-type: application/json
Content: SCIM user JSON object

| Command | Description | Returns | Exceptions | Comment |
|---|---|---|---|---|
| GET | Retrieves a known user resource by id, or all users | 200 and a JSON object | 404: Resource not found; 500: Internal server error | To retrieve a specific user, append "/<id>" to the web service URL |
| POST | Creates a completely new resource | 200 and the returned SCIM user JSON object | 500: Internal server error | |
| PUT | Performs a full update | 200 and the returned SCIM user JSON object | 404: Resource not found; 500: Internal server error | |
| PATCH | Performs a partial update | 200 and the returned SCIM user JSON object | 500: Internal server error | Supports deleting attributes as defined in the specification, so it can be used to add, update or delete claims |
| DELETE | Deletes a user or performs a partial update | 200 | 404: Resource not found; 500: Internal server error | To delete a specific user, append "/<id>" to the web service URL |
| QUERY | Retrieves users with the specified attributes | 200 and the returned SCIM user JSON objects | 500: Internal server error | Attributes can be empty or a comma-separated list of SCIM user attributes; if empty, complete SCIM user JSON objects are returned. Filter and pagination are not supported in Identify*Scim 1.1 yet |