This topic describes the SCIM 2.0 interface provided by EIAM and states its scope of support and its limitations. You only need to read this topic if your self-built application must integrate the SCIM interface to synchronize identity data.
Usage notes
The SCIM 2.0 interface follows RFC 7642, RFC 7643 and RFC 7644. For the concrete structure definitions, see SCIM Schemas.
SCIM 2.0 interface overview
The authorization token (BearerToken) can be obtained in either of two ways:
Static BearerToken: a static token generated from the interface configuration. On the application management page, click Account Synchronization and open the Synchronize Application to IDaaS page to generate it.
Access Token generated via Client_Credentials: you can obtain an Access Token dynamically through the OAuth 2.0 Client Credentials grant provided by EIAM. In this case you use your ClientID/Secret to request an Access Token. For details, see GenerateToken - generate an application authentication token.
The SCIM 2.0 interfaces are listed in the table below.
When calling the SCIM interfaces, replace {BaseUrl} with the SCIM Base URL of the application in your EIAM instance, and replace <BearerToken> with a valid SCIM authorization token.
Category | SCIM 2.0 interface | Supported | Description |
Discovery Endpoint | GET /ServiceProviderConfig | Supported | Retrieve the capabilities supported by the server. |
Discovery Endpoint | GET /ResourceTypes | Supported | Retrieve the resource types supported by the server; returns User and Group. |
Discovery Endpoint | GET /Schemas | Supported | Retrieve the schemas supported by the server; returns the detailed schemas of User, EnterpriseUser and Group. |
/Users | POST /Users | Supported | Create a user (synchronize a user to EIAM). |
/Users | GET /Users/{id} | Supported | Query the user with the given ID. |
/Users | GET /Users | Supported | Query users by condition or list all users. Without a filter, all users are returned, at most 100 per page, with pagination. |
/Users | PUT /Users/{id} | Supported | Replace the information of the user with the given ID. |
/Users | PATCH /Users/{id} | Supported | Update the information of the user with the given ID. |
/Users | DELETE /Users/{id} | Supported | Delete the user with the given ID. |
/Groups | POST /Groups | Supported | Create a group (synchronize a group to EIAM). |
/Groups | GET /Groups/{id} | Supported | Query the group with the given ID, including the users in the group. |
/Groups | GET /Groups | Supported | Query groups by condition or list all groups. Without a filter, all groups are listed but without their member users, at most 100 per page, with pagination. |
/Groups | PUT /Groups/{id} | Supported | Replace group information. |
/Groups | PATCH /Groups/{id} | Supported | Update group information. |
/Groups | DELETE /Groups/{id} | Supported | Delete the group with the given ID. |
/Me | None | Not supported | None |
/Bulk | None | Not supported | None |
/.Search | None | Not supported | None |
Interface details and operation samples
Discovery Endpoint
/ServiceProviderConfig
Description
Retrieve the capabilities supported by the server.
Constraints
No authentication required.
Request sample
curl {BaseUrl}/ServiceProviderConfig --header "Content-type:application/scim+json"
Response sample
{
"documentationUri": "",
"patch": {
"supported": true
},
"bulk": {
"supported": false,
"maxOperations": 0,
"maxPayloadSize": 0
},
"filter": {
"supported": true,
"maxResults": 100
},
"changePassword": {
"supported": true
},
"sort": {
"supported": false
},
"etag": {
"supported": false
},
"authenticationSchemes": [
{
"name": "OAuth Bearer Token",
"description": "Authentication scheme using the OAuth Bearer Token Standard",
"specUri": "https://www.rfc-editor.org/info/rfc6750",
"type": "oauthbearertoken",
"primary": true
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
]
}
/ResourceTypes
Description
Retrieve the resource types supported by the server; returns User and Group.
Constraints
No authentication required.
Request sample
curl {BaseUrl}/ResourceTypes --header "content-type:application/scim+json"
Response sample
{
"startIndex": 1,
"totalResults": 2,
"itemsPerPage": 2,
"Resources": [
{
"name": "Group",
"description": "Group",
"endpoint": "/Groups",
"schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
"id": "Group",
"meta": {
"resourceType": "Group",
"location": "{BaseUrl}/ResourceTypes/Group"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
]
},
{
"name": "User",
"description": "User Account",
"endpoint": "/Users",
"schema": "urn:ietf:params:scim:schemas:core:2.0:User",
"schemaExtensions": [
{
"schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"required": false
}
],
"id": "User",
"meta": {
"resourceType": "User",
"location": "{BaseUrl}/ResourceTypes/User"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}
/Schemas
Description
Retrieve the schemas supported by the server; returns the detailed schemas of User and Group.
Constraints
Querying by resource type is supported.
Only the fields described in this document are supported.
No authentication required.
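As an added illustration (not EIAM's own code) of the constraint that only the documented fields are accepted: a Python pre-flight validator built from a trimmed, constructed copy of the User schema that /Schemas returns below. The `active` attribute is not listed in that response although every request sample on this page uses it, so it is included here as an assumption.

```python
from typing import Any

# Constructed, trimmed copy of the User schema from the /Schemas response on this
# page (name, type, required and mutability only). "active" is absent from that
# response but used by all request samples, so it is ADDED HERE AS AN ASSUMPTION.
USER_SCHEMA_ATTRS = [
    {"name": "userName", "type": "string", "required": True, "mutability": "readWrite"},
    {"name": "displayName", "type": "string", "required": False, "mutability": "readWrite"},
    {"name": "password", "type": "string", "required": False, "mutability": "writeOnly"},
    {"name": "phoneRegion", "type": "string", "required": False, "mutability": "writeOnly"},
    {"name": "externalId", "type": "string", "required": False, "mutability": "readWrite"},
    {"name": "active", "type": "boolean", "required": False, "mutability": "readWrite"},  # assumed
    {"name": "emails", "type": "complex", "multiValued": True, "required": False,
     "mutability": "readWrite",
     "subAttributes": [{"name": "value", "type": "string"}, {"name": "display", "type": "string"},
                       {"name": "type", "type": "string"}, {"name": "primary", "type": "boolean"}]},
    {"name": "phoneNumbers", "type": "complex", "multiValued": True, "required": False,
     "mutability": "readWrite",
     "subAttributes": [{"name": "value", "type": "string"}, {"name": "display", "type": "string"},
                       {"name": "type", "type": "string"}, {"name": "primary", "type": "boolean"}]},
    {"name": "id", "type": "string", "required": True, "mutability": "readOnly"},
    {"name": "meta", "type": "complex", "required": False, "mutability": "readOnly"},
    {"name": "schemas", "type": "string", "multiValued": True, "required": True,
     "mutability": "readOnly"},
]

# SCIM attribute type -> JSON value type the client must send.
JSON_TYPES = {"string": str, "boolean": bool, "complex": dict, "reference": str}


def _type_ok(attr: dict, value: Any) -> bool:
    """Check one attribute value against its SCIM type, honouring multiValued."""
    expected = JSON_TYPES[attr["type"]]
    if attr.get("multiValued"):
        return isinstance(value, list) and all(isinstance(v, expected) for v in value)
    return isinstance(value, expected)


def validate_user_payload(payload: dict, attrs: list = USER_SCHEMA_ATTRS) -> list:
    """Return the problems a client should fix before sending POST/PUT /Users.

    Rules derived from the schema: unknown attributes are rejected (the server only
    supports the documented fields), readOnly attributes must not be sent (except
    "schemas", which every request sample carries), writable required attributes
    must be present, and values must match the declared type.
    """
    by_name = {a["name"]: a for a in attrs}
    problems = []
    for name, value in payload.items():
        if name.startswith("urn:ietf:params:scim:schemas:extension:"):
            continue  # extension blocks (e.g. enterprise "organization") are out of scope here
        attr = by_name.get(name)
        if attr is None:
            problems.append(f"unknown attribute: {name}")
        elif attr["mutability"] == "readOnly" and name != "schemas":
            problems.append(f"readOnly attribute must not be sent: {name}")
        elif not _type_ok(attr, value):
            problems.append(f"wrong type for {name}: expected {attr['type']}")
        elif attr["type"] == "complex":
            subs = {s["name"]: s for s in attr.get("subAttributes", [])}
            for item in (value if attr.get("multiValued") else [value]):
                for sub, sub_val in item.items():
                    if sub not in subs:
                        problems.append(f"unknown sub-attribute: {name}.{sub}")
                    elif not isinstance(sub_val, JSON_TYPES[subs[sub]["type"]]):
                        problems.append(f"wrong type for {name}.{sub}: expected {subs[sub]['type']}")
    for attr in attrs:
        if attr["required"] and attr["mutability"] != "readOnly" and attr["name"] not in payload:
            problems.append(f"missing required attribute: {attr['name']}")
    return problems
```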
Request sample
# Request all schemas
curl {BaseUrl}/Schemas --header "content-type:application/scim+json"
# Request the User resource schema
curl {BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:User --header "content-type:application/scim+json"
# Request the Group resource schema
curl {BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group --header "content-type:application/scim+json"
# Request the enterprise extension of the User resource
curl {BaseUrl}/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User --header "content-type:application/scim+json"
Response sample
Schema response (User, Group and EnterpriseUser)
{
"startIndex": 1,
"totalResults": 3,
"itemsPerPage": 3,
"Resources": [
{
"name": "User",
"description": "User Account",
"attributes": [
{
"name": "userName",
"type": "string",
"multiValued": false,
"description": "Unique identifier for the User typically used by the user to directly authenticate to the service provider.",
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "server"
},
{
"name": "displayName",
"type": "string",
"multiValued": false,
"description": "The name of the User, suitable for display to end-users. The name SHOULD be the full name of the User being described if known.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "password",
"type": "string",
"multiValued": false,
"description": "The User's clear text password. This attribute is intended to be used as a means to specify an initial password when creating a new User or to reset an existing User's password.",
"required": false,
"caseExact": false,
"mutability": "writeOnly",
"returned": "never",
"uniqueness": "none"
},
{
"name": "emails",
"type": "complex",
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "E-mail addresses for the user. The value\nSHOULD be canonicalized by the Service Provider, e.g.\nbjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type\nvalues of work, home, and other.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human readable name, primarily used for display purposes.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "type",
"type": "string",
"multiValued": false,
"description": "A label indicating the attribute's function; e.g., 'work' or 'home'.",
"required": false,
"canonicalValues": [
"work",
"home",
"other"
],
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "primary",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred mailing address or primary e-mail address. The primary attribute value 'true' MUST appear no more than once.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "E-mail addresses for the user. The value SHOULD be canonicalized by the Service Provider, e.g., bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and other.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "server"
},
{
"name": "phoneNumbers",
"type": "complex",
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "Phone number of the User",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human readable name, primarily used for display purposes.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "type",
"type": "string",
"multiValued": false,
"description": "A label indicating the attribute's function; e.g., 'work' or 'home' or 'mobile' etc.",
"required": false,
"canonicalValues": [
"work",
"home",
"mobile",
"fax",
"pager",
"other"
],
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "primary",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred phone number or primary phone number. The primary attribute value 'true' MUST appear no more than once.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "Phone numbers for the User. The value SHOULD be canonicalized by the Service Provider according to format in RFC3966 e.g., 'tel:555xxxx5555'. Canonical Type values of work, home, mobile, fax, pager and other.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "server"
},
{
"name": "phoneRegion",
"type": "string",
"multiValued": false,
"description": "PhoneRegion for the User. eg.86.If not filled, the default value is 86",
"required": false,
"caseExact": false,
"mutability": "writeOnly",
"returned": "never",
"uniqueness": "none"
},
{
"name": "id",
"type": "string",
"multiValued": false,
"description": "A unique identifier for a SCIM resource as defined by the service provider.",
"required": true,
"caseExact": false,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "server"
},
{
"name": "externalId",
"type": "string",
"multiValued": false,
"description": "A String that is an identifier for the resource as defined by the provisioning client.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "meta",
"type": "complex",
"subAttributes": [
{
"name": "resourceType",
"type": "string",
"multiValued": false,
"description": "The resource Type",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
},
{
"name": "location",
"type": "reference",
"multiValued": false,
"description": "The location (URI) of the resource",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"multiValued": false,
"description": ".",
"required": false,
"caseExact": false,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "schemas",
"type": "string",
"multiValued": true,
"description": ".",
"required": true,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"id": "urn:ietf:params:scim:schemas:core:2.0:User",
"meta": {
"resourceType": "Schema",
"location": "{BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:User"
}
},
{
"name": "Group",
"description": "Group",
"attributes": [
{
"name": "displayName",
"type": "string",
"multiValued": false,
"description": "A human-readable name for the Group.",
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "members",
"type": "complex",
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "The identifier of a group member.",
"required": true,
"caseExact": false,
"mutability": "immutable",
"returned": "default",
"uniqueness": "none"
},
{
"name": "ref",
"type": "reference",
"multiValued": false,
"description": "The URI of the member resource.",
"required": true,
"caseExact": true,
"mutability": "immutable",
"returned": "default",
"uniqueness": "none",
"referenceTypes": [
"User"
]
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human readable name, primarily used for display purposes.",
"required": false,
"caseExact": false,
"mutability": "immutable",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "A list of members of the Group.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "id",
"type": "string",
"multiValued": false,
"description": "A unique identifier for a SCIM resource as defined by the service provider.",
"required": true,
"caseExact": false,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "server"
},
{
"name": "externalId",
"type": "string",
"multiValued": false,
"description": "A String that is an identifier for the resource as defined by the provisioning client.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "meta",
"type": "complex",
"subAttributes": [
{
"name": "resourceType",
"type": "string",
"multiValued": false,
"description": "The resource Type",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
},
{
"name": "location",
"type": "reference",
"multiValued": false,
"description": "The location (URI) of the resource",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"multiValued": false,
"description": ".",
"required": false,
"caseExact": false,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "schemas",
"type": "string",
"multiValued": true,
"description": ".",
"required": true,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"id": "urn:ietf:params:scim:schemas:core:2.0:Group",
"meta": {
"resourceType": "Schema",
"location": "{BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group"
}
},
{
"name": "EnterpriseUser",
"description": "Enterprise User",
"attributes": [
{
"name": "organization",
"type": "string",
"multiValued": false,
"description": "Identifies the name of an organization.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"id": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"meta": {
"resourceType": "Schema",
"location": "{BaseUrl}/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
}
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}
Users
POST /Users
Description
Create a user (synchronize a user to EIAM).
Constraints
Fields follow the definitions declared in the Schema response.
If the account's organization is passed, the account is placed under that OU; if no OU is passed, the account's organization is the synchronization target node. See the request samples.
Request sample:
curl {BaseUrl}/Users --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X POST -d '<data>'
The data structure is shown below.
Sample one: without the account's organization
{
"userName": "<user username>",
"externalId": "<external Id>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"primary": true,
"type": "work",
"value": "<user email>"
}
],
"phoneRegion": "86",
"phoneNumbers": [
{
"primary": true,
"type": "work",
"value": "<user phoneNumber>"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
]
}
Sample two: with the account's organization.
{
"userName": "<user username>",
"externalId": "<external Id>",
"displayName": "<user display name>",
"emails": [
{
"primary": true,
"type": "work",
"value": "<user email>"
}
],
"phoneRegion": "86",
"phoneNumbers": [
{
"primary": true,
"type": "work",
"value": "<user phoneNumber>"
}
],
"active":true,
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}
Response sample
HTTP/1.1 201
{
"id": "<userId>",
"userName": "<user username>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"value": "<user email>",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "<user phoneNumber>",
"type": "work",
"primary": true
}
],
"externalId": "<external Id>",
"meta": {
"resourceType": "User",
"created": "2025-02-25T09:56:48.622Z",
"lastModified": "2025-02-25T09:56:48.622Z",
"location": "{BaseUrl}/Users/<userId>"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}
GET /Users/{id}
Description
Query the user with the given ID.
Constraints
With /{id}, the user corresponding to that ID is returned. If {id} is not an existing user, the request is rejected.
Only users whose source is SCIM import and who are within the synchronization scope can be queried.
Request sample
curl {BaseUrl}/Users/<userId> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X GET
Response sample
HTTP/1.1 200
{
"id": "<userId>",
"userName": "<user username>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"value": "<user email>",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "<user phoneNumber>",
"type": "work",
"primary": true
}
],
"externalId": "<external Id>",
"meta": {
"resourceType": "User",
"created": "2025-02-25T09:56:48.622Z",
"lastModified": "2025-02-25T09:56:48.622Z",
"location": "{BaseUrl}/Users/<userId>"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}
GET /Users
Description
Query users by condition or list all users.
Constraints
If a filter is given, the matching users are returned; the filter supports only the eq and and operators. The filter must be URL-encoded.
Without a filter, only users whose source is SCIM import and who are within the synchronization scope can be queried.
With a filter, all users within the synchronization scope can be queried.
Request sample
curl {BaseUrl}/Users<?parameters> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X GET
The supported parameters are listed below:
Parameter | Value | Sample |
filter | Supports eq expressions on externalId, id, userName, emails[type eq "work"].value and phoneNumbers[type eq "work"].value. Must be URL-encoded. | |
startIndex | Optional; default 1; the index of the first record. | startIndex=1 |
count | Optional; default 20; the number of users per page. At most 100 records are returned per page; if count>100, it is treated as 100. | count=20 |
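An added example, not code from this page or from EIAM, showing how a client should build the filter (eq/and only, string literals escaped so untrusted values cannot change the filter's structure, then URL-encoded), clamp count to the 100-record cap and walk the startIndex/totalResults pagination. The `fetch` callable and the in-memory directory are assumptions standing in for the authenticated GET against {BaseUrl}/Users.

```python
from typing import Callable, Iterator
from urllib.parse import parse_qs, urlencode, urlparse

# Attributes the page lists as usable in a GET /Users filter with "eq".
FILTER_ATTRS = {
    "externalId", "id", "userName",
    'emails[type eq "work"].value', 'phoneNumbers[type eq "work"].value',
}
MAX_COUNT = 100  # the server caps every page at 100 records


def _quote(value: str) -> str:
    # Filter string literals follow JSON string rules: escaping backslash and double
    # quote keeps a value such as  x" or userName pr  from altering the expression.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_filter(conditions: dict) -> str:
    """Join attr eq "value" terms with "and"; reject attributes the page does not support."""
    terms = []
    for attr, value in conditions.items():
        if attr not in FILTER_ATTRS:
            raise ValueError(f"attribute not filterable via this SCIM endpoint: {attr}")
        terms.append(f"{attr} eq {_quote(value)}")
    return " and ".join(terms)


def users_url(base_url: str, flt: str = "", start_index: int = 1, count: int = 20) -> str:
    """Compose {BaseUrl}/Users?... with the filter URL-encoded and count clamped to 100."""
    params = {"startIndex": start_index, "count": min(count, MAX_COUNT)}
    if flt:
        params["filter"] = flt
    return f"{base_url}/Users?{urlencode(params)}"


def iter_users(base_url: str, fetch: Callable[[str], dict],
               flt: str = "", count: int = 100) -> Iterator[dict]:
    """Yield every user across all ListResponse pages.

    `fetch(url)` is assumed to perform the GET with the Bearer token and return the
    parsed JSON body; it is injected so the paging logic can be exercised offline.
    Advancing by the number of resources actually returned (not the requested count)
    keeps the walk correct when the server returns a shorter page.
    """
    start = 1
    while True:
        page = fetch(users_url(base_url, flt, start, count))
        resources = page.get("Resources", [])
        yield from resources
        returned = len(resources)
        if returned == 0 or start + returned > page["totalResults"]:
            return
        start += returned


def fake_users_fetch(total: int) -> Callable[[str], dict]:
    """Constructed stand-in for the EIAM server: serves `total` users as ListResponse
    pages, honouring startIndex/count as documented (at most 100 per page)."""
    def fetch(url: str) -> dict:
        q = parse_qs(urlparse(url).query)
        start = int(q.get("startIndex", ["1"])[0])
        count = min(int(q.get("count", ["20"])[0]), MAX_COUNT)
        ids = [f"user_{i}" for i in range(start, min(start + count, total + 1))]
        return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                "totalResults": total, "startIndex": start, "itemsPerPage": len(ids),
                "Resources": [{"id": i, "userName": i} for i in ids]}
    return fetch
```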
Response sample
HTTP/1.1 200
{
"startIndex": 1,
"totalResults": 2,
"itemsPerPage": 20,
"Resources": [
{
"userName": "username1",
"displayName": "displayName1",
"active": true,
"emails": [
{
"value": "test1@example.com",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "333*****333",
"type": "work",
"primary": true
}
],
"id": "user_addxxxxxxxxxxxxxxx1",
"externalId": "externalId1",
"meta": {
"resourceType": "User",
"created": "2025-03-06T03:16:40.201Z",
"lastModified": "2025-03-06T03:16:40.201Z",
"location": "{BaseUrl}/Users/user_addxxxxxxxxxxxxxxx1"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
]
},
{
"userName": "username2",
"displayName": "displayName2",
"active": true,
"emails": [
{
"value": "test2@example.com",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "333*****334",
"type": "work",
"primary": true
}
],
"id": "user_g3od4xxxxxxxxxxxxxxx2",
"externalId": "externalId2",
"meta": {
"resourceType": "User",
"created": "2025-03-06T06:58:35.997Z",
"lastModified": "2025-03-06T06:58:35.997Z",
"location": "{BaseUrl}/Users/user_g3od4xxxxxxxxxxxxxxx2"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}
PUT /Users/{id}
Description
Replace user information.
Constraints
{id} is required; the modifiable fields are those defined in the Schema.
Existing attributes are overwritten. If a parameter is empty, that parameter's value is left unchanged.
Only users within the synchronization scope whose source is SCIM import or self-created can be modified. If the account was self-created, its source is changed to SCIM import after the modification.
Request sample
curl {BaseUrl}/Users/<userId> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X PUT -d '<data>'
The data structure is shown below:
{
"id": "<userId>",
"userName": "<user username>",
"externalId": "<external Id>",
"displayName": "<user display name>",
"emails": [
{
"primary": true,
"type": "work",
"value": "<user email>"
}
],
"phoneRegion": "86",
"phoneNumbers": [
{
"primary": true,
"type": "work",
"value": "<user phoneNumber>"
}
],
"active":true,
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}
Response sample
HTTP/1.1 200
{
"id": "<userId>",
"userName": "<user username>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"value": "<user email>",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "<user phoneNumber>",
"type": "work",
"primary": true
}
],
"externalId": "<external Id>",
"meta": {
"resourceType": "User",
"created": "2025-02-25T09:56:48.622Z",
"lastModified": "2025-02-25T09:56:48.622Z",
"location": "{BaseUrl}/Users/<userId>"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}
PATCH /Users/{id}
Description
Partially update user information.
Constraints
{id} is required; the modifiable fields are those defined in the Schema.
Patch supports Add and Replace; Remove is not supported. A Remove operation is ignored.
The path parameter is optional; see the data structures in the request samples.
Only users within the synchronization scope whose source is SCIM import or self-created can be modified. If the account was self-created, its source is changed to SCIM import after the modification.
Request sample:
curl {BaseUrl}/Users/<userId> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X PATCH -d '<data>'
The data structures are shown below.
Sample one: add displayName, without path.
{
"Operations": [
{
"op": "add",
"value": {
"displayName": "updateDisplayName"
}
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Sample two: modify displayName, with path.
{
"Operations": [
{
"op": "Replace",
"path": "displayName",
"value": "updateDisplayName"
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Sample three: modify the email address, without path.
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [{
"op": "Replace",
"value": {
"emails": [{
"value": "test@example.com",
"type": "work",
"primary": true
}]
}
}]
}
Sample four: modify the email address, with path.
{
"Operations": [
{
"op": "Replace",
"path": "emails[type eq \"work\"].value",
"value": "test@example.com"
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Sample five: disable the account, with path.
{
"Operations": [
{
"op": "Replace",
"path": "active",
"value": "false"
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Sample six: disable the account, without path.
{
"Operations": [
{
"op": "Replace",
"value": {
"active": false
}
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Response sample
HTTP/1.1 204
DELETE /Users/{id}
Description
Delete the user with the given ID.
Constraints
{id} is required.
Only synchronized users can be deleted.
Request sample
curl {BaseUrl}/Users/<userId> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X DELETE
Response sample
HTTP/1.1 204
Groups
POST /Groups
Description
Create a group (synchronize a group to EIAM).
Constraints
Field restrictions follow the Schema description.
At most 1000 members are supported; more than 1000 returns an error.
Members that do not exist or that are outside the synchronization scope are ignored.
The response returns the group information together with the member relationships that were created successfully.
Request sample
{
"externalId": "<external Id>",
"displayName": "<group name>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"type": "User"
},
{
"value": "user_d3rmo3xxxxxxxxxbo6vhcfq",
"$ref": "{BaseUrl}/Users/user_d3rmo3xxxxxxxxxbo6vhcfq",
"type": "User"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
Response sample
HTTP/1.1 201
{
"id": "group_bz7xxxxxxxxxx3hhxdha",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
GET /Groups/{id}
Description
Query the group with the given ID.
Constraints
Returns the group corresponding to the ID; the members value is included by default.
excludedAttributes=members is supported; if the request includes this parameter, members is not returned.
If {id} is not an existing group, the request is rejected.
Only groups whose source is SCIM import can be queried.
Request sample
curl {BaseUrl}/Groups/<groupId><?parameters> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X GET
The supported parameters are listed below:
Parameter | Value | Sample |
excludedAttributes | Exclude a field from the response. Only members is supported, meaning members is not returned. | members |
Response sample
HTTP/1.1 200
{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
GET /Groups
Description
Query groups by condition or list all groups.
Constraints
If a filter is given, the matching groups are returned; the filter supports only the eq and and operators.
Without a filter, all groups are listed and members is empty (the list method does not return members).
The standard SCIM pagination is supported: 20 records are returned by default and at most 100 per page; if count>100, it is treated as 100.
Only synchronized groups can be queried.
Request sample
curl {BaseUrl}/Groups<?parameters> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X GET
The supported parameters are listed below:
Parameter | Value | Sample |
filter | Only eq expressions on displayName, externalId and id are supported. Must be URL-encoded. | |
startIndex | Optional; default 1; the index of the first record. | startIndex=1 |
count | Optional; default 20; the number of groups per page. At most 100 records are returned per page; if count>100, it is treated as 100. | count=20 |
Response sample
HTTP/1.1 200
{
"startIndex": 1,
"totalResults": 2,
"itemsPerPage": 20,
"Resources": [
{
"displayName": "GroupName1",
"id": "group_7xh7xxxxxxxxxxgvajbbowpe",
"externalId": "externalId1",
"meta": {
"resourceType": "Group",
"created": "2025-03-07T10:03:21.784Z",
"lastModified": "2025-03-07T10:03:21.784Z",
"location": "{BaseUrl}/Groups/group_7xh7xxxxxxxxxxgvajbbowpe"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
},
{
"displayName": "GroupName2",
"id": "group_bz7qhxxxxxxxxxle3hhxdha",
"externalId": "externalId2",
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T10:46:36.549Z",
"location": "{BaseUrl}/Groups/group_bz7qhxxxxxxxxxle3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}
PUT /Groups/{id}
Description
Replace group information.
Constraints
{id} is required; the modifiable fields are those defined in the Schema.
Existing attributes are overwritten; if members has a value, the members are replaced. At most 1000 members are supported; more than 1000 returns an error.
Only groups whose source is SCIM import can be modified, and only members whose group membership source is SCIM import can be replaced.
Returns the group information and all of its members.
Request sample
curl {BaseUrl}/Groups/<groupId> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X PUT -d '<data>'
The data structure is shown below:
{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
Response sample
HTTP/1.1 200
{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
PATCH /Groups/{id}
Description
Update group information.
Constraints
{id} is required; the modifiable fields are those defined in the Schema.
Patch supports Add, Replace and Remove.
Replace members supports at most 1000 members; more than 1000 returns an error.
Add members supports at most 100 members; more than 100 returns an error.
Remove members supports at most 100 members; more than 100 returns an error.
Only groups whose source is SCIM import can be modified, and only members whose group membership source is SCIM import are processed.
Returns the group information and all of its members.
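An added Python example (not EIAM's code) that turns the member limits above into a pre-flight check and plans the PATCH bodies needed to reconcile a group's SCIM-sourced membership with a desired list; the function names and the reconcile strategy are my assumptions, and the member IDs in the test are constructed.

```python
from typing import Iterable

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Per-operation member limits for PATCH /Groups/{id}, as documented on this page.
MEMBER_LIMITS = {"replace": 1000, "add": 100, "remove": 100}


def check_group_patch(body: dict) -> list:
    """Pre-flight a PATCH /Groups body: return the reasons the server would reject it."""
    problems = []
    if body.get("schemas") != [PATCH_SCHEMA]:
        problems.append("schemas must be exactly [PatchOp]")
    for i, op in enumerate(body.get("Operations", [])):
        kind = str(op.get("op", "")).lower()
        if kind not in MEMBER_LIMITS:
            problems.append(f"op {i}: unsupported op {op.get('op')!r}")
            continue
        if op.get("path") != "members":
            continue  # only the members path carries a documented size limit
        members = op.get("value", [])
        if len(members) > MEMBER_LIMITS[kind]:
            problems.append(f"op {i}: {kind} carries {len(members)} members, limit {MEMBER_LIMITS[kind]}")
    return problems


def _member_op(kind: str, user_ids: list) -> dict:
    return {"op": kind, "path": "members", "value": [{"value": uid} for uid in user_ids]}


def plan_member_patches(current: Iterable[str], desired: Iterable[str]) -> list:
    """Return the PatchOp bodies that move SCIM-sourced membership from `current` to `desired`.

    An empty target becomes the path-only remove (request sample one); a delta within
    the add/remove limits becomes one request carrying both ops (sample two); a larger
    delta becomes one replace, which the page allows up to 1000 members (sample three).
    Members unknown to the server are ignored by it, so reconcile against
    GET /Groups/{id} afterwards rather than trusting the plan alone.
    """
    cur, want = set(current), set(desired)
    if len(want) > MEMBER_LIMITS["replace"]:
        raise ValueError(f"desired membership {len(want)} exceeds {MEMBER_LIMITS['replace']}")
    to_add, to_remove = sorted(want - cur), sorted(cur - want)
    if not to_add and not to_remove:
        return []
    if not want:
        ops = [{"op": "remove", "path": "members"}]  # clears all SCIM-sourced members
    elif len(to_add) <= MEMBER_LIMITS["add"] and len(to_remove) <= MEMBER_LIMITS["remove"]:
        ops = []
        if to_remove:
            ops.append(_member_op("remove", to_remove))
        if to_add:
            ops.append(_member_op("add", to_add))
    else:
        ops = [_member_op("replace", sorted(want))]
    return [{"schemas": [PATCH_SCHEMA], "Operations": ops}]
```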
Request sample
curl {BaseUrl}/Groups/<groupId> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X PATCH -d '<data>'
The data structures are shown below.
Sample one: remove all SCIM-sourced members from the group.
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "remove",
"path": "members"
}
]
}
Sample two: add members and remove members.
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "remove",
"path": "members",
"value": [{
"value": "user_dm57xxxxxxxxxxx5wzecz"
}]
},
{
"op": "add",
"path": "members",
"value": [{
"value": "user_sdfqxxxxxxxxxxkzhw5wz"
}]
}
]
}
Sample three: replace members.
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "replace",
"path": "members",
"value": [{
"value": "user_dm57xxxxxxxxxxx5wzecz"
}]
}
]
}
Response sample
HTTP/1.1 200
{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
DELETE /Groups/{id}
Description
Delete the group with the given ID.
Constraints
{id} is required.
If the group has members, the member relationships are removed along with it.
Only groups whose source is SCIM import can be deleted.
Request sample
curl {BaseUrl}/Groups/<groupId> --header 'Authorization: Bearer <BearerToken>' --header "content-type:application/scim+json" -X DELETE
Response sample
HTTP/1.1 204