User Provisioning Using SCIM API
You can use SCIM API to create a user (POST) in the Unified Directory, search for users (GET) in the Unified Directory, replace users (PUT) in the Unified Directory, modify users (PATCH) in the Unified Directory, and remove users (DELETE) from the Unified Directory. You can search for users by the SCIM attributes userName, emails, or id.
Note: Managing user groups is not supported through SCIM API.
Procedure
In the Cloud Administration Console, click Users > Identity Sources.
The Identity Sources list displays the enabled Unified Directory.Click Edit corresponding to the Unified Directory.
Copy the Base URI and use it in the configuration in SCIM client. This is the SCIM Base URI where all the SCIM resources are hosted.
Copy the Client Secret key that can be used for SCIM API authentication.
Note: You can click Generate to get a new client secret key. Click SaveSettings and Publish Changes before you use the new secret key.
SCIM API Authentication
SCIM API uses long-lived bearer token as an authentication scheme. Use the preceding procedure to generate the bearer token (client secret).
SCIM Attribute Mapping
| SCIM Attribute | Field on Users > Management |
|---|---|
| name.givenName | First Name |
| name.familyName | Last Name |
| userName | Username |
| emails[type eq "work"].value | Email Address |
| active | User Status |
| phoneNumbers[type eq "mobile"].value | SMS Phone |
| phoneNumbers[type eq "mobile"].value | Voice Phone |
SCIM Attributes
The following table describes properties used in the requests and responses.
| Request/Response Parameter | Description | Type |
|---|---|---|
| id | UUID of a user | String |
| userName | Unique identifier for the user, could be used as loginId by the users | String |
| name | Components of user's name | Complex |
| displayName | The name of the user, suitable for display | String |
| nickName | Nick name of the user | String |
| title | Title of the user | String |
| userType | Type of user | String |
| preferredLanguage | Preferred language | String |
| active | Indicates user's status | Boolean |
| locale | Indicates the user's default location for localizing | String |
| password | Password | String |
| emails | Unique identifier for the user (email of type "work" is used as primary identifier for the user. It can be used as login Id by the user.) | List<email> |
| phoneNumbers | Phone numbers of a user (phoneNumber of type "mobile" is used for SMS/VOICE authentication) | List<Phone number> |
| addresses | Physical mailing address of a user | List<Address> |
| externalId | Identifier of a User, defined by the provisioning client | String |
| emails | ||
| value | Email address | String |
| type | Types of email: home, work, or other | String |
| primary | Indicates primary/preferred email | Boolean |
| phoneNumber | ||
| value | Phone number | String |
| type | Types of phone number: home, work, mobile, pager, fax, or other | String |
| primary | Indicates primary/preferred phone number | Boolean |
| name | ||
| formatted | The full name, including all middle names, titles, and suffixes as appropriate, formatted for display | String |
| familyName | Last name or family name of the user | String |
| givenName | First name of the user | String |
| Address | ||
| formatted | The full mailing address, formatted for display or use with a mailing label | String |
| streetAddress | Full street address , which may include house number, street name, P.O. box, and multi-line extended street address information | String |
| locality | City or locality | String |
| region | State or region | String |
| postalCode | Zip code or postal code | String |
| country | Country name | String |
| type | Type of address. Valid values work, home and other. | String |
Note: userName and emails are required parameters.
For more details on SCIM attributes, refer to https://www.rfc-editor.org/rfc/rfc7643.
SCIM APIs and Discovery Endpoints
SCIM API for User Modification
Note: The SCIM API for User Replacement, SCIM API for User Modification, and SCIM API for User Deletion endpoints are unavailable for Local identity source types.
Integrating SCIM with Azure AD
Azure AD can be configured to automatically provision assigned users to applications that implement a specific profile of the SCIM 2.0 protocol.
Procedure
Create non-gallery app in Azure AD.
Configure SCIM connection details in Azure from Unified Directory using Base URI and Client Secret.
Configure user attribute mapping. Cloud mandates two SCIM attributes to be present in SCIM User provisioning request - userName and email [type eq 'work'].value. Use this default mapping.
Ensure that the users are assigned to non-gallery app created for provisioning.
Start provisioning.
Attribute mappings define how attributes are synchronized between Azure Active Directory and customappsso. The following table shows an example mapping that can be used for Azure AD integration.
| Azure Active Directory Attribute | customappsso Attribute |
|---|---|
| userPrincipalName | userName |
| Switch([IsSoftDeleted], "False", "True", "True", "False") | active |
| displayName | displayName |
| mail or userPrincipalName | emails[type eq "work"].value |
| givenName | name.givenName |
| surname | name.familyName |
| mobile | phoneNumbers[type eq "mobile"].value |
| objectId | externalId |
For details on Azure AD integration, refer to Integrate your SCIM endpoint with the Azure AD Provisioning Service.
Rate Limit
Rate limiting is applied to all SCIM API requests. When the rate limit is exceeded, a 429 HTTP error message is returned with a Retry-After response in the header. For example:
"Retry-After": "2 seconds"
Response Code
The following table shows response code for this API.
| Code | Description |
|---|---|
| 429 | Too many requests. |
Related Articles
Adding Administrators Number of Views Edit a Token Attribute Definition Number of Views SCIM API for User Deletion Number of Views Yubico Copyright Number of Views Clear a Cached Copy of Windows Credentials in the User Dashboard Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Release Notes for RSA Authentication Manager 8.8 Deploying RSA Authenticator 6.2.2 for Windows Using DISM Downloading RSA Authentication Manager license files or RSA Software token seed records
