文档

云SSO支持的SCIM 2.0接口

更新时间:
一键部署

本文为您介绍云SSO提供的SCIM 2.0接口,声明了支持范围和限制条件。如果自建IdP需要集成SCIM协议将用户或用户组同步到云SSO时,需要关注本文档。使用各身份提供商(例如:Okta、Azure AD等)提供的SCIM同步能力时,通常不需要关注本文档。

使用说明

SCIM 2.0接口的实现遵循RFC 7644,具体请求说明请参见RFC文档,具体的结构实现请参见SCIM Schemas

接入点和地域

SCIM服务对应的接入点(Endpoint):https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/

已部署云SSO的地域ID(regionId):服务接入点

SCIM 2.0接口总览

SCIM 2.0接口如下表所示。调用SCIM接口时,请根据实际情况将<regionId>替换为云SSO目录所在的地域,将<your scim credential>替换为您的SCIM密钥。

分类

SCIM 2.0接口

支持情况

功能描述

Discovery Endpoint

/ServiceProviderConfig

支持

获取服务端支持的功能。

/ResourceTypes

支持

获取服务端支持的资源类型,返回User和Group。

/Schemas

支持

获取服务端支持的Schema,返回User和Group的详细Schema。

/Users

POST /Users

支持

同步用户。

GET /Users/{id}

支持

查询指定ID的用户。

GET /Users

支持

按条件查询用户信息或查询所有用户列表。

不指定filter时,返回所有用户,最多100条,支持分页。

PUT /Users/{id}

支持

替换指定ID的用户信息。

PATCH /Users/{id}

支持

更新指定ID的用户信息。

DELETE /Users/{id}

支持

删除指定ID的用户。

/Groups

POST /Groups

支持

同步用户组。

GET /Groups/{id}

支持

查询指定ID的用户组,包含用户组中的用户信息。

GET /Groups

支持

按条件查询用户组信息或查询所有用户组列表。

不指定filter时,返回所有用户组列表但不返回用户组中的用户信息,最多100条,支持分页。

PUT /Groups/{id}

支持

替换用户组信息。

PATCH /Groups/{id}

支持

更新用户组信息。

DELETE /Groups/{id}

支持

删除指定ID的用户组。

/Me

不支持

/Bulk

不支持

/.Search

不支持

Discovery Endpoint

/ServiceProviderConfig

功能描述

获取服务端支持的功能。

使用约束

不需要认证。

请求示例

curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/ServiceProviderConfig -H "Content-type:application/json"

返回示例

{
  "authenticationSchemes": [
    {
      "description": "Authentication scheme using the OAuth Bearer Token Standard",
      "name": "OAuth Bearer Token",
      "primary": true,
      "type": "oauthbearertoken"
    }
  ],
  "bulk": {
    "maxOperations": 0,
    "maxPayloadSize": 0,
    "supported": false
  },
  "changePassword": {
    "supported": false
  },
  "etag": {
    "supported": false
  },
  "filter": {
    "maxResults": 1000,
    "supported": false
  },
  "patch": {
    "supported": true
  },
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
  ],
  "sort": {
    "supported": false
  }
}

返回结果显示:

  • 支持的功能:patch。

  • 不支持的功能:bulk、changePassword、sort、etag、filter。

/ResourceTypes

功能描述

获取服务端支持的资源类型,返回User和Group。

请求示例

curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/ResourceTypes --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json"

返回示例

{
  "Resources": [
    {
      "description": "Group",
      "endpoint": "/Groups",
      "id": "Group",
      "meta": {
        "location": "https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/ResourceTypes/Group",
        "resourceType": "ResourceType"
      },
      "name": "Group",
      "schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
      ]
    },
    {
      "description": "User Account",
      "endpoint": "/Users",
      "id": "User",
      "meta": {
        "location": "https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/ResourceTypes/User",
        "resourceType": "ResourceType"
      },
      "name": "User",
      "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
      "schemaExtensions": [
        {
          "required": false,
          "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
        }
      ],
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:ResourceType"
      ]
    }
  ],
  "itemsPerPage": 10,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "startIndex": 1,
  "totalResults": 2
}

/Schemas

功能描述

获取服务端支持的Schema,返回User和Group的详细Schema。

使用约束

  • 支持按资源类型查询。

  • 对协议中约定的字段名和字段值不区分大小写。

  • 只支持下文文档描述的字段。

请求示例

请求所有资源Schema
    curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Schemas --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json"
请求用户资源Schema
    curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json"
请求用户组资源Schema
    curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json"

返回示例

用户资源Schema

{
  "attributes": [
    {
      "caseExact": true,
      "description": "A Boolean value indicating the User's administrative status.",
      "multiValued": false,
      "mutability": "readWrite",
      "name": "active",
      "required": false,
      "returned": "default",
      "type": "boolean",
      "uniqueness": "none"
    },
    {
      "caseExact": false,
      "description": "The name of the User, suitable for display to end-users. The name SHOULD be the full name of the User being described if known.",
      "multiValued": false,
      "mutability": "readWrite",
      "name": "displayName",
      "required": false,
      "returned": "default",
      "type": "string",
      "uniqueness": "none"
    },
    {
      "caseExact": true,
      "description": "E-mail addresses for the user. The value SHOULD be canonicalized by the Service Provider, e.g., bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and other.",
      "multiValued": true,
      "mutability": "readWrite",
      "name": "emails",
      "required": false,
      "returned": "default",
      "subAttributes": [
        {
          "caseExact": false,
          "description": "A human readable name, primarily used for display purposes.",
          "multiValued": false,
          "mutability": "readWrite",
          "name": "display",
          "required": false,
          "returned": "default",
          "type": "string",
          "uniqueness": "none"
        },
        {
          "caseExact": true,
          "description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred mailing address or primary e-mail address. The primary attribute value 'true' MUST appear no more than once.",
          "multiValued": false,
          "mutability": "readWrite",
          "name": "primary",
          "required": false,
          "returned": "default",
          "type": "boolean",
          "uniqueness": "none"
        },
        {
          "canonicalValues": [
            "other",
            "work",
            "home"
          ],
          "caseExact": false,
          "description": "A label indicating the attribute's function; e.g., 'work' or 'home'.",
          "multiValued": false,
          "mutability": "readWrite",
          "name": "type",
          "required": false,
          "returned": "default",
          "type": "string",
          "uniqueness": "none"
        },
        {
          "caseExact": false,
          "description": "E-mail addresses for the user. The value\nSHOULD be canonicalized by the Service Provider, e.g.\nbjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type\nvalues of work, home, and other.",
          "multiValued": false,
          "mutability": "readWrite",
          "name": "value",
          "required": false,
          "returned": "default",
          "type": "string",
          "uniqueness": "none"
        }
      ],
      "type": "complex",
      "uniqueness": "none"
    },
    {
      "caseExact": true,
      "description": "The components of the user's real name.",
      "multiValued": false,
      "mutability": "readWrite",
      "name": "name",
      "required": false,
      "returned": "default",
      "subAttributes": [
        {
          "caseExact": false,
          "description": "The family name of the User, or Last Name in most Western languages (for example, Jensen given the full name Ms. Barbara J Jensen, III.).",
          "multiValued": false,
          "mutability": "readWrite",
          "name": "familyName",
          "required": false,
          "returned": "default",
          "type": "string",
          "uniqueness": "none"
        },
        {
          "caseExact": false,
          "description": "The given name of the User, or First Name in most Western languages (for example, Barbara given the full name Ms. Barbara J Jensen, III.).",
          "multiValued": false,
          "mutability": "readWrite",
          "name": "givenName",
          "required": false,
          "returned": "default",
          "type": "string",
          "uniqueness": "none"
        },
        {
          "caseExact": false,
          "description": "The middle name(s) of the User (for example, Robert given the full name Ms. Barbara J Jensen, III.).",
          "multiValued": false,
          "mutability": "readWrite",
          "name": "middleName",
          "required": false,
          "returned": "default",
          "type": "string",
          "uniqueness": "none"
        }
      ],
      "type": "complex",
      "uniqueness": "none"
    },
    {
      "caseExact": false,
      "description": "Unique identifier for the User typically used by the user to directly authenticate to the service provider.",
      "multiValued": false,
      "mutability": "readWrite",
      "name": "userName",
      "required": true,
      "returned": "default",
      "type": "string",
      "uniqueness": "server"
    }
  ],
  "description": "User Account",
  "endpoint": "/Users",
  "extensionSchemas": [
    {
      "required": false,
      "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    }
  ],
  "id": "urn:ietf:params:scim:schemas:core:2.0:User",
  "meta": {
    "location": "https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User",
    "resourceType": "Schema"
  },
  "name": "User",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Schema"
  ]
}

用户组资源Schema

{
  "attributes": [
    {
      "caseExact": false,
      "description": "A human-readable name for the Group.",
      "multiValued": false,
      "mutability": "readWrite",
      "name": "displayName",
      "required": true,
      "returned": "default",
      "type": "string",
      "uniqueness": "server"
    },
    {
      "caseExact": true,
      "description": "A list of members of the Group.",
      "multiValued": true,
      "mutability": "readWrite",
      "name": "members",
      "required": false,
      "returned": "default",
      "subAttributes": [
        {
          "caseExact": false,
          "description": "A human readable name, primarily used for display purposes.",
          "multiValued": false,
          "mutability": "immutable",
          "name": "display",
          "required": false,
          "returned": "default",
          "type": "string",
          "uniqueness": "none"
        },
        {
          "caseExact": true,
          "description": "The URI of the member resource.",
          "multiValued": false,
          "mutability": "immutable",
          "name": "ref",
          "referenceTypes": [
            "User"
          ],
          "required": true,
          "returned": "default",
          "type": "reference",
          "uniqueness": "none"
        },
        {
          "caseExact": false,
          "description": "The identifier of a group member.",
          "multiValued": false,
          "mutability": "immutable",
          "name": "value",
          "required": true,
          "returned": "default",
          "type": "string",
          "uniqueness": "none"
        }
      ],
      "type": "complex",
      "uniqueness": "none"
    }
  ],
  "description": "Group",
  "endpoint": "/Groups",
  "id": "urn:ietf:params:scim:schemas:core:2.0:Group",
  "meta": {
    "location": "https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group",
    "resourceType": "Schema"
  },
  "name": "Group",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Schema"
  ]
}

/Users

POST /Users

功能描述

同步用户。

使用约束

  • 字段参考Schema返回结果里声明的定义。

  • 如果云SSO中存在同名的手动方式创建的用户,则会将该手动用户更改为SCIM同步用户。

请求示例

curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Users --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json" -X POST -d '<data>'

其中,data结构示例如下:

{
    "displayName": "<user display name>",
    "emails": [
        {
            "primary": true,
            "type": "work",
            "value": "<user email>"
        }
    ],
    "externalId": "<external Id>",
    "name": {
        "familyName": "<user family name>",
        "givenName": "<user given name>"
    },
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "userName": "<user name>"
}

返回示例

{
    "active": true,
    "displayName": "<user display name>",
    "emails":
    [
        {
            "primary": true,
            "type": "work",
            "value": "<user email>"
        }
    ],
    "externalId": "<external Id>",
    "id": "u-00vrs1l19d6gbsi5****",
    "meta":
    {
        "created": "2023-08-01T13:16:30.000Z",
        "lastModified": "2023-08-01T13:16:30.000Z",
        "location": "https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Users/u-00vrs1l19d6gbsi5****",
        "resourceType": "User"
    },
    "name":
    {
        "familyName": "<user family name>",
        "givenName": "<user given name>"
    },
    "schemas":
    [
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "userName": "<user name>"
}

GET /Users/{id}和GET /Users

功能描述

  • GET /Users/{id}:查询指定ID的用户。

  • GET /Users:按条件查询用户信息或查询所有用户列表。

使用约束

  • 如果带/{id},则返回该ID对应的用户。如果{id}不是已存在的用户,则拒绝请求。

  • 如果不带/{id}且有filter,则过滤相应的用户返回,filter只支持externalId和userName字段,且只支持eq和and操作符。

  • 如果不带/{id}且没有filter,则返回所有用户列表,支持SCIM协议的标准分页方式,每页最多返回100条记录,如果记录条数大于100(count>100),则按100处理。

  • 仅能查询被同步的用户。

示例1:查询指定ID的用户

请求示例

curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Users/<userId> --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json" -X GET

返回示例

{
    "active": true,
    "displayName": "<user display name>",
    "emails":
    [
        {
            "primary": true,
            "type": "work",
            "value": "<user email>"
        }
    ],
    "externalId": "<external Id>",
    "id": "u-00vrs1l19d6gbsi5****",
    "meta":
    {
        "created": "2023-08-01T13:16:30.000Z",
        "lastModified": "2023-08-01T13:16:30.000Z",
        "location": "https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Users/u-00vrs1l19d6gbsi5****",
        "resourceType": "User"
    },
    "name":
    {
        "familyName": "<user family name>",
        "givenName": "<user given name>"
    },
    "schemas":
    [
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "userName": "<user name>"
}

示例2:按条件查询用户信息或查询所有用户列表

请求示例

curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Users<?parameters> --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json" -X GET

其中,parameters支持列表如下:

参数名

取值说明

示例

filter

仅支持userName、externalId、id的eq表达式。

  • filter=userName+eq+%22demoUserName%22

  • filter=externalId+eq+%22demoExternalId%22

  • filter=id+eq+%22demoId%22

startIndex

可置空,默认值为1,表示标号。

startIndex=1

count

可置空,默认值为10,表示每页用户个数。

count=10

返回示例

{
    "Resources":
    [
        {
            "active": true,
            "displayName": "<user display name>",
            "emails":
            [
                {
                    "primary": true,
                    "type": "work",
                    "value": "<user email>"
                }
            ],
            "externalId": "external****",
            "id": "u-0015b4962vrywtzb****",
            "meta":
            {
                "created": "2023-07-07T17:21:07.000Z",
                "lastModified": "2023-07-07T17:21:07.000Z",
                "resourceType": "User"
            },
            "name":
            {
                "familyName": "<user family name>",
                "givenName": "<user given name>"
            },
            "schemas":
            [
                "urn:ietf:params:scim:schemas:core:2.0:User"
            ],
            "userName": "<user name>"
        },
        {
            "active": true,
            "displayName": "<user display name>",
            "emails":
            [
                {
                    "primary": true,
                    "type": "work",
                    "value": "<user email>"
                }
            ],
            "externalId": "<external Id>",
            "id": "u-00vrs1l19d6gbsi5****",
            "meta":
            {
                "created": "2023-08-01T13:16:30.000Z",
                "lastModified": "2023-08-01T13:16:30.000Z",
                "resourceType": "User"
            },
            "name":
            {
                "familyName": "<user family name>",
                "givenName": "<user given name>"
            },
            "schemas":
            [
                "urn:ietf:params:scim:schemas:core:2.0:User"
            ],
            "userName": "<user name>"
        }
    ],
    "itemsPerPage": 10,
    "schemas":
    [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "startIndex": 1,
    "totalResults": 2
}

PUT /Users/{id}和PATCH /Users/{id}

描述

  • PUT /Users/{id}:替换用户信息。

  • PATCH /Users/{id} :更新用户信息。

使用约束

  • {id}必传,修改的字段范围为Schema中定义的字段。

  • PUT为覆盖原有属性。

  • Patch支持Add、Replace和Remove。

  • 仅能修改被同步的用户。

请求示例

替换用户信息(PUT)

curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Users/<userId> --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json" -X PUT -d '<data>'

其中,data结构示例如下:

{
    "active": false,
    "externalId": "<external Id>",
    "id": "<user id>",
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "userName": "<user name>"
}

更新用户信息(PATCH)

curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Users/<userId> --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json" -X PATCH -d '<data>'

其中,data结构示例如下:

//remove操作
{
    "Operations": [
        {
            "op": "remove",
            "path": "displayName"
        }
    ],
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ]
}
// replace操作
{
    "Operations": [
        {
            "op": "replace",
            "path": "",
            "value": {
                "active": false,
                "displayName": "displayName",
                "name": {
                    "familyName": "familyName",
                    "givenName": "givenName"
                }
            }
        }
    ],
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ]
}
// add操作
{
    "Operations": [
        {
            "op": "add",
            "path": "",
            "value": {
                "displayName": "displayName",
                "name": {
                    "familyName": "familyName",
                    "givenName": "givenName"
                }
            }
        }
    ],
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ]
}

DELETE /Users/{id}

功能描述

删除指定ID的用户。

使用约束

  • {id}必传。

  • 仅能删除被同步的用户。

请求示例

curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Users/<userId> --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json" -X DELETE

/Group

POST /Groups

功能描述

同步用户组。

使用约束

  • 字段限制参考Schema描述。

  • 如果云SSO中存在同名的手动方式创建的用户组,则会将该手动的用户组更改为SCIM同步的用户组。

请求示例

curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Groups --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json" -X POST -d '<data>'

其中,data结构示例如下:

{
    "displayName": "<group name>",
    "externalId": "<external Id>",
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
    ]
}

返回示例

{
    "displayName": "<group name>",
    "externalId": "<external Id>",
    "id": "g-00nqnd7hoevd1unv****",
    "members":
    [],
    "meta":
    {
        "created": "2023-08-01T13:30:23.000Z",
        "lastModified": "2023-08-01T13:30:23.000Z",
        "location": "https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Groups/g-00nqnd7hoevd1unv****",
        "resourceType": "Group"
    },
    "schemas":
    [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
    ]
}

GET /Groups/{id}和GET /Groups

功能描述

  • GET /Groups/{id}:查询指定ID的用户组。

  • GET /Groups:按条件查询用户组信息或查询所有用户组列表。

使用约束

  • 支持使用id查询和filter查询。

  • filter只支持externalId和displayName字段,且只支持eq和and操作符。

  • 如果带/{id},则返回该ID对应的用户组,且包含members参数值,如果{id}不是已存在的用户组,则拒绝请求。

  • 如果不带/{id}且没有filter,则返回所有用户组列表,且members的值为空(即列表方法不返回members)。支持SCIM协议的标准分页方式,最多返回100条记录,如果记录条数大于100(count>100),按100处理。

  • 仅能查询被同步的用户组。

示例1:查询指定ID的用户组

请求示例

curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Groups/<groupId> --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json" -X GET

返回示例

{
    "displayName": "<group name>",
    "externalId": "<external Id>",
    "id": "g-00nqnd7hoevd1unv****",
    "members":
    [
        {
            "$ref": "https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Users/u-00vrs1l19d6gbsi5****",
            "display": "",
            "value": "u-00vrs1l19d6gbsi5****"
        }
    ],
    "meta":
    {
        "created": "2023-08-01T13:30:23.000Z",
        "lastModified": "2023-08-01T13:30:23.000Z",
        "location": "https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Groups/g-00nqnd7hoevd1unv****",
        "resourceType": "Group"
    },
    "schemas":
    [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
    ]
}

示例2:按条件查询用户组信息或查询所有用户组列表

请求示例

curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Groups<?parameters> --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json" -X GET

其中,parameter支持列表如下:

参数名

取值说明

示例

filter

仅支持displayName、externalId、id的eq表达式。

  • filter=displayName+eq+%22demoDisplayName%22

  • filter=externalId+eq+%22demoExternalId%22

  • filter=id+eq+%22demoId%22

startIndex

可置空,默认值为1,表示标号。

startIndex=1

count

可置空,默认值为10,表示每页用户组个数。

count=10

返回示例

{
    "Resources":
    [
        {
            "displayName": "<group name>",
            "externalId": "<external Id>",
            "id": "g-00nqnd7hoevd1unv****",
            "members":
            [],
            "meta":
            {
                "created": "2023-08-01T13:30:23.000Z",
                "lastModified": "2023-08-01T13:30:23.000Z",
                "resourceType": "Group"
            },
            "schemas":
            [
                "urn:ietf:params:scim:schemas:core:2.0:Group"
            ]
        }
    ],
    "itemsPerPage": 10,
    "schemas":
    [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "startIndex": 1,
    "totalResults": 1
}

PUT /Groups/{id}和PATCH /Groups/{id}

功能描述

  • PUT /Groups/{id}:替换用户组信息。

  • PATCH /Groups/{id}:更新用户组信息。

使用约束

  • {id}必传,修改的字段范围为Schema中定义的字段。

  • PUT为覆盖原有属性,支持替换member。

  • Patch支持Add、Replace和Remove。

  • 仅能修改被同步的用户组。

请求示例

替换用户组信息(PUT)

curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Groups/<groupId> --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json" -X PUT -d '<data>'

其中,data结构示例如下:

{
    "displayName": "<group name>",
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
    ]
}

更新用户组信息(PATCH)

curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Groups/<groupId> --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json" -X PATCH -d '<data>'

其中,data结构示例如下:

//从<groupId>对应的组内移除指定的用户<userId>
{
    "Operations": [
        {
            "op": "remove",
            "path": "members",
            "value": [
                {
                    "value": "<userId>"
                }
            ]
        }
    ],
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ]
}
//从<groupId>对应的组内移除所有用户
{
    "Operations": [
        {
            "op": "remove",
            "path": "members"
        }
    ],
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ]
}
//向<groupId>对应的组内添加3个用户
{
    "Operations": [
        {
            "op": "add",
            "path": "members",
            "value": [
                {
                    "$ref": "https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Users/<userId1>",
                    "display": "<userName1>",
                    "value": "<userId1>"
                },
                {
                    "$ref": "https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Users/<userId2>",
                    "display": "<userName2>",
                    "value": "<userId2>"
                },
                {
                    "$ref": "https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Users/<userId3>",
                    "display": "<userName3>",
                    "value": "<userId3>"
                }
            ]
        }
    ],
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ]
}

DELETE /Groups/{id}

功能描述

删除指定ID的用户组。

使用约束

  • {id}必传。

  • 存在member的时候会同步移除member。

  • 仅能删除被同步的用户组。

请求示例

curl https://cloudsso-scim-<regionId>.aliyun.com/scim/v2/Groups/<groupId> --header 'Authorization: Bearer <your scim credential>' --header "content-type:application/json" -X DELETE