This topic describes the SCIM 2.0 interface provided by EIAM and states its supported scope and limitations. You only need this document if your self-built application integrates with the SCIM interface to synchronize identity data.
Usage notes
The SCIM 2.0 interface is implemented according to RFC 7642, RFC 7643 and RFC 7644. For the concrete structure definitions, see SCIM Schemas.
SCIM 2.0 interface overview
The authorization token (BearerToken) can be obtained in either of two ways:
Static BearerToken: a static token generated in the console. On the application management page, click Account Synchronization, open the "Synchronize application to IDaaS" page and generate the token there.
Access Token obtained via Client Credentials: use the OAuth 2.0 Client Credentials grant provided by EIAM to obtain an Access Token dynamically; in this case you request the token with your ClientID and ClientSecret. For details, see GenerateToken - generate an application authentication token.
Either token is a bearer credential that can create, modify and delete accounts within the synchronization scope: keep it in a secrets manager rather than in source control or logs, and because Client Credentials access tokens expire, prefer that flow over a static token wherever your integration can refresh them.
The SCIM 2.0 endpoints are listed in the table below.
When calling the SCIM interface, replace {BaseUrl} with the SCIM Base URL of the application in your EIAM instance, and replace <BearerToken> with a valid SCIM authorization token.
| Category | SCIM 2.0 endpoint | Supported | Description |
| --- | --- | --- | --- |
| Discovery Endpoint | GET /ServiceProviderConfig | Yes | Returns the features supported by the service provider. |
| | GET /ResourceTypes | Yes | Returns the supported resource types: User and Group. |
| | GET /Schemas | Yes | Returns the detailed schemas for User, EnterpriseUser and Group. |
| /Users | POST /Users | Yes | Create (synchronize) a user. |
| | GET /Users/{id} | Yes | Query the user with the given ID. |
| | GET /Users | Yes | Query users by filter, or list all users. Without a filter, all users are returned, at most 100 per page, with pagination. |
| | PUT /Users/{id} | Yes | Replace the user with the given ID. |
| | PATCH /Users/{id} | Yes | Update the user with the given ID. |
| | DELETE /Users/{id} | Yes | Delete the user with the given ID. |
| /Groups | POST /Groups | Yes | Create (synchronize) a group. |
| | GET /Groups/{id} | Yes | Query the group with the given ID, including the users in the group. |
| | GET /Groups | Yes | Query groups by filter, or list all groups. Without a filter, all groups are returned without their members, at most 100 per page, with pagination. |
| | PUT /Groups/{id} | Yes | Replace a group. |
| | PATCH /Groups/{id} | Yes | Update a group. |
| | DELETE /Groups/{id} | Yes | Delete the group with the given ID. |
| /Me | none | Not supported | none |
| /Bulk | none | Not supported | none |
| /.search | none | Not supported | none |
Endpoint details and examples
Discovery Endpoint
/ServiceProviderConfig
Description
Returns the features supported by the service provider. The response below declares bulk, sort and etag as unsupported and filter.maxResults as 100; a client should read these values from the response rather than hard-code them.
Constraints
No authentication required.
Request example
curl {BaseUrl}/ServiceProviderConfig --header "Content-Type: application/scim+json"
Response example
{
"documentationUri": "",
"patch": {
"supported": true
},
"bulk": {
"supported": false,
"maxOperations": 0,
"maxPayloadSize": 0
},
"filter": {
"supported": true,
"maxResults": 100
},
"changePassword": {
"supported": true
},
"sort": {
"supported": false
},
"etag": {
"supported": false
},
"authenticationSchemes": [
{
"name": "OAuth Bearer Token",
"description": "Authentication scheme using the OAuth Bearer Token Standard",
"specUri": "https://www.rfc-editor.org/info/rfc6750",
"type": "oauthbearertoken",
"primary": true
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
]
}
/ResourceTypes
Description
Returns the supported resource types: User and Group.
Constraints
No authentication required.
Request example
curl {BaseUrl}/ResourceTypes --header "Content-Type: application/scim+json"
Response example
{
"startIndex": 1,
"totalResults": 2,
"itemsPerPage": 2,
"Resources": [
{
"name": "Group",
"description": "Group",
"endpoint": "/Groups",
"schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
"id": "Group",
"meta": {
"resourceType": "Group",
"location": "{BaseUrl}/ResourceTypes/Group"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
]
},
{
"name": "User",
"description": "User Account",
"endpoint": "/Users",
"schema": "urn:ietf:params:scim:schemas:core:2.0:User",
"schemaExtensions": [
{
"schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"required": false
}
],
"id": "User",
"meta": {
"resourceType": "User",
"location": "{BaseUrl}/ResourceTypes/User"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:ResourceType"
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}
/Schemas
Description
Returns the schemas supported by the service provider: the detailed User, Group and EnterpriseUser schemas.
Constraints
Supports querying by resource type (append the schema URN to the path, as in the examples below).
Only the attributes described in this document are supported; the response below is the authoritative list. Note two points when reading it: the active attribute used in the request and response examples later on this page is not listed in the User schema, and the Group member sub-attribute appears here as ref while the request and response examples use $ref as defined in RFC 7643.
No authentication required.
Request example
# List all schemas
curl {BaseUrl}/Schemas --header "Content-Type: application/scim+json"
# Core User schema
curl {BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:User --header "Content-Type: application/scim+json"
# Core Group schema
curl {BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group --header "Content-Type: application/scim+json"
# Enterprise User extension schema
curl {BaseUrl}/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User --header "Content-Type: application/scim+json"
Response example
Full schema list as returned by GET /Schemas
{
"startIndex": 1,
"totalResults": 3,
"itemsPerPage": 3,
"Resources": [
{
"name": "User",
"description": "User Account",
"attributes": [
{
"name": "userName",
"type": "string",
"multiValued": false,
"description": "Unique identifier for the User typically used by the user to directly authenticate to the service provider.",
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "server"
},
{
"name": "displayName",
"type": "string",
"multiValued": false,
"description": "The name of the User, suitable for display to end-users. The name SHOULD be the full name of the User being described if known.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "password",
"type": "string",
"multiValued": false,
"description": "The User's clear text password. This attribute is intended to be used as a means to specify an initial password when creating a new User or to reset an existing User's password.",
"required": false,
"caseExact": false,
"mutability": "writeOnly",
"returned": "never",
"uniqueness": "none"
},
{
"name": "emails",
"type": "complex",
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "E-mail addresses for the user. The value\nSHOULD be canonicalized by the Service Provider, e.g.\nbjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type\nvalues of work, home, and other.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human readable name, primarily used for display purposes.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "type",
"type": "string",
"multiValued": false,
"description": "A label indicating the attribute's function; e.g., 'work' or 'home'.",
"required": false,
"canonicalValues": [
"work",
"home",
"other"
],
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "primary",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred mailing address or primary e-mail address. The primary attribute value 'true' MUST appear no more than once.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "E-mail addresses for the user. The value SHOULD be canonicalized by the Service Provider, e.g., bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and other.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "server"
},
{
"name": "phoneNumbers",
"type": "complex",
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "Phone number of the User",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human readable name, primarily used for display purposes.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "type",
"type": "string",
"multiValued": false,
"description": "A label indicating the attribute's function; e.g., 'work' or 'home' or 'mobile' etc.",
"required": false,
"canonicalValues": [
"work",
"home",
"mobile",
"fax",
"pager",
"other"
],
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "primary",
"type": "boolean",
"multiValued": false,
"description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred phone number or primary phone number. The primary attribute value 'true' MUST appear no more than once.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "Phone numbers for the User. The value SHOULD be canonicalized by the Service Provider according to format in RFC3966 e.g., 'tel:555xxxx5555'. Canonical Type values of work, home, mobile, fax, pager and other.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "server"
},
{
"name": "phoneRegion",
"type": "string",
"multiValued": false,
"description": "PhoneRegion for the User. eg.86.If not filled, the default value is 86",
"required": false,
"caseExact": false,
"mutability": "writeOnly",
"returned": "never",
"uniqueness": "none"
},
{
"name": "id",
"type": "string",
"multiValued": false,
"description": "A unique identifier for a SCIM resource as defined by the service provider.",
"required": true,
"caseExact": false,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "server"
},
{
"name": "externalId",
"type": "string",
"multiValued": false,
"description": "A String that is an identifier for the resource as defined by the provisioning client.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "meta",
"type": "complex",
"subAttributes": [
{
"name": "resourceType",
"type": "string",
"multiValued": false,
"description": "The resource Type",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
},
{
"name": "location",
"type": "reference",
"multiValued": false,
"description": "The location (URI) of the resource",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"multiValued": false,
"description": ".",
"required": false,
"caseExact": false,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "schemas",
"type": "string",
"multiValued": true,
"description": ".",
"required": true,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"id": "urn:ietf:params:scim:schemas:core:2.0:User",
"meta": {
"resourceType": "Schema",
"location": "{BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:User"
}
},
{
"name": "Group",
"description": "Group",
"attributes": [
{
"name": "displayName",
"type": "string",
"multiValued": false,
"description": "A human-readable name for the Group.",
"required": true,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "members",
"type": "complex",
"subAttributes": [
{
"name": "value",
"type": "string",
"multiValued": false,
"description": "The identifier of a group member.",
"required": true,
"caseExact": false,
"mutability": "immutable",
"returned": "default",
"uniqueness": "none"
},
{
"name": "ref",
"type": "reference",
"multiValued": false,
"description": "The URI of the member resource.",
"required": true,
"caseExact": true,
"mutability": "immutable",
"returned": "default",
"uniqueness": "none",
"referenceTypes": [
"User"
]
},
{
"name": "display",
"type": "string",
"multiValued": false,
"description": "A human readable name, primarily used for display purposes.",
"required": false,
"caseExact": false,
"mutability": "immutable",
"returned": "default",
"uniqueness": "none"
}
],
"multiValued": true,
"description": "A list of members of the Group.",
"required": false,
"caseExact": true,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "id",
"type": "string",
"multiValued": false,
"description": "A unique identifier for a SCIM resource as defined by the service provider.",
"required": true,
"caseExact": false,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "server"
},
{
"name": "externalId",
"type": "string",
"multiValued": false,
"description": "A String that is an identifier for the resource as defined by the provisioning client.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
},
{
"name": "meta",
"type": "complex",
"subAttributes": [
{
"name": "resourceType",
"type": "string",
"multiValued": false,
"description": "The resource Type",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
},
{
"name": "location",
"type": "reference",
"multiValued": false,
"description": "The location (URI) of the resource",
"required": false,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"multiValued": false,
"description": ".",
"required": false,
"caseExact": false,
"mutability": "readOnly",
"returned": "default",
"uniqueness": "none"
},
{
"name": "schemas",
"type": "string",
"multiValued": true,
"description": ".",
"required": true,
"caseExact": true,
"mutability": "readOnly",
"returned": "always",
"uniqueness": "none"
}
],
"id": "urn:ietf:params:scim:schemas:core:2.0:Group",
"meta": {
"resourceType": "Schema",
"location": "{BaseUrl}/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group"
}
},
{
"name": "EnterpriseUser",
"description": "Enterprise User",
"attributes": [
{
"name": "organization",
"type": "string",
"multiValued": false,
"description": "Identifies the name of an organization.",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none"
}
],
"id": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
"meta": {
"resourceType": "Schema",
"location": "{BaseUrl}/Schemas/urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
}
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}
Users
POST /Users
Description
Create (synchronize) a user.
Constraints
Attributes follow the definitions declared in the Schema response.
If the account's organization is passed (the organization attribute of the enterprise extension), the account is placed under that organizational unit; if it is omitted, the account is placed under the synchronization target node. See the request examples.
Request example
curl {BaseUrl}/Users --header 'Authorization: Bearer <BearerToken>' --header "Content-Type: application/scim+json" -X POST -d '<data>'
where data has one of the following structures.
Example 1: without the account's organization
{
"userName": "<user username>",
"externalId": "<external Id>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"primary": true,
"type": "work",
"value": "<user email>"
}
],
"phoneRegion": "86",
"phoneNumbers": [
{
"primary": true,
"type": "work",
"value": "<user phoneNumber>"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
]
}
Example 2: with the account's organization.
{
"userName": "<user username>",
"externalId": "<external Id>",
"displayName": "<user display name>",
"emails": [
{
"primary": true,
"type": "work",
"value": "<user email>"
}
],
"phoneRegion": "86",
"phoneNumbers": [
{
"primary": true,
"type": "work",
"value": "<user phoneNumber>"
}
],
"active":true,
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}
Response example
HTTP/1.1 201
{
"id": "<userId>",
"userName": "<user username>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"value": "<user email>",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "<user phoneNumber>",
"type": "work",
"primary": true
}
],
"externalId": "<external Id>",
"meta": {
"resourceType": "User",
"created": "2025-02-25T09:56:48.622Z",
"lastModified": "2025-02-25T09:56:48.622Z",
"location": "{BaseUrl}/Users/<userId>"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}
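The create body above must match the attribute definitions that GET /Schemas returns. As an added example (not code from the EIAM documentation or product), the following Python validates a POST /Users body against that schema before it is sent, catching locally what the server would otherwise reject or silently drop: unknown attributes, read-only attributes such as id and meta, a missing userName, a non-canonical emails type, an undeclared extension, and more than one primary entry. The attribute table is transcribed from the /Schemas response on this page; the active attribute is added because every request and response example on the page uses it although the /Schemas listing omits it; the payloads in the usage are constructed samples.

```python
from typing import Any, Dict, List, Optional

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


def attr(name: str, type_: str, required: bool = False, multi: bool = False,
         mutability: str = "readWrite", canonical: Optional[List[str]] = None,
         subs: Optional[List[Dict[str, Any]]] = None) -> Dict[str, Any]:
    """Shorthand for one attribute definition in the shape /Schemas returns."""
    return {"name": name, "type": type_, "required": required, "multiValued": multi,
            "mutability": mutability, "canonicalValues": canonical or [],
            "subAttributes": subs or []}


def _contact_subs(types: List[str]) -> List[Dict[str, Any]]:
    """Sub-attributes shared by emails and phoneNumbers."""
    return [attr("value", "string"), attr("display", "string"),
            attr("type", "string", canonical=types), attr("primary", "boolean")]


# Attribute definitions transcribed from the /Schemas response shown on this page.
USER_ATTRS = [
    attr("userName", "string", required=True),
    attr("displayName", "string"),
    attr("password", "string", mutability="writeOnly"),
    attr("emails", "complex", multi=True, subs=_contact_subs(["work", "home", "other"])),
    attr("phoneNumbers", "complex", multi=True,
         subs=_contact_subs(["work", "home", "mobile", "fax", "pager", "other"])),
    attr("phoneRegion", "string", mutability="writeOnly"),
    attr("id", "string", required=True, mutability="readOnly"),
    attr("externalId", "string"),
    attr("meta", "complex", mutability="readOnly"),
    # 'active' is used by every request/response example on the page but is absent
    # from its /Schemas listing; it is added here so those examples validate.
    attr("active", "boolean"),
]
ENTERPRISE_ATTRS = [attr("organization", "string")]

PY_TYPES = {"string": str, "boolean": bool, "complex": dict, "reference": str}


def _check(defn: Dict[str, Any], value: Any, path: str, errors: List[str]) -> None:
    """Type, canonical-value and 'primary' checks for one attribute (recursive for complex)."""
    if defn["multiValued"] and not isinstance(value, list):
        errors.append(f"{path}: must be a list")
        return
    items = value if defn["multiValued"] else [value]
    primaries = 0
    for item in items:
        if not isinstance(item, PY_TYPES[defn["type"]]):
            errors.append(f"{path}: expected {defn['type']}")
            continue
        if defn["type"] == "complex":
            subs = {s["name"]: s for s in defn["subAttributes"]}
            for key, sub_value in item.items():
                if key not in subs:
                    errors.append(f"{path}.{key}: unknown sub-attribute")
                else:
                    _check(subs[key], sub_value, f"{path}.{key}", errors)
            primaries += item.get("primary") is True
        elif defn["canonicalValues"] and item not in defn["canonicalValues"]:
            errors.append(f"{path}: {item!r} not one of {defn['canonicalValues']}")
    if primaries > 1:
        errors.append(f"{path}: 'primary': true may appear at most once")


def validate_create_user(payload: Dict[str, Any]) -> List[str]:
    """Return the problems found in a POST /Users body; an empty list means it is acceptable."""
    errors: List[str] = []
    schemas = payload.get("schemas")
    if not isinstance(schemas, list) or CORE_USER not in schemas:
        errors.append("schemas: must be a list containing the core User schema URN")
        schemas = schemas if isinstance(schemas, list) else []
    core = {a["name"]: a for a in USER_ATTRS}
    ext = {a["name"]: a for a in ENTERPRISE_ATTRS}
    for name, value in payload.items():
        if name == "schemas":
            continue
        if name == ENTERPRISE_USER:
            if ENTERPRISE_USER not in schemas:
                errors.append(f"{name}: extension present but not declared in schemas")
            if not isinstance(value, dict):
                errors.append(f"{name}: must be an object")
                continue
            for key, sub_value in value.items():
                if key in ext:
                    _check(ext[key], sub_value, f"{name}.{key}", errors)
                else:
                    errors.append(f"{name}.{key}: unknown extension attribute")
            continue
        defn = core.get(name)
        if defn is None:
            errors.append(f"{name}: not in the documented schema (only listed attributes are supported)")
        elif defn["mutability"] == "readOnly":
            errors.append(f"{name}: read-only, assigned by the server")
        else:
            _check(defn, value, name, errors)
    # Required attributes a client must send; server-assigned (readOnly) ones are excluded.
    for name, defn in core.items():
        if defn["required"] and defn["mutability"] != "readOnly" and name not in payload:
            errors.append(f"{name}: required")
    return errors
```

In a real integration, fetch the schema from GET /Schemas at startup and build USER_ATTRS from it instead of the transcribed table, so the check tracks the instance rather than this page.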
GET /Users/{id}
Description
Query the user with the given ID.
Constraints
Returns the user corresponding to {id}. If {id} is not an existing user, the request is rejected.
Only users whose source is SCIM import and that are within the synchronization scope can be queried.
Request example
curl {BaseUrl}/Users/<userId> --header 'Authorization: Bearer <BearerToken>' --header "Content-Type: application/scim+json" -X GET
Response example
HTTP/1.1 200
{
"id": "<userId>",
"userName": "<user username>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"value": "<user email>",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "<user phoneNumber>",
"type": "work",
"primary": true
}
],
"externalId": "<external Id>",
"meta": {
"resourceType": "User",
"created": "2025-02-25T09:56:48.622Z",
"lastModified": "2025-02-25T09:56:48.622Z",
"location": "{BaseUrl}/Users/<userId>"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}
GET /Users
Description
Query users by filter, or list all users.
Constraints
If a filter is given, only matching users are returned. The filter supports only the eq and and operators and must be URL-encoded.
Without a filter, only users whose source is SCIM import and that are within the synchronization scope are returned.
With a filter, all users within the synchronization scope can be queried, regardless of source.
Request example
curl {BaseUrl}/Users<?parameters> --header 'Authorization: Bearer <BearerToken>' --header "Content-Type: application/scim+json" -X GET
where the supported parameters are:
| Parameter | Description | Example |
| --- | --- | --- |
| filter | Supports eq expressions on externalId, id, userName, emails[type eq "work"].value and phoneNumbers[type eq "work"].value, joined with and. Must be URL-encoded. | filter=userName eq "<user username>" (percent-encoded on the wire) |
| startIndex | Optional; defaults to 1. 1-based index of the first record. | startIndex=1 |
| count | Optional; defaults to 20. Number of users per page; at most 100 records are returned per page, and count>100 is treated as 100. | count=20 |
Response example
HTTP/1.1 200
{
"startIndex": 1,
"totalResults": 2,
"itemsPerPage": 20,
"Resources": [
{
"userName": "username1",
"displayName": "displayName1",
"active": true,
"emails": [
{
"value": "test1@example.com",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "333*****333",
"type": "work",
"primary": true
}
],
"id": "user_addxxxxxxxxxxxxxxx1",
"externalId": "externalId1",
"meta": {
"resourceType": "User",
"created": "2025-03-06T03:16:40.201Z",
"lastModified": "2025-03-06T03:16:40.201Z",
"location": "{BaseUrl}/Users/user_addxxxxxxxxxxxxxxx1"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
]
},
{
"userName": "username2",
"displayName": "displayName2",
"active": true,
"emails": [
{
"value": "test2@example.com",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "333*****334",
"type": "work",
"primary": true
}
],
"id": "user_g3od4xxxxxxxxxxxxxxx2",
"externalId": "externalId2",
"meta": {
"resourceType": "User",
"created": "2025-03-06T06:58:35.997Z",
"lastModified": "2025-03-06T06:58:35.997Z",
"location": "{BaseUrl}/Users/user_g3od4xxxxxxxxxxxxxxx2"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}
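Listing users in practice means paging through this endpoint with a correctly encoded filter. As an added example (not code from the EIAM documentation or product), the following Python builds eq/and filters restricted to the attributes the table above allows, percent-encodes them, clamps count to the documented maximum of 100, and walks startIndex until totalResults is exhausted. The HTTP layer is an injected fetch callable; make_stub_fetch is a constructed stand-in that applies the same documented rules so the code runs offline, and the user records in the usage are constructed sample data. Replace the stub with a real HTTP client in production.

```python
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Attributes the page allows in a GET /Users filter (eq only, clauses joined with and).
USER_FILTER_ATTRS = {"externalId", "id", "userName",
                     'emails[type eq "work"].value', 'phoneNumbers[type eq "work"].value'}
MAX_COUNT = 100  # the server treats any larger count as 100

# (url, headers) -> parsed JSON body; injected so the same code runs against a stub or a real client
Fetch = Callable[[str, Dict[str, str]], Dict]


def scim_filter(conditions: Dict[str, str]) -> str:
    """Build a filter using only the operators the page supports, escaping values per RFC 7644."""
    if not conditions:
        raise ValueError("at least one condition is required")
    clauses = []
    for name, value in conditions.items():
        if name not in USER_FILTER_ATTRS:
            raise ValueError(f"unsupported filter attribute: {name}")
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        clauses.append(f'{name} eq "{escaped}"')
    return " and ".join(clauses)


def list_users_url(base_url: str, filter_expr: Optional[str], start_index: int, count: int) -> str:
    """URL for one page; count is clamped client-side to what the server would use anyway."""
    params = {"startIndex": start_index, "count": min(count, MAX_COUNT)}
    if filter_expr:
        params["filter"] = filter_expr
    # quote (rather than quote_plus) percent-encodes the spaces, quotes and brackets in the filter
    return f"{base_url}/Users?{urlencode(params, quote_via=quote)}"


def iter_users(fetch: Fetch, base_url: str, token: str,
               conditions: Optional[Dict[str, str]] = None,
               page_size: int = MAX_COUNT) -> Iterator[Dict]:
    """Walk every page of GET /Users, following the 1-based startIndex/totalResults contract."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/scim+json"}
    filter_expr = scim_filter(conditions) if conditions else None
    start = 1
    while True:
        page = fetch(list_users_url(base_url, filter_expr, start, page_size), headers)
        resources = page.get("Resources", [])
        yield from resources
        start += len(resources)
        if not resources or start > page["totalResults"]:
            break


def make_stub_fetch(users: List[Dict]) -> Fetch:
    """Constructed stand-in for the endpoint (not the real server): requires the bearer header,
    clamps count to 100, pages by startIndex and evaluates the eq/and filters built above."""
    def lookup(user: Dict, name: str) -> List:
        if name == 'emails[type eq "work"].value':
            return [e["value"] for e in user.get("emails", []) if e.get("type") == "work"]
        if name == 'phoneNumbers[type eq "work"].value':
            return [p["value"] for p in user.get("phoneNumbers", []) if p.get("type") == "work"]
        return [user.get(name)]

    def matches(user: Dict, filter_expr: str) -> bool:
        for clause in filter_expr.split(" and "):
            # rpartition: the attribute path itself may contain " eq " (emails[type eq "work"])
            name, _, quoted = clause.rpartition(" eq ")
            value = quoted[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            if value not in lookup(user, name):
                return False
        return True

    def fetch(url: str, headers: Dict[str, str]) -> Dict:
        if not headers.get("Authorization", "").startswith("Bearer "):
            raise PermissionError("401: missing bearer token")
        query = parse_qs(urlsplit(url).query)
        start = int(query.get("startIndex", ["1"])[0])
        count = min(int(query.get("count", ["20"])[0]), MAX_COUNT)
        filter_expr = query.get("filter", [None])[0]
        hits = [u for u in users if filter_expr is None or matches(u, filter_expr)]
        fetch.calls += 1
        return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                "totalResults": len(hits), "startIndex": start, "itemsPerPage": count,
                "Resources": hits[start - 1:start - 1 + count]}

    fetch.calls = 0  # number of round-trips the stub has served
    return fetch
```

A real fetch should treat any non-200 status as an error rather than as an empty page, otherwise a 401 from an expired token would look like an empty directory and a reconciliation job might deprovision everything.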
PUT /Users/{id}
Description
Replace the user with the given ID.
Constraints
{id} is required; the modifiable attributes are those defined in the Schema.
Existing attributes are overwritten. If an attribute is not passed, its value is left unchanged. This differs from the RFC 7644 PUT semantics, in which omitted attributes are cleared, so you cannot clear an attribute through this endpoint by leaving it out.
Only users within the synchronization scope whose source is SCIM import or self-built can be modified. If a self-built account is modified, its source is changed to SCIM import.
Request example
curl {BaseUrl}/Users/<userId> --header 'Authorization: Bearer <BearerToken>' --header "Content-Type: application/scim+json" -X PUT -d '<data>'
where data has the following structure:
{
"id": "<userId>",
"userName": "<user username>",
"externalId": "<external Id>",
"displayName": "<user display name>",
"emails": [
{
"primary": true,
"type": "work",
"value": "<user email>"
}
],
"phoneRegion": "86",
"phoneNumbers": [
{
"primary": true,
"type": "work",
"value": "<user phoneNumber>"
}
],
"active":true,
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}
Response example
HTTP/1.1 200
{
"id": "<userId>",
"userName": "<user username>",
"displayName": "<user display name>",
"active": true,
"emails": [
{
"value": "<user email>",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "<user phoneNumber>",
"type": "work",
"primary": true
}
],
"externalId": "<external Id>",
"meta": {
"resourceType": "User",
"created": "2025-02-25T09:56:48.622Z",
"lastModified": "2025-02-25T09:56:48.622Z",
"location": "{BaseUrl}/Users/<userId>"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
"organization": "<user organizationalUnitId>"
}
}
PATCH /Users/{id}
Description
Partially update the user with the given ID.
Constraints
{id} is required; the modifiable attributes are those defined in the Schema.
PATCH supports the add and replace operations; remove is not supported. A remove operation is ignored rather than rejected, so do not rely on it to clear an attribute.
The path attribute is optional; see the data structures in the request examples.
Only users within the synchronization scope whose source is SCIM import or self-built can be modified. If a self-built account is modified, its source is changed to SCIM import.
Request example
curl {BaseUrl}/Users/<userId> --header 'Authorization: Bearer <BearerToken>' --header "Content-Type: application/scim+json" -X PATCH -d '<data>'
where data has one of the following structures.
Example 1: add displayName, without path.
{
"Operations": [
{
"op": "add",
"value": {
"displayName": "updateDisplayName"
}
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Example 2: replace displayName, with path.
{
"Operations": [
{
"op": "Replace",
"path": "displayName",
"value": "updateDisplayName"
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Example 3: replace the e-mail address, without path.
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [{
"op": "Replace",
"value": {
"emails": [{
"value": "test@example.com",
"type": "work",
"primary": true
}]
}
}]
}
Example 4: replace the e-mail address, with path.
{
"Operations": [
{
"op": "Replace",
"path": "emails[type eq \"work\"].value",
"value": "test@example.com"
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Example 5: deactivate the account, with path.
{
"Operations": [
{
"op": "Replace",
"path": "active",
"value": "false"
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Example 6: deactivate the account, without path.
{
"Operations": [
{
"op": "Replace",
"value": {
"active": false
}
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Response example
HTTP/1.1 204
DELETE /Users/{id}
Description
Delete the user with the given ID.
Constraints
{id} is required.
Only synchronized users can be deleted.
Request example
curl {BaseUrl}/Users/<userId> --header 'Authorization: Bearer <BearerToken>' --header "Content-Type: application/scim+json" -X DELETE
Response example
HTTP/1.1 204
Groups
POST /Groups
Description
Create (synchronize) a group.
Constraints
Attribute restrictions follow the Schema description.
At most 1000 members are supported; more than 1000 is an error.
Members that do not exist or are outside the synchronization scope are ignored.
The response contains the group information with only those members whose membership was created successfully. Because skipped members do not produce an error, compare the returned members against the ones you sent to detect them (the example below sends two members and gets one back).
Request example
curl {BaseUrl}/Groups --header 'Authorization: Bearer <BearerToken>' --header "Content-Type: application/scim+json" -X POST -d '<data>'
where data has the following structure:
{
"externalId": "<external Id>",
"displayName": "<group name>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"type": "User"
},
{
"value": "user_d3rmo3xxxxxxxxxbo6vhcfq",
"$ref": "{BaseUrl}/Users/user_d3rmo3xxxxxxxxxbo6vhcfq",
"type": "User"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
Response example
HTTP/1.1 201
{
"id": "group_bz7xxxxxxxxxx3hhxdha",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
GET /Groups/{id}
Description
Query the group with the given ID.
Constraints
Returns the group corresponding to {id}; the members attribute is included by default.
Supports excludedAttributes=members; when this parameter is present, members are not returned.
If {id} is not an existing group, the request is rejected.
Only groups whose source is SCIM import can be queried.
Request example
curl {BaseUrl}/Groups/<groupId><?parameters> --header 'Authorization: Bearer <BearerToken>' --header "Content-Type: application/scim+json" -X GET
where the supported parameters are:
| Parameter | Description | Example |
| --- | --- | --- |
| excludedAttributes | Exclude an attribute from the response. Only members is supported, meaning members are not returned. | excludedAttributes=members |
Response example
HTTP/1.1 200
{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
GET /Groups
Description
Query groups by filter, or list all groups.
Constraints
If a filter is given, only matching groups are returned; the filter supports only the eq and and operators.
Without a filter, all groups are listed and members is empty (the list method does not return members; use GET /Groups/{id} for membership).
Supports the standard SCIM pagination: 20 records by default, at most 100 per page (count>100 is treated as 100).
Only synchronized groups can be queried.
Request example
curl {BaseUrl}/Groups<?parameters> --header 'Authorization: Bearer <BearerToken>' --header "Content-Type: application/scim+json" -X GET
where the supported parameters are:
| Parameter | Description | Example |
| --- | --- | --- |
| filter | Supports only eq expressions on displayName, externalId and id. Must be URL-encoded. | filter=displayName eq "<group name>" (percent-encoded on the wire) |
| startIndex | Optional; defaults to 1. 1-based index of the first record. | startIndex=1 |
| count | Optional; defaults to 20. Number of groups per page; at most 100 records are returned per page, and count>100 is treated as 100. | count=20 |
Response example
HTTP/1.1 200
{
"startIndex": 1,
"totalResults": 2,
"itemsPerPage": 20,
"Resources": [
{
"displayName": "GroupName1",
"id": "group_7xh7xxxxxxxxxxgvajbbowpe",
"externalId": "externalId1",
"meta": {
"resourceType": "Group",
"created": "2025-03-07T10:03:21.784Z",
"lastModified": "2025-03-07T10:03:21.784Z",
"location": "{BaseUrl}/Groups/group_7xh7xxxxxxxxxxgvajbbowpe"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
},
{
"displayName": "GroupName2",
"id": "group_bz7qhxxxxxxxxxle3hhxdha",
"externalId": "externalId2",
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T10:46:36.549Z",
"location": "{BaseUrl}/Groups/group_bz7qhxxxxxxxxxle3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
]
}
PUT /Groups/{id}
Description
Replace a group.
Constraints
{id} is required; the modifiable attributes are those defined in the Schema.
Existing attributes are overwritten; if members is given, the membership is replaced. At most 1000 members are supported; more than 1000 is an error.
Only groups whose source is SCIM import can be modified, and only memberships whose source is SCIM import are replaced; memberships created from other sources are not touched.
Returns the group information with all of its members.
Request example
curl {BaseUrl}/Groups/<groupId> --header 'Authorization: Bearer <BearerToken>' --header "Content-Type: application/scim+json" -X PUT -d '<data>'
where data has the following structure:
{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
Response example
HTTP/1.1 200
{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
PATCH /Groups/{id}
Description
Update a group.
Constraints
{id} is required; the modifiable attributes are those defined in the Schema.
PATCH supports the add, replace and remove operations.
replace on members supports at most 1000 members per operation; more is an error.
add on members supports at most 100 members per operation; more is an error.
remove on members supports at most 100 members per operation; more is an error.
Only groups whose source is SCIM import can be modified, and only memberships whose source is SCIM import are affected.
Returns the group information with all of its members.
Request example
curl {BaseUrl}/Groups/<groupId> --header 'Authorization: Bearer <BearerToken>' --header "Content-Type: application/scim+json" -X PATCH -d '<data>'
where data has one of the following structures.
Example 1: remove all SCIM-sourced members from the group.
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "remove",
"path": "members"
}
]
}
Example 2: add a member and remove a member.
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "remove",
"path": "members",
"value": [{
"value": "user_dm57xxxxxxxxxxx5wzecz"
}]
},
{
"op": "add",
"path": "members",
"value": [{
"value": "user_sdfqxxxxxxxxxxkzhw5wz"
}]
}
]
}
Example 3: replace the members.
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [
{
"op": "replace",
"path": "members",
"value": [{
"value": "user_dm57xxxxxxxxxxx5wzecz"
}]
}
]
}
Response example
HTTP/1.1 200
{
"id": "<groupId>",
"displayName": "<group name>",
"externalId": "<external Id>",
"members": [
{
"value": "user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue",
"$ref": "{BaseUrl}/Users/user_4pnblmv5oxxxxxxxxxxxxo7pcuxwue"
}
],
"meta": {
"resourceType": "Group",
"created": "2025-03-06T06:35:46.009Z",
"lastModified": "2025-03-06T06:35:46.009Z",
"location": "{BaseUrl}/Groups/group_bz7xxxxxxxxxx3hhxdha"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
]
}
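Keeping a group's membership in sync means computing the difference between what GET /Groups/{id} returns and what the source system wants, then expressing it within the per-operation limits listed above. As an added example (not code from the EIAM documentation or product), the following Python plans that PATCH body: it emits the page's three forms (a remove of all members, chunked remove/add operations, or a single replace) depending on the size of the change, and simulate_server is a constructed model of the documented limits used to check a plan offline. The member IDs in the usage are constructed.

```python
from typing import Dict, Iterable, List, Optional, Set

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
REPLACE_MAX = 1000  # members per replace operation (and per PUT), from the page
ADD_MAX = 100       # members per add operation
REMOVE_MAX = 100    # members per remove operation


def _member_op(op: str, ids: List[str]) -> Dict:
    """One PATCH operation on the members attribute, in the shape the page's examples use."""
    return {"op": op, "path": "members", "value": [{"value": i} for i in ids]}


def _chunks(ids: List[str], size: int) -> List[List[str]]:
    return [ids[i:i + size] for i in range(0, len(ids), size)]


def plan_member_patch(current: Iterable[str], desired: Iterable[str]) -> Optional[Dict]:
    """Build the PATCH /Groups/{id} body that moves the group's SCIM-sourced membership
    from `current` to `desired`, or return None when nothing changes.

    Only SCIM-imported memberships are affected by these operations (memberships from other
    sources are untouched), so `current` should be the members returned by GET /Groups/{id}."""
    have, want = set(current), set(desired)
    to_remove, to_add = sorted(have - want), sorted(want - have)
    if not to_remove and not to_add:
        return None
    if not want:
        # Example 1 on the page: remove without a value clears all SCIM-sourced members.
        ops = [{"op": "remove", "path": "members"}]
    else:
        ops = ([_member_op("remove", c) for c in _chunks(to_remove, REMOVE_MAX)] +
               [_member_op("add", c) for c in _chunks(to_add, ADD_MAX)])
        # When the change needs several chunked operations and the target set fits within
        # the replace limit, a single replace is smaller and lands atomically.
        if len(ops) > 2 and len(want) <= REPLACE_MAX:
            ops = [_member_op("replace", sorted(want))]
    return {"schemas": [PATCH_OP], "Operations": ops}


def simulate_server(current: Iterable[str], body: Dict) -> Set[str]:
    """Constructed model of how the page describes the server applying a membership PATCH,
    including its per-operation limits. Used to check plans offline; it is not EIAM code."""
    members = set(current)
    for op in body["Operations"]:
        ids = {m["value"] for m in op.get("value", [])}
        if op["op"] == "remove" and "value" not in op:
            members.clear()
        elif op["op"] == "remove":
            if len(ids) > REMOVE_MAX:
                raise ValueError(f"remove: {len(ids)} members exceeds {REMOVE_MAX}")
            members -= ids
        elif op["op"] == "add":
            if len(ids) > ADD_MAX:
                raise ValueError(f"add: {len(ids)} members exceeds {ADD_MAX}")
            members |= ids
        elif op["op"] == "replace":
            if len(ids) > REPLACE_MAX:
                raise ValueError(f"replace: {len(ids)} members exceeds {REPLACE_MAX}")
            members = ids
        else:
            raise ValueError(f"unsupported op {op['op']!r}")
    return members
```

Because POST /Groups and PUT /Groups/{id} silently drop members that are missing or outside the synchronization scope, run the plan, then re-read the group and diff again; a member that is still absent after the second pass is one the server will never accept, not a transient failure.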
DELETE /Groups/{id}
Description
Delete the group with the given ID.
Constraints
{id} is required.
If the group has members, the memberships are removed along with it.
Only groups whose source is SCIM import can be deleted.
Request example
curl {BaseUrl}/Groups/<groupId> --header 'Authorization: Bearer <BearerToken>' --header "Content-Type: application/scim+json" -X DELETE
Response example
HTTP/1.1 204