Deployment: Invicti Platform on-demand, Invicti Platform on-premises Package: Invicti Ultimate Requires: API access
SCIM provisioning reference
This document is a reference for SCIM 2.0 provisioning in Invicti Platform, covering supported schemas, features, attributes, and known limitations. For setup instructions, see Set up SCIM provisioning.
The endpoint examples on this page use https://platform.invicti.com. Replace this with the URL for your region: EU (https://platform-eu.invicti.com), CA (https://platform-ca.invicti.com), or your on-premises or private tenant URL.
Supported schemas
All standard SCIM 2.0 schemas as defined by RFC 7643:
- urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig
- urn:ietf:params:scim:schemas:core:2.0:ResourceType
- urn:ietf:params:scim:schemas:core:2.0:Schema
- urn:ietf:params:scim:schemas:core:2.0:User
- urn:ietf:params:scim:schemas:core:2.0:Group
The following message schemas are used in requests and responses to SCIM 2.0 protocol endpoints as defined by RFC 7644:
- urn:ietf:params:scim:api:messages:2.0:ListResponse
- urn:ietf:params:scim:api:messages:2.0:SearchRequest
- urn:ietf:params:scim:api:messages:2.0:PatchOp
- urn:ietf:params:scim:api:messages:2.0:BulkRequest
- urn:ietf:params:scim:api:messages:2.0:BulkResponse
- urn:ietf:params:scim:api:messages:2.0:Error
You can retrieve the full list of schemas and attribute details from:
https://platform.invicti.com/api/scim/v2/Schemas
Features
You can retrieve the service provider configuration from:
https://platform.invicti.com/api/scim/v2/ServiceProviderConfig
Supported
- Filtering using the `filter` query parameter on list endpoints, including sub-attribute bracket notation, for example `name[givenName eq "joe"]` and `emails[type eq "work"]`
- Sorting using the `sortBy` and `sortOrder` query parameters on list endpoints
- Patch operations
- Bearer token authentication
- OAuth 2.0 Client Credentials grant
Unsupported
- Bulk operations
- ETags
Attributes
The following SCIM 2.0 attributes are supported for users and groups.
User attributes
| Attribute | Type | Constraint | Notes |
|---|---|---|---|
| id | string | Read-only | |
| externalId | string | Optional | |
| name | object | Required | |
| name.givenName | string | Required | First name |
| name.familyName | string | Required | Last name |
| userName | string | Required | Must be in email address format |
| locale | string | Optional | ISO 639-1 language code optionally followed by a hyphen and ISO 3166 Alpha-2 country code, for example en-US. Can be updated via PUT and PATCH. |
| timezone | string | Optional | IANA timezone ID, for example America/New_York. Can be updated via PUT and PATCH. |
| password | string | Optional | Must meet platform password complexity requirements. Write-only. New users without a password receive an invite email to set their own password. |
| emails | Array of objects | Optional | |
| emails.value | string | Optional | Email address |
| emails.display | string | Optional | Email display name |
| emails.type | string | Optional | work, home, or other |
| emails.primary | boolean | Optional | Whether this is the primary email address |
| phonenumbers | Array of objects | Optional | |
| phonenumbers.value | string | Optional | Phone number. Must be a valid phone number in local format (based on country code) or international format, for example +1 212 555 0188. |
| phonenumbers.display | string | Optional | Phone display name |
| phonenumbers.type | string | Optional | work, home, mobile, fax, pager, or other |
| phonenumbers.primary | boolean | Optional | Whether this is the primary phone number |
| groups | Array of objects | Read-only | User group memberships |
| groups.value | string | Read-only | Group identifier |
| groups.display | string | Read-only | Group name |
| groups.type | string | Read-only | Always direct. Indirect and nested grouping are not supported. |
| groups.$ref | reference | Read-only | URL of the group resource |
Group attributes
SCIM 2.0 groups correspond to teams in Invicti Platform.
| Attribute | Type | Constraint | Notes |
|---|---|---|---|
| externalId | string | Optional | |
| id | string | Read-only | |
| displayName | string | Required | |
| members | Array of objects | Optional | Group members. Can be set when creating the group, or via PUT or PATCH. |
| members.value | string | Read-only | User identifier |
| members.display | string | Read-only | Username |
| members.type | string | Read-only | Always User. Nested groups are not supported. |
| members.$ref | reference | Read-only | URL of the user resource |
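As an added example (not Invicti's own code), the following Python helper applies the constraints from the user and group tables above on the client side: it pre-checks a User body before it is sent, builds a filtered and sorted `/Users` list URL in the form the Features section describes, and assembles a PatchOp that adds members to a group. The base URL and every identifier in it are assumptions or constructed sample values.

```python
import re
from urllib.parse import urlencode

# Assumed region URL; replace with platform-eu, platform-ca or your own tenant URL.
BASE_URL = "https://platform.invicti.com/api/scim/v2"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # userName must be an email address
LOCALE_RE = re.compile(r"^[a-z]{2}(-[A-Z]{2})?$")       # ISO 639-1, optional -ISO 3166 Alpha-2


def user_problems(user):
    """Return the constraint violations found in a User body (empty list means it passes)."""
    problems = []
    if USER_SCHEMA not in user.get("schemas", []):
        problems.append("schemas must include the core User schema")
    if not EMAIL_RE.match(user.get("userName", "")):
        problems.append("userName must be in email address format")
    name = user.get("name") or {}
    for field in ("givenName", "familyName"):
        if not name.get(field):
            problems.append(f"name.{field} is required")
    if "locale" in user and not LOCALE_RE.match(user["locale"]):
        problems.append("locale must be like en or en-US")
    for read_only in ("id", "groups"):
        if read_only in user:
            problems.append(f"{read_only} is read-only and must not be sent")
    return problems


def build_user(user_name, given_name, family_name, **optional):
    """Assemble a create-User body from the required fields plus optional ones (locale, timezone, externalId, password)."""
    user = {"schemas": [USER_SCHEMA], "userName": user_name,
            "name": {"givenName": given_name, "familyName": family_name}, **optional}
    problems = user_problems(user)
    if problems:
        raise ValueError("; ".join(problems))
    return user


def list_users_url(filter_expr, sort_by=None, sort_order="ascending"):
    """URL for GET /Users with the filter and optional sortBy/sortOrder query parameters."""
    params = {"filter": filter_expr}
    if sort_by:
        params.update(sortBy=sort_by, sortOrder=sort_order)
    return f"{BASE_URL}/Users?{urlencode(params)}"


def add_members_patch(user_ids):
    """PatchOp body adding the given user ids to a group's members (members.type is always User)."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "add", "path": "members",
                            "value": [{"value": uid} for uid in user_ids]}]}
```

The timezone value is passed through unchecked; validating it against the IANA database needs tzdata on the client, which the helper does not assume.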
Known limitations
- Usernames must be in email address format.
- Nested or indirect group membership is not supported. In practice, `groups.type` always returns `direct` and `members.type` always returns `User`.