SecureAuth SCIM discussion

System for Cross-domain Identity Management (SCIM) is an open standard that manages user identity information between identity domains. This topic answers some typical questions you might have about SCIM and the SecureAuth Identity Store.

What does SCIM mean to SecureAuth Identity Store?

We use SCIM in the standard way, to manage user and group information, but we also use it to manage password policies, deny lists, membership, privacy fields, and more.

Does SecureAuth Identity Store provision third-party SCIM endpoints?

No, the current release of the Identity Store does not support provisioning.

What is the best practice to manage authentication to my SCIM API?

Generate your credentials by using the SecureAuth Identity Store UI, and then generate a bearer token (also called an access token) to use for API operations.

Find out how to obtain a bearer token in "Use the Postman collection". If you're working in your own development environment (not Postman), see "Obtain credentials".

Does SecureAuth support multiple email addresses, phone numbers, and physical addresses in my user profile and do I need to use an array to specify them?

Yes, you can set multiple values for email addresses, phone numbers, and physical addresses in the user profile in a few different ways. Use the API to add as many elements as needed. You can also use the CSV import from the user interface where you can include as many element types per user as needed.

Additionally, use the standard array structure to specify the elements; you must use an array structure even if you have only one element. To find out more information about this multi-valued attribute, see the SCIM specification, Section 5, Arrays.

How does the Identity Store determine the primary value for multiple email addresses, phone numbers, and physical addresses?

Set the primary=true attribute as the value for the user's primary email address, phone number, or physical address.

Additionally, you can use the type sub-attribute to read the type of your primary value. Any value that you require is allowed in the type sub-attribute.

Example: If you have three email addresses, set one primary email. You can set only one primary email, phone number, and physical address.
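The array and single-primary rules described above can be checked on a user payload before it is sent to the API. This is an added example, not SecureAuth code: the function name check_multi_valued and the sample user are constructed for illustration, and the attribute names (emails, phoneNumbers, addresses, primary, type) are those of the SCIM core User schema in RFC 7643.

```python
import json

# Multi-valued attributes of the SCIM core User schema that this topic discusses.
MULTI_VALUED = ("emails", "phoneNumbers", "addresses")

def check_multi_valued(user):
    """Return a list of problems found in a SCIM User payload (empty list = OK)."""
    problems = []
    for attr in MULTI_VALUED:
        if attr not in user:
            continue
        values = user[attr]
        # An array is required even when there is only one element.
        if not isinstance(values, list):
            problems.append(f"{attr}: must be an array, got {type(values).__name__}")
            continue
        primaries = 0
        for i, item in enumerate(values):
            if not isinstance(item, dict):
                problems.append(f"{attr}[{i}]: must be an object")
                continue
            primary = item.get("primary", False)
            # primary is a JSON boolean; the string "true" does not count.
            if not isinstance(primary, bool):
                problems.append(f"{attr}[{i}].primary: must be a JSON boolean")
            elif primary:
                primaries += 1
        if primaries > 1:
            problems.append(f"{attr}: {primaries} primary values, only one is allowed")
    return problems

# Constructed sample payload (not from the SecureAuth documentation).
SAMPLE_USER = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "jdoe",
  "emails": [
    {"value": "jdoe@example.com", "type": "work", "primary": true},
    {"value": "jdoe@example.org", "type": "home"},
    {"value": "j.doe@example.net", "type": "backup", "primary": true}
  ],
  "phoneNumbers": {"value": "+1-555-0100", "type": "mobile", "primary": true},
  "addresses": [{"type": "work", "locality": "Irvine", "primary": true}]
}
""")

if __name__ == "__main__":
    for problem in check_multi_valued(SAMPLE_USER):
        print(problem)
```

The sample deliberately breaks both rules: two emails are marked primary, and phoneNumbers is a bare object instead of a one-element array.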

Does the Identity Store support Delete /User?

Yes. Because we support multiple identity stores, we empower you to manage your distinct identity stores, but have controls in place to ensure that an identity store cannot be deleted when it contains users. We support Delete /User so that you can delete all users from an identity store and then delete the identity store. Deleting a user is permanent and the user information is irrecoverable.

What is the active attribute on the user object?

SecureAuth does not use this attribute to determine if a user is active or not. We use our own extension schema, SecureAuth user extension, which includes the following attributes: staged, active, deactivated, suspended, locked, etc.

Does the Identity Store exclude any parts of the SCIM specification?

The Identity Store does not expose the following parts of the SCIM spec:

  • Bulk operations

  • Query filtering with meta.lastModified

  • /Schemas endpoint

  • /ServiceProviderConfig endpoint

  • /ResourceTypes endpoint

What's the best way to import users quickly?

This depends on how many users you need to create or import.

  • Use the POST Create User API to add as many users as needed, one at a time.

  • Use the CSV import where you can add users in bulk, along with specified attributes (email address, phone number, etc.). See "Identity Store CSV file upload and export".