SCIM is an acronym for System for Cross-Domain Identity Management. SCIM is a standardized protocol for managing user identities on the web, typically pushing them from a corporate directory to the cloud applications used across an enterprise. A SCIM client (usually the identity provider) performs CRUD operations (create, read, update, and delete) against a REST API exposed by each connected application to keep user identities in sync. These CRUD operations ensure:
- User records and group entities are provisioned to the appropriate applications for onboarding.
- User record information is properly updated in downstream applications where the same user record exists, including adding the user to the proper group entity.
- User records are deprovisioned from the downstream applications in the case of resignation, seasonal layoff, termination, and so on. Group entities are removed when they no longer exist in the source directory.
SCIM 2.0 is a standard protocol used by identity providers (IdPs) to manage and provision user identities appropriately across applications.
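The lifecycle above, as an added example that is not Litmos or IdP code: a SCIM 2.0 client runs the create, read (with a filter), update (PATCH), and delete operations of RFC 7644 against an in-memory stand-in for a service provider. Resource shapes use the RFC 7643 core schema; the stand-in, its filter support (only `attr eq "value"`), the sample user and the team name are constructed for the example.

```python
# Added example, not Litmos or IdP code: the SCIM 2.0 CRUD lifecycle (RFC 7644) run
# against an in-memory stand-in for a service provider. Resource shapes follow the
# core schema (RFC 7643); the stand-in's filter support is deliberately minimal.
import uuid
from urllib.parse import parse_qs, urlparse

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_RESP = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def user_resource(user_name, given, family, email, active=True):
    """User resource using core-schema attributes only (RFC 7643 section 4.1)."""
    return {"schemas": [USER_SCHEMA], "userName": user_name,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": email, "primary": True}], "active": active}


def patch_add_members(member_ids):
    """PatchOp adding users to a Group (RFC 7644 section 3.5.2)."""
    return {"schemas": [PATCH_OP], "Operations": [
        {"op": "add", "path": "members", "value": [{"value": m} for m in member_ids]}]}


def patch_replace(attrs):
    """PatchOp replacing top-level attributes, e.g. {"active": False} to deactivate."""
    return {"schemas": [PATCH_OP], "Operations": [{"op": "replace", "value": attrs}]}


class FakeServiceProvider:
    """In-memory stand-in for the application side (Litmos would be the real one)."""

    def __init__(self):
        self.users, self.groups = {}, {}

    def handle(self, method, path, body=None):
        url = urlparse(path)
        parts = url.path.strip("/").split("/")
        store = {"Users": self.users, "Groups": self.groups}.get(parts[0])
        if store is None:
            return 404, {}
        unique = "userName" if parts[0] == "Users" else "displayName"
        if method == "POST" and len(parts) == 1:
            if any(r.get(unique) == body.get(unique) for r in store.values()):
                return 409, {"detail": "uniqueness conflict"}   # RFC 7644 section 3.3
            rid = str(uuid.uuid4())
            store[rid] = dict(body, id=rid)
            return 201, store[rid]
        if method == "GET" and len(parts) == 1:
            hits = list(store.values())
            flt = parse_qs(url.query).get("filter", [""])[0]
            if flt:                                   # only 'attr eq "value"' is supported here
                attr, _, value = flt.split(" ", 2)
                hits = [r for r in hits if r.get(attr) == value.strip('"')]
            return 200, {"schemas": [LIST_RESP], "totalResults": len(hits), "Resources": hits}
        if len(parts) != 2 or parts[1] not in store:
            return 404, {}
        rid = parts[1]
        if method == "GET":
            return 200, store[rid]
        if method == "PATCH":
            for op in body["Operations"]:
                if op["op"] == "add" and op.get("path") == "members":
                    store[rid].setdefault("members", []).extend(op["value"])
                elif op["op"] == "replace" and "path" not in op:
                    store[rid].update(op["value"])
            return 200, store[rid]
        if method == "DELETE":
            del store[rid]
            for g in self.groups.values():            # a deleted user leaves every team
                g["members"] = [m for m in g.get("members", []) if m["value"] != rid]
            return 204, {}
        return 405, {}


def lifecycle_demo():
    """Onboard, add to a team, deactivate, deprovision: the sequence an IdP drives."""
    sp = FakeServiceProvider()
    _, team = sp.handle("POST", "/Groups", {"schemas": [GROUP_SCHEMA], "displayName": "Sales"})
    jane = user_resource("jdoe", "Jane", "Doe", "jdoe@example.com")   # constructed sample
    status, created = sp.handle("POST", "/Users", jane)
    dup_status, _ = sp.handle("POST", "/Users", jane)                  # retry must not duplicate
    _, found = sp.handle("GET", "/Users?filter=userName%20eq%20%22jdoe%22")
    sp.handle("PATCH", f"/Groups/{team['id']}", patch_add_members([created["id"]]))
    _, off = sp.handle("PATCH", f"/Users/{created['id']}", patch_replace({"active": False}))
    del_status, _ = sp.handle("DELETE", f"/Users/{created['id']}")
    _, team_after = sp.handle("GET", f"/Groups/{team['id']}")
    return {"create": status, "duplicate": dup_status, "found": found["totalResults"],
            "active_after_offboard": off["active"], "delete": del_status,
            "members_after_delete": len(team_after["members"])}
```

Two details matter in practice: the IdP looks a user up by `userName` before creating, and a second POST for the same `userName` must come back as a 409 rather than a second record; and offboarding is usually done in two steps, `active: false` first (login blocked, record kept for audit) and DELETE later, after which the user must also disappear from every team's `members` list.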
The SCIM design requires the use of a common user object schema for syncing user identity information, as well as a common group object schema for syncing group entities. To learn more about the SCIM specification, review the following Requests for Comments posted by the Internet Engineering Task Force:
- RFC 7642 – Definitions, Overview, Concepts, and Requirements
- RFC 7643 – Core Schema
- RFC 7644 – Protocol
Litmos is a SCIM-compliant service provider that supports the User and Group resources with all of their corresponding operations. In the Litmos context, groups are teams. The IdP acts as the SCIM client that drives these operations against Litmos. We have integrations with Microsoft Azure Active Directory (now Microsoft Entra ID) and SAP Identity Provisioning Service.
Base URL
The base URL for API requests depends on the region in which your Litmos tenant is hosted. Use the one that matches your tenant; requests sent to another region's endpoint will not reach your account.
- United States: https://api.litmos.com/v2/SCIM
- Australia: https://api.litmos.com.au/v2/SCIM
- Europe: https://api.litmoseu.com/v2/SCIM
SCIM Authentication
Litmos supports bearer tokens and basic authentication for SCIM authentication. Bearer tokens are the preferred method: a SCIM token is created specifically for the integration and expires after the number of days you set, whereas basic authentication sends the Account Owner's own credentials with every request.
Bearer Tokens
You create a bearer token in Litmos and then use that token in the authorization header in the IdP.
Use the following steps to create a bearer token:
- As an Account Owner, log in to Litmos.
- Navigate to Account Settings > Integrations and then select the SCIM tile.
- Choose Create SCIM Token.
- Enter an application name, set the number of days that the token will be valid, and then choose Create Token.
- In the SCIM dialog, show the token and then copy it so you can paste it in the authorization header in the IdP.
Treat the token as a secret: store it only in the IdP's credential store, and create a replacement before the validity period ends, because the IdP's provisioning requests are rejected once the token expires.
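As an added example (not Litmos code) of using the token and base URL above: the helper below builds a request for the tenant's regional endpoint with the token in the authorization header, renders the token safely for logs, and classifies the token's remaining lifetime so it can be replaced before the IdP's calls start failing. The `Bearer <token>` header form is the RFC 6750 convention and is assumed here; the region keys, the `application/scim+json` media type and the 14-day warning window are this example's own choices.

```python
# Added example, not Litmos code: build a SCIM request for the regional base URL with the
# bearer token, and classify the token's remaining lifetime so it is replaced before the
# IdP's provisioning calls start failing. The "Bearer <token>" header form is RFC 6750
# and is assumed here; the page only says the token goes in the authorization header.
from datetime import date, timedelta

BASE_URLS = {                      # base URLs from the page; region keys are this example's own
    "us": "https://api.litmos.com/v2/SCIM",
    "au": "https://api.litmos.com.au/v2/SCIM",
    "eu": "https://api.litmoseu.com/v2/SCIM",
}


def scim_request(region, path, token):
    """Return (url, headers) for a SCIM call against the tenant's region."""
    base = BASE_URLS[region]       # KeyError beats silently hitting another region's tenant
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("bearer token must be non-empty with no whitespace")
    url = f"{base}/{path.lstrip('/')}"   # all regional endpoints are https, so the token is never sent in the clear
    headers = {"Authorization": f"Bearer {token}",
               "Accept": "application/scim+json",
               "Content-Type": "application/scim+json"}
    return url, headers


def redact(token, keep=4):
    """Log-safe rendering of a token: only the last few characters survive."""
    return "*" * max(len(token) - keep, 0) + token[-keep:]


def token_status(created_iso, valid_days, today_iso, warn_days=14):
    """'expired', 'rotate-soon' or 'ok' for a token created on created_iso (YYYY-MM-DD)
    with the validity in days that was chosen in the SCIM dialog."""
    expires = date.fromisoformat(created_iso) + timedelta(days=valid_days)
    today = date.fromisoformat(today_iso)
    if today >= expires:
        return "expired"
    if today + timedelta(days=warn_days) >= expires:
        return "rotate-soon"
    return "ok"
```

Run `token_status` from a scheduled job that knows when each SCIM token was created; a `rotate-soon` result is the signal to create a new token in Litmos and update the IdP before the old one expires.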
Basic Authentication
With basic authentication, the configuration is done in the authorization header in the IdP. The following parameters are required:
- username – User name of the Litmos account owner
- password – Corresponding password for the Litmos account owner
- domain – Litmos sub-domain, or full domain if using a custom domain account
The parameter names are case-sensitive.