The SCIM RESTful API is used to administer users, groups, devices, and roles for a tenant.
System for Cross-domain Identity Management (SCIM) is an open standard for automating the exchange of user identity information between identity domains or IT systems. Ionic supports the SCIM protocol for this provisioning.
The SCIM API contains five resources: users, groups, devices, roles, and scopes.
- Users: Management of users. See the Users Introduction.
- Groups: Management of user groups. See the Groups Introduction.
- Devices: Management of user devices. See the Devices Introduction.
- Roles: Management of user roles. See the Roles Introduction.
- Scopes: Obtain a list of all supported scopes. See the List Scopes page.
In addition, you can perform multiple operations on these resources through one request by using the Bulk API request.
NOTE: Management of these resources can be accomplished through either the API or the Ionic dashboard. For instructions on using the Ionic.com dashboard, see the Administrator Console Guide.
- Protocol: SCIM 1.1
- Authentication: HTTP Basic Authentication
- Nested Groups are not currently supported.
SCIM Server and Client
The Ionic SCIM API functions as a SCIM Server, meaning it receives and processes SCIM messages sent by some other party. If you want to integrate your Active Directory user stores into Ionic, you will need to either use a third-party identity provider (for example, Ping Identity) or write your own connection layer as the SCIM client. These “provisioning interfaces” typically run on a local server at a site of your choosing and connect directly to your Active Directory instance. Upon first establishing a connection with Ionic, all Users and Groups configured in the Provisioning Software will be translated into SCIM messages and sent to our API.
Take the example of using Ping as your identity provider.
When you connect via the third-party identity provider (Ping), it first does an initial push of all users to the SCIM API to synchronize the third-party identity store (Ionic) with the root source of identity (Active Directory). After the two identity stores (Ionic and the root source, Active Directory) are synchronized, the identity provider sends updates only for the users that are modified. These changes are in turn automatically propagated via PUT (update) messages to the SCIM API.
If you wish to write your own connection layer, you will need to use the SCIM API.
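The push-then-update flow described above, sketched as an added example (not Ionic's code or any identity provider's): a client-side planner that builds SCIM 1.1 User requests with HTTP Basic Authentication, sending POST for users the server has not seen and PUT only for users whose content changed. The base URL, the directory field names, and the `state` mapping are assumptions made for illustration; the `/Users` path and schema URN come from the SCIM 1.1 standard.

```python
import base64
import hashlib
import json

SCIM_CORE = "urn:scim:schemas:core:1.0"  # core schema URN that SCIM 1.1 resources carry

def basic_auth(user, password):
    """HTTP Basic header value: base64 is an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def to_scim_user(entry):
    """Map one directory entry (field names are assumed) to a SCIM 1.1 User."""
    return {
        "schemas": [SCIM_CORE],
        "externalId": entry["id"],
        "userName": entry["mail"],
        "name": {"givenName": entry["given"], "familyName": entry["family"]},
        "emails": [{"value": entry["mail"], "primary": True}],
    }

def plan_sync(base_url, directory, state, auth):
    """Return the requests a client would send: POST for users the server has
    not seen (the initial push), PUT only for users whose content changed."""
    if not base_url.startswith("https://"):
        raise ValueError("Basic credentials must only be sent over HTTPS")
    headers = {"Authorization": auth, "Content-Type": "application/json"}
    plan = []
    for entry in directory:
        body = to_scim_user(entry)
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        known = state.get(entry["id"])  # state: externalId -> {"scim_id", "hash"}
        if known is None:
            plan.append({"method": "POST", "url": f"{base_url}/Users",
                         "headers": headers, "body": body, "hash": digest})
        elif known["hash"] != digest:
            plan.append({"method": "PUT", "url": f"{base_url}/Users/{known['scim_id']}",
                         "headers": headers, "body": body, "hash": digest})
    return plan

# Constructed sample data; the base URL is a placeholder, not an Ionic endpoint.
BASE = "https://scim.example.invalid/v1"
DIRECTORY = [
    {"id": "ad-1001", "mail": "alice@example.com", "given": "Alice", "family": "Ng"},
    {"id": "ad-1002", "mail": "bob@example.com", "given": "Bob", "family": "Ruiz"},
]

if __name__ == "__main__":
    for req in plan_sync(BASE, DIRECTORY, {}, basic_auth("svc-scim", "constructed-secret")):
        print(req["method"], req["url"], req["body"]["userName"])
```

Each PUT carries the full user resource, because a SCIM PUT replaces the stored resource rather than patching individual attributes.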
Ionic SCIM Implementation Details
Ionic’s SCIM API is compliant with the 1.1 version of the protocol. Please see the SCIM Core Schema 1.1 for more information on the protocol.