SCIM

ここには以下の内容があります:

Organization 向け SCIM プロビジョニング

SCIM API への呼び出しを認証する

SAML および SCIM データのマッピング

サポートされている SCIM ユーザ属性

List SCIM provisioned identities

Provision and invite a SCIM user

Get SCIM provisioning information for a user

Update a provisioned organization membership

Update an attribute for a SCIM user

Delete a SCIM user from an organization

GitHub Organizationのメンバーのアクセスを、SCIM APIを使って制御及び管理できます。

Organization 向け SCIM プロビジョニング

SCIM API は SCIM を有効にしたアイデンティティプロバイダ (IdPs) で、GitHub Organization メンバーシップのプロビジョニングを自動化するために用いられます。 The GitHub API is based on version 2.0 of the SCIM standard. IdP が使用するべき GitHub SCIM エンドポイントは、https://api.github.com/scim/v2/organizations/{org}/ です。

ノート:

The SCIM API is available only to organizations on GitHub Enterprise Cloud with SAML SSO enabled. SCIMでのユーザアクセスのプロビジョニングとプロビジョニング解除は、Enterpriseアカウントでは利用できません。 SCIMに関する詳しい情報については、「SCIM について」を参照してください。
The SCIM API cannot be used with Enterprise Managed Users.

SCIM API への呼び出しを認証する

SCIM API を使用するには、GitHub Organization の所有者として認証する必要があります。 API は、OAuth 2.0 Bearer トークンが Authorization ヘッダに含まれていることを想定しています。個人アクセストークンを使用することもできますが、まず SAML SSO Organizationで使用するためにトークンを承認する必要があります。

SAML および SCIM データのマッピング

SAML IdP および SCIM クライアントは、ユーザごとに一致する NameID と userName の値を使用する必要があります。これにより、SAML を介して認証するユーザを、プロビジョニングされた SCIM ID にリンクできます。

サポートされている SCIM ユーザ属性

名前	種類	説明
`userName`	`string`	ユーザのユーザ名。
`name.givenName`	`string`	ユーザーの名。
`name.lastName`	`string`	ユーザーの姓。
`emails`	`array`	ユーザのメール一覧。
`externalId`	`string`	この識別子は SAML プロバイダによって生成され、GitHub ユーザと照合するためにSAML プロバイダによって一意の ID として使用されます。ユーザの `externalID` は、SAML プロバイダ、または SCIM プロビジョニング済み ID の一覧表示エンドポイントを使用して、ユーザの GitHub ユーザ名やメールアドレスなどの他の既知の属性でフィルタして見つけることができます。
`id`	`string`	GitHub SCIM エンドポイントによって生成された識別子。
`active`	`boolean`	ID がアクティブである（true）か、プロビジョニングを解除する必要がある（false）かを示すために使用する。

注釈: SCIM API のエンドポイント URL では、大文字と小文字が区別されます。たとえば、Users エンドポイントの最初の文字は大文字にする必要があります。

GET /scim/v2/organizations/{org}/Users/{scim_user_id}

List SCIM provisioned identities

Retrieves a paginated list of all provisioned organization members, including pending invitations. If you provide the filter parameter, the resources for all matching provisions members are returned.

When a user with a SAML-provisioned external identity leaves (or is removed from) an organization, the account's metadata is immediately removed. However, the returned list of user accounts might not always match the organization or enterprise member list you see on GitHub. This can happen in certain cases where an external identity associated with an organization will not match an organization member:

When a user with a SCIM-provisioned external identity is removed from an organization, the account's metadata is preserved to allow the user to re-join the organization in the future.
When inviting a user to join an organization, you can expect to see their external identity in the results before they accept the invitation, or if the invitation is cancelled (or never accepted).
When a user is invited over SCIM, an external identity is created that matches with the invitee's email address. However, this identity is only linked to a user account when the user accepts the invitation by going through SAML SSO.

The returned list of external identities can include an entry for a null user. These are unlinked SAML identities that are created when a user goes through the following Single Sign-On (SSO) process but does not sign in to their GitHub account after completing SSO:

The user is granted access by the IdP and is not a member of the GitHub organization.
The user attempts to access the GitHub organization and initiates the SAML SSO process, and is not currently signed in to their GitHub account.
After successfully authenticating with the SAML SSO IdP, the null external identity entry is created and the user is prompted to sign in to their GitHub account:
- If the user signs in, their GitHub account is linked to this entry.
- If the user does not sign in (or does not create a new account when prompted), they are not added to the GitHub organization, and the external identity null entry remains in place.

get /scim/v2/organizations/{org}/Users

パラメータ

Name	Type	In	Description
`accept`	string	header	Setting to `application/vnd.github.v3+json` is recommended.
`org`	string	path
`startIndex`	integer	query	Used for pagination: the index of the first result to return.
`count`	integer	query	Used for pagination: the number of results to return.
`filter`	string	query	Filters results using the equals query parameter operator (`eq`). You can filter results that are equal to `id`, `userName`, `emails`, and `external_id`. For example, to search for an identity with the `userName` Octocat, you would use this query: `?filter=userName%20eq%20\"Octocat\"`. To filter results for the identity with the email `octocat@github.com`, you would use this query: `?filter=emails%20eq%20\"octocat@github.com\"`.

コードサンプル

Shell

curl \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/scim/v2/organizations/ORG/Users

JavaScript (@octokit/core.js)

await octokit.request('GET /scim/v2/organizations/{org}/Users', {
  org: 'org'
})

Response

Status: 200 OK

Not modified

Status: 304 Not Modified

Bad Request

Status: 400 Bad Request

Forbidden

Status: 403 Forbidden

Resource not found

Status: 404 Not Found

Notes

Works with GitHub Apps

Provision and invite a SCIM user

Provision organization membership for a user, and send an activation email to the email address.

post /scim/v2/organizations/{org}/Users

パラメータ

Name Type In Description

accept

string

header

Setting to application/vnd.github.v3+json is recommended.

org string path

userName

string

body

Required. Configured by the admin. Could be an email, login, or username

displayName

string

body

The name of the user, suitable for display to end-users

name

object

body

Required.

Properties of the name object

Name (Type)	Description
`givenName` (string)	Required.
`familyName` (string)	Required.
`formatted` (string)

emails

array of objects

body

Required. user emails

Properties of the emails items

Name (Type)	Description
`value` (string)	Required.
`primary` (boolean)
`type` (string)

schemas array of strings body

externalId string body

groups array of strings body

active boolean body

コードサンプル

Shell

curl \
  -X POST \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/scim/v2/organizations/ORG/Users \
  -d '{"userName":"userName","name":{"givenName":"givenName","familyName":"familyName","formatted":"formatted"},"emails":["octocat@github.com"]}'

JavaScript (@octokit/core.js)

await octokit.request('POST /scim/v2/organizations/{org}/Users', {
  org: 'org',
  userName: 'userName',
  name: {
    givenName: 'givenName',
    familyName: 'familyName',
    formatted: 'formatted'
  },
  emails: [
    'octocat@github.com'
  ]
})

Response

Status: 201 Created

Not modified

Status: 304 Not Modified

Bad Request

Status: 400 Bad Request

Forbidden

Status: 403 Forbidden

Resource not found

Status: 404 Not Found

Conflict

Status: 409 Conflict

Internal Error

Status: 500 Internal Server Error

Notes

Works with GitHub Apps

Get SCIM provisioning information for a user

get /scim/v2/organizations/{org}/Users/{scim_user_id}

パラメータ

Name	Type	In	Description
`accept`	string	header	Setting to `application/vnd.github.v3+json` is recommended.
`org`	string	path
`scim_user_id`	string	path	scim_user_id parameter

コードサンプル

Shell

curl \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID

JavaScript (@octokit/core.js)

await octokit.request('GET /scim/v2/organizations/{org}/Users/{scim_user_id}', {
  org: 'org',
  scim_user_id: 'scim_user_id'
})

Response

Status: 200 OK

Not modified

Status: 304 Not Modified

Forbidden

Status: 403 Forbidden

Resource not found

Status: 404 Not Found

Notes

Works with GitHub Apps

Update a provisioned organization membership

Replaces an existing provisioned user's information. You must provide all the information required for the user as if you were provisioning them for the first time. Any existing user information that you don't provide will be removed. If you want to only update a specific attribute, use the Update an attribute for a SCIM user endpoint instead.

You must at least provide the required values for the user: userName, name, and emails.

Warning: Setting active: false removes the user from the organization, deletes the external identity, and deletes the associated {scim_user_id}.

put /scim/v2/organizations/{org}/Users/{scim_user_id}

パラメータ

Name Type In Description

accept

string

header

Setting to application/vnd.github.v3+json is recommended.

org string path

scim_user_id

string

path

scim_user_id parameter

schemas array of strings body

displayName

string

body

The name of the user, suitable for display to end-users

externalId string body

groups array of strings body

active boolean body

userName

string

body

Required. Configured by the admin. Could be an email, login, or username

name

object

body

Required.

Properties of the name object

Name (Type)	Description
`givenName` (string)	Required.
`familyName` (string)	Required.
`formatted` (string)

emails

array of objects

body

Required. user emails

Properties of the emails items

Name (Type)	Description
`type` (string)
`value` (string)	Required.
`primary` (boolean)

コードサンプル

Shell

curl \
  -X PUT \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
  -d '{"userName":"userName","name":{"givenName":"givenName","familyName":"familyName","formatted":"formatted"},"emails":["octocat@github.com"]}'

JavaScript (@octokit/core.js)

await octokit.request('PUT /scim/v2/organizations/{org}/Users/{scim_user_id}', {
  org: 'org',
  scim_user_id: 'scim_user_id',
  userName: 'userName',
  name: {
    givenName: 'givenName',
    familyName: 'familyName',
    formatted: 'formatted'
  },
  emails: [
    'octocat@github.com'
  ]
})

Response

Status: 200 OK

Not modified

Status: 304 Not Modified

Forbidden

Status: 403 Forbidden

Resource not found

Status: 404 Not Found

Notes

Works with GitHub Apps

Update an attribute for a SCIM user

Allows you to change a provisioned user's individual attributes. To change a user's values, you must provide a specific Operations JSON format that contains at least one of the add, remove, or replace operations. For examples and more information on the SCIM operations format, see the SCIM specification.

Note: Complicated SCIM path selectors that include filters are not supported. For example, a path selector defined as "path": "emails[type eq \"work\"]" will not work.

Warning: If you set active:false using the replace operation (as shown in the JSON example below), it removes the user from the organization, deletes the external identity, and deletes the associated :scim_user_id.

{
  "Operations":[{
    "op":"replace",
    "value":{
      "active":false
    }
  }]
}

patch /scim/v2/organizations/{org}/Users/{scim_user_id}

パラメータ

Name Type In Description

accept

string

header

Setting to application/vnd.github.v3+json is recommended.

org string path

scim_user_id

string

path

scim_user_id parameter

schemas array of strings body

Operations

array of objects

body

Required. Set of operations to be performed

Properties of the Operations items

Name (Type)	Description
`op` (string)	Required.
`path` (string)
`value` (object or array or string)

コードサンプル

Shell

curl \
  -X PATCH \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID \
  -d '{"Operations":[{"op":"op","path":"path","value":{"active":true,"userName":"userName","externalId":"externalId","givenName":"givenName","familyName":"familyName"}}]}'

JavaScript (@octokit/core.js)

await octokit.request('PATCH /scim/v2/organizations/{org}/Users/{scim_user_id}', {
  org: 'org',
  scim_user_id: 'scim_user_id',
  Operations: [
    {
      op: 'op',
      path: 'path',
      value: {
        active: true,
        userName: 'userName',
        externalId: 'externalId',
        givenName: 'givenName',
        familyName: 'familyName'
      }
    }
  ]
})

Response

Status: 200 OK

Not modified

Status: 304 Not Modified

Bad Request

Status: 400 Bad Request

Forbidden

Status: 403 Forbidden

Resource not found

Status: 404 Not Found

Response

Status: 429 Too Many Requests

Notes

Works with GitHub Apps

Delete a SCIM user from an organization

delete /scim/v2/organizations/{org}/Users/{scim_user_id}

パラメータ

Name	Type	In	Description
`accept`	string	header	Setting to `application/vnd.github.v3+json` is recommended.
`org`	string	path
`scim_user_id`	string	path	scim_user_id parameter

コードサンプル

Shell

curl \
  -X DELETE \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/scim/v2/organizations/ORG/Users/SCIM_USER_ID

JavaScript (@octokit/core.js)

await octokit.request('DELETE /scim/v2/organizations/{org}/Users/{scim_user_id}', {
  org: 'org',
  scim_user_id: 'scim_user_id'
})

Response

Status: 204 No Content

Not modified

Status: 304 Not Modified

Forbidden

Status: 403 Forbidden

Resource not found

Status: 404 Not Found

Notes

Works with GitHub Apps