SCIM 2.0 Protocol Implementation
System for Cross-domain Identity Management (SCIM) 2.0 specification
implementation for ObjectStack.
Overview
SCIM 2.0 is an HTTP-based protocol for managing user and group identities
across domains. It provides a standardized REST API for user provisioning,
de-provisioning, and synchronization.
Use Cases
- Enterprise SSO Integration
  - Integrate with Okta, Azure AD, OneLogin
  - Automatic user provisioning from the corporate directory
  - Just-in-Time (JIT) user creation on first login
- User Lifecycle Management
  - Automatically create users when they join the organization
  - Update user attributes when they change roles
  - Deactivate users when they leave the organization
- Group/Department Synchronization
  - Sync organizational structure from AD/LDAP
  - Maintain group memberships automatically
  - Map corporate roles to application permissions
- Compliance & Audit
  - Maintain an accurate user directory
  - Track all identity changes
  - Meet SOX/HIPAA requirements for user management
Specification References
- RFC 7643: SCIM Core Schema
- RFC 7644: SCIM Protocol
- RFC 7642: SCIM Requirements
Industry Implementations
- Okta: Leading SCIM provider
- Azure AD: Microsoft's identity platform
- OneLogin: Enterprise SSO provider
- Google Workspace: Google's identity management
See also: https://datatracker.ietf.org/doc/html/rfc7643 and https://datatracker.ietf.org/doc/html/rfc7644
Source: packages/spec/src/identity/scim.zod.ts
TypeScript Usage
```typescript
import { SCIMAddress, SCIMBulkOperation, SCIMBulkRequest, SCIMBulkResponse, SCIMBulkResponseOperation, SCIMEmail, SCIMEnterpriseUser, SCIMError, SCIMGroup, SCIMGroupReference, SCIMListResponse, SCIMMemberReference, SCIMMeta, SCIMName, SCIMPatchOperation, SCIMPatchRequest, SCIMPhoneNumber, SCIMUser } from '@objectstack/spec/identity';

// Sample input (constructed). The value import above also brings in the same-named
// inferred types, so a second `import type` of these identifiers is not needed.
const data = { streetAddress: '1 Main St', locality: 'Springfield', type: 'work', primary: true };
// Validate data: parse() throws a ZodError on invalid input (use safeParse() for a result object instead).
const result = SCIMAddress.parse(data);
```
SCIMAddress
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| formatted | string | optional | Formatted address |
| streetAddress | string | optional | Street address |
| locality | string | optional | City/Locality |
| region | string | optional | State/Region |
| postalCode | string | optional | Postal code |
| country | string | optional | Country |
| type | Enum<'work' \| 'home' \| 'other'> | optional | Address type |
| primary | boolean | ✅ | Primary address indicator |
SCIMBulkOperation
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| method | Enum<'POST' \| 'PUT' \| 'PATCH' \| 'DELETE'> | ✅ | HTTP method for the bulk operation |
| path | string | ✅ | Resource endpoint path (e.g. /Users, /Groups/{id}) |
| bulkId | string | optional | Client-assigned ID for cross-referencing between operations |
| data | Record<string, any> | optional | Request body for POST/PUT/PATCH operations |
| version | string | optional | ETag for optimistic concurrency control |
SCIMBulkRequest
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| schemas | string[] | ✅ | SCIM schema URIs (BulkRequest) |
| operations | Object[] | ✅ | Bulk operations to execute (minimum 1) |
| failOnErrors | integer | optional | Stop processing after this many errors |
SCIMBulkResponse
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| schemas | string[] | ✅ | SCIM schema URIs (BulkResponse) |
| operations | Object[] | ✅ | Results for each bulk operation |
SCIMBulkResponseOperation
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| method | Enum<'POST' \| 'PUT' \| 'PATCH' \| 'DELETE'> | ✅ | HTTP method that was executed |
| bulkId | string | optional | Client-assigned bulk operation ID |
| location | string | optional | URL of the created or modified resource |
| status | string | ✅ | HTTP status code as string (e.g. "201", "400") |
| response | any | optional | Response body (typically present for errors) |
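A worked example of the bulk flow the four schemas above describe, added here and not part of ObjectStack's code: it runs the operations in order, resolves `bulkId:<id>` cross-references in later operations to the ids created earlier, reports each result with a string status, and stops once `failOnErrors` is reached. The in-memory store, the id scheme and the POST-only handler are assumptions made for the example.

```typescript
// Added example, not ObjectStack code: executes a SCIMBulkRequest against a constructed
// in-memory store, resolves "bulkId:<id>" references in later operations to the ids of
// resources created earlier, and honours failOnErrors. Only POST to /Users and /Groups
// is implemented; other operations are reported with status 501.
type ScimBulkOp = { method: 'POST' | 'PUT' | 'PATCH' | 'DELETE'; path: string; bulkId?: string; data?: Record<string, any> };
type ScimBulkResult = { method: ScimBulkOp['method']; bulkId?: string; location?: string; status: string; response?: unknown };
type ScimBulkRequest = { schemas: string[]; operations: ScimBulkOp[]; failOnErrors?: number };
const SCIM_BULK_SCHEMA = 'urn:ietf:params:scim:api:messages:2.0:BulkRequest';
const SCIM_BULK_RESPONSE_SCHEMA = 'urn:ietf:params:scim:api:messages:2.0:BulkResponse';

// Replace every string "bulkId:xyz" nested anywhere in a value with the id created for xyz.
function resolveBulkIds(v: unknown, ids: Record<string, string>): unknown {
  if (typeof v === 'string' && v.indexOf('bulkId:') === 0) {
    const id = ids[v.slice(7)];
    if (!id) throw new Error('invalidValue: unresolved reference ' + v);
    return id;
  }
  if (Array.isArray(v)) return v.map(x => resolveBulkIds(x, ids));
  if (v && typeof v === 'object') {
    const out: Record<string, unknown> = {};
    for (const k of Object.keys(v)) out[k] = resolveBulkIds((v as any)[k], ids);
    return out;
  }
  return v;
}

function processScimBulk(req: ScimBulkRequest, store: Record<string, Record<string, any>>) {
  if (req.schemas.indexOf(SCIM_BULK_SCHEMA) < 0 || req.operations.length === 0) throw new Error('invalidSyntax');
  const ids: Record<string, string> = {};
  const results: ScimBulkResult[] = [];
  let errors = 0;
  for (const op of req.operations) {
    const r: ScimBulkResult = { method: op.method, bulkId: op.bulkId, status: '501' };
    try {
      if (op.method !== 'POST' || (op.path !== '/Users' && op.path !== '/Groups')) throw new Error('not implemented');
      const data = resolveBulkIds(op.data || {}, ids) as Record<string, any>;
      const id = 'r' + (Object.keys(store).length + 1); // constructed id scheme
      store[op.path + '/' + id] = { ...data, id };
      if (op.bulkId) ids[op.bulkId] = id;
      r.status = '201'; r.location = op.path + '/' + id;
    } catch (e: any) {
      errors++; r.status = e.message === 'not implemented' ? '501' : '400';
      r.response = { schemas: ['urn:ietf:params:scim:api:messages:2.0:Error'], status: Number(r.status), detail: e.message };
    }
    results.push(r);
    if (req.failOnErrors !== undefined && errors >= req.failOnErrors) break; // error budget exhausted; remaining ops are skipped
  }
  return { schemas: [SCIM_BULK_RESPONSE_SCHEMA], operations: results };
}
```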
SCIMEmail
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| value | string | ✅ | Email address |
| type | Enum<'work' \| 'home' \| 'other'> | optional | Email type |
| display | string | optional | Display label |
| primary | boolean | ✅ | Primary email indicator |
SCIMEnterpriseUser
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| employeeNumber | string | optional | Employee number |
| costCenter | string | optional | Cost center |
| organization | string | optional | Organization |
| division | string | optional | Division |
| department | string | optional | Department |
| manager | Object | optional | Manager reference |
SCIMError
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| schemas | string[] | ✅ | SCIM schema URIs |
| status | integer | ✅ | HTTP status code |
| scimType | Enum<'invalidFilter' \| 'tooMany' \| 'uniqueness' \| 'mutability' \| 'invalidSyntax' \| 'invalidPath' \| 'noTarget' \| 'invalidValue' \| 'invalidVers' \| 'sensitive'> | optional | SCIM error type |
| detail | string | optional | Error detail message |
SCIMGroup
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| schemas | string[] | ✅ | SCIM schema URIs (must include Group schema) |
| id | string | optional | Unique resource identifier |
| externalId | string | optional | External identifier from client system |
| displayName | string | ✅ | Group display name (REQUIRED) |
| members | Object[] | optional | Group members |
| meta | Object | optional | Resource metadata |
SCIMGroupReference
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| value | string | ✅ | Group ID |
| $ref | string | optional | URI reference to the group |
| display | string | optional | Group display name |
| type | Enum<'direct' \| 'indirect'> | optional | Membership type |
SCIMListResponse
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| schemas | string[] | ✅ | SCIM schema URIs |
| totalResults | integer | ✅ | Total results count |
| Resources | Object \| Object \| Record<string, any>[] | ✅ | Resources array (Users, Groups, or custom resources) |
| startIndex | integer | optional | Start index (1-based) |
| itemsPerPage | integer | optional | Items per page |
SCIMMemberReference
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| value | string | ✅ | Member ID |
| $ref | string | optional | URI reference to the member |
| type | Enum<'User' \| 'Group'> | optional | Member type |
| display | string | optional | Member display name |
SCIMMeta
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| resourceType | string | optional | Resource type |
| created | string | optional | Creation timestamp |
| lastModified | string | optional | Last modification timestamp |
| location | string | optional | Resource location URI |
| version | string | optional | Entity tag (ETag) for concurrency control |
SCIMName
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| formatted | string | optional | Formatted full name |
| familyName | string | optional | Family name (last name) |
| givenName | string | optional | Given name (first name) |
| middleName | string | optional | Middle name |
| honorificPrefix | string | optional | Honorific prefix (Mr., Ms., Dr.) |
| honorificSuffix | string | optional | Honorific suffix (Jr., Sr.) |
SCIMPatchOperation
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| op | Enum<'add' \| 'remove' \| 'replace'> | ✅ | Operation type |
| path | string | optional | Attribute path (optional for add) |
| value | any | optional | Value to set |
SCIMPatchRequest
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| schemas | string[] | ✅ | SCIM schema URIs |
| Operations | Object[] | ✅ | Patch operations |
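An added example (not ObjectStack code) that applies a SCIMPatchRequest made of SCIMPatchOperation entries to a stored user, covering add, replace and remove with and without a path, and then strips the write-only `password` attribute before the resource is returned. The dotted-path handling and the error strings are assumptions made for the example; filter-expression paths are rejected rather than supported.

```typescript
// Added example, not ObjectStack code: applies a SCIMPatchRequest (Operations of
// SCIMPatchOperation) to a resource and strips write-only attributes before the
// resource is returned. Assumption: paths are plain attribute names or dotted
// sub-attribute paths ("name.familyName"); filter expressions are rejected.
type ScimPatchOp = { op: 'add' | 'remove' | 'replace'; path?: string; value?: unknown };
type ScimPatchRequest = { schemas: string[]; Operations: ScimPatchOp[] };
type ScimResource = Record<string, any>;
const SCIM_PATCH_OP_SCHEMA = 'urn:ietf:params:scim:api:messages:2.0:PatchOp';
const SCIM_WRITE_ONLY_ATTRS = ['password']; // RFC 7643 marks password as "returned: never"

function applyScimPatch(resource: ScimResource, req: ScimPatchRequest): ScimResource {
  if (req.schemas.indexOf(SCIM_PATCH_OP_SCHEMA) < 0) throw new Error('invalidSyntax: missing PatchOp schema');
  // Work on a copy so a failing operation leaves the stored resource unchanged.
  const out: ScimResource = JSON.parse(JSON.stringify(resource));
  for (const o of req.Operations) {
    if (o.op !== 'remove' && o.value === undefined) throw new Error('invalidValue: ' + o.op + ' needs a value');
    if (!o.path) {
      // No path: the value is an object whose attributes are merged into the resource.
      if (o.op === 'remove' || typeof o.value !== 'object' || o.value === null) throw new Error('noTarget');
      for (const k of Object.keys(o.value as object)) out[k] = (o.value as any)[k];
      continue;
    }
    const segs = o.path.split('.');
    if (segs.some(s => !/^[A-Za-z$][\w$-]*$/.test(s))) throw new Error('invalidPath: ' + o.path);
    let parent: ScimResource = out;
    for (const s of segs.slice(0, -1)) {
      if (parent[s] === undefined) {
        if (o.op === 'remove') throw new Error('noTarget: ' + o.path);
        parent[s] = {};
      }
      parent = parent[s];
    }
    const leaf = segs[segs.length - 1];
    if (o.op === 'remove') delete parent[leaf];
    else if (o.op === 'add' && Array.isArray(parent[leaf]) && Array.isArray(o.value)) parent[leaf].push(...o.value);
    else parent[leaf] = o.value; // add on a missing or single-valued attribute behaves like replace
  }
  return out;
}

// Drop attributes that must never be returned to a client, e.g. password.
function toScimResponse(resource: ScimResource): ScimResource {
  const copy: ScimResource = { ...resource };
  for (const a of SCIM_WRITE_ONLY_ATTRS) delete copy[a];
  return copy;
}
```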
SCIMPhoneNumber
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| value | string | ✅ | Phone number |
| type | Enum<'work' \| 'home' \| 'mobile' \| 'fax' \| 'pager' \| 'other'> | optional | Phone number type |
| display | string | optional | Display label |
| primary | boolean | ✅ | Primary phone indicator |
SCIMUser
Properties
| Property | Type | Required | Description |
|---|---|---|---|
| schemas | string[] | ✅ | SCIM schema URIs (must include User schema) |
| id | string | optional | Unique resource identifier |
| externalId | string | optional | External identifier from client system |
| userName | string | ✅ | Unique username (REQUIRED) |
| name | Object | optional | Structured name components |
| displayName | string | optional | Display name for UI |
| nickName | string | optional | Nickname |
| profileUrl | string | optional | Profile page URL |
| title | string | optional | Job title |
| userType | string | optional | User type (employee, contractor) |
| preferredLanguage | string | optional | Preferred language (ISO 639-1) |
| locale | string | optional | Locale (e.g., en-US) |
| timezone | string | optional | Timezone |
| active | boolean | ✅ | Account active status |
| password | string | optional | Password (write-only) |
| emails | Object[] | optional | Email addresses |
| phoneNumbers | Object[] | optional | Phone numbers |
| ims | Object[] | optional | IM addresses |
| photos | Object[] | optional | Photo URLs |
| addresses | Object[] | optional | Physical addresses |
| groups | Object[] | optional | Group memberships |
| entitlements | Object[] | optional | Entitlements |
| roles | Object[] | optional | Roles |
| x509Certificates | Object[] | optional | X509 certificates |
| meta | Object | optional | Resource metadata |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | Object | optional | Enterprise user attributes |