Workplace

Account Management SCIM 2.0 API

Overview

As people join and leave your organization, you need to grant and revoke access to Workplace. This guide describes account provisioning and deactivation through the use of the SCIM API 2.0. This set of API calls will allow you to build a custom connector to provision and deactivate your people who are stored on your user directory.

On this page:

If you're planning on integrating with a cloud provider for the purpose of provisioning and deactivating users, please see our Automatic Account Management guide.

Using SCIM 2.0 API

The SCIM 2.0 Account Management API for Workplace is a SCIM-compliant REST API. The SCIM specification was designed to easily manage user identities and grouping in cloud-based apps and services.

The base URL for the SCIM 2.0 API is https://scim.workplace.com/

API Access Token

This API will only process requests that include a valid access token, which you must send as an authorization header when making API calls.

To receive an access token, you need to create an app on the Integrations page of the Admin Panel. More information can be found in the Apps and Permissions documentation.

The Manage Accounts permission is required to allow SCIM API access.

Only a Workplace user with the System Administrator privilege can change this configuration.

Example API Call

As a basic example, the below is a minimal API call to fetch a list of users from the /Users endpoint, including an access token and user agent.

GET /Users/ HTTP/1.1
Host: scim.workplace.com
Authorization: Bearer {your access token}
User-Agent: {your user agent}

Note: A User-Agent string is mandatory in all SCIM API requests.

API Reference

The User Management API data structure is comprised of the core User SCIM schema and several schema extensions:

The URL for the User Management API: https://scim.workplace.com/Users

The Group Management API data structure is comprised of the core Group SCIM schema:

The URL for the Group Management API: https://scim.workplace.com/Groups

Core User Schema

The following properties belong to the core SCIM schema urn:ietf:params:scim:schemas:core:2.0:User

FieldDescriptionTypeRequired

userName

Unique identifier for the user, used by the user to directly authenticate with the service provider. Must be unique.

String

Required

name

The components of the Users real name.

Name

Optional

displayName

The name of the User, suitable for display to end-users. Each User returned MAY include a non-empty displayName value. The name SHOULD be the full name of the User being described if known (e.g. Babs Jensen or Ms. Barbara J Jensen, III), but MAY be a username or handle, if that is all that is available (e.g. bjensen).

String

Optional

nickName

The casual way to address the user in real life, e.g., Bob or Bobby instead of Robert. This attribute SHOULD NOT be used to represent a username.

String

Optional

profileUrl

A fully qualified URL to a page representing the user online profile.

URL

Optional

title

Title of the user, e.g., Vice President.

String

Optional

userType

Used to identify the organization to user relationship. Typical values used might be Contractor, Employee, Intern, Temp, External, and Unknown, but any value may be used.

String

Optional

preferredLanguage

Indicates the preferred written or spoken language for this user. Generally used for selecting a localised User Interface. Valid values are concatenation of the ISO 639-1 two-letter language code and the ISO 3166-1 two letter country code separated by hyphen or underscore. For example, en-US specifies the English language and country US.

String

Optional

locale

Used to indicate a default location for the user for the purposes of localizing items such as currency, date time format, numerical representations, etc. Valid values are concatenation of the ISO 639-1 two-letter language code and the ISO 3166-1 two letter country code separated by hyphen or underscore. For example, en-US specifies the English language and country US.

String

Optional

timezone

The timezone of the user in the Olson timezone database format, e.g., America/Los_Angeles.

String

Optional

active

A Boolean value indicating whether a user is active. Set to true if the user is able to access Workplace and should receive email and mobile push notifications. Set to false to cause the user to be logged out and to prevent the user from receiving further emails or mobile push notifications.

boolean

Optional

emails

Array of one or more Email objects for the user.

Email

Optional

phoneNumbers

Array of one or more phoneNumber values for the User. Include country code for valid canonicalization.

String

Optional

ims

Array of one or more im (Instant Message) address values for the user.

String

Optional

photos

Array of one or more photo values that each contain a fully-qualified URL that points to an image file that is a photo of the user.

URL

Optional

addresses

Array containing one or more Address objects.

Address

Optional

entitlements

Array of one or more entitlement values that this user has.

String

Optional

roles

Array of one or more role values that this user holds.

String

Optional

x509Certificates

An array of one ore more x509certificate values that each contain an X509 Certificate issued to the user.

Binary

Optional

schemas

The schema identifier for the SCIM request.

String

Optional

id

Unique identifier for the SCIM User as defined by Workplace. Each User will always contain a non-empty id value. This identifier will be unique across all Workplace users and it will be a stable, non-reassignable that does not change with the same User is returned in subsequent requests.

String

Read Only

externalId

An identifier for the User as defined by the customer. Each User MAY include a non-empty externalId value. The value of the externalId attribute is always issued be the customer and will never be specified by Workplace.

String

Optional

Enterprise User Extension

The following properties belong to the SCIM extension urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

FieldDescriptionTypeRequired

employeeNumber

Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization.

String

Optional

costCenter

Identifies the name of a cost center. enterprise:1.0

String

Optional

organization

Identifies the name of an organization.

String

Optional

division

Identifies the name of a division.

String

Optional

department

Identifies the name of a department.

String

Optional

manager

A complex type that optionally allows Service Providers to represent organizational hierarchy by referencing the id attribute of another User.

User Reference

Optional

Note that you need to remove the entire "manager": { "value": "manager id"} parameter in case you want to remove a manager from a user.

Account Status Details Extension

The following properties belong to the SCIM extension urn:ietf:params:scim:schemas:extension:facebook:accountstatusdetails:2.0:User

FieldDescriptionTypeRequired

accessCode

AccessCode for initial account login.

String

Read Only

accessCodeExpirationDate

Expiration date for access code.

Date Time

Read Only

canDelete

Field indicates whether the account is in a deletable state

Boolean

Read Only

claimed

Field that shows whether a user has claimed the account or not

Boolean

Optional

claimDate

Field that shows when a user claimed the account formatted as a Unix timestamp

Date Time

Read Only

claimLink

The unique claim link that allows a user to claim the account

URL

Read Only

invited

Field that shows whether a user is invited or not

Boolean

Optional

invitedDate

Field that shows when a user was invited formatted as a Unix timestamp

Date Time

Read Only

Depending on whether a user is created, invited or claimed the account, the field values within the account status details will appear or change.

GET:

unclaimed and deactivated account

"urn:ietf:params:scim:schemas:extension:facebook:accountstatusdetails:2.0:User": {
      "claimed": false,
      "invited": false,
      "inviteDate": "2017-05-19T13:14:29+00:00"
}

invited and unclaimed account

"urn:ietf:params:scim:schemas:extension:facebook:accountstatusdetails:2.0:User": {
    "claimed": false,
    "invited": false,
    "inviteDate": "2017-05-19T13:14:29+00:00"
}

claimed (via claimlink) account

"urn:ietf:params:scim:schemas:extension:facebook:accountstatusdetails:2.0:User": {
    "claimed": true,
    "claimDate": "2017-05-22T10:34:35+00:00",
    "invited": true,
    "inviteDate": "2017-05-19T13:14:29+00:00"
}

not invited and unclaimed account

"urn:ietf:params:scim:schemas:extension:facebook:accountstatusdetails:2.0:User": {
    "claimed": false,
    "invited": false
}

PUT and PATCH:

update account from not invited to invited

You can use a PUT or PATCH request to trigger unsent user invites. Read only attributes can be omitted.

You can only use PUT or PATCH requests to invite users, using the invite "true" value during a POST request will create the user but the user won't be invited unless this is configured in the general settings of your instance.

Request:

"urn:scim:schemas:extension:facebook:accountstatusdetails:1.0": {
    "claimed": false,
    "invited": true
}

Response:

"urn:scim:schemas:extension:facebook:accountstatusdetails:1.0": {
    "claimed": false,
    "claimLink": "<claimLink url>",
    "invited": true,
    "inviteDate": "2017-05-19T13:14:29+00:00"
}

Note you cannot update an invited user to not invited. The response will return unchanged values (the request will silently fail).

update account from claimed to unclaimed

You can use a PUT or PATCH request to reset the claimed status of an account. Read only attributes can be omitted.

Request:

"urn:ietf:params:scim:schemas:extension:facebook:accountstatusdetails:2.0:User": {
    "claimed": false,
    "invited": true,
}

Response:

"urn:ietf:params:scim:schemas:extension:facebook:accountstatusdetails:2.0:User": {
    "claimed": false,
    "claimLink": "<claimLink url>",
    "invited": true,
    "inviteDate": "2017-05-19T13:14:29+00:00"
    }

Note you cannot update an unclaimed user to claimed. The response will return unchanged values (the request will silently fail).

Authentication Method Extension

The following properties belong to the SCIM extension urn:ietf:params:scim:schemas:extension:facebook:authmethod:2.0:User

The Authentication Method Extension will allow you to set the authentication method in case that you've enabled the possibility to log in with either "sso" or "password".

FieldDescriptionTypeRequired

authMethod

Authentication method required for the account

String

Optional

Note that the value of the "authMethod" will be set to the default value that was configured in the Admin Panel when you create new users without setting the value of the "authMethod".

GET Request

When retrieving the information of a user, the value of the "authMethod" will be visible in case that your instance has hybrid authentication enabled.

Single Sign On:

"urn:ietf:params:scim:schemas:extension:facebook:authmethod:2.0:User": {
    "authMethod": "sso"
}

Username / Password:

"urn:ietf:params:scim:schemas:extension:facebook:authmethod:2.0:User": {
    "authMethod": "password"
}

POST Request

In case the hybrid authentication is enabled for your instance, you can trigger a POST Request to create your users and set the "authMethod" to "sso" or "password". In this case, the created user will only be able to log in with the configured "authMethod".

PUT and PATCH Request

In case hybrid authentication is enabled for your instance, you can trigger a PUT or PATCH Request to update the "authMethod" of your users and change the "authMethod" to "sso" or "password".

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "replace",
            "path": "urn:ietf:params:scim:schemas:extension:facebook:authmethod:2.0:User:authMethod ",
            "value": "sso"
        }
    ]
}

Frontline Extension

The following properties belong to the SCIM extension urn:ietf:params:scim:schemas:extension:facebook:frontline:2.0:User

The Frontline Extension will allow you to set which accounts are for frontline team members and to toggle account access to meet local regulatory responsibilities.

FieldDescriptionTypeRequired

frontline

Indicates whether the account is for a Frontline user.

Boolean

Optional

hasAccess

Indicates whether the Frontline account access is enabled. This attribute is only valid when the 'frontline' attribute is 'true'

Boolean

Optional

Note that if omitted or frontline users are not enabled on your instance, new accounts are created as standard users. Similarly if hasAccess is omitted or not enabled on your instance, the default value of true will be used.

PUT and PATCH Request

Frontline status of a user and their access can be toggled after creation.

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "replace",
            "path": "urn:ietf:params:scim:schemas:extension:facebook:frontline:2.0:User:frontline",
            "value": true
        },
        {
            "op": "replace",
            "path": "urn:ietf:params:scim:schemas:extension:facebook:frontline:2.0:User:hasAccess",
            "value": false
        }
    ]
}

Note you cannot update an standard user to not have access. The response will return unchanged values (the request will silently fail).

Start / Termination Date Extension

The following properties belong to the SCIM extension urn:ietf:params:scim:schemas:extension:facebook:starttermdates:2.0:User

FieldDescriptionTypeRequired

startDate

Field that contains the date the employee was hired in xsd:dateTime format (YYYY-MM-DDThh:mm:ssZ)

String

Optional

termDate

Field that contains the date the employee was terminated, if any, in xsd:dateTime format (YYYY-MM-DDThh:mm:ssZ)

String

Optional

Custom Profile Fields Extension

The Additional Profile Fields product feature allows Workplace customers to enable additional profile fields, which are optional, in their organization and use them for use cases including Auto Group Membership. These additional fields profile fields can be controlled by community admins just like default profile fields, from the Admin Panel Profile Fields settings page.

Before using any of the Additional Profile Fields with SCIM 2.0 API in a community, they have to be added to that community using the above setup instructions and the Additional Profile Fields should be editable by IDP Integrations.

Note:

Additional Profile Fields in Workplace can be accessed using the SCIM API schema extension customprofilefields.

The following properties belong to the SCIM extension urn:ietf:params:scim:schemas:extension:customprofilefields:2.0:User

FieldDescriptionTypeRequired

fixedTextFields

Array of custom fields whose values can only be from a list of text values from a predefined list (the predefined list needs to be set up in the Admin Panel).

List of FixedTextField objects for the user

Optional

FixedTextField Data Structure

FieldDescriptionTypeRequired

type

Name of the custom profile field.

String

Required

value

Value of the custom profile field for the user. Value can be set to null in the following endpoints to delete the value of a custom profile field for a user: POST /Users, PUT /Users/:user_id, PATCH /Users/:user_id.

String

Required

Name Mapping for Custom Profile Fields

A selection of additional profile fields are available for system admins to enable in their company. The table below lists all the available fields and their API names to be used in SCIM API requests to update Workplace user profiles.

Field CategoryField Display NameField API Name

Role

Work schedule

work_schedule

Role

Employee type

employee_type

Org

Subsidiary

subsidiary

Org

Business Unit

business_unit

Org

Year joined

year_joined

Location

State

state

Location

City

city

Location

Time Zone

time_zone

Location

Office Location

office_location

Location

Country

country

Location

Desk number

desk_number

Location

Floor

floor

Location

Region

region

Location

Store

store

Usage Examples

GET

In a company which has enabled additional profile fields and for a user who has an additional profile field set.

Note: Additional profile fields are not sent in response by default and have to be explicitly requested in a GET request

Request:

GET /Users/100069996612677?attributes=meta,active,locale,emails,userName,name,profileUrl,id,schemas,urn:ietf:params:scim:schemas:extension:facebook:frontline:2.0:User:frontline,urn:ietf:params:scim:schemas:extension:facebook:accountstatusdetails:2.0:User:inviteDate,urn:ietf:params:scim:schemas:extension:facebook:accountstatusdetails:2.0:User:invited,urn:ietf:params:scim:schemas:extension:facebook:accountstatusdetails:2.0:User:claimed,urn:ietf:params:scim:schemas:extension:facebook:accountstatusdetails:2.0:User:canDelete,urn:ietf:params:scim:schemas:extension:facebook:authMethod:2.0:User:authMethod,urn:ietf:params:scim:schemas:extension:facebook:customprofilefields:2.0:User:fixedTextFields
Host: scim.workplace.com
Authorization: Bearer ${BEARER_TOKEN}

Response:

...
"urn:ietf:params:scim:schemas:extension:facebook:customprofilefields:2.0:User": {
    "fixedTextFields": [
      {
        "type": "work_schedule",
        "value": "Part Time"
      },
      {
        "type": "store",
        "value": "703452"
      }
    ],
   },
"profileUrl": "",
"profileUrl": true,
"urn:ietf:params:scim:schemas:extension:facebook:authmethod:2.0:User": {
    "authMethod": "password"
}
...

POST

Creating a user using Workplace SCIM v2 API with custom profile fields.

POST /Users
Host: scim.workplace.com
Authorization: Bearer {your access token}
Content-Type: application/json

{
  "active":true,
  "userName":"user1@company1.com",
  "name": {
    "formatted" : "SCIM Coworker 1"
  },
  "urn:ietf:params:scim:schemas:extension:facebook:customprofilefields:2.0:User":{
    "fixedTextFields": [
      {
        "type": "work_schedule",
        "value": "Full time"
      },
      {
        "type": "employee_type",
        "value": "Regular"
      }
    ]
  }
}

PUT

Updating a user profile using Workplace SCIM v2 API with custom profile fields

PUT /Users/:user_id'
Host: scim.workplace.com
Authorization: Bearer {your access token}
Content-Type: application/json


{
  ...      
  "urn:ietf:params:scim:schemas:extension:facebook:customprofilefields:2.0:User":{
    "fixedTextFields": [
      {
        "type": "work_schedule",
        "value": "Full time"
      },
      {
        "type": "employee_type",
        "value": "Regular"
      }
    ]
  }
  ...
}

PATCH without path

Patching a user profile without path parameter using Workplace SCIM v2 API

Note: PATCH request type supports updating additional profile fields. Along with updating other user profile fields like name or addresses or locale, Workplace SCIM PATCH API for Users can be used to update one or more Additional Profile Fields as well in the same request without sending in the path parameter in the req body.

PATCH /Users/:user_id
Host: scim.workplace.com
Authorization: Bearer {your access token}
Content-Type: application/json

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op": "replace",
    "value": {
      "urn:ietf:params:scim:schemas:extension:facebook:customprofilefields:2.0:User": {
        "fixedTextFields": [{
          "type": "work_schedule",
          "value": "Part time"
        },{
          "type": "employee_type",
          "value": "Seasonal"
        }]
      }
    }
  }]
}

Delete an Additional Profile Field using PATCH without path:

Sending a null value to an additional profile field would delete the field from a user’s profile.

PATCH /Users/:user_id
Host: scim.workplace.com
Authorization: Bearer {your access token}
Content-Type: application/json

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op": "replace",
    "value": {
      "urn:ietf:params:scim:schemas:extension:facebook:customprofilefields:2.0:User": {
        "fixedTextFields": [{
          "type": "work_schedule",
          "value": null
        },{
          "type": "employee_type",
          "value": null
        }]
      }    
    }
  }]
}

PATCH with path and without filter:

Patching a user profile with path parameter using Workplace SCIM v2 API.

Note: PATCH request type supports updating additional profile fields. Workplace SCIM PATCH API for Users can be used to update one or more Additional Profile Fields as well in the same request by sending in the path parameter to the customprofilefields schema extension.

PATCH /Users/:user_id'
Host: scim.workplace.com
Authorization: Bearer ${your access token}
Content-Type: application/json

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op": "replace",
    "path": "urn:ietf:params:scim:schemas:extension:facebook:customprofilefields:2.0:User:fixedTextFields",
    "value": [{
      "type":"work_schedule",
      "value":"Seasonal"
    }]
  }]
}

PATCH with path and filter:

Patching a user profile with path and filter parameter using Workplace SCIM v2 API

Note: PATCH request type supports updating additional profile fields. Workplace SCIM PATCH API for Users can be used to update a particular Additional Profile Fields by sending in the path parameter with a filter specifying the exact additional profile field to the customprofilefields schema extension.

PATCH /Users/:user_id
Host: scim.workplace.com
Authorization: Bearer {your access token}
Content-Type: application/json

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op": "replace",
    "path": "urn:ietf:params:scim:schemas:extension:facebook:customprofilefields:2.0:User:fixedTextFields[type eq \"work_schedule\"].value",
    "value": "Seasonal Term"
  }]
}

Name Data Structure

The following fields make up the Name data structure used by the name field.

FieldDescriptionTypeRequired

formatted

The full name, including all middle names, titles, and suffixes as appropriate, formatted for display (e.g. Ms. Barbara J Jensen, III.).

String

Required

familyName

The family name of the User, or Last Name in most Western languages (e.g. Jensen given the full name Ms. Barbara J Jensen, III.).

String

Optional

givenName

The given name of the User, or First Name in most Western languages (e.g. Barbara given the full name Ms. Barbara J Jensen, III.).

String

Optional

middleName

The middle name(s) of the User.

String

Optional

honorificPrefix

The honorific prefix(es) of the User, or Title in most Western languages (e.g. Ms. given the full name Ms. Barbara J Jensen, III.).

String

Optional

honorificSuffix

The honorific suffix(es) of the User, or Suffix in most Western languages (e.g. III. given the full name Ms. Barbara J Jensen, III.).

String

Optional

Email Data Structure

The following describes the data structure used by the email field.

FieldDescriptionTypeRequired

display

The canonicalized representation of the email value.

String

Read Only

primary

Boolean value indicating whether this is the primary address.

Boolean

Optional

type

Type of this address, e.g., work or personal.

String

Optional

value

Email address.

String

Required

Address Data Structure

The following describes the data structure used by the address field.

FieldDescriptionTypeRequired

primary

Boolean value indicating whether this is the primary address.

Boolean

Optional

type

Type of this address, e.g., work or personal.

String

Optional

streetAddress

The full street address component, which may include house number, street name, P.O. box, and multi-line extended street address information. This attribute MAY contain newlines.

String

Optional

locality

The city or locality component.

String

Optional

region

The state or region component.

String

Optional

postalCode

The zipcode or postal code component.

String

Optional

country

The country name component. When specified the value MUST be in ISO 3166-1 alpha 2 short code format; e.g., the United States and Sweden are US and SE respectively.

String

Optional

formatted

The full mailing address, formatted for display or use with a mailinglabel. This attribute MAY contain newlines.

String

Optional

User Reference Data Structure

The following describes the data structure used by the user reference fields, e.g manager, members.

FieldDescriptionTypeRequired

value

The id of the SCIM user representing the manager of this user.

String

Required

$ref

The URI of the SCIM resource representing the User's manager.

String

Read Only

displayName

Display name of the manager.

String

Read Only

Core Group Schema

The following properties belong to the core SCIM schema urn:ietf:params:scim:schemas:core:2.0:Group

FieldDescriptionTypeRequired

displayName

Unique human readable name for the Group. Must be unique.

String

Required

members

The members of this Group.

Array containing one or more User Reference objects.

Optional

id

Unique identifier for the SCIM Group as defined by Workplace. Each Group will always contain a non-empty id value. This identifier will be unique across all Workplace groups and it will be a stable, non-reassignable that does not change with the same Group is returned in subsequent requests.

String

Read Only

externalId

An identifier for the Group as defined by the customer. Each User MAY include a non-empty externalId value. The value of the externalId attribute is always issued be the customer and will never be specified by Workplace.

String

Optional

Within Workplace SCIM Groups are mapped to People Sets. Users should only be added to and removed from groups, never updated.

It is recommend to exclude the members attribute from Group responses to minimise payload size. If included the response may be truncated to 10000 members for performance reasons.

create a SCIM group via POST

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:Group"
    ],
    "externalId": "<external id>",
    "displayName": "<group name>"
}

You can use a PATCH request to add or remove members from a group as well change the display name.

add a user to a SCIM group

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "add",
            "path": "members",
            "value": [
                {
                    "value": "<user id>"
                }
            ]
        }
    ]
}

remove a user from a SCIM group

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "remove",
            "path": "members[value eq \"<user id>\"]"
        }
    ]
}

Create accounts without email addresses (beta only)

We now allow for users to be created without the need for an actual email address. In order to do this, you will need to create a user that has an external id and a formatted name. You can still choose to add other attributes in case you want to add a user with rich profile data.

How can I create and update a user without an email address?

POST Request

In order to create an email less user, you'll need to create a user that has at least the following parameters:

  • externalId
  • formatted name

The request could look like the following:

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:facebook:authmethod:2.0:User"
    ],
    "externalId": "1745847",
    "name": {
        "formatted": "Julius Caesar"
    },
    "active": true,
    "urn:ietf:params:scim:schemas:extension:facebook:authmethod:2.0:User": {
        "authMethod": "password"
    }
}

The response in this case would look like this:

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
        "urn:ietf:params:scim:schemas:extension:facebook:accountstatusdetails:2.0:User",
        "urn:ietf:params:scim:schemas:extension:facebook:authmethod:2.0:User",
        "urn:ietf:params:scim:schemas:extension:facebook:frontline:2.0:User",
        "urn:ietf:params:scim:schemas:extension:facebook:starttermdates:2.0:User"
    ],
    "id": "100024833978801",
    "externalId": "1745847",
    "name": {
        "formatted": "Julius Caesar"
    },
    "active": true,
    "urn:ietf:params:scim:schemas:extension:facebook:accountstatusdetails:2.0:User": {
        "accessCode": "dwsngnlinocitezt",
        "accessCodeExpirationDate": "2017-05-22T10:34:35+00:00",
        "claimed": false,
        "invited": true,
        "inviteDate": "2017-05-19T13:14:29+00:00"
    },
    "urn:ietf:params:scim:schemas:extension:facebook:authmethod:2.0:User": {
        "authMethod": "password"
    }
}

It's important to know that the response won't create a username yet. The username will only be set once the user activates the account by using the access code on the desktop or mobile applications.

Once the user activated the account, you will get the following response:

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
        "urn:ietf:params:scim:schemas:extension:facebook:accountstatusdetails:2.0:User",
        "urn:ietf:params:scim:schemas:extension:facebook:authmethod:2.0:User",
        "urn:ietf:params:scim:schemas:extension:facebook:frontline:2.0:User",
        "urn:ietf:params:scim:schemas:extension:facebook:starttermdates:2.0:User"
    ],
    "id": "100024833978801",
    "externalId": "1745847",
    "userName": "Julius.C",
    "name": {
        "formatted": "Julius Caesar"
    },
    "active": true,
    "urn:scim:schemas:extension:facebook:accountstatusdetails:1.0": {
        "accessCode": "bcbegjpagzeqkwox",
        "accessCodeExpirationDate": "2017-05-22T10:34:35+00:00",
        "claimed": true,
        "claimDate": "2017-05-20T09:44:18+00:00",
        "invited": true,
        "inviteDate": "2017-05-19T13:14:29+00:00"
    },
    "urn:ietf:params:scim:schemas:extension:facebook:authmethod:2.0:User": {
        "authMethod": "password"
    }
}

When the account is activated, you'll notice two things:

  • The username is visible
  • The access code has changed

Because of the fact that the username is now set, we can use an access code to reset the password of this user based on a username and access code.

authMethod needs to be "password"

It's not allowed to create an email-less user with the authMethod set to "sso". We recommend that you add the "authMethod": "password" to all of the POST and PUT requests to avoid any errors in case the default authentication is set to "sso"

{
    "Errors": [
        {
            "description": "People without email have to use a password to log in: Select 'Password' for this users login method",
            "code": 1855128
        }
    ]
}
PUT and PATCH Requests

When you want to update a user, you can update any value apart from the following parameters:

Error message will be triggered when updating

  • username
{
    "Errors": [
        {
            "description": "You Can't Change Your Username: Usernames are permanent and can't be changed.",
            "code": 1855129
        }
    ]
}
  • authMethod to "sso"
{
    "Errors": [
        {
            "description": "You Can't Change Your Username: Usernames are permanent and can't be changed.",
            "code": 1855129
        }
    ]
}
The request will silently fail when updating any read only fields, including
  • accessCode
  • accessCodeExpirationDate

When you try to change the values for these parameters, the original value will be returned.

How can I retrieve my email-less users?

GET Request

You can use the GET request in the same way that you would use the GET request for users with an email address. The only difference is that you will only be able to see a username in case the user claimed the account.

How can I delete or deactivate my email less users?

PUT and PATCH Request

You can use the PUT and PATCH requests to deactivate user accounts. The Workplace SCIM 2.0 API has not enabled support for deleting user accounts.

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "replace",
            "path": "active",
            "value": false
        }
    ]
}

Usage Examples

Creating an Account for a Person

When a new person joins your organization or is newly-granted access to Workplace, you must create an account for them.

To create a new account, send a POST request to the endpoint https://scim.workplace.com/Users/.

Upon success, you will receive a 201 - Created response. The response body will contain a JSON representation of the person's account, including the Workplace-assigned ID, which must be used to do any subsequent update operations.

If a user already exists within your Workplace instance with the same username, you will receive a 409 - Conflict response.

The typical recovery path for a conflict is to:

  1. Make a GET request using the username filter to retrieve the existing user.
  2. Merge your local user record with the existing Workplace user record.
  3. Do a PUT operation to update the Workplace user.

You may receive another response code - refer to the error codes section below for more details.

Once a new User Account is created, Workplace will begin sending invitation and other notification emails.

If you'd like to create the account without inviting the person immediately, you must disable the setting Send invites when accounts are created on the Settings tab of the Admin Panel.

Read more.

Create a User with a Profile Picture

Any manual updates made by an employee to their profile picture will change their account to a manual updates only mode. After being switched to manual mode, Workplace will no longer use updates to the photos field for updating an account's profile picture.

You can create a user and set their initial Workplace profile picture if you have an internet-accessible image URL for the person by including the photos attribute with the type set to profile and primary set to true.

"photos": [
    {
        "value": "http://www.example.com/julius_profile_pic.jpeg",
        "type": "profile",
        "primary": true
    }
]

Remove the profile picture that was set through the API

You can clear the profile picture, thus setting it back to the default appearance, changing the primary value to false or by removing the profile entry from the photos array.

You're only able to set or clear the profile picture through the API when the user hasn't updated it through the UI.

Getting All Users

You can retrieve the information about your users:

  • Send a GET request to the endpoint https://scim.workplace.com/Users
  • By default, a GET request on /Users will return results in pages of 100.
  • You can specify a different page size and page offset by including the parameters count and startIndex.
GET /Users?count=10&startIndex=20 HTTP/1.1
Host: scim.workplace.com
Authorization: Bearer {your access token}

Upon success:

  • You will receive a 200 - OK response
  • The response body will contain a JSON representation of the requested users

Getting one user by ID

You can retrieve a single user by the user's Workplace ID:

GET /Users/{Workplace-assigned user id} HTTP/1.1
Host: scim.workplace.com
Authorization: Bearer {your access token}

If a user doesn't exist:

  • You will receive a 404 - OK response
  • Error message: “User or Group Not Available: The user or group you tried to access from SCIM is not available.”

You can only get a user if you are authorized to see the user, i.e., if that user exists within your Workplace instance

Getting one User by Username

You can retrieve a single user by username / email address by including a username filter:

GET /Users?filter=userName%20eq%20%22juliusc@example.com%22 HTTP/1.1
Host: scim.workplace.com
Authorization: Bearer {your access token}

If no user exists with that username, you will receive an empty response list.

You can only get a user if you are authorized to see the user; i.e., if that user exists within your Workplace instance

Getting one User by External Id

You can retrieve a single user by their external id by including a username filter:

GET /Users?filter=externalId%20eq%20%22{external-id}%22 HTTP/1.1
Host: scim.workplace.com
Authorization: Bearer {your access token}

If no user exists with that externalId, you will receive an empty response list.

You can only get a user if you are authorized to see the user; i.e., if that user exists within your Workplace instance

Setting Manager IDs

Workplace recommends always setting manager IDs for your users, since it creates a better user experience for the people using the product.

  1. You can set a user's manager during either a POST, PUT or PATCH operation, but doing so requires having the Workplace-assigned user ID for the manager.
  2. When doing create operations, you may not yet have the manager's user ID when you create the user.
  3. To simplify this, use two-pass logic (explained below) to create users and then set manager IDs.

Two-pass Logic

On the first pass:

  1. Iterate over each user
  2. Build the request payload, but do not set the manager relationship
  3. Simply create each user by sending a POST request
  4. Store each created-users' IDs in a data store

After users have been created, do a second pass to update each user's manager:

  1. Iterate over each user
  2. Lookup the user's manager's Workplace user ID in your data store
  3. Create the request payload for this user, adding the manager's ID to the request body
  4. Finally send a PUT request to Workplace to update the user and set the manager relationship

Updating a User

When any user attribute changes in your user directory, you must update the user's account in Workplace. This can either be done on event, when the underlying data changes, or in a batch, say every 3 hours. In either case, the logic is the same:

  1. Prepare the request body with the updated data.
  2. Send a PUT or PATCH request to the endpoint https://scim.workplace.com/Users/{Workplace-assigned user id}
  3. Upon success, you will receive a 200 - OK response
  4. If the user id you specified does not exist, you will receive a 404 - Not Found response

Workplace supports both PUT and PATCH requests to update user attributes. For legacy support incomplete PUT requests are allowed - any missing attributes will be unchanged.

Deactivating a User's Account

When a person leaves your organization or should not longer have access to Workplace, you must deactivate their account:

  1. Generate the request body setting the attribute active to false.
  2. Send a PUT or PATCH request to the endpoint https://scim.workplace.com/Users/{Workplace-assigned user id}
  3. Upon success, you will receive a 200 - OK response. The user will immediately be deactivated and any current mobile or web sessions for that user will be immediately terminated.

Deleting a User Account

The Workplace SCIM 2.0 API has not enabled support for deleting user accounts. We recommend deactivating users using the PUT/PATCH method above. For legacy support calling DELETE on the /Users endpoint will deactivate the user account.

Further Examples

Create a Person Who is a Manager

POST /Users/ HTTP/1.1
Host: scim.workplace.com
Authorization: Bearer {your access token}

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
    ],
    "userName": "juliusc@example.com",
    "name": {
        "formatted": "Julius Caesar"
    },
    "active": true,
    "emails": [
        {
            "primary": true,
            "type": "work",
            "value": "juliusc@example.com"
        }
    ],
    "addresses": [
        {
            "type": "work",
            "formatted": "Emporer's Palace",
            "primary": true
        }
    ],
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "department": "Headquarters"
    }
}

Read the Manager's ID From the Response Body

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
    ],
    "id": "11111111111",
    "userName": "juliusc@example.com",
    "name": {
        "formatted": "Julius Caesar"
    },
    "active": true,
    "emails": [
        {
            "primary": true,
            "type": "work",
            "value": "juliusc@example.com"
        }
    ],
    "addresses": [
        {
            "type": "work",
            "formatted": "Foro Italico",
            "primary": true
        }
    ],
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "department": "Headquarters"
    }
}

Create a Person With an Assigned Manager

POST /Users/ HTTP/1.1
Host: scim.workplace.com
Authorization: Bearer {your access token}

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
    ],
    "userName": "marka@example.com",
    "name": {
        "formatted": "Mark Antony"
    },
    "active": true,
    "emails": [
        {
            "primary": true,
            "type": "work",
            "value": "marka@example.com"
        }
    ],
    "addresses": [
        {
            "type": "work",
            "formatted": "Foro Italico",
            "primary": true
        }
    ],
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "department": "Senate",
        "manager": {
            "value": "11111111111"
        }
    }
}

Upgrading from SCIM v1.1

Workplace has deprecated SCIM v1.1 support and will require migration of all accounts to SCIM v2.0 by Oct 2022.

SCIM v2.0 is the latest standard for Cross-domain Identity Management, it builds on top of the v1.1 specification adding PATCH operations to facilitate management of users and groups at a scale far beyond the practical limitations of SCIM v1.1.

The key differences between the v1.1 and v2.0 specifications are outlined below, along with the changes to Workplace extension schemas.

Paths

SCIM v1.1SCIM v2.0

https://www.workplace.com/scim/v1/

https://scim.workplace.com/

https://www.workplace.com/scim/v1/Users

https://scim.workplace.com/Users

https://www.workplace.com/scim/v1/Groups

https://scim.workplace.com/Groups

https://www.workplace.com/scim/v1/Schemas

https://scim.workplace.com/Schemas

N/A

https://scim.workplace.com/ResourceTypes

https://www.workplace.com/scim/v1/ServiceProviderConfigs

https://scim.workplace.com/ServiceProviderConfig

Schemas

urn:scim:schemas:core:1.0 vs urn:ietf:params:scim:schemas:core:2.0:User

New Read Only Attributes have been added.

SCIM v1.1 AttributeSCIM v1.1 TypeSCIM v2.0 AttributeSCIM v2.0 Type

meta.resourceType

Constant String "User"

groups[].$ref

Read Only Reference

urn:scim:schemas:extension:enterprise:1.0 vs urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

Manager Data Type has been updated to match the SCIM v2.0 Multi-Valued Attribute structure.

SCIM v1.1 AttributeSCIM v1.1 TypeSCIM v2.0 AttributeSCIM v2.0 Type

manager.managerId

String

manager.value

String

manager.$ref

Read Only Reference

urn:scim:schemas:extension:facebook:accountstatusdetails:1.0 vs urn:ietf:params:scim:schemas:extension:facebook:accountstatusdetails:2.0:User

Date attributes have been updated from an Integer type representing an epoch timestamp, to the SCIM v2.0 DateTime type, which is a W3C data formatted string (xsd:dateTime).

SCIM v1.1 AttributeSCIM v1.1 TypeSCIM v2.0 AttributeSCIM v2.0 Type

accessCodeExpirationDate

Read Only Integer

accessCodeExpirationDate

Read Only DateTime

inviteDate

Read Only Integer

inviteDate

Read Only DateTime

claimDate

Read Only Integer

claimDate

Read Only DateTime

urn:scim:schemas:extension:facebook:auth_method:1.0 vs urn:ietf:params:scim:schemas:extension:facebook:authmethod:2.0:User

Attribute names updated to match SCIM v2.0 naming convention.

SCIM v1.1 AttributeSCIM v1.1 TypeSCIM v2.0 AttributeSCIM v2.0 Type

auth_method

String

authMethod

String

urn:scim:schemas:extension:facebook:frontline:1.0 vs urn:ietf:params:scim:schemas:extension:facebook:frontline:2.0:User

Attribute names updated to match SCIM v2.0 naming convention. New Workplace specific hasAccess attribute.

SCIM v1.1 AttributeSCIM v1.1 TypeSCIM v2.0 AttributeSCIM v2.0 Type

is_frontline

Boolean

frontline

Boolean

hasAccess

Boolean

urn:scim:schemas:extension:facebook:starttermdates:1.0 vs urn:ietf:params:scim:schemas:extension:facebook:starttermdates:2.0:User

Date attributes have been updated from an Integer type representing an epoch timestamp, to the SCIM DateTime type, which is a W3C data formatted string (xsd:dateTime).

SCIM v1.1 AttributeSCIM v1.1 TypeSCIM v2.0 AttributeSCIM v2.0 Type

startDate

Read Only Integer

startDate

Read Only DateTime

termDate

Read Only Integer

termDate

Read Only DateTime

urn:ietf:params:scim:schemas:core:2.0:Group

New Read Only Attributes have been added.

SCIM v1.1 AttributeSCIM v1.1 TypeSCIM v2.0 AttributeSCIM v2.0 Type

meta.resourceType

Constant String "Group"

members[].$ref

Read Only Reference

PATCH

PATCH operations are a new addition in SCIM v2.0 and thus no migration is required, their use is recommended.

PATCH operations allow update payloads to be reduced to only the attributes being updated. This reduces the payload size and avoids accidental overwriting of attributes with out of date values.

Use of PATCH operations is essential for effective group management at scale.

PATCH requests can make one or more update operations to the specified resource in a single request. Allowed operations are: add, replace and remove. The value property is not required for a remove operation. Filtering of multi-value attributes can be achiveved with filtering syntax in the path, see the remove user from group example above.

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "add",
            "path": "members",
            "value": [
                {
                    "value": "111111111111"
                }
            ]
        },
    ... + additional operations if needed ...
    ]
}