SCIM API limitations
STA does not support the complete SCIM specification. Some SCIM functions are not supported.
Compatibility between a user directory that supports SCIM and the STA SCIM implementation is not guaranteed.
General limitations
The following operations are not supported for any SCIM resources:
- Filters: Only eq and and filters are supported. All other filters are unsupported.
- Bulk operations
- Sort
- eTag
- Change password
Patch operation limitations
- Paths can be complex with the eq filter. Only eq is supported for the path filter with Patch. The and operator is not supported.
In addition, the patch implementation supports the following:
- Path filters can be used to address attributes and sub-attributes.
- Simple attributes, complex attributes, and complex multi-valued attributes can be patched.
Sample pathless patch
For a pathless patch, the patch value must contain the attribute and attribute value.
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "replace",
      "value": {
        "userPrincipalName": "mike.smith@sas.com"
      }
    }
  ]
}
Sample path patch
A path patch can be used to select an attribute. In this case, the value attribute of the patch contains the value of the attribute that is being set.
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "replace",
      "path": "userPrincipalName",
      "value": "mike.smith@sas.com"
    }
  ]
}
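The filter and patch limits described above can be checked on the client before a request is sent. The following pre-flight check is an added example, not STA code or part of the original page; the function names and the sample requests are constructed for illustration, and the operator list is taken from RFC 7644.

```python
import re

# Operator names from RFC 7644 section 3.4.2.2 (comparison and logical).
SCIM_OPERATORS = {"eq", "ne", "co", "sw", "ew", "pr", "gt", "ge", "lt", "le",
                  "and", "or", "not"}
GET_FILTER_ALLOWED = {"eq", "and"}   # per "General limitations"
PATCH_PATH_ALLOWED = {"eq"}          # per "Patch operation limitations"
_STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')

def operators_used(expression):
    """Return the SCIM operators in a filter, ignoring quoted values."""
    bare = _STRING_LITERAL.sub(" ", expression)
    words = re.split(r"[\s()\[\]]+", bare)
    return {w.lower() for w in words if w.lower() in SCIM_OPERATORS}

def check_get_filter(expression):
    """List operators in a GET filter that fall outside eq / and."""
    return sorted(operators_used(expression) - GET_FILTER_ALLOWED)

def check_patch(body):
    """Return a list of problems in a PatchOp body; empty means it passes."""
    problems = []
    for i, op in enumerate(body.get("Operations", [])):
        path = op.get("path")
        if path is None:
            # Pathless patch: the value must carry the attribute and its value.
            if not isinstance(op.get("value"), dict) or not op["value"]:
                problems.append(f"op {i}: pathless patch needs an object value")
            continue
        # Drop quoted values first so a "]" inside a literal cannot end the filter.
        for inner in re.findall(r"\[(.*?)\]", _STRING_LITERAL.sub(" ", path)):
            bad = sorted(operators_used(inner) - PATCH_PATH_ALLOWED)
            if bad:
                problems.append(f"op {i}: path filter uses {', '.join(bad)}")
    return problems

# Constructed sample request (not taken from a real tenant).
SAMPLE_PATCH = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
        {"op": "replace", "value": {"userPrincipalName": "mike.smith@sas.com"}},
        {"op": "replace", "path": 'emails[type eq "work" and primary eq true].value',
         "value": "m.smith@example.com"},
        {"op": "replace", "value": "mike.smith@sas.com"},
    ],
}

if __name__ == "__main__":
    print(check_get_filter('userName eq "or" or userName sw "mike"'))
    print("\n".join(check_patch(SAMPLE_PATCH)))
```

The first operation in the sample passes; the second is flagged for using and inside a path filter, and the third for a pathless patch whose value is not an object.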
User limitations
The following limitations apply to user resources:
- Two phone numbers are supported for a user, mobile and work. The default is mobile. If only one phone number is provided and it is labeled work, it is set as mobile to support SMS tokens.
- If users are added or removed by a concurrent operation while paging through a list of results, some users may be missed.
- Groups cannot be assigned during user creation.
- Operators cannot be removed.
- Account managers cannot be removed.
- You cannot remove the service account user who is mapped to the API key that was used for the request.
- Group membership cannot be added or updated when creating or modifying a user. Update the group with new membership information instead.
- In case of multiple emails or addresses in a request, the primary one is stored, regardless of the specified type.
- When using filters with the GET method, only the eq and and filters are supported.
- For PUT methods, if any of the specified attributes are unrecognized or unsupported, they are ignored rather than returning 400 Bad Request. This means that an attribute could be removed from the user if its name is misspelled.
- The user name is limited to 64 characters.
- The SCIM attribute reference and GET /tenants/{tenantCode}/scim/v2/users operation identify which user attributes support filters.
Group limitations
The following limitations apply to group resources:
- The maximum number of group members returned is 1000.
- The maximum number of users that you can add to a group with PUT is 1000.
- When using filters with the GET method, only the eq and and filters are supported.
- The excludedAttributes property is supported only for use with GET groups, and the only valid attribute is members. Any other use of excludedAttributes is ignored.
- Groups cannot be renamed when they are assigned to a token provisioning rule or operator role provisioning rule.
- The SCIM attribute reference and GET /tenants/{tenantCode}/scim/v2/groups operation identify which group attributes support filters.