SCIM attribute reference
In the SCIM API for STA, the allowable contents of resources are defined by a set of schemas and a resource type, such as user or group. Each SCIM schema is a collection of attribute definitions that describe the contents of your user and group resources. The attribute definitions specify the attribute name and metadata, such as type (string, binary) and cardinality (singular, multi, complex).
The STA SCIM API maps the user attributes from the SCIM schema to the STA schema. It includes the following types of attributes:
-
SCIM common attributes
-
SCIM core user attributes
-
STA custom user attributes
-
SCIM core group attributes
-
STA custom group attributes
SCIM common attributes
The SCIM common attributes are defined in STA for all resources, including any custom STA resource types, except the ServiceProviderConfig and ResourceType server discovery endpoints and their associated resources. Common attributes are not defined in any particular schema.
For more information about the SCIM common attributes, see https://tools.ietf.org/html/rfc7643#section-3.1.
Each SCIM resource, such as a user or group, includes the following common attributes.
| SCIM attribute | Description | Attribute type | Required | Supports filters | |
|---|---|---|---|---|---|
id |
A unique identifier for a SCIM resource, such as a user, that is defined by STA. |
String |
True Read-only |
False |
|
externalId |
An identifier for a SCIM resource, such as a user, that is defined by the provisioning client. |
String Min: 0 Max: 128 |
False Read-write |
True |
|
meta |
A complex attribute containing resource metadata. All meta sub-attributes are assigned by STA and have a returned characteristic of default. The meta attribute contains the following sub-attributes: |
Multi-valued |
True Read-only |
False |
|
resourceType |
The name of the resource type of the resource. |
String |
True Read-only |
False |
|
created |
The DateTime when the resource was added to STA. This attribute must be a DateTime. |
DateTime |
True Read-only |
False |
|
lastModified |
The most recent DateTime when the details of this resource were updated in STA. If this resource has never been modified, the value is the same as the value of created. |
DateTime |
True Read-only |
False |
|
location |
The URI of the resource being returned. |
String |
True Read-only |
False |
|
version |
The version of the resource being returned. |
String |
True Read-only |
False |
|
SCIM core user attributes
Schema ID: urn:ietf:params:scim:schemas:core:2.0:User
Core attributes are listed in the resource type's schema.
For the complete description of the core attributes in the SCIM user schema, see https://tools.ietf.org/html/rfc7643#section-4.1.
See also the attribute limitations.
Each core user attribute corresponds to a user field in STA.
| STA user field | SCIM attribute | Description | Attribute type | Required | Supports filters |
|---|---|---|---|---|---|
userName |
userName |
A unique identifier for the user. |
String Min: 0 Max: 64 |
True |
True |
|
name |
The components of the user's real name. |
Multi-valued |
True |
False |
firstname |
name.givenName |
The given name, or first name, of the user, such as Barbara in the full name Barbara Jensen. |
String Min: 0 Max: 64 |
True |
True |
lastname |
name.familyName |
The family name, or last name, of the user, such as Jensen in the full name Barbara Jensen. |
String Min: 0 Max: 64 |
True |
True |
|
name.formatted |
The full name, including first and last name, formatted for display, such as Barbara Jensen. |
String READONLY (returned in response) |
False |
False |
user ID |
displayName |
The name of the user, suitable for display to end-users. This is mapped to the STA User ID. |
String READONLY (returned in response) Min: 0 Max: 64 |
False |
True |
emails[0]['value'] |
The email address includes these sub-attributes:
Only a single email address is stored. If a request is made to POST or PUT, and the data contains a list of email addresses, the following logic is used:
For PATCH, the email address is updated as long as the format is valid. |
Multi-valued Min: 0 Max: 96 |
True |
True |
|
PhoneNumber MobileNumber |
phoneNumbers['type']['value'] |
Phone numbers include these sub-attributes:
For PATCH operations, both the work and mobile phone number types are supported. The primary phone number is the mobile number. For GET requests, both the work and mobile numbers are returned, if they exist. |
Multi-valued |
False |
True |
isActive |
active |
Identifies whether the user's account is active or suspended. Default is True. When the user is suspended (isActive=false), the resulting suspension is displayed in the Account State. You can manually override the API lock from the consoles as described in Unlock account. |
Boolean |
False |
False |
|
addresses |
A physical mailing address for this user. |
Multi-valued |
False |
False |
address |
addresses[0]['streetAddress'] |
The full street address, which may include house number, street name, P.O. box, and multi-line extended street address information. This attribute may contain newlines. |
String Min: 0 Max: 64 |
False |
True |
city |
addresses[0]['locality'] |
The city or locality |
String Min: 0 Max: 64 |
False |
True |
state |
addresses[0]['region'] |
The state or region |
String Min: 0 Max: 64 |
False |
True |
country |
addresses[0]['country'] |
The country name |
String Min: 0 Max: 64 |
False |
True |
postalCode |
addresses[0]['postalCode'] |
The zip code or postal code |
String Min: 0 Max: 64 |
False |
True |
groups |
A list of groups to which the user belongs. |
Multi-valued READONLY (returned in response) |
False |
False |
|
value |
The ID |
String |
False |
False |
|
| name | display |
The name of the group |
String |
False |
True |
$ref |
The URI of the corresponding group resources to which the user belongs. |
String |
False |
True |
Unsupported core user attributes
The STA API does not support the following SCIM core user attributes:
-
name.middleName
-
name.honorificPrefix
-
name.honorificSuffix
-
nickName
-
profileUrl
-
title
-
userType
-
preferredLanguage
-
locale
-
timezone
-
password
-
ims
-
photos
-
groups are returned as read-only
-
entitlements
-
roles
-
x509Certificates
STA custom user attributes
Schema ID: urn:ietf:params:scim:schemas:extension:stauserextension:2.0:User
The STA SCIM API includes extensions to the user schema. These attributes correspond to custom fields in STA:
| STA user field | SCIM attribute | Description | Attribute type | Required | Supports filters |
|---|---|---|---|---|---|
alias1 |
None |
Aliases can be used as alternative user IDs, allowing the user to log on using their user ID or aliases and any of their assigned tokens. A common application of aliases is a user with two domain user IDs and two roles. For example, Bob and bob-sysadmin, the former being a standard user account, the latter being an account with elevated privileges. In this example, either ID can use the same token. |
String Min: 0 Max: 64 |
False |
True |
alias2 |
None |
String Min: 0 Max: 64 |
False |
True |
|
alias3 |
None |
String, READONLY Min: 0 Max: 64 |
False |
True |
|
alias4 |
None |
String, READONLY Min: 0 Max: 64 |
False |
True |
|
custom1 |
None |
These are optional fields that can be used to store additional data about the user. The Custom #1 field is displayed in the user list. The Custom labels can be changed from the Branding module. |
String Min: 0 Max: 64 |
False |
True |
custom2 |
None |
String Min: 0 Max: 64 |
False |
True |
|
custom3 |
None |
String Min: 0 Max: 64 |
False |
True |
|
isSynchronized |
None |
Identifies whether the user is synchronized from an external source. Set on resource creation and cannot be updated. The default value is false if not provided. By default, users that are created with the SCIM API are internal users, unless they are specified as synced users in the request. |
Boolean |
False |
False |
immutableId |
None |
The *immutableId* attribute uniquely identifies a user in Microsoft Entra ID. It must be synchronized between Microsoft Entra ID and STA, and it must be returned in the authentication request response. |
String Min: 0 Max: 128 |
False |
True |
userPrincipleName |
None |
The user principal name (UPN) of the user in the following format: userName@domain.name |
String Min: 0 Max: 256 |
False |
True |
SCIM user object
The following example of a user object includes the custom user attributes:
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:stauserextension:2.0:User"
],
"id": "88DB21A2ECB28E6BE962FF05BB4C0000000E",
"userName": "apascal",
"name": {
"formatted": "Anna Pascal",
"familyName": "Pascal",
"givenName": "Anna"
},
"displayName": "apascal",
"emails": [
{
"value": "apascal@yandex.com",
"type": "work",
"primary": true
}
],
"addresses": [
{
"streetAddress": "Knorrstraße 24",
"locality": "Wels",
"region": "Upper Austria",
"postalCode": "4600",
"country": "Austria",
"type": "work",
"primary": true
}
],
"phoneNumbers": [
{
"value": "+43724253019",
"type": "mobile",
"primary": true
},
{
"value": "+31644815518",
"type": "work",
"primary": false
}
],
"active": true,
"urn:ietf:params:scim:schemas:extension:stauserextension:2.0:User": {
"alias1": "apascal-alias1",
"alias2": "apascal-alias2",
"custom1": "apascal-custom1",
"custom2": "apascal-custom2",
"custom3": "apascal-custom3",
"isSynchronized": false,
"immutableId": "9Iu9yr40rpkro340",
"userPrincipalName": "anna.pascal@thalesgroup.com"
},
"groups": [
{
"value": "50331650",
"$ref": "https://api.sta.test.gemalto.com/tenants/K8WQQJOQWG/scim/v2/groups/50331650",
"display": "Fiction",
"type": "direct"
}
],
"meta": {
"resourceType": "User",
"created": "2023-03-10T20:06:24.26Z",
"lastModified": "2023-03-10T20:06:24.26Z",
"location": "https://api.sta.test.gemalto.com/tenants/K8WQQJOQWG/scim/v2/users/88DB21A2ECB28E6BE962FF05BB4C0000000E"
}
}
Core group attributes
Schema ID: urn:ietf:params:scim:schemas:core:2.0:Group
Core attributes are listed in the resource type's schema.
For the complete description of the core attributes in the SCIM group schema, see https://tools.ietf.org/html/rfc7643#section-4.2.
Each SCIM core group attribute corresponds to a field in STA.
| STA group field | SCIM attribute | Description | Attribute type | Required | Supports filters | |-----------------|----------------|--------------------------------------|----------------|----------| | name | displayName | A human-readable name for the group. | String, Min: 0, Max: 64 | True | False | | | members | A list of group members. | Multi-Valued | False | False | | id | value | STA user ID for a user in the group. | String | True | True | | type | type | The type is Group. | String | True | False | | name | displayName | The name of a user in the group. | String | True | False |
STA custom group attributes
Schema ID: urn:ietf:params:scim:schemas:extension:stagroupextension:2.0:Group
The STA SCIM API includes extensions to the group schema for group fields in STA.
| STA group field | SCIM attribute | Description | Attribute type | Required | Supports filters |
|---|---|---|---|---|---|
description |
None |
A description of the group. |
String Min: 0 Max: 256 |
False |
True |
isSynchronized |
None |
Set when the group is created and cannot be updated. The default value is false if it is not provided. |
Boolean, READONLY |
False |
True |
SCIM group object
The following example shows a group object:
!#text
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group",
"urn:ietf:params:scim:schemas:extension:stagroupextension:2.0:Group"
],
"id": "50331650",
"displayName": "Fiction",
"urn:ietf:params:scim:schemas:extension:stagroupextension:2.0:Group": {
"isSynchronized": false
},
"members": [
{
"value": "88DB21A2ECB28E6BE962FF05BB4C0000000E",
"$ref": "https://api.sta.test.gemalto.com/tenants/K8WQQJOQWG/scim/v2/users/88DB21A2ECB28E6BE962FF05BB4C0000000E",
"display": "apascal"
}
],
"meta": {
"resourceType": "Group",
"location": "https://api.sta.test.gemalto.com/tenants/K8WQQJOQWG/scim/v2/groups/50331650"
}
}