SCIM service provider configuration
SCIM 2.0 discovery endpoint (RFC 7644 §4) - returns the supported feature set (patch, bulk, filter, authentication schemes). IdP provisioners hit this first to negotiate capabilities. Authentication is Bearer-token against KONTORION_SCIM_TOKEN.
SCIM service provider configuration › Responses
ServiceProviderConfig resource (application/scim+json)
List SCIM users
SCIM 2.0 user listing (RFC 7644 §3.4.2) - paginated via startIndex + count, optionally filtered via the SCIM filter grammar (filter=userName eq "alice"). Admin-only; authentication is Bearer-token against KONTORION_SCIM_TOKEN. Returns a ListResponse envelope (application/scim+json).
query Parameters
filterSCIM filter expression (e.g. `userName eq \
startIndex1-based page start (default 1, max 1048576)
countPage size (default 100, max 200)
List SCIM users › Responses
ListResponse envelope
itemsPerPageschemasstartIndextotalResultsCreate a SCIM user
SCIM 2.0 user provisioning (RFC 7644 §3.3) - the IdP pushes a new user. The concrete provider joins users + organization_members in PG and forwards to Keycloak Admin API. Admin-only; authentication is Bearer-token against KONTORION_SCIM_TOKEN.
Create a SCIM user › Request Body
activedisplayNameidschemasuserNameCreate a SCIM user › Responses
Created SCIM User resource
activedisplayNameidschemasuserNameGet a SCIM user
SCIM 2.0 single-user retrieval (RFC 7644 §3.4.1). Admin-only; authentication is Bearer-token against KONTORION_SCIM_TOKEN.
path Parameters
idUser UUID
Get a SCIM user › Responses
SCIM User resource
activedisplayNameidschemasuserNameReplace a SCIM user
SCIM 2.0 full-resource replacement (RFC 7644 §3.5.1, PUT semantics - the body fully replaces the stored resource, attributes not present are cleared). Admin-only; authentication is Bearer-token against KONTORION_SCIM_TOKEN.
path Parameters
idUser UUID
Replace a SCIM user › Request Body
activedisplayNameidschemasuserNameReplace a SCIM user › Responses
Updated SCIM User resource
activedisplayNameidschemasuserName