Overview

The System for Cross-domain Identity Management (SCIM) standard is used to simplify user provisioning and management by integrating your own user management system to the Archer Evolv platform. Archer Evolv currently supports SCIM 2.0 to help you manage your users’ access rights, along with provisioning and de-provisioning users across multiple platforms from your corporation’s identity management systems like OKTA, SailPoint, etc. Our SCIM support relies on the the following setup:

• Schemas defining the API endpoints and expectations for request / response payloads
• RESTful API endpoints for all necessary user management operations

In order to access the SCIM Schemas and API endpoints, you will first need to register for an API key and client ID to authorize and authenticate requests to Archer Evolv’s Platform. Follow the API User Guide to get started. Once the API key is generated, it needs to be associated with your User account on Archer Evolv – please contact support@compliance.ai for assistance. 

Swagger References (Authoritative)

Swagger UI: https://assurance.compliance.ai/swagger

OpenAPI JSON: https://api-production.compliance.ai/api/swagger.json

Use these as the source of truth for:

• supported methods per endpoint
• required vs optional fields
• request/response payload shapes
• supported query parameters (filtering/pagination)
• error schemas and examples

Implementation

Once you are set up on the Developer Platform, Archer Evolv provides multiple endpoints that can be used to implement SCIM:

• GET /scim/ServiceProviderConfig
  Specification compliance, authentication schemes, data models.
• GET /scim/ResourceTypes
  An endpoint used to discover the types of resources available.
• GET /scim/ResourceTypes/:resource_type
  An endpoint used to discover information about a specific resource available.
• GET /scim/Schemas
  Introspect resources and attribute extensions.
• GET /scim/Schemas/:schema_type
  Attribute supported by a specific resource.

Archer Evolv supports modifying attributes for a specific User – the user’s roles (access rights), the ​​externalId, and enabled (activate or deactivate account status) can be updated using SCIM. SCIM also supports the creation/provisioning of a new user. If your organization decides to leverage Archer Evolv’s SCIM integration – you will create new users, manage and update user roles and account status via your own identity management system, and the role management within pro.Archer Evolv will be locked. The endpoints to retrieve, create, and modify user information are as follows:

Users

GET /scim/Users

Endpoint used to get a list of Users that are a part of your organization.

To filter the results based on the username, utilize the filter parameter using the format:

• userName eq “user@domain.com”

GET /scim/Users/:user_id

Endpoint used to get attributes associated with a specific User.

POST /scim/Users

Endpoint used to create a user account with the following attributes for a specific User:

• userName: Please make sure to use an email for this value so the new user can use that email to log into pro.Archer Evolv using your Corporate Login.
• userType: A userType collectively represents a user’s permissions within an organization on pro.compliance.ai, and can be assigned as one of the following: “Org Admin”, “Team Admin”, “Workflow Admin”, “Active Team User”, “Lite Team User”.
• externalId: An external id for the user to help it be identified in outside systems. This can be set as any string value.
• active: Status that reflects if the account is active or deactivated. This is set as a boolean value.

PUT /scim/Users/:user_id

Endpoint used to modify the following attributes for a specific User:

• userType: A userType collectively represents a user’s permissions within an organization on pro.compliance.ai, and can be assigned as one of the following: “Org Admin”, “Team Admin”, “Workflow Admin”, “Active Team User”, “Lite Team User”.
• externalId: An external id for the user to help it be identified in outside systems. This can be set as any string value.
• active: Status that reflects if the account is active or deactivated. This is set as a boolean value.

PATCH /scim/Users/:user_id

Endpoint is used to make partial updates to a user representation. It allows users to modify following specific attributes or properties of a user:

• userType: A userType collectively represents a user’s permissions within an organization on pro.compliance.ai, and can be assigned as one of the following: “Org Admin”, “Team Admin”, “Workflow Admin”, “Active Team User”, “Lite Team User”.
• externalId: An external id for the user to help it be identified in outside systems. This can be set as any string value.
• active: Status that reflects if the account is active or deactivated. This is set as a boolean value.

DELETE /scim/Users/:user_id

Endpoint used to remove (de‑provision) a user account.

Notes:

• Some identity providers deactivate accounts via PATCH (setting active=false) instead of calling DELETE.

Groups

GET /scim/Groups

Endpoint used to get a list of Groups that are a part of your organization.

To filter the results based on a group name, utilize the filter parameter using the SCIM format:

• `displayName eq “Group Name”`POST /scim/Groups

Endpoint used to create a Group with the following attributes for a specific Group:

• displayName: Human‑readable group name.
• members: List of members in the group. Each member object typically contains:
  • value: Identifier of the member (User or Group id).
  • display: Human‑readable display value for the member.
  • $ref: Reference URL for the member resource.GET /scim/Groups/:group_id

Endpoint used to get attributes associated with a specific Group.

Returned Group attributes commonly include:

• displayName: Human‑readable group name.
• members: List of members in the group (see member fields above).

POST /scim/Groups
Endpoint used to create a Group with the following attributes for a specific Group:

• displayName: Human‑readable group name.
• members: List of members in the group. Each member object typically contains:
  • value: Identifier of the member (User or Group id).
  • display: Human‑readable display value for the member.
  • $ref: Reference URL for the member resource.

PUT /scim/Groups/:group_id

Endpoint used to modify the following attributes for a specific Group:

• displayName: Update the group’s human‑readable name.

• members: Update the group’s membership list.

PATCH /scim/Groups/:group_id

Endpoint is used to make partial updates to a group representation. It allows users to modify following specific attributes or properties of a group:

• displayName: Update the group’s human‑readable name.
• members: Add, remove, or replace group members.

DELETE /scim/Groups/:group_id

Endpoint used to delete a Group.

These endpoints can be found and tested in our I/O Docs on Archer Evolv Developer Platform. Go to https://developer.compliance.ai/io-docs, and then select “SCIM” to get the full list of SCIM endpoints available.

Example API References

GET User by user_id

• Resource URL

• Header Parameter

• Sample Responses

PUT User by user_id

• Resource URL

• Header Parameter

• Request Body

• Sample Responses

GET User

• Resource URL

• Header Parameter

• Sample Responses

• Sample responses when filter is used:

POST User

• Resource URL

• Header Parameter

• Sample Responses

PATCH User

• Resource URL

• Header Parameter

• Request Body
  

• Sample Responses

Error Handling / Troubleshooting

Common troubleshooting patterns:

• 404 Not Found: Incorrect user_id / group_id, or resource not provisioned.
• 401 / 403: Missing, expired, or invalid token; or insufficient scope/role.
• 409 Conflict: Duplicate userName on create.
• 422 Unprocessable Entity: Unsupported attribute change in PUT/PATCH.
• Use the OpenAPI JSON for the authoritative list of error responses and payload schemas.

Next Steps

Contact us to schedule a demo and discuss implementing SCIM in detail.

If you’re a developer, join our Developer Program to learn more and begin using our interactive API.