SCIM Identity Management

Overview

The System for Cross-domain Identity Management (SCIM) standard is used to simplify user provisioning and management by integrating your own user management system with the Compliance.ai platform. Compliance.ai currently supports SCIM 2.0 to help you manage your users’ access rights, along with provisioning and de-provisioning users across multiple platforms from your corporation’s identity management systems like Okta, SailPoint, etc. Our SCIM support relies on the following setup:

  • Schemas defining the API endpoints and expectations for request / response payloads
  • RESTful API endpoints for all necessary user management operations

In order to access the SCIM Schemas and API endpoints, you will first need to register for an API key and client ID to authorize and authenticate requests to Compliance.ai’s Platform. Follow the API User Guide to get started. Once the API key is generated, it needs to be associated with your User account on Compliance.ai – please contact support@compliance.ai for assistance. 

Implementation

Once you are set up on the Developer Platform, Compliance.ai provides multiple endpoints that can be used to implement SCIM:

  • GET /scim/ServiceProviderConfig
    Specification compliance, authentication schemes, data models.
  • GET /scim/ResourceTypes
    An endpoint used to discover the types of resources available.
  • GET /scim/ResourceTypes/:resource_type
    An endpoint used to discover information about a specific resource available.
  • GET /scim/Schemas
    Introspect resources and attribute extensions.
  • GET /scim/Schemas/:schema_type
    Attributes supported by a specific resource.

Compliance.ai supports modifying attributes for a specific User: the user’s roles (access rights), the externalId, and enabled (activate or deactivate account status) can be updated using SCIM. SCIM also supports the creation/provisioning of a new user. If your organization decides to leverage Compliance.ai’s SCIM integration, you will create new users and manage and update user roles and account status via your own identity management system, and the role management within pro.compliance.ai will be locked. The endpoints to retrieve, create, and modify user information are as follows:

  • GET /scim/Users
    Endpoint used to get a list of Users that are a part of your organization.
  • GET /scim/Users/:user_id
    Endpoint used to get attributes associated with a specific User.
  • PUT /scim/Users/:user_id
    Endpoint used to modify the following attributes for a specific User:

    • roles: A role collectively represents a user’s permissions within an organization on pro.compliance.ai, and can be assigned as one of the following: “Org Admin”, “Team Admin”, “Workflow Admin”, “Active Team User”, “Lite Team User”
    • externalId: An external ID for the user that helps identify it in outside systems. This can be set to any string value
    • enabled: Status that reflects whether the account is active or deactivated. This is set as a boolean value
  • POST /scim/Users
    Endpoint used to create a user account with the following attributes for a specific User:

    • userName: Please make sure to use an email for this value so the new user can use that email to log into pro.compliance.ai using your Corporate Login.
    • roles
    • externalId
    • enabled

These endpoints can be found and tested in our I/O Docs on Compliance.ai Developer Platform. Go to https://developer.compliance.ai/io-docs, and then select “SCIM” to get the full list of SCIM endpoints available.
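Because role management inside pro.compliance.ai is locked once SCIM is in use, the identity provider becomes the only place where stale or over-privileged accounts get corrected. The following added example (not Compliance.ai's code) reconciles a GET /scim/Users list against an IdP export and plans the PUT /scim/Users/:user_id bodies needed; the sample data, the `IDP_USERS` format and the `plan_updates` helper are constructed for illustration, and the PUT body shape follows the sample request body under Example API References.

```python
# Role names this page lists for pro.compliance.ai.
VALID_ROLES = {"Org Admin", "Team Admin", "Workflow Admin",
               "Active Team User", "Lite Team User"}

# Constructed sample, trimmed to the fields used, in the shape of the
# GET /scim/Users ListResponse documented on this page.
LIST_RESPONSE = {
    "Resources": [
        {"id": "XYZ", "userName": "test@compliance.ai",
         "enabled": True, "roles": ["Org Admin"]},
        {"id": "ABC", "userName": "test2@compliance.ai",
         "enabled": True, "roles": ["Active Team User"]},
        {"id": "DEF", "userName": "test3@compliance.ai",
         "enabled": True, "roles": ["Lite Team User"]},
    ],
    "itemsPerPage": 100, "startIndex": 1, "totalResults": 3,
}

# Constructed sample of the identity provider's view (hypothetical export format).
IDP_USERS = {
    "test@compliance.ai": {"role": "Team Admin", "active": True},
    "test2@compliance.ai": {"role": "Active Team User", "active": False},
}


def plan_updates(list_response, idp_users):
    """Return (user_id, put_body, reason) for each account that drifted from the IdP."""
    resources = list_response.get("Resources", [])
    # A partial page would hide accounts; refuse to reconcile on it.
    if list_response.get("totalResults", 0) > len(resources):
        raise ValueError("incomplete user list; fetch all pages first")
    plan = []
    for user in resources:
        want = idp_users.get(user["userName"].lower())
        if want is None or not want["active"]:
            if user.get("enabled"):
                reason = "unknown to IdP" if want is None else "inactive in IdP"
                plan.append((user["id"], {"enabled": False}, reason))
            continue
        if want["role"] not in VALID_ROLES:
            raise ValueError(f"unsupported role: {want['role']!r}")
        if user.get("roles") != [want["role"]]:
            # Body shape follows the page's PUT sample (a single role string).
            plan.append((user["id"], {"roles": want["role"]}, "role drift"))
    return plan


if __name__ == "__main__":
    for user_id, body, reason in plan_updates(LIST_RESPONSE, IDP_USERS):
        print(f"PUT /scim/Users/{user_id} {body}  # {reason}")
```

Run on the constructed data, the plan downgrades the account holding "Org Admin" that the IdP lists as "Team Admin" and disables the two accounts the IdP no longer considers active.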

Example API References

GET User by user_id

  • Resource URL
https://api.compliance.ai/scim/Users/:user_id
  • Header Parameter
Authorization: Bearer
Content-Type: application/json
  • Sample Responses

{   "active": true, 
    "enabled": true,
    "externalId": "XYZ",
    "id": "XYZ",
    "meta": {
        "created": "2021-12-13 17:10:51.234218",
        "lastModified": "2022-02-03 22:50:15.322791",
        "location": "https://api.compliance.ai/v1/Users/XYZ",
        "resourceType": "User" },
    "roles": ["Team Admin"],
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "timezone": "UTC",
    "userName": "test@compliance.ai" }

PUT User by user_id

  • Resource URL
https://api.compliance.ai/scim/Users/:user_id
  • Header Parameter
Authorization: Bearer
Content-Type: application/json
  • Request Body

{"externalId": "XYZ",
"roles":  "Org Admin"}
  • Sample Responses

{   "active": true,
    "enabled": true,
    "externalId": "XYZ",
    "id": "XYZ",
    "meta": {
        "created": "2021-12-13 17:10:51.234218",
        "lastModified": "2022-02-03 23:50:15.322791",
        "location": "https://api.compliance.ai/v1/Users/XYZ",
        "resourceType": "User" },
    "roles": ["Org Admin"],
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "timezone": "UTC",
    "userName": "test@compliance.ai" }

GET User

  • Resource URL
https://api.compliance.ai/scim/Users
  • Header Parameter
Authorization: Bearer
  • Sample Responses

{ "Resources": [{
    "active": true,
    "enabled": true,
    "externalId": "XYZ",
    "id": "XYZ",
    "meta": {
        "created": "2021-12-13 17:10:51.234218",
        "lastModified": "2022-02-03 22:50:15.322791",
        "location": "https://api.compliance.ai/v1/Users/XYZ",
        "resourceType": "User" },
    "roles": ["Team Admin"],
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "timezone": "UTC",
    "userName": "test@compliance.ai" 
    }, {
    "active": true,
    "enabled": true,
    "externalId": "ABC",
    "id": "ABC",
    "meta": {
        "created": "2021-11-18 17:10:51.234218",
        "lastModified": "2022-01-01 22:50:15.322791",
        "location": "https://api.compliance.ai/v1/Users/ABC",
        "resourceType": "User" },
    "roles": ["Active Team User"],
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "timezone": "UTC",
    "userName": "test2@compliance.ai" }],
  "itemsPerPage": 100,
  "schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "startIndex": 1,
  "totalResults": 2 }

POST User

  • Resource URL
https://api.compliance.ai/scim/Users
  • Header Parameter
Authorization: Bearer
  • Sample Responses

{ "Resources": [{
    "active": true,
    "enabled": true,
    "externalId": "XYZ",
    "id": "XYZ",
    "meta": {
        "created": "2021-12-13 17:10:51.234218",
        "lastModified": "2022-02-03 22:50:15.322791",
        "location": "https://api.compliance.ai/v1/Users/XYZ",
        "resourceType": "User" },
    "roles": ["Team Admin"],
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "timezone": "UTC",
    "userName": "test@compliance.ai"
    }] }

Next Steps

Contact us to schedule a demo and discuss implementing SCIM in detail.

If you’re a developer, join our Developer Program to learn more and begin using our interactive API.
