# StrongDM SCIM API Specification The StrongDM SCIM 2.0 API allows apps that conform to the System for Cross-domain Identity Management (SCIM) specification to take advantage of our user and group provisioning capabilities. One example of this is [JumpCloud](/admin/principals/provisioning/jumpcloud-provisioning.md). If an identity provider that you would like to connect to StrongDM doesn't leverage the standard SCIM user object schema, some custom work may be needed to integrate with the StrongDM SCIM API. {% hint style="info" %} To leverage our SCIM API to connect to an identity provider that we do not have explicitly listed, go to the StrongDM Admin UI’s **Settings** > **User Management** and then the **Provisioning** section and select the **Generic** provider option. Select **activate** and then use the generated bearer token with the integration you are configuring. {% endhint %} This document details the endpoints and functionalities supported for the SCIM protocol by StrongDM's servers. These details cover the following: * The path to access the endpoint (for example, `GET /index.html`) * The parameters the endpoint accepts * A description of what the endpoint does when called * Example request and response bodies ### Paths All paths are served from `app.strongdm.com`. StrongDM's SCIM implementation serves different endpoints for different providers. For example: ``` GET /provisioning/generic/v2/Users GET /provisioning/okta/v2/Users GET /provisioning/azure/v2/Users ``` All of the listed endpoints use common logic. The behavior and response from StrongDM when requests are sent to these different endpoints is currently identical, but the endpoints are maintained separately in case there are issues with malformed requests or other similar issues coming from only Okta or Azure clients. If such issues happen, those requests are segmented out, and StrongDM can handle the issue efficiently and without impacting customers using the other endpoints. The `generic` endpoints are used in this document and will never have additional logic added to fix malformed SCIM requests. ### Data Format SCIM requests and responses follow a REST interface and have JSON bodies. Request bodies must follow the appropriate SCIM schemas as returned from `GET /provisioning/generic/v2/Schemas`. {% hint style="info" %} The returned schemas should match the examples in this documentation, but if the examples in the documentation disagree with the returned schemas, then these examples are not up to date, and the schemas should be followed. {% endhint %} ### General Notes Groups in SCIM are translated to roles within StrongDM, so the two terms are synonymous in these examples. All users or roles created by, modified by, or used in part of any SCIM endpoint request become marked as managed by an external party. Items returned by GET endpoints do not become marked in this way if they are not already marked. This marking prevents some actions from being taken in the Admin UI on those users and roles that could interfere with an ongoing synchronization from that external party. {% hint style="warning" %} CLI and API operations may interfere with SCIM synchronization. If CLI or API requests are used to update managed users or roles, it is possible that a custom SCIM sync job may not validate that the requested user or role matches in StrongDM, which may cause errors. If this happens, requested changes made via the CLI or API to managed users or roles are reverted as soon as the SCIM sync job notices, or the sync job stops. {% endhint %} When a user is suspended via any action, they lose their external management marking. A user who is suspended cannot be managed by an external party and suspension takes precedence over external management. {% content-ref url="/pages/Ugy10xlcCaN7l0trLXE5" %} [SCIM Groups](/references/scim/groups.md) {% endcontent-ref %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.strongdm.com/references/scim.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.