SCIM and REST API Reference Sheet
To manage Salesforce user objects with SCIM, you can send REST API create, read, update, and disable (CRUD) operations to SCIM endpoints. You must supply an OAuth 2.0 access token to perform these operations.
Required Editions
| Available in: Salesforce Classic and Lightning Experience |
| Available in: All Editions |
For help with configuring your REST API operations, refer to these sections.
SCIM Endpoints and CRUD Operations
This table lists the SCIM endpoints and their supported operations.
| SCIM Endpoint | Description | Supported Operations |
|---|---|---|
| https://MyDomainName.my.salesforce.com/services/scim/v2/ServiceProviderConfigs | Request the capabilities of the Salesforce SCIM implementation. | Read: GET |
| https://MyDomainName.my.salesforce.com/services/scim/v2/Schemas | Introspect resources and attribute extensions. | Read: GET |
| https://MyDomainName.my.salesforce.com/services/scim/v2/ResourceTypes | Discover the types of resources available, such as users and entitlements. | Read: GET |
| https://MyDomainName.my.salesforce.com/services/scim/v2/Entitlements | View support entitlements, such as profiles and permission sets, assigned to users. When querying for all entitlements in an org, this endpoint returns a maximum of 200 records. To view more than 200 records, query for specific entitlements. | Read: GET |
| https://MyDomainName.my.salesforce.com/services/scim/v2/Roles | View roles assigned to users. | Read: GET |
| https://MyDomainName.my.salesforce.com/services/scim/v2/Users https://MyDomainName.my.salesforce.com/services/scim/v2/Users/<user_Id> | Provision and manage user objects. | Create: Read: Update: Deactivate: |
| https://MyDomainName.my.salesforce.com/services/scim/v2/Groups | View and manage public groups to which users belong. | Read: Update: |
Operation Rules
When writing SCIM operations, keep these rules in mind.
- In a clause, AND doesn’t have precedence over OR. If a clause contains both AND and OR, explicitly add brackets to the clauses.
- In a clause, attribute names and operators are case-sensitive.
- Filter these fields on their own.
  - Users: entitlements, groups
  - Groups: members
  - Entitlements: members
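A filter that breaks these rules can select a different set of users than the one intended, so provisioning jobs benefit from linting filters before sending them. The checker below is an added example, not Salesforce code. It assumes that "brackets" means the parentheses of the SCIM filter grammar and that "on their own" means no other clause in the same filter; the function name is hypothetical.

```python
import re

# Attributes the page says to filter on their own, per resource type.
STANDALONE = {"Users": {"entitlements", "groups"},
              "Groups": {"members"},
              "Entitlements": {"members"}}

# Quoted strings, single parentheses, or runs of other non-space characters.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[()]|[^\s()"]+')

def lint_filter(resource, expr):
    """Return rule violations for a SCIM filter (empty list means clean)."""
    problems = []
    ops_at_depth = [set()]   # logical operators seen at each bracket level
    logical_seen = False
    clause_start = True      # the next bare token is an attribute name
    roots = []               # attribute roots exactly as written
    for tok in TOKEN.findall(expr):
        low = tok.lower()
        if tok == "(":
            ops_at_depth.append(set())
            clause_start = True
        elif tok == ")":
            if len(ops_at_depth) > 1:
                ops_at_depth.pop()
        elif low in ("and", "or"):
            logical_seen = True
            level = ops_at_depth[-1]
            if level and low not in level:
                problems.append("AND and OR mixed without brackets")
            level.add(low)
            clause_start = True
        elif clause_start and not tok.startswith('"') and low != "not":
            # Keep only the root: entitlements.value -> entitlements
            roots.append(re.split(r"[.\[]", tok)[0])
            clause_start = False
    for root in roots:
        for name in STANDALONE.get(resource, ()):
            if root.lower() != name:
                continue
            if root != name:
                problems.append(
                    f"'{root}' should be written '{name}' (case-sensitive)")
            if logical_seen:
                problems.append(f"'{name}' must be filtered on its own")
    return problems
```
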
Supported SCIM Extensions
Salesforce supports these Salesforce User extensions under the URN urn:salesforce:schemas:extension:2.0.
- alias
- callCenterId
- extension

Note: In the context of this URN, the extension field describes the user’s phone extension, not a SCIM schema extension.
Salesforce also supports these Enterprise User extensions, which show up under the URN urn:scim:schemas:extension:enterprise:2.0.
- organization
- employeeNumber
- department
- manager (managerId and displayName)
- delegatedApprover (delegatedApproverId and displayName)
- division
Salesforce also supports custom fields, which show up under the URN urn:salesforce:schemas:extension:18CHARORGID.
These supported extensions for Experience Cloud and Salesforce Customer Identity users show up
under the URN urn:salesforce:schemas:extension:external:2.0. Customer Identity users have the
Entitlements profileId of type external identity. Likewise, Experience Cloud users have the Entitlements profileId of type community.
- accountId
- contactId
- community
If accountId or contactId values aren't provided, Salesforce creates contact and account records for
the user. The new account name is in the format usernameJITUserAccount. For example: user@corpname.orgJITUserAccount.
These extensions show up under the URN urn:salesforce:schemas:extension:communities.
- networkID
- networkName
REST API Mappings to SCIM Attributes
This table shows the supported mappings of REST API object fields to SCIM schema attributes. Use this sheet as a quick reference. For a more detailed view of the supported attributes for each schema, including characteristics, send a GET request to the https://MyDomainName.my.salesforce.com/services/scim/v2/Schemas endpoint. See Understand the SCIM Implementation.
| REST API Object Field | SCIM Schema Attribute |
|---|---|
| City | address.[type eq "work"].locality |
| CommunityNickname | nickName |
| CompanyName | Not compatible |
| Country | address.[type eq "work"].country |
| CreatedDate | created |
| Department | department |
| Division | division |
| Email | emails |
| EmailEncodingKey | emailEncodingKey |
| EmployeeNumber | employeeNumber |
| FederationIdentifier | ExternalID |
| FirstName | name.givenName |
| Id | Id |
| IsActive | active |
| LanguageLocaleKey | preferredLanguage |
| LastModifiedDate | lastModified |
| LastName | name.familyName |
| LocaleSidKey | locale |
| ManagerId | manager |
| MobilePhone | phoneNumbers.[type eq "mobile"].value |
| PermissionSets | Entitlement |
| Phone | phoneNumbers.[type eq "work"].value |
| PostalCode | address.[type eq "work"].postalCode |
| ProfileId | Entitlement |
| ProfileName | Entitlement |
| State | address.[type eq "work"].region |
| TimeZoneSidKey | timezone |
| Title | title |
| Username | userName |
| UserPermissionsCallCenterAutoLogin | Not compatible |
| UserPermissionsMarketingUser | Not compatible |
| UserPermissionsOfflineUser | Not compatible |
| UserRoleId | Role |

