} }
PatchUser
The /Users endpoint allows a PATCH request to be made for partial changes to an existing user. In the body of the request, the target attribute and its new value must be specified as shown in the Examples section.
Not supported
The AWS SSO SCIM implementation does not support the following aspects of this API operation.
• Multiple PATCH operations on userName or active attribute
• ims, photos, x509Certificates, entitlements, and password fields
• displayName subattribute for manager
• display subattribute for emails, addresses, and phoneNumbers
Constraints
The AWS SSO SCIM implementation has the following constraints for this API operation.
• The supported operations are add, replace, and remove.
• The operation must be specified.
• The path is required for a remove operation.
• A value is required for add and replace.
• Modification is only allowed for the userName, active, externalId, displayName, nickName, profileUrl, title, userType, preferredLanguage, locale, timezone, name, enterprise, emails, addresses, and phoneNumbers attributes.
• Only the eq operator is supported in filters.
• The remove patch operation is not supported for userName or active attributes.
• Multi-valued attributes (such as emails, addresses, phoneNumbers) are not supported. Only one value is permitted for each of those attributes.
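The constraints above can be checked on the client before a PATCH is sent, so that a request such as disabling a user is not lost to a ValidationException. The following is an added example, not code from AWS or from the original guide. The names check_patch and _targets are hypothetical, paths are parsed with the standard SCIM forms (attr.sub and attr[filter]), and "multiple PATCH operations" is assumed to mean more than one operation on the same attribute in a single request.

```python
import re

ALLOWED = {"userName", "active", "externalId", "displayName", "nickName",
           "profileUrl", "title", "userType", "preferredLanguage", "locale",
           "timezone", "name", "enterprise", "emails", "addresses", "phoneNumbers"}
ENTERPRISE_URN = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SINGLE_VALUED = ("emails", "addresses", "phoneNumbers")
ONE_OP_ONLY = ("userName", "active")  # assumed reading of "multiple PATCH operations"

def _targets(op):
    """Top-level attributes an operation touches: from path, else from value keys."""
    path = op.get("path")
    if path:
        if path.startswith(ENTERPRISE_URN):  # the URN itself contains dots
            return ["enterprise"]
        return [re.split(r"[.\[]", path, maxsplit=1)[0]]
    value = op.get("value")
    keys = value if isinstance(value, dict) else []
    return ["enterprise" if k == ENTERPRISE_URN else k for k in keys]

def check_patch(body):
    """Return the constraint violations found in a PatchOp body (empty list = none)."""
    problems, seen = [], {}
    for i, op in enumerate(body.get("Operations", [])):
        kind = op.get("op")  # compared against the lowercase names the page lists
        if kind not in ("add", "replace", "remove"):
            problems.append(f"op {i}: operation must be add, replace or remove")
            continue
        if kind == "remove" and not op.get("path"):
            problems.append(f"op {i}: path is required for remove")
        if kind != "remove" and "value" not in op:
            problems.append(f"op {i}: value is required for {kind}")
        for attr in _targets(op):
            seen[attr] = seen.get(attr, 0) + 1
            value = op.get("value")
            if attr not in ALLOWED:
                problems.append(f"op {i}: {attr} cannot be modified")
            elif kind == "remove" and attr in ONE_OP_ONLY:
                problems.append(f"op {i}: remove is not supported for {attr}")
            elif attr in SINGLE_VALUED and isinstance(value, list) and len(value) > 1:
                problems.append(f"op {i}: only one value is permitted for {attr}")
    problems += [f"multiple operations on {a}" for a in ONE_OP_ONLY if seen.get(a, 0) > 1]
    return problems

# Constructed sample: a deprovisioning request that stays within the constraints.
DISABLE_USER = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                "Operations": [{"op": "replace", "path": "active", "value": False}]}
if __name__ == "__main__":
    print(check_patch(DISABLE_USER) or "no violations")
```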
Errors
The following AWS SSO SCIM implementation errors are common for this API operation.
Error Condition
UnauthorizedException Authorization header is invalid or missing. This error also occurs if the tenant ID is incorrect.
AccessDeniedException Operation is not permitted based on the supplied authorization.
ThrottlingException Too many requests were made that exceed the limits.
ValidationException Request cannot be parsed, is syntactically incorrect, or violates schema. This error also occurs if the operation is unsupported.
ConflictException User already exists.
InternalServerException Service failed to process the request.
Examples
Following are example requests and responses for this API operation.
Example Request
PATCH https://scim.us-east-1.amazonaws.com/{tenant_id}/scim/v2/Users/9067729b3d-94f1e0b3-c394-48d5-8ab1-2c122a167074
User-Agent: Mozilla/5.0
Authorization: Bearer <bearer_token>
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
Date: Tue, 31 Mar 2020 02:36:15 GMT
Content-Type: application/json
x-amzn-RequestId: abbf9e53-9ecc-46d2-8efe-104a66ff128f
{
"id": "9067729b3d-94f1e0b3-c394-48d5-8ab1-2c122a167074",
"externalId": "701984",
"meta": {
"resourceType": "User",
"created": "2020-03-31T02:36:15Z", "lastModified": "2020-04-03T06:02:47Z"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"userName": "bjensen", "name": {
"displayName": "Babs Jensen", "nickName": "Bas",
"title": "Tour Guide", "userType": "Employee", "preferredLanguage": "en-US", "locale": "en-US",
"timezone": "America/Los_Angeles", "active": false,
"postalCode": "91608", "country": "USA", "type": "work", "primary": true }
],
"phoneNumbers": [ {
"value": "555-555-5555", "type": "work"
} ],
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { "employeeNumber": "701984",
"costCenter": "4130",
"organization": "Universal Studios", "division": "Theme Park",
"department": "Tour Operations", "manager": {
"value": "9067729b3d-ee533c18-538a-4cd3-a572-63fb863ed734"
} } }
CreateGroup
Groups can be created through a POST request to the /Groups endpoint with the body containing the information of the group.
Not supported
The AWS SSO SCIM implementation does not support the following aspects of this API operation.
• None
Constraints
The AWS SSO SCIM implementation has the following constraints for this API operation.
• displayName is required.
• A maximum of 100 members can be added in a single request.
Errors
The following AWS SSO SCIM implementation errors are common for this API operation.
Error Condition
UnauthorizedException Authorization header is invalid or missing. This error also occurs if the tenant ID is incorrect.
AccessDeniedException Operation is not permitted based on the supplied authorization.
ThrottlingException Too many requests were made that exceed the limits.
ValidationException Request cannot be parsed, is syntactically incorrect, or violates schema. This error also occurs if the operation is unsupported.
ConflictException Group already exists.
InternalServerException Service failed to process the request.
Examples
Following are example requests and responses for this API operation.
Example Request
POST https://scim.us-east-1.amazonaws.com/{tenant_id}/scim/v2/Groups
User-Agent: Mozilla/5.0
Authorization: Bearer <bearer_token>
{
"displayName": "Group Bar",
"members": [
{
"value": "9067729b3d-94f1e0b3-c394-48d5-8ab1-2c122a167074",
"$ref": "../Users/9067729b3d-94f1e0b3-c394-48d5-8ab1-2c122a167074",
"type": "User"
}
]
}
Example Response
HTTP/1.1 201
Date: Mon, 06 Apr 2020 16:48:19 GMT
Content-Type: application/json
x-amzn-RequestId: abbf9e53-9ecc-46d2-8efe-104a66ff128f
{
"id": "9067729b3d-a2cfc8a5-f4ab-4443-9d7d-b32a9013c554",
"meta": {
"resourceType": "Group",
"created": "2020-04-06T16:48:19Z",
"lastModified": "2020-04-06T16:48:19Z"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
],
"displayName": "Group Bar"
}
GetGroup
Information about an existing group can be retrieved by making a request to the /Groups endpoint with the group ID.
Not supported
The AWS SSO SCIM implementation does not support the following aspects of this API operation.
• None
Constraints
The AWS SSO SCIM implementation has the following constraints for this API operation.
• None
Errors
The following AWS SSO SCIM implementation errors are common for this API operation.
Error Condition
UnauthorizedException Authorization header is invalid or missing. This error also occurs if the tenant ID is incorrect.
AccessDeniedException Operation is not permitted based on the supplied authorization.
ThrottlingException Too many requests were made that exceed the limits.
ResourceNotFoundException Specified group does not exist.
InternalServerException Service failed to process the request.
Examples
Following are example requests and responses for this API operation.
Example Request
GET https://scim.us-east-1.amazonaws.com/{tenant_id}/scim/v2/Groups/9067729b3d-a2cfc8a5-f4ab-4443-9d7d-b32a9013c554
User-Agent: Mozilla/5.0
Authorization: Bearer <bearer_token>
Example Response
HTTP/1.1 200
Date: Mon, 06 Apr 2020 17:16:53 GMT
Content-Type: application/json
x-amzn-RequestId: abbf9e53-9ecc-46d2-8efe-104a66ff128f
{
"id": "9067729b3d-a2cfc8a5-f4ab-4443-9d7d-b32a9013c554",
"meta": {
"resourceType": "Group",
"created": "2020-04-06T16:48:19Z",
"lastModified": "2020-04-06T16:48:19Z"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:Group"
],
"displayName": "Group Bar"
}
ListGroups
You can use the /Groups endpoint to filter queries on a list of existing groups by making a GET request with additional filter information. Only a maximum of 50 results can be returned. See the Constraints section for a list of available filters.
Not supported
The AWS SSO SCIM implementation does not support the following aspects of this API operation.
• GetGroup and ListGroup return an empty member list. To see group info for a certain member, call ListGroup with a member filter. (See the examples that follow.)
Constraints
The AWS SSO SCIM implementation has the following constraints for this API operation.
• At this time, the ListGroups API is only capable of returning up to 50 results.
• Supported filter combinations: (displayName), (id and member), (member and id). Note that the use of id as an individual filter, while valid, should be avoided as there is already a getGroup endpoint available.
• Supported comparison operator in filters: eq
• Filter must be specified as: <filterAttribute> eq "<filterValue>"
Errors
The following AWS SSO SCIM implementation errors are common for this API operation.
Error Condition
UnauthorizedException Authorization header is invalid or missing. This error also occurs if the tenant ID is incorrect.
AccessDeniedException Operation is not permitted based on the supplied authorization.
ThrottlingException Too many requests were made that exceed the limits.
ResourceNotFound When filter querying with a nonexisting member.
ValidationException Request cannot be parsed, is syntactically incorrect, or violates schema. This error also occurs if the operation is unsupported.
InternalServerException Service failed to process the request.
Examples
Following are example requests and responses for this API operation.
Example Request
Date: Thu, 23 Jul 2020 00:37:15 GMT
Content-Type: application/json
"urn:ietf:params:scim:api:messages:2.0:ListResponse"
],
"Resources": [ {
"id": "90677c608a-ef9cb2da-d480-422b-9901-451b1bf9e607", "meta": {
"id": "90677c608a-95aca21b-4bb7-4161-94cb-d885e2920414", "meta": {