SCIM implementation checklist

Use this checklist when you are building or validating a SCIM 2.0 integration. It focuses on the issues that usually decide whether provisioning works reliably in production: discovery endpoints, identifiers, PATCH behavior, filtering, pagination, group membership, and error handling.

Discovery and compatibility

  • Publish /ServiceProviderConfig so clients can discover supported features.
  • Publish /ResourceTypes and /Schemas with the user, group, and extension schemas your server supports.
  • Confirm whether PATCH, bulk, filtering, sorting, ETags, and password changes are supported.
  • Test discovery responses in the SCIM Playground.

Users

  • Support POST /Users for creating users from an identity provider.
  • Support GET /Users/{id} and GET /Users?filter=... for lookup flows.
  • Support PATCH /Users/{id} for profile updates and activation changes.
  • Decide how userName, externalId, and email addresses map to your application user model.
  • Handle duplicate users and missing required attributes with clear SCIM error responses.

Groups

  • Support POST /Groups and PATCH /Groups/{id} if your customers need group push.
  • Treat group membership changes as repeatable operations because identity providers may retry requests.
  • Verify that removing a user from a group does not delete the user account unless that is intentional.
  • Test membership changes with the Groups endpoint.

Filtering and pagination

  • Implement common filters such as userName eq "..." and externalId eq "...".
  • Return stable startIndex, itemsPerPage, totalResults, and Resources values.
  • Test empty result sets, exact matches, and paginated lists.
  • Use the .search playground for examples.

Security and operations

  • Require HTTPS and bearer-token authentication.
  • Scope tokens to the tenant or customer environment they belong to.
  • Log SCIM requests with enough detail to debug provisioning issues safely.
  • Avoid logging bearer tokens or sensitive profile values.
  • Provide a way to rotate credentials before launch.
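
The two logging items above, as an added example (not part of the original checklist or of any particular SCIM server): a Python helper that builds a log-safe record of one SCIM request. The header and attribute lists, the function names, and the sample request are assumptions chosen for illustration.

```python
import json

# Assumed policy for this example; adjust to your own data classification.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}
SENSITIVE_ATTRS = {"password", "emails", "phonenumbers", "addresses", "name"}
MASK = "[REDACTED]"

def attr_root(path):
    """Leading attribute of a SCIM path, e.g. 'emails[type eq "work"].value' -> 'emails'."""
    path = path.split("[", 1)[0].rsplit(":", 1)[-1]  # drop value filter, then URN prefix
    return path.split(".", 1)[0].strip().lower()

def mask(value):
    """Recursively mask sensitive attributes; SCIM attribute names are case-insensitive."""
    if isinstance(value, dict):
        return {k: MASK if k.lower() in SENSITIVE_ATTRS else mask(v) for k, v in value.items()}
    if isinstance(value, list):
        return [mask(v) for v in value]
    return value

def mask_op(op):
    """PatchOp entry: when 'path' targets a sensitive attribute, hide its 'value' too."""
    path = op.get("path") if isinstance(op, dict) else None
    if not isinstance(path, str) or attr_root(path) not in SENSITIVE_ATTRS:
        return op
    # Keep only the attribute root: a path filter can embed the value itself.
    return {k: attr_root(path) if k == "path" else MASK if k == "value" else v
            for k, v in op.items()}

def redact_scim_request(method, url, headers, body):
    """Return a log-safe dict for one SCIM request; body is raw JSON text or ''."""
    safe_headers = {k: MASK if k.lower() in SENSITIVE_HEADERS else v for k, v in headers.items()}
    # Drop the query string: filter= values can carry identifiers such as e-mail addresses.
    record = {"method": method, "path": url.split("?", 1)[0], "headers": safe_headers}
    try:
        doc = json.loads(body) if body else None
    except ValueError:
        doc = "[unparseable body, %d bytes]" % len(body)  # never log it raw
    if isinstance(doc, dict) and isinstance(doc.get("Operations"), list):
        doc = dict(doc, Operations=[mask_op(o) for o in doc["Operations"]])
    record["body"] = mask(doc)
    return record

# Constructed sample request (not captured traffic).
SAMPLE = redact_scim_request(
    "PATCH", "/scim/v2/Users/2819c223?attributes=emails",
    {"Authorization": "Bearer constructed-token", "Content-Type": "application/scim+json"},
    '{"Operations":[{"op":"replace","path":"emails[type eq \\"work\\"].value","value":"a@example.test"},'
    '{"op":"replace","value":{"active":false,"password":"constructed"}}]}')
```

The record keeps the method, resource path, operation names, and non-sensitive attributes such as active, which is usually enough to trace a provisioning failure.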

Launch validation

Before going live, connect your identity provider to a test environment and run these flows end to end:

  1. Import or test connection from the identity provider.
  2. Create a user.
  3. Update a user profile attribute.
  4. Disable or deprovision a user.
  5. Create a group.
  6. Add and remove users from the group.
  7. Retry failed requests and confirm idempotent behavior.
  8. Review logs and error responses.

You can run these checks against the hosted SCIM test server before applying the same cases to your own implementation.