This article describes how to use Cato's SCIM API for user and user group provisioning with an identity provider (IdP).
For more information about custom SCIM apps in the IdP tenant, see Creating a Custom SCIM App for an IdP.
To use a custom SCIM app to provision users and user groups to your Cato account, create the app in the Cato Management Application (CMA). In addition, you need to map the Cato SCIM attributes to the attributes for your IdP.
To use the SCIM API, you must first create a custom SCIM app in the CMA. This app allows you to integrate your identity provider (IdP) with the Cato platform.
To create a custom SCIM app in the CMA:
-
From the navigation menu, select Access > Directory Services.
-
Under the SCIM tab, click New.
- Enter a name for the app.
- Under Provider, select Custom.
- Click Generate Token and copy the value; it will not be available after you save and you'll need to create a new token.
-
Click Save.
-
When calling the SCIM API endpoints described below, you'll need the following values to authenticate:
-
SCIM Base URL: Used as the base path for API requests
-
Bearer Token: Used for authenticating API requests
-
These are the SCIM attributes for Cato users and user groups that you need to map to the corresponding IdP attributes.
|
Cato User Attribute |
Description |
|---|---|
|
userName |
User name for authentication |
|
user.firstName |
First name of user |
|
user.lastName |
Last name of user |
|
user.email |
Email address |
|
user.displayName |
Display name for user |
|
phoneNumbers[type eq "work"].value |
Work phone number for the user (including prefix) |
|
externalId |
ID for user (used in events) |
|
Cato User Group Attribute |
Description |
|---|---|
|
active |
User is assigned and active in the SCIM app |
|
displayName |
Name of user group |
|
members |
Users who belong to the user group |
|
externalId |
ID for user group (used in events) |
Clients authenticate to the SCIM API using bearer token authentication, as defined by RFC 6750. All API requests must include the following HTTP headers:
Authorization: Bearer <access_token> Content-Type: application/json
You can obtain the access token from the Cato Management Application.
All SCIM API endpoints use the following base path:
/scim/v2/{accountId}/{sourceId}
Path Parameters:
-
accountId(string): Unique identifier of your Cato tenant account -
sourceId(integer): An identifier assigned by Cato to uniquely represent a specific IdP integration
These parameters are required in all requests but are omitted from individual endpoint paths in this article for brevity.
This section describes how to create, update, delete, and retrieve SCIM user entities using the Cato SCIM API.
HTTP Method: POST /Users
Required Fields:
-
userName(string): Unique username (e.g., email address) -
externalId(string): External identifier from the IdP -
active(boolean): Must betrueto activate the user
Note: id is returned by the SCIM service and must be used in subsequent API calls. externalId is optional and cannot be used in API paths.
Response:
-
Status:
201 Created
Errors:
-
400 Bad Request: Invalid schema -
401 Unauthorized -
409 Conflict: DuplicateuserNameorexternalId
HTTP Method: PUT /Users/{id}
Required Field:
-
id: Internal SCIM ID from Cato
Response:
-
Status:
200 OK
Errors:
-
401 Unauthorized -
404 Not Found -
409 Conflict: DuplicateuserNameorexternalId
HTTP Method:DELETE /Users/{id}
Response:
-
Status:
204 No Content
This is a soft delete. The user remains in the system but is not returned in searches.
HTTP Method:GET /Users/{id}
Response:
-
Status:
200 OK
Errors:
-
401 Unauthorized -
404 Not Found
HTTP Method:GET /Users
Query Parameters:
-
filter: Query to filter users (e.g.,userName eq "user@domain.com") -
count(optional) -
startIndex(optional)
Supported Filters:
-
Only
eqis supported -
Supported attributes:
userName,email,givenName,familyName -
Compound filters are supported only in this format:
filter=emails[type eq "work"] and email eq "bob@cato.com"
Response:
-
Status:
200 OK
Errors:
-
401 Unauthorized
This section explains how to use the SCIM API to create, update, delete, and retrieve group entities in your Cato environment.
HTTP Method:POST /Groups
Response:
-
Status:
201 Created
Errors:
-
401 Unauthorized -
409 Conflict: DuplicatedisplayNameor object ID
HTTP Method:PUT /Groups/{id}
Response:
-
Status:
200 OK
Errors:
-
401 Unauthorized -
404 Not Found -
409 Conflict
HTTP Method:DELETE /Groups/{id}
Response:
-
Status:
204 No Content
Note
Important: This is a hard delete. The group is permanently removed.
HTTP Method:GET /Groups/{id}
Optional Query Parameters:
-
excludeAttributes(e.g.,members)
Response:
-
Status:
200 OK
Errors:
-
401 Unauthorized -
404 Not Found
-
The
idfield is optional in user and group creation requests. -
If omitted, the SCIM service generates a unique
id. -
Always use the returned
idvalue in subsequent API calls.
Note
Important: Avoid using client-generated IDs unless required. The SCIM id is the authoritative identifier.
0 comments
Please sign in to leave a comment.