Getting Started With SCIM Auto User Provisioning

---

The SCIM specification is designed to make managing user identities easier. SCIM allows your Identity Provider (IdP) to manage users within your LambdaTest workspace

SSO must be integrated before enabling SCIM. Please see Getting Started With Single Sign On (SSO) or support@lambdatest.com for questions.

Benefits Of SCIM

---

Here are the following benefits of integrating SCIM with LambdaTest

• Efficiency and Automation: SCIM automates the process of user identity management, making it more efficient and less error-prone. It enables automatic provisioning and de-provisioning of user accounts, reducing manual administrative tasks and associated errors.

• Consistency:: SCIM ensures that user data is consistent across different systems and services. When a user's attributes (like role) are updated in the identity provider, SCIM can be used to propagate those changes to all connected service providers, maintaining accurate and up-to-date information.

• Security and Access Control:: By centralizing identity management through SCIM, organizations can better enforce access control policies and ensure that users have appropriate access rights to the resources they need. This can help mitigate security risks associated with improper access permissions.

Feature Of SCIM

---

LambdaTest provides the support for the below SCIM features.

• User Provisioning and De-provisioning: SCIM facilitates the automatic provisioning and de-provisioning of user accounts across different systems and services. When a user is added or removed from the identity provider, SCIM can be used to propagate these changes to your LambdaTest account.

• Updating User Attributes: Using SCIM you can update user attribute such as Organization Role directly from your Identity Provider.

Enable LambdaTest SCIM

---

Copy SCIM Base URL and Bearer Token (Auth Header Required by IdP)

Step 1: Sign in to your LambdaTest account. Don't have an account, register for free.

Step 2: Head to Settings and select Organization Settings from the dropdown.

Step 3: Head to the Security tab and click and copy the SCIM Base URL and Bearer Token option.

SCIM User Attributes

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User"
    ],
    "userName": "tester@test.com",
    "active": true,
    "name": {
        "formatted": "givenName familyName",
        "familyName": "familyName",
        "givenName": "givenName"
    },
  "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User": {
    "OrganizationRole" : "User"
  }
}

schemas(required): An array of schema URNs (Uniform Resource Names) that define the structure and attributes of the user object. In this case, the JSON conforms to the SCIM (System for Cross-domain Identity Management) schema for users, including an extension schema for enterprise-specific attributes.

id Unique Identifier assigned to provisioned users by LambdaTest

userName(required): The username associated with the user (Must be Email)

active(required): A boolean indicating whether the user's account is active or not.

name(required) An object containing the user's name information. The formatted property provides the full name, while familyName and givenName represent the family and given names respectively.

urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User:This extension schema is used to add custom attributes or properties to the user object that are not part of the standard SCIM (System for Cross-domain Identity Management) core schema. Here you can set OrganizationRole which can have either of (Admin/User/Guest) values. If this attribute is not passed OrganizationRole is set to User by default

Creating Users

If the user you want to add does not have a LambdaTest account, user will be created. If the user has an existing account with LambdaTest and is part of another organization then the user won't be auto provisioned, and you will need to add the user to your organization via team invite

Updating User Attributes

Only Organization Role can be updated for users, userName(email) can't be updated once user is created and Name can only be updated from LambdaTest Account Settings page

Deleting or Deactivating users

User accounts can only be deactivated (active:false) via PUT/PATCH or DELETE User requests, For permanently deleting account users need to request account deletion from LambdaTest Account Settings page

User Operations

Create User

Request

POST https://auth.lambdatest.com/api/scim/Users

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User"
  ],
  "userName": "tester@test.com",
  "active": true,
  "name": {
    "formatted": "givenName familyName",
    "familyName": "familyName",
    "givenName": "givenName"
  },
  "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User": {
    "OrganizationRole" : "User"
  }
}

Response

HTTP/1.1 201 Created

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User"
  ],
  "id": "23123",
  "userName": "tester@test.com",
  "active": true,
  "name": {
    "formatted": "givenName familyName",
    "familyName": "familyName",
    "givenName": "givenName"
  },
  "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User": {
    "OrganizationRole" : "User"
  }
}

GET Users

Request

GET https://auth.lambdatest.com/api/scim/USERS

Response

HTTP/1.1 200 OK

{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User"
      ],
      "id": "23123",
      "userName": "tester@test.com",
      "active": true,
      "name": {
        "formatted": "givenName familyName",
        "familyName": "familyName",
        "givenName": "givenName"
      },
      "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User": {
        "OrganizationRole" : "User"
      }
    }],
    "startIndex": 1,
    "itemsPerPage": 20
}

Response - Zero Results

HTTP/1.1 200 OK

{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 0,
    "Resources": [],
    "startIndex": 1,
    "itemsPerPage": 20
}

GET Users by query

Request

You can only filter users using email in the following format

GET https://auth.lambdatest.com/api/scim/Users?filter=userName eq "tester@test.com"

Response

{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User"
      ],
      "id": "23123",
      "userName": "tester@test.com",
      "active": true,
      "name": {
        "formatted": "givenName familyName",
        "familyName": "familyName",
        "givenName": "givenName"
      },
      "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User": {
        "OrganizationRole" : "User"
      }
    }],
    "startIndex": 1,
    "itemsPerPage": 20
}

Response Zero results

HTTP/1.1 200 OK

{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 0,
    "Resources": [],
    "startIndex": 1,
    "itemsPerPage": 20
}

Response User is part of a different org

HTTP/1.1 400 Bad Request

GET User by id

Request

GET https://auth.lambdatest.com/api/scim/Users/id

Response

HTTP/1.1 200 OK

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User"
  ],
  "id": "23123",
  "userName": "tester@test.com",
  "active": true,
  "name": {
    "formatted": "givenName familyName",
    "familyName": "familyName",
    "givenName": "givenName"
  },
  "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User": {
    "OrganizationRole" : "User"
  }
}

Response User not found

HTTP/1.1 404 Not Found

Response User is part of a different org

HTTP/1.1 400 Bad Request

Update a specific User (PUT)

Only OrganizationRole or Active Fields can be updated

Request

PUT https://auth.lambdatest.com/api/scim/Users/id HTTP/1.1

{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User": {
    "OrganizationRole" : "User"
  },
  "active": true
}

Response

HTTP/1.1 200 OK

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User"
  ],
  "id": "23123",
  "userName": "tester@test.com",
  "active": true,
  "name": {
    "formatted": "givenName familyName",
    "familyName": "familyName",
    "givenName": "givenName"
  },
  "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User": {
    "OrganizationRole" : "User"
  }
}

Response User not found

HTTP/1.1 404 Not Found

Response User is part of a different org

HTTP/1.1 400 Bad Request

Update a specific User (PATCH)

Only OrganizationRole or Active Fields can be updated

Request

PATCH https://auth.lambdatest.com/api/scim/Users/id HTTP/1.1

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "Replace",
      "path": "active",
      "value": false
    },
    {
      "op": "Replace",
      "path": "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User:OrganizationRole",
      "value": "User"
    }
  ]
}

Response

HTTP/1.1 200 OK

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User"
  ],
  "id": "23123",
  "userName": "tester@test.com",
  "active": false,
  "name": {
    "formatted": "givenName familyName",
    "familyName": "familyName",
    "givenName": "givenName"
  },
  "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User": {
    "OrganizationRole" : "User"
  }
}

Response User not found

HTTP/1.1 404 Not Found

Response User is part of a different org

HTTP/1.1 400 Bad Request

Disable a specific User (PATCH)

Only OrganizationRole or Active Fields can be updated

Request

PATCH https://auth.lambdatest.com/api/scim/Users/id HTTP/1.1

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "Replace",
      "path": "active",
      "value": false
    }
  ]
}

Response

HTTP/1.1 200 OK

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User"
  ],
  "id": "23123",
  "userName": "tester@test.com",
  "active": false,
  "name": {
    "formatted": "givenName familyName",
    "familyName": "familyName",
    "givenName": "givenName"
  },
  "urn:ietf:params:scim:schemas:extension:LambdaTest:2.0:User": {
    "OrganizationRole" : "User"
  }
}

Response User not found

HTTP/1.1 404 Not Found

Response User is part of a different org

HTTP/1.1 400 Bad Request

Delete User

Note: Delete User Request only sets user account to inactive

Request

DELETE https://auth.lambdatest.com/api/scim/Users/id HTTP/1.1

Response

HTTP/1.1 204 No Content

Response User not found

HTTP/1.1 404 Not Found

Response User is part of a different org

HTTP/1.1 400 Bad Request

See Limitations

The following is the list of LambdaTest SCIM limitations

• Users existing in another organizations won't be auto provisioned
• Delete User Request only sets user account to inactive

That's all you need to know about Single sign-on(SSO) authentication feature.In case you have any questions please feel free to reach out to us via the 24/7 chat support or email us over support@lambdatest.com.