Applies to Free

Applies to Basic

Applies to Business

(Admin only) SCIM is an open API for managing identities between systems, primarily designed around the need to syndicate information between cloud services. In Stack Overflow Business, SCIM 2.0 support allows an Identity Provider to update the application with user activation status. A setting also allows a user's Admin status to be set via SCIM 2.0. Unlike SAML 2.0, whose assertions are delivered to Stack Overflow Business at user logon, SCIM 2.0 sends requests as events occur on the Identity Provider. This gives near-real-time updates to user status in the application when a change is made.

Supported activities

The SCIM 2.0 integration supports the following activities for users that have already been created in Stack Overflow Business:

  • Deactivate a user

  • Reactivate a deactivated user

  • Optionally promote or demote a user to or from Admin

SCIM 2.0 support does not allow users to be created. Users must still log on to Stack Overflow Business with a valid assertion from their Identity Provider to create an account. That is, Stack Overflow Business relies on Just In Time provisioning when a user presents a valid identity assertion, and does not support user creation over SCIM 2.0.

Enabling SCIM 2.0 support does not disable user management options within Stack Overflow Business. That is, a user may be active in the Identity Provider, yet disabled in Stack Overflow Business through the user management UI.

Setting up SCIM 2.0 support on Stack Overflow for Teams

Navigate to Settings -> Access -> SCIM Integration, where you will see three options:

  • Enable SCIM: Determines whether or not the SCIM 2.0 API is active. This must be set to True to enable SCIM 2.0 support.

  • Generate a SCIM authorization token: The shared secret needed to configure an Identity Provider for SCIM 2.0 integration. Treat this like a password. If lost, a new token must be generated and configured in your Identity Provider.

  • Allow SCIM to manage user roles: Determines whether or not the ability to promote/demote users to/from Admin is enabled.

Once these settings are configured, the rest of the work is done at the Identity Provider.

Configuring the Identity Provider

The following are general instructions for SCIM 2.0 compliant systems. If you are using one of the following Identity Providers, please follow the links for detailed configuration information.

The Identity Provider must send SCIM 2.0 requests to /c/{your_site}/auth/scim/v2. In addition, the following values must be sent as part of the user resource to correctly map the user and set their status:

  • userName: The User ID (must match the Display Name Assertion provided in /admin/access/authentication).

  • active: true/false. Determines whether the user should be deactivated or reactivated in Stack Overflow Business.

  • Required fields for SCIM 2.0 (these are commonly mapped for you by your Identity Provider; usually no action is needed on your part): name.givenName, name.familyName, emails

  • userType (optional): Requires Allow SCIM to manage user roles to be checked on the SCIM Integration settings page on Stack Overflow Business. Takes values of either Registered or Admin. If set to Admin, the user is promoted to an Admin. If set to any other value (such as Registered), the user is demoted from Admin.
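
As an added example (not Stack Overflow's own code), the Python below checks a user resource against the fields listed above before an Identity Provider mapping goes live, and reports what the request would do to the account. The function name, the sample user, and the rule that active must be a JSON boolean (taken from RFC 7643) are assumptions of this example.

```python
# Added example: pre-flight check of a SCIM 2.0 User resource against the
# field requirements listed on this page. All sample data is constructed.
CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643


def check_user_resource(resource, manage_roles_enabled):
    """Return (problems, effects) for one SCIM User resource (hypothetical helper)."""
    problems, effects = [], []

    if not resource.get("userName"):
        problems.append("userName missing: user cannot be mapped")

    active = resource.get("active")
    if isinstance(active, bool):
        effects.append("reactivate" if active else "deactivate")
    else:
        # Assumption: RFC 7643 types active as boolean, so strings are flagged.
        problems.append("active must be a JSON boolean")

    name = resource.get("name") or {}
    for part in ("givenName", "familyName"):
        if not name.get(part):
            problems.append(f"name.{part} missing")
    if not resource.get("emails"):
        problems.append("emails missing")

    if "userType" in resource:
        if not manage_roles_enabled:
            problems.append("userType needs 'Allow SCIM to manage user roles'")
        elif resource["userType"] == "Admin":
            effects.append("promote to Admin")
        else:
            # Per this page, any value other than Admin demotes the user.
            effects.append("demote from Admin")
    return problems, effects


# Constructed sample: an IdP mapping that fills userType with its own label.
SAMPLE = {
    "schemas": [CORE_USER_SCHEMA],
    "userName": "jdoe@example.com",
    "active": False,
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jdoe@example.com", "primary": True}],
    "userType": "Employee",  # not "Admin", so this demotes
}

if __name__ == "__main__":
    print(check_user_resource(SAMPLE, manage_roles_enabled=True))
```

With role management enabled, an Identity Provider that populates userType with its own labels (such as the constructed "Employee" value) demotes every Admin it syncs, so review that mapping before checking the setting.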
