SCIM Provisioning API
This documentation is to support our existing identity provider integrations
The following endpoints are not meant for self-serve use. See here for our supported identity provider integrations.
Overview
Twingate supports automatic user provisioning via SCIM 2.0. This allows seamless integration with your organization’s existing identity provider solution.
SCIM configuration
Endpoints
The base URL for SCIM endpoints is https://{network}.twingate.com/api/scim/v2/ where {network} is your Twingate network name. For example, if your network name is autoco, the base URL for your SCIM endpoints is https://autoco.twingate.com/api/scim/v2/ (v2 designates that we support SCIM version 2.0).
Authorization
A long-lived bearer token is required to access any SCIM endpoints. The token must be included in the Authorization header with a Bearer type. For example:
```
GET /Users?count=100
Host: twingate.com
Accept: application/scim+json
Authorization: Bearer h480dj...s93hd8
```

This token can be created and replaced in the Twingate Admin console. Only the most recently generated token is valid at any point in time.
Users
Attributes
| Twingate User | SCIM Attribute | Required? | Unique? | Attribute Type |
|---|---|---|---|---|
| Twingate ID | id | True | True | Singular |
| Origin ID | externalId | True | True | Singular |
| Email | emails[primary eq true] | False | False | Multi-valued |
| First name | name.givenName | False | False | Singular |
| Last name | name.lastName | False | False | Singular |
| Active | active | False | False | Singular |
| Username | userName | True | True | Singular |
- Twingate only stores one email value from the SCIM `emails` attribute's multi-values. We look for the email with `primary=true` or `type="work"`.
Operations
- `GET /Users` - to search and filter users. Pagination is supported.
- `POST /Users` - to create a new user.
- Operations on a single user. The `{id}` is the Twingate user ID that is returned in the SCIM `id` field of a user response.
  - `GET /Users/{id}` - to retrieve a single user.
  - `PUT /Users/{id}` - to replace a single user.
  - `PATCH /Users/{id}` - to modify a single user.
  - `DELETE /Users/{id}` - to delete a single user. This deletes the user in Twingate.
Groups
Attributes
| Twingate Group | SCIM Attribute | Required? | Unique? | Attribute Type |
|---|---|---|---|---|
| Group name | displayName | True | False | Singular |
| Members | members | False | False | Multi-valued |
| Twingate ID | id | True | True | Singular |
Operations
- `GET /Groups` - to search and filter groups. Pagination is supported.
- `POST /Groups` - to create a new group.
- Operations on a single group. The `{id}` is the Twingate group ID that is returned in the SCIM `id` field of a group response.
  - `GET /Groups/{group-id}` - to retrieve a single group.
  - `PUT /Groups/{group-id}` - to replace a single group.
  - `PATCH /Groups/{group-id}` - to modify a single group.
  - `DELETE /Groups/{group-id}` - to delete a single group. This deletes the group in Twingate.
Service Provider Configuration
Coming soon
Miscellaneous
- SCIM endpoints support both `application/scim+json` (as specified in RFC-7644 section 8.1) and `application/json` content types.
- Error status and responses are formatted following RFC-7644 section 3.12.
- Requests are rate-limited to 25 requests per second per Twingate account.
Limitations
Twingate currently doesn’t support the following endpoints and operations:
- `/.search` endpoint for querying resources using `POST` (RFC-7644 section 3.4.3)
- `/Bulk` endpoint for bulk operations (RFC-7644 section 3.7)
- `/Me` endpoint (RFC-7644 section 3.11)
- Sorting for filtering queries as specified in RFC-7644 section 3.4.2.3 is not supported.
- `attributes` and `excludedAttributes` query params as specified in RFC-7644 section 3.4.2.5 and section 3.9 are not supported.
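The following Python example is added here and is not Twingate's own code. It pages through `GET /Users` with the bearer token while pacing requests under the 25 requests per second limit, then reports active Twingate users whose `externalId` is missing from an identity-provider export (a deprovisioning check). The `startIndex`, `totalResults` and `Resources` names come from RFC 7644 section 3.4.2.4 rather than this page; the function names and the network-name pattern are assumptions.

```python
import json
import re
import time
import urllib.request
from urllib.parse import urlencode

RATE_LIMIT_PER_SEC = 25  # documented limit per Twingate account


def base_url(network):
    # Assumed pattern: letters, digits, hyphens. Anything else is rejected so
    # a crafted value cannot send the bearer token to another host.
    if not re.fullmatch(r"[A-Za-z0-9-]+", network):
        raise ValueError("unexpected network name")
    return f"https://{network}.twingate.com/api/scim/v2/"


def http_get(url, token):
    """Real transport: one authenticated GET, response parsed as JSON."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/scim+json",
        "Authorization": f"Bearer {token}",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def list_users(network, token, get=http_get, page_size=100, sleep=time.sleep):
    """Fetch all users page by page (startIndex is 1-based in RFC 7644)."""
    users, start = [], 1
    while True:
        query = urlencode({"startIndex": start, "count": page_size})
        page = get(base_url(network) + "Users?" + query, token)
        resources = page.get("Resources", [])
        users.extend(resources)
        start += len(resources)
        if not resources or start > page.get("totalResults", 0):
            return users
        sleep(1 / RATE_LIMIT_PER_SEC)  # pace requests under the limit


def orphaned_active_users(users, idp_external_ids):
    """userName of each active user whose externalId the IdP export lacks."""
    return [u["userName"] for u in users
            if u.get("active", True)
            and u.get("externalId") not in idp_external_ids]
```

Because only the most recently generated token is valid, regenerating the token in the Admin console invalidates any copy a script like this holds.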
Last updated 2 years ago