SCIM Provisioning API

Overview

Twingate supports automatic user provisioning via SCIM 2.0. This allows seamless integration with your organization’s existing identity provider solution.

SCIM configuration

Endpoints

The base URL for SCIM endpoints is https://{network}.twingate.com/api/scim/v2/ where {network} is your Twingate network name. For example, if your network name is autoco, the base URL for your SCIM endpoints is https://autoco.twingate.com/api/scim/v2/ (v2 designates that we support SCIM version 2.0).

Authorization

A long-lived bearer token is required to access any SCIM endpoints. The token must be included in the Authorization header with a Bearer type. For example:

GET /Users?count=100
Host: twingate.com
Accept: application/scim+json
Authorization: Bearer h480dj...s93hd8

This token can be created and replaced in the Twingate Admin console. Only the most recently generated token is valid at any point of time.

Users

Attributes

Twingate UserSCIM AttributeRequired?Unique?Attribute Type
Twingate IDidTrueTrueSingular
Origin IDexternalIdTrueTrueSingular
Emailemails[primary eq true]FalseFalseMulti-valued
First namename.givenNameFalseFalseSingular
Last namename.lastNameFalseFalseSingular
ActiveactiveFalseFalseSingular
UsernameuserNameTrueTrueSingular
  • Twingate only stores one email value from the SCIM emails attribute’s multi-values. We looks for the email with primary=true or type="work".

Operations

  • GET /Users - to search and filter users. Pagination is supported.
  • POST /Users - to create a new user.
  • Operations on a single user. The {id} is Twingate user ID that is returned in the SCIM id field of a user response.
    • GET /Users/{id} - to retrieve a single user.
    • PUT /Users/{id} - to replace a single user.
    • PATCH /Users/{id} - to modify a single user.
    • DELETE /Users/{id} - to delete a single user. This deletes the user in Twingate.

Groups

Attributes

Twingate GroupSCIM AttributeRequired?Unique?Attribute Type
Group namedisplayNameTrueFalseSingular
MembersmembersFalseFalseMulti-valued
Twingate IDidTrueTrueSingular

Operations

  • GET /Groups - to search and filter groups. Pagination is supported.
  • POST /Groups - to create a new group.
  • Operations on a single group. The {id} is Twingate group ID that is returned in the SCIM id field of a group response.
    • GET /Groups/{group-id} - to retrieve a single group.
    • PUT /Groups/{group-id} - to replace a single group.
    • PATCH /Groups/{group-id} - to modify a single group.
    • DELETE /Groups/{group-id} - to delete a single group. This deletes the group in Twingate.

Service Provider Configuration

Coming soon

Miscellaneous

  • SCIM endpoints support both application/scim+json (as specified in RFC-7644 section 8.1) and application/json content types.
  • Error status and responses are formatted following RFC-7644 section 3.12.
  • Requests are rate-limited to 25 requests per second per Twingate account.

Limitations

Twingate currently doesn’t support the following endpoints and operations:

Last updated 10 months ago