SCIM 2.0 Provisioning

Connect your identity provider for automated user lifecycle management. Covers users, the Enterprise User extension, groups, and bulk operations.

Overview

The SCIM 2.0 endpoint implements RFC 7644 and is compatible with identity providers including Okta, Microsoft Entra ID (Azure AD), OneLogin, and JumpCloud. Use it to automate user provisioning, deprovisioning, and attribute synchronisation without writing custom integration code.

SCIM base path: https://api.whoot.me/scim/v2 Configure your identity provider to use this URL as the SCIM connector base URL. Set the authentication type to Bearer Token and use an API key with the scim:read and scim:write scopes.

Connecting an Identity Provider

In your dashboard, go to Settings → API Keys and create a new key with the scim:read and scim:write scopes. Copy the key value — it is shown only once.
In your IdP's SCIM provisioning settings, set the Base URL to https://api.whoot.me/scim/v2 and the API Token to the key you just created.
Map IdP attributes to SCIM attributes. whoot. requires userName (must be a valid email address) and at least one of name.formatted or name.givenName + name.familyName. All other attributes are optional.
Trigger a provisioning test in your IdP. A successful response to GET /scim/v2/Users confirms the connection is working.

Users

The /scim/v2/Users resource manages the full user lifecycle: provisioning, profile updates, activation, deactivation, and permanent removal.

List users — GET /scim/v2/Users returns all provisioned users. Supports ?filter=active eq true or ?filter=active eq false to filter by activation status.
Get user — GET /scim/v2/Users/{id} returns a single user by SCIM id.
Create user — POST /scim/v2/Users provisions a new user. userName (email) must be unique within the organisation.
Update user — PATCH /scim/v2/Users/{id} applies one or more patch operations to user attributes.
Deactivate user — Set active: false in a PATCH operation. The user's session is terminated and they cannot sign in.
Delete user — DELETE /scim/v2/Users/{id} permanently removes the provisioned identity.

// POST /scim/v2/Users — provision a new user
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "alice@acme.com",
  "name": {
    "givenName": "Alice",
    "familyName": "Chen"
  },
  "displayName": "Alice Chen",
  "active": true
}

// Response — 201 Created
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "userName": "alice@acme.com",
  "displayName": "Alice Chen",
  "active": true,
  "meta": {
    "resourceType": "User",
    "location": "https://api.whoot.me/scim/v2/Users/a1b2c3d4-e5f6-7890-abcd-ef1234567890"
  }
}

// PATCH /scim/v2/Users/{id} — deactivate a user
{
  "schemas": ["urn:ietf:params:scim:schemas:api:messages:2.0:PatchOp"],
  "Operations": [
    { "op": "replace", "path": "active", "value": false }
  ]
}

Enterprise User Extension

whoot. supports the urn:ietf:params:scim:schemas:extension:enterprise:2.0:User schema extension. Enterprise attributes are stored alongside the SCIM identity and returned in all user responses when present.

department — The user's department within the organisation.
division — The division or business unit.
organization — The organisation name (useful for multi-entity deployments).
costCenter — Cost centre identifier for chargebacks.
employeeNumber — The HR system employee identifier.
manager.value — The SCIM id of the user's manager.

// POST /scim/v2/Users — with Enterprise User extension
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "userName": "bob@acme.com",
  "name": { "givenName": "Bob", "familyName": "Okafor" },
  "active": true,
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "department": "Trading",
    "division": "Equities",
    "employeeNumber": "E-00421",
    "manager": { "value": "a1b2c3d4-e5f6-7890-abcd-ef1234567890" }
  }
}

Groups

SCIM Groups map to whoot. rooms. Creating a group mapping links an IdP group to an existing room by name, enabling your IdP to control room membership automatically as users are assigned or removed from the group in your directory.

List groups — GET /scim/v2/Groups returns all active group-to-room mappings.
Get group — GET /scim/v2/Groups/{id} returns a single mapping including its current members.
Create group — POST /scim/v2/Groups creates a new mapping. The displayName must exactly match an existing room name in your organisation.
Update group — PATCH /scim/v2/Groups/{id} updates the display name, external id, or membership list.
Delete group — DELETE /scim/v2/Groups/{id} removes the mapping. The underlying room is not affected.

// POST /scim/v2/Groups — create a group mapping
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "displayName": "Equities Desk",
  "members": [
    { "value": "a1b2c3d4-e5f6-7890-abcd-ef1234567890" },
    { "value": "b2c3d4e5-f6a7-8901-bcde-f01234567891" }
  ]
}

// Response — 201 Created
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "id": "c3d4e5f6-a7b8-9012-cdef-012345678902",
  "displayName": "Equities Desk",
  "members": [
    { "value": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "display": "Alice Chen" },
    { "value": "b2c3d4e5-f6a7-8901-bcde-f01234567891", "display": "Bob Okafor" }
  ],
  "meta": {
    "resourceType": "Group",
    "location": "https://api.whoot.me/scim/v2/Groups/c3d4e5f6-a7b8-9012-cdef-012345678902"
  }
}

Bulk Operations

POST /scim/v2/Bulk executes multiple SCIM operations in a single request. Operations are processed sequentially in the order they appear. Requires both scim:read and scim:write scopes.

Maximum 50 operations per request.
failOnErrors — Set to an integer N to stop processing after N failures. Omit or set to 0 to attempt all operations regardless of individual failures.
bulkId references — Assign a bulkId to any POST operation and reference the created resource as bulkId:<value> in subsequent operations within the same batch. This lets you provision a user and immediately add them to a group in a single round-trip.

// POST /scim/v2/Bulk — provision a user and add them to a group
{
  "schemas": ["urn:ietf:params:scim:schemas:api:messages:2.0:BulkRequest"],
  "failOnErrors": 1,
  "Operations": [
    {
      "method": "POST",
      "path": "/Users",
      "bulkId": "newuser",
      "data": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "carol@acme.com",
        "name": { "givenName": "Carol", "familyName": "Santos" },
        "active": true
      }
    },
    {
      "method": "PATCH",
      "path": "/Groups/c3d4e5f6-a7b8-9012-cdef-012345678902",
      "data": {
        "schemas": ["urn:ietf:params:scim:schemas:api:messages:2.0:PatchOp"],
        "Operations": [
          {
            "op": "add",
            "path": "members",
            "value": [{ "value": "bulkId:newuser" }]
          }
        ]
      }
    }
  ]
}

bulkId references are resolved after each successful POST. If the preceding POST fails, subsequent operations referencing its bulkId are skipped automatically.

Service Provider Configuration

GET /scim/v2/ServiceProviderConfig returns the SCIM capabilities advertised by the server. Your identity provider typically fetches this automatically during initial setup to discover which features are available.

Patch: supported
Bulk: supported — maximum 50 operations per request
Filter: supported — eq operator on active and userName
ETag: not supported
changePassword: not supported
Sort: not supported