What is SCIM?
SCIM (System for Cross-domain Identity Management) is an open standard that simplifies user management in multi-domain scenarios. It provides a standardized schema and API for creating, reading, updating, and deleting identity data between identity providers and service providers.SCIM Implementation Details
Supported SCIM Version
Paradigm supports SCIM 2.0 (RFC 7642, RFC 7643 and RFC 7644).Tested Identity Providers
Our SCIM implementation has been tested with:- Microsoft Entra ID
Base URL
All SCIM endpoints are accessible via:[paradigm-domain] being the domain name under which is hosted Paradigm. For the Saas platform of LightOn, its value would be https://paradigm.lighton.ai/scim/v2/.
Authentication
To secure the SCIM API, we implemented a token-based authentication using our API key authentication backend. Each request must include an authorization header:Supported Endpoints
Here are the SCIM endpoints supported by Paradigm together with their HTTP methods:It is currently not possible to manage groups through the
/Groups endpoint.Supported user SCIM attributes
The SCIM implementation of Paradigm supports the following user attributes: Core AttributesGroup Schema
The SCIM implementation of Paradigm supports the following group attributes:Error Handling
The Paradigm SCIM API endpoints return standard HTTP codes following the SCIM error format:
Here is an example of error response:
Provisioning Workflow
User Provisioning
- The Identity Provider (IdP) initiates a SCIM request to create a user on the
/Usersendpoint - Paradigm validates the request and user data
- A new user account is created with default permissions
- A success response is returned to the IdP
User Deprovisioning
- The Identity Provider (IdP) sends a request to deactivate or delete a user
- Paradigm validates the request
- For deactivation: User’s
activestatus is set tofalse - For deletion: User account is anonymized (Any user data is removed but the behavioral data)
- A success response is returned to the IdP
404 Not Found HTTP response.
API request/response examples
User Creation
Request data example:Update a User
Request data example:Troubleshooting
Authentication Failures
- Verify your API key is valid and not expired
- Verify the owner of the API key has permissions to manage users.
- Ensure the Authorization header is formatted correctly
Good Practices
- Implement Incremental Updates: Use PATCH operations instead of PUT when possible
- Handle API Failures Gracefully: Implement retry logic with exponential backoff
- Maintain IdP Synchronization: Schedule regular full syncs to ensure consistency
- Secure Your API keys: Rotate tokens regularly and store them securely