
System for Cross-domain Identity Management (SCIM) 2.0 Support

An overview of the SCIM 2.0 implementation in Stack Internal Enterprise.

Written by Joel Bradley
Updated this week

Applies to: Enterprise

This documentation is for Stack Internal Enterprise. Free, Basic, and Business users can access their documentation here. Find your plan.


Overview

System for Cross-domain Identity Management (SCIM) is an open API for securely sharing user information between online systems. In Stack Internal Enterprise, SCIM support allows an Identity Provider (IdP) to automatically update Stack Overflow with the user's activation status and/or role. Unlike SAML 2.0 single sign-on (SSO), which passes user information only at login, SCIM sends updates whenever they occur. This provides Stack Internal Enterprise near-real-time updates to user status and role as changes happen at the IdP.

Supported activities

The SCIM integration supports the following activities:

  • Create (provision) a new user.

  • Deactivate a user.

  • Reactivate a deactivated user.

  • Permanently delete a user. Learn more in the Automated User Deletion article.

  • Promote/demote a user between administrator, moderator, and regular user roles.

  • Update a user's display name, real name, or verified email address.

  • Update a user’s department and title.

NOTE: Enabling SCIM support does not disable user management options within Stack Internal Enterprise. This means a user may have an active status in the IdP, yet be deactivated in Stack Internal Enterprise through the admin user management settings. We recommend standardizing on a single provisioning workflow within your organization to avoid confusion.

Configure SCIM support on Stack Internal Enterprise

The SCIM configuration on Stack Internal Enterprise is the same regardless of IdP.

  1. As a Stack Internal Enterprise admin, click Admin Settings in the left-hand menu. Click SCIM under the "ACCESS MANAGEMENT" heading.

  2. Configure the following settings:

    • Click the Enable SCIM toggle to enable SCIM.

    • Create an Authorization bearer token you'll later enter into the SCIM configuration on the IdP. You can enter any string of characters, but be sure to follow best practices for creating a strong token. Stack Internal Enterprise hides the value by default. Click Show token to view and copy the value.

  3. If you want SCIM to promote users, enable Promote to moderator and/or Promote to admin in the "User promotion" section.

  4. If you want SCIM to update user profiles, enable Update display name and/or Update real name in the "User profile updates" section.

  5. Click Save settings.

Configure the Identity Provider

The following are general instructions for SCIM-compliant systems. If you're using one of the following IdPs, follow the links for detailed configuration information.

The IdP must send SCIM requests to https://[your_site].stackenterprise.co/api/scim/v2. In addition, the IdP must send the following values as part of the user resource to correctly map the user and set their status:

  • userName: The user ID (must match the User Identifier Assertion at https://[your_site].stackenterprise.co/enterprise/auth-settings).

  • active (true/false): Determines whether or not the user should be deactivated or reactivated in Stack Internal Enterprise.

  • Required fields for SCIM (these are commonly mapped for you by your IdP, requiring no action on your part):

    • name.givenName

    • name.familyName

    • emails

  • userType (optional, not used on Microsoft Entra ID): Requires enabling Allow Moderator Promotion via a userType property and/or Allow Admin Promotion via a userType property on the SCIM Integration settings page on Stack Internal Enterprise. Stack Internal Enterprise will change a user's role based on the following userType values: Registered, Moderator, or Admin.

  • stackUserType (optional, Microsoft Entra ID only): Because Entra ID uses the userType field for other purposes, you'll instead use the stackUserType field. Allows you to update the user's role on your Stack Internal Enterprise site. Values are Registered, Moderator, or Admin.

  • department (optional): Allows you to update the user's department on your Stack Internal Enterprise site.

  • title (optional): Allows you to update the user’s title on your Stack Internal Enterprise site.

NOTE: Adding the optional user department and job title fields allows you to use Stack Internal Enterprise's connectivity reporting feature. Learn more in the Connectivity article.

If your IdP does not support SCIM, an alternative is to have a separate application issuing the SCIM API calls to https://[your_site].stackenterprise.co/api/scim/v2 as outlined above.
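As an added example (not Stack Internal's own code), a separate provisioning application could generate the bearer token and prepare a user-creation call as follows. It assumes the standard SCIM `/Users` resource path and `application/scim+json` content type from RFC 7644, a placeholder site name, and hypothetical helper names; the request is built but not sent.

```python
import json
import secrets
import urllib.request

SCIM_BASE = "https://example.stackenterprise.co/api/scim/v2"  # placeholder for [your_site]
ROLES = {"Registered", "Moderator", "Admin"}  # userType values listed on this page
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # SCIM core User schema (RFC 7643)


def new_bearer_token(nbytes=32):
    """Random token from the OS CSPRNG (32 bytes = 256 bits) as URL-safe text."""
    return secrets.token_urlsafe(nbytes)


def build_user(user_name, given, family, email, active=True, user_type=None, title=None):
    """Build a SCIM User resource carrying the fields this page lists."""
    if not all((user_name, given, family, email)):
        raise ValueError("userName, name.givenName, name.familyName and emails are required")
    if not isinstance(active, bool):
        raise ValueError("active must be a boolean, not a string such as 'false'")
    user = {
        "schemas": [USER_SCHEMA],
        "userName": user_name,  # must match the User Identifier Assertion
        "active": active,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
    }
    if user_type is not None:
        if user_type not in ROLES:
            raise ValueError(f"userType must be one of {sorted(ROLES)}")
        user["userType"] = user_type
    if title is not None:
        user["title"] = title
    return user


def build_create_request(user, token, base=SCIM_BASE):
    """Prepare (but do not send) the POST that provisions the user."""
    if not base.startswith("https://"):
        raise ValueError("refusing to attach a bearer token to a non-HTTPS URL")
    return urllib.request.Request(
        f"{base}/Users",  # assumed: standard SCIM resource path under the base URL
        data=json.dumps(user).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/scim+json"},
    )
```

Pass the returned request to `urllib.request.urlopen` to send it, and keep the token in a secrets store rather than in source code.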


If you need further support or have questions, contact your site administrator.
