Generate SCIM API key
- From the Settings page >> Security, enable the SCIM toggle.
- Go to the API Access tab. From here, you can view and manage the Torii API keys and SCIM keys.
- Click on Generate API Key to generate a new SCIM key.
- Choose type: Torii SCIM
- Set an Expiration date: For security purposes, we recommend setting an expiration date when generating a new key.
  - The key will become invalid on the chosen expiration date.
  - Torii will send an email reminder a month before the expiration date, reminding you to generate a new key.
- Add a Description.
- Copy the key at this point. After this step, the whole key will become unavailable.
- Click Got it
- The new key has been added; read about key rotation to learn about replacing the SCIM key once it expires.
SCIM
Use the Authorization header in the following format: Authorization: Bearer API_KEY
Base URL: https://api.toriihq.com/v1.0/scim/v2
* Read the API Documentation (requires being logged in to Torii)
We support:
- Provides details about our SCIM configuration
- Provides the available resource types in the SCIM API
- Provides the available resource type schemas with attribute information (as described in the attributes table)
- This endpoint will retrieve all the active users in Torii.
  - Active users can log into Torii/App catalog/Browser extension.
  Filter
  - Only emails or userName is supported as a filter key.
  - Complex filters (and/or/not) are not supported.
  Sort
  - Results can be sorted by any user field.
  Pagination
  - Results per page (default: 100, max: 200).
- Returns the user associated with the user's ID
-
  - userName must be a valid email address with a valid domain.
  - userType (role):
    - If userType is not sent in the request, the user will get the Employee role by default.
    - A role must be a valid Torii role or custom role (admin/read only/...).
  - New users can log in via SAML, Magic link or forgot password.
-
  - userName (email address) cannot be updated.
  - User role (userType) can be updated:
    - If userType is not sent in the request, the userType (role) will not change.
    - userType must be a valid Torii role or custom role (admin/read only/...).
    - If the user is the last admin in the org, you cannot update his role.
  - Active:
    - If active: false is in the request, we will deactivate the user (cannot log in).
    - If
- Users cannot be deleted if they are the last admin in the org.
-
  - userName, emails, meta, and id fields cannot be replaced.
  - userName, emails, meta, id, active and userType cannot be removed.
  - User role (userType) can be replaced:
    - A. userType must be a valid Torii role or custom role (admin/read-only/...).
    - B. If the user is the last admin in the org, you cannot update his role.
  - Active:
    - C. If active: false is in the request, we will deactivate the user (cannot log in).
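An added example (not Torii's own code) that builds the user-listing and deactivation requests within the limits described above: bearer-token header, only emails or userName as filter key, no complex filters, at most 200 results per page. The /Users path, the eq operator, the count and startIndex parameter names and the PatchOp body follow the SCIM standard (RFC 7644) and are assumptions about this API; TORII_SCIM_KEY is a hypothetical environment variable name.

```python
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "https://api.toriihq.com/v1.0/scim/v2"  # base URL from the page
FILTER_KEYS = {"emails", "userName"}               # the only supported filter keys
MAX_COUNT = 200                                    # page: max results per page


def _headers(api_key):
    # Header format from the page: "Authorization: Bearer API_KEY".
    return {"Authorization": f"Bearer {api_key}",
            "Content-Type": "application/scim+json"}


def list_users_request(api_key, key=None, value=None, count=100, start_index=1):
    """Build (not send) a user-listing request. /Users, 'eq', count and
    startIndex are RFC 7644 conventions, assumed rather than documented here."""
    if not 1 <= count <= MAX_COUNT:
        raise ValueError(f"count must be 1..{MAX_COUNT}")
    params = {"count": count, "startIndex": start_index}
    if key is not None:
        if key not in FILTER_KEYS:
            raise ValueError(f"unsupported filter key: {key!r}")
        # Refuse quotes and backslashes so a value cannot close the string
        # literal and append and/or/not clauses the API does not support.
        if not isinstance(value, str) or '"' in value or "\\" in value:
            raise ValueError("illegal filter value")
        params["filter"] = f'{key} eq "{value}"'
    url = f"{BASE_URL}/Users?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, headers=_headers(api_key), method="GET")


def deactivate_user_request(api_key, user_id):
    """Build a PATCH that sets active: false, so the user can no longer log in."""
    body = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    url = f"{BASE_URL}/Users/{urllib.parse.quote(user_id, safe='')}"
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=_headers(api_key), method="PATCH")


if __name__ == "__main__":
    # Read the key from the environment so it never lands in source control.
    api_key = os.environ.get("TORII_SCIM_KEY", "CONSTRUCTED-PLACEHOLDER-KEY")
    req = list_users_request(api_key, "userName", "user@toriihq.com", count=200)
    print(req.get_method(), req.full_url)
```

Pass the returned object to urllib.request.urlopen to send it; the last-admin restrictions listed above are enforced by the server, so a deactivation request can still be rejected.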
SCIM & SAML
If SCIM is enabled for the org, SAML auto-provisioning will be disabled
Attributes
| SCIM Attribute | Note | Example |
|---|---|---|
| userName | | userName: "user@toriihq.com" |
| name | | name: { "givenName": "First", "familyName": "Last" } |
| active | True: active/invited users. False: inactive users. | active: true |
| userType | | userType: "Admin" |
| emails | Only one email address | emails: [{ "primary": true, "value": "user@toriihq.com" }] |
API/SCIM Key Rotation
Token expiration cannot be changed after the key is created.
The recommended way to rotate the key is to:
- Generate a new API / SCIM key
- Find and replace the old key with the new key in your system
- Delete the old API key