How can we help?

Torii's SCIM User Provisioning

Noga Tubi
Noga Tubi
  • Updated

Generate SCIM API key

  1. From the Settings page >> Security, enable the SCIM toggle 
    mceclip0.png
  2. Go to the API Access tab; From here, you can view and manage the Torii API keys and SCIM 
  3. Click on Generate API Key to generate a new SCIM 
    mceclip1.png

  4. Choose type: Torii SCIM
  5. Set an Expiration date: For security purposes, we recommend setting an expiration date when generating a new key.

    - The key will become invalid on the chosen expiration date.
    - Torii will send an email reminder a month before the expiration date reminding you to generate
       a new Key.

  6. Add a Description.
  7. Copy the key at this point. After this step, the whole key will become unavailable.
  8. Click Got it
    mceclip3.png
  9. The new key has been added; read about key rotation to learn about replacing the SCIM once it expires.
    mceclip3.png

SCIM

Use the Authorization header in the following format: Authorization: Bearer API_KEY

Base URL: https://api.toriihq.com/v1.0/scim/v2

* Read the API Documentation (requires to be logged in to Torii)

We support:

  • Provides details about our SCIM configuration

  • Provides the available resource types in the SCIM API

  • Provides the available resource types schemas with attributes information(as described in the attributes table

  • This endpoint will retrieve all the active users in Torii.

    • Active users can log into Torii/App catalog/Browser extension.

    Filter

    • Support only emails or userName as a filter key.
    • Not support complex filters(and/or/not).

    Sort

    All user fields can sort the results.

    Pagination

    • Results per page(default: 100, max: 200).
  • Returns the user associated with the user's ID

    • userName must be a valid email address with a valid domain.
    • userType(role):
      1. If userType is not sent in the request, the user will get Employee role as default.
      2. A role must be a valid Torii role or custom role(admin/read only/...)
    • New users can log in via SAML, Magic link or forgot password.
    • userName(email address) cannot be updated.
    • User role(userType) can be updated:
      1. If userType is not sent in the request, the userType(role) will not change.
      2. userType must be a valid Torii role or custom role(admin/read only/...)
      3. If the user is the last admin in the org, you cannot update his role.
    • Active:
      1. If active: false in the request, we will deactivate the user(cannot login).
  • Users cannot be deleted if they are the last admin in the org.

    • userName, emails meta, and id fields cannot be replaced.
    • userName, emails, meta, id, active and userType cannot be removed.
    • User role(userType) can be replace:
    • A. userType must be a valid Torii role or custom role(admin/read-only/...)
    • B. If the user is the last admin in the org, you cannot update his role.
    • Active:
    • C. If active: false in the request, we will deactivate the user(cannot log in)

SCIM & SAML

If SCIM is enabled for the org, SAML auto-provisioning will be disabled

Attributes 

SCIM Attribute Note Example
userName
  • It must be a valid email address
  • Read-only
userName: "user@toriihq.com"
name  

name:{

“givenName”: “First”

”familyName”: “Last”

}

active True: active/invite users.
False: inactive users.
active: true
userType
  • It must be exactly as appear at Torii
  • If userType is not sent in the put request, the user will get the Employee role as the default.
  • The user types(roles) appear here
  • Only admin users (not from type "Employee") will be displayed in Torii's UI

userType: “Admin”
emails Only one email address

emails: [{ ”primary”: true

“value”: “user@toriihq.com” }]

API/SCIM Key Rotation

Token expiration can not be changed after its creation.

The recommended way to rotate the key is to:

    • Generate a new API / SCIM key
    • Find and replace the old with the API in your system
    • Delete the old API
      mceclip4.png

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request