Signicat IAM SCIM API

  • Base URL: https://api.signicat.com/ownidp/
  • Documentation: See the SIAM developer documentation.
  • Support: Create a support ticket in the Signicat Dashboard.

Introduction

The Signicat IAM SCIM API allows you to perform identity and access management operations on your SIAM instance programmatically. It is designed for you to:

  • Create new users
  • Get a user profile and its attributes
  • Update a user and its attributes
  • Deactivate users
  • Lock and unlock access for users

This REST API uses the OAuth 2.0 protocol for authorisation. All request and response bodies are formatted in JSON.

This API follows the System for Cross-domain Identity Management (SCIM) specification as a standard for managing user identities. Learn more about SCIM at https://scim.cloud/.

Get started

1. Request API client permissions

Before you can start making requests to this API, you need to set up an API client with the correct permissions. To receive the permissions, you need to contact us by creating a support ticket in the Signicat Dashboard.

2. Connect to the API

After you receive the correct permissions for your API client, you are ready to connect and make requests to this API. To learn how to connect, see the Connect to Signicat APIs Quick start guide.

Using this API

Audit logs

Use the Signicat Audit logs service to see documented evidence of the sequence of activities that have affected a system.

  • Access it: Signicat Dashboard > Settings > Audit logs
  • For information generic to all Signicat audit logs, see the general Audit logs documentation.

Errors

When you make an API call to Signicat and an error occurs, you will receive a response message with an error code.

  • For errors generic to all Signicat APIs, see the general Error codes documentation.

Events (callback)

Use the Signicat Events service to automatically receive information about when something happens in one of our services into your system.

Note: This is often referred to as callback.

  • Access it: Go to Signicat Dashboard > Settings > Events
  • For information generic to all Signicat events, see the general Events documentation.

SCIM - User management

Retrieve a list of users

Retrieves a paginated and filtered list of users.

The user is the main resource in the SCIM service, holding personal data and associations to other resources through roles and memberships.

Query Parameters

  • filter: A SCIM filter expression. Currently, support is limited to filtering by userName:
    • userName eq "<exact-value>": Exact match.
    • userName co "<substring>": Contains substring (case-insensitive).
  • searchQuery: A simple text search across user ID, name, and email fields.
  • startIndex: The 1-based index of the first result. Defaults to 1.
  • count: The number of results to return per page. Defaults to 20.
  • sortOrder: The sort direction. Accepts ASC or DESC. Defaults to DESC.

Access Requirements

  • Global permission signicat:ownidp:subjects:read.
  • On a specific membership, the permission signicat:ownidp:memberships:read is required. This gives read access to all users found on those memberships (with limited details).
Authorizations:
bearerAuth
query Parameters
filter
string
searchQuery
string
Default: ""
startIndex
integer <int32>
Default: 1
count
integer <int32>
Default: 20
sortOrder
string
Default: "DESC"
Enum: "ASC" "DESC"
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "totalResults": 0,
  "itemsPerPage": 0,
  "startIndex": 0,
  "previousCursor": "string",
  "nextCursor": "string",
  "Resources": [ ],
  "id": "string",
  "externalId": "string",
  "meta": { }
}
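
A client-side sketch of the list-users request described above, added here as an illustration (it is not Signicat code). It quotes the userName filter value so caller-supplied text cannot alter the filter expression, rejects mismatched account identifiers before sending, and pages with the 1-based startIndex. The resource path in USERS_ENDPOINT is a placeholder because the page does not state it, and the function names and sample users are constructed.

```python
import json
from urllib.parse import urlencode

# Placeholder: the page gives the base URL but not the resource path.
USERS_ENDPOINT = "https://api.signicat.com/ownidp/<users-path>"
USER_NAME_OPS = {"eq", "co"}  # the only userName operators documented above


def scim_string(value):
    """Quote a filter value as a JSON string, which is what SCIM filters use."""
    if any(ord(ch) < 0x20 for ch in value):
        raise ValueError("control characters are not allowed in a filter value")
    return json.dumps(value, ensure_ascii=False)  # escapes " and \


def user_name_filter(op, value):
    """Build 'userName eq|co "<value>"' without letting value break out."""
    if op not in USER_NAME_OPS:
        raise ValueError(f"unsupported operator: {op!r}")
    return f"userName {op} {scim_string(value)}"


def list_users_request(token, *, op=None, value=None, start_index=1, count=20,
                       sort_order="DESC", header_account=None,
                       query_account=None, endpoint=USERS_ENDPOINT):
    """Return (url, headers) for a list-users call, validated client-side."""
    if start_index < 1 or count < 1:
        raise ValueError("startIndex is 1-based and count must be positive")
    if sort_order not in ("ASC", "DESC"):
        raise ValueError("sortOrder accepts ASC or DESC")
    # If both account identifiers are sent, the values must be identical.
    if header_account and query_account and header_account != query_account:
        raise ValueError("Signicat-AccountId header and query parameter differ")
    params = {"startIndex": start_index, "count": count, "sortOrder": sort_order}
    if op is not None:
        params["filter"] = user_name_filter(op, value)
    if query_account:
        params["signicat-accountid"] = query_account
    headers = {"Authorization": f"Bearer {token}",
               "Accept": "application/scim+json"}
    if header_account:
        headers["Signicat-AccountId"] = header_account
    return f"{endpoint}?{urlencode(params)}", headers


def iter_users(fetch_page, count=20):
    """Yield every user; fetch_page(start_index, count) returns one parsed page."""
    start = 1
    while True:
        page = fetch_page(start, count)
        resources = page.get("Resources", [])
        yield from resources
        start += len(resources)
        if not resources or start > page.get("totalResults", 0):
            break


# Constructed sample data standing in for the service, so this runs offline.
SAMPLE_USERS = [{"id": f"u{i}", "userName": f"user{i}@example.test"}
                for i in range(1, 6)]


def fake_fetch(start_index, count):
    chunk = SAMPLE_USERS[start_index - 1:start_index - 1 + count]
    return {"totalResults": len(SAMPLE_USERS), "itemsPerPage": len(chunk),
            "startIndex": start_index, "Resources": chunk}


if __name__ == "__main__":
    url, headers = list_users_request("<access-token>", op="co", value='o"brien',
                                      header_account="<account-id>")
    print(url)
    print(sorted(headers))
    print([u["id"] for u in iter_users(fake_fetch, count=2)])
```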

Create a user

The user is the main resource managed by this service. Users hold personal data and can be associated with other resources through roles and memberships.

This request creates a new user.

Access requirements

  • Global permission: signicat:ownidp:subjects:create
Authorizations:
bearerAuth
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Request Body schema: application/json
required
schemas
Array of strings unique
id
string
externalId
string
userName
string
object (Name)
displayName
string
active
boolean
password
string
Array of objects (Email)
Array of objects (X509Certificate)
lastLogin
string
otpActive
boolean
resetPassword
boolean
Array of objects (ScimInboundCustomAttribute)
preferredLanguage
string
object (Meta)

Responses

Request samples

Content type
application/json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "userName": "string",
  "name": { },
  "displayName": "string",
  "active": true,
  "password": "string",
  "emails": [ ],
  "x509Certificates": [ ],
  "lastLogin": "string",
  "otpActive": true,
  "resetPassword": true,
  "customAttributes": [ ],
  "preferredLanguage": "string",
  "meta": { }
}

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "userName": "string",
  "name": { },
  "displayName": "string",
  "active": true,
  "emails": [ ],
  "x509Certificates": [ ],
  "lastLogin": "string",
  "otpActive": true,
  "resetPassword": true,
  "preferredLanguage": "string",
  "meta": { }
}

Retrieve a single user

Retrieves a single user by their unique identifier.

The user is the main resource in the SCIM service, holding personal data and associations to other resources through roles and memberships.

Access Requirements

  • Requires the global permission signicat:ownidp:subjects:read.
  • On a specific membership, the permission signicat:ownidp:subjects:read is required. This gives read access to all users found on those memberships.
Authorizations:
bearerAuth
path Parameters
subjectId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "userName": "string",
  "name": { },
  "displayName": "string",
  "active": true,
  "emails": [ ],
  "x509Certificates": [ ],
  "lastLogin": "string",
  "otpActive": true,
  "resetPassword": true,
  "preferredLanguage": "string",
  "meta": { }
}

Delete a user by id

The user is the main resource managed by this service. Users hold personal data and can be associated with other resources through roles and memberships.

This request removes a user.

Access requirements

  • Global permission: signicat:ownidp:subjects:delete and the caller must have the same or higher permissions than the target user, OR
  • The caller has signicat:ownidp:subjects:delete permission on all organizations/groups the target user belongs to (the target user must belong to at least one organization).
Authorizations:
bearerAuth
path Parameters
subjectId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/json
{ }

Patch a user

The user is the main resource managed by this service. Users hold personal data and can be associated with other resources through roles and memberships.

This request changes the details of a user.

Access requirements

  • Global permission: signicat:ownidp:subjects:update and the caller must have the same or higher permissions than the target user, OR
  • The caller has signicat:ownidp:subjects:update permission on all organizations/groups the target user belongs to (the target user must belong to at least one organization).
Authorizations:
bearerAuth
path Parameters
subjectId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Request Body schema: application/json
required
schemas
Array of strings unique
id
string
externalId
string
required
Array of AddOperation (object) or RemoveOperation (object) or ReplaceOperation (object)
object (Meta)

Responses

Request samples

Content type
application/json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "Operations": [ ],
  "meta": { }
}

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "userName": "string",
  "name": { },
  "displayName": "string",
  "active": true,
  "emails": [ ],
  "x509Certificates": [ ],
  "lastLogin": "string",
  "otpActive": true,
  "resetPassword": true,
  "preferredLanguage": "string",
  "meta": { }
}

Start reset password

This request starts the reset password flow for a given user.

Access requirements

  • Requires a valid token and the signicat:ownidp:subjects:update permission in SCIM context.
Authorizations:
bearerAuth
path Parameters
subjectId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/json
{ }

Retrieve TOTP by id

Retrieve an existing TOTP configuration by identifier:

  • totpDeviceId: identifier of the TOTP device.

Access requirements

  • Requires a valid token and the signicat:ownidp:subjects:read global permission.
Authorizations:
bearerAuth
path Parameters
totpDeviceId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
{ }

Delete TOTP configuration

Delete an existing TOTP configuration by identifier.

Access requirements

  • Requires a valid token and the signicat:ownidp:subjects:update global permission.
Authorizations:
bearerAuth
path Parameters
totpDeviceId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/json
{ }

SCIM - Role management

Retrieve roles

This request retrieves all roles, paginated, with the following options to filter and search:

  • filter: option to provide a filter expression
  • searchQuery: optional filter for the role's name and external identifier
  • startIndex: specifies the starting index for page results (default value: 1)
  • count: number of results returned per page (default value: 20)
  • sortDirection: optional direction for sorting (default value: DESC)

Access requirements

  • Requires only a valid token.
Authorizations:
bearerAuth
query Parameters
filter
string
searchQuery
string
Default: ""
startIndex
integer <int32>
Default: 1
count
integer <int32>
Default: 20
sortOrder
string
Default: "DESC"
Enum: "ASC" "DESC"
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "totalResults": 0,
  "itemsPerPage": 0,
  "startIndex": 0,
  "previousCursor": "string",
  "nextCursor": "string",
  "Resources": [ ],
  "id": "string",
  "externalId": "string",
  "meta": { }
}

Create role

Create a new role.

Access requirements

  • Requires a valid token and the signicat:ownidp:roles:create global permission.
Authorizations:
bearerAuth
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Request Body schema: application/json
required
schemas
Array of strings unique
id
string
externalId
required
string non-empty
displayName
required
string non-empty
description
string
isEditable
boolean
required
Array of objects (ScimPermission) non-empty
object (Meta)

Responses

Request samples

Content type
application/json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "displayName": "string",
  "description": "string",
  "isEditable": true,
  "permissions": [ ],
  "meta": { }
}

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "displayName": "string",
  "description": "string",
  "isEditable": true,
  "permissions": [ ],
  "meta": { }
}

Retrieve role

This request retrieves a role by identifier.

Access requirements

  • Requires only a valid token.
Authorizations:
bearerAuth
path Parameters
roleId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "displayName": "string",
  "description": "string",
  "isEditable": true,
  "permissions": [ ],
  "meta": { }
}

Delete role

Delete an existing role.

Access requirements

  • Requires a valid token and the signicat:ownidp:roles:delete global permission.
Authorizations:
bearerAuth
path Parameters
roleId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "detail": "string",
  "status": 0,
  "traceId": "string",
  "spanId": "string",
  "requestUri": "string",
  "title": "string",
  "code": "string",
  "timestamp": "string",
  "type": "string"
}

Patch role

Update an existing role by identifier.

Access requirements

  • Requires a valid token and the signicat:ownidp:roles:update global permission.
Authorizations:
bearerAuth
path Parameters
roleId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Request Body schema: application/json
required
schemas
Array of strings unique
id
string
externalId
string
required
Array of AddOperation (object) or RemoveOperation (object) or ReplaceOperation (object)
object (Meta)

Responses

Request samples

Content type
application/json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "Operations": [ ],
  "meta": { }
}

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "displayName": "string",
  "description": "string",
  "isEditable": true,
  "permissions": [ ],
  "meta": { }
}

SCIM - Organization management

Retrieve a list of organizations

Retrieves a paginated and filtered list of organizations.

The organization is a main resource in the SCIM service, holding organization data and associations to other resources through roles and memberships.

Query Parameters

  • filter: A SCIM filter expression. Currently, support is limited to filtering with the contains operation by name, id and parent:
    • name co "<substring>": Contains substring (case-insensitive).
  • searchQuery: A simple text search across organization ID and name fields.
  • startIndex: The 1-based index of the first result. Defaults to 1.
  • count: The number of results to return per page. Defaults to 20.
  • sortOrder: The sort direction. Accepts ASC or DESC. Defaults to DESC.

Access Requirements

  • Global permission signicat:ownidp:user-groups:read.
  • On a specific membership, the permission signicat:ownidp:user-groups:read is required. This gives read access to all organizations found on those memberships (with limited details).
Authorizations:
bearerAuth
query Parameters
filter
string
searchQuery
string
Default: ""
startIndex
integer <int32>
Default: 1
count
integer <int32>
Default: 20
sortOrder
string
Default: "DESC"
Enum: "ASC" "DESC"
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "name": "string",
  "active": true,
  "parent": { },
  "meta": { }
}

Create organization

An organization is a type of group that can be arranged hierarchically. Users gain access to organizations through memberships, with roles or attributes defining their permissions.

This operation creates a new organization. For convenience, when passing custom attributes, you can use either the id or the name of the attribute definition.

Access requirements

  • Global: signicat:ownidp:user-groups:create permission
  • Scoped: signicat:ownidp:user-groups:create permission
    • Scoped access means the permission must be granted via a membership in this group or one of its parent groups. If the created group does not have a parent, the user requires global access.
Authorizations:
bearerAuth
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Request Body schema: application/json
required
schemas
Array of strings unique
id
string
externalId
string
name
string
active
boolean
Array of objects (ScimInboundCustomAttribute)
parent
string
object (Meta)

Responses

Request samples

Content type
application/json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "name": "string",
  "active": true,
  "customAttributes": [ ],
  "parent": "string",
  "meta": { }
}

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "name": "string",
  "active": true,
  "parent": { },
  "meta": { }
}
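
The global and scoped access rule for organizations, modelled as an added example for reviewing who can act on which group (it is not Signicat's implementation). It walks the parent chain as the scoped rule describes and applies the "no parent requires global access" case for creation. The data shapes (a parents map, role-to-permission map, membership records with userId, organizationId and roleId, and a per-user set of global permissions) and all sample names are assumptions constructed for the illustration.

```python
CREATE = "signicat:ownidp:user-groups:create"
UPDATE = "signicat:ownidp:user-groups:update"


def ancestors(org_id, parents):
    """Yield org_id, then each parent up to the root; stops on a cycle."""
    seen = set()
    while org_id is not None and org_id not in seen:
        seen.add(org_id)
        yield org_id
        org_id = parents.get(org_id)


def granted_orgs(user_id, permission, memberships, role_permissions):
    """Organizations where the user holds the permission through a membership."""
    return {m["organizationId"] for m in memberships
            if m["userId"] == user_id
            and permission in role_permissions.get(m["roleId"], ())}


def can_act_on_group(user_id, permission, org_id, memberships,
                     role_permissions, parents, global_permissions):
    """Global grant, or a scoped grant on the group or one of its parents."""
    if permission in global_permissions.get(user_id, ()):
        return True
    scoped = granted_orgs(user_id, permission, memberships, role_permissions)
    return any(org in scoped for org in ancestors(org_id, parents))


def can_create_group(user_id, parent_id, memberships, role_permissions,
                     parents, global_permissions):
    """A group without a parent can only be created with global access."""
    if CREATE in global_permissions.get(user_id, ()):
        return True
    if parent_id is None:
        return False
    scoped = granted_orgs(user_id, CREATE, memberships, role_permissions)
    return any(org in scoped for org in ancestors(parent_id, parents))


# Constructed sample tenant: acme > acme-no > acme-no-oslo, plus a second root.
PARENTS = {"acme": None, "acme-no": "acme", "acme-no-oslo": "acme-no",
           "other": None}
ROLE_PERMISSIONS = {"org-admin": {CREATE, UPDATE},
                    "viewer": {"signicat:ownidp:user-groups:read"}}
MEMBERSHIPS = [
    {"userId": "alice", "organizationId": "acme-no", "roleId": "org-admin"},
    {"userId": "bob", "organizationId": "acme", "roleId": "viewer"},
]
GLOBAL_PERMISSIONS = {"carol": {CREATE}}  # assumption: global grants per user


def check(user_id, permission, org_id):
    return can_act_on_group(user_id, permission, org_id, MEMBERSHIPS,
                            ROLE_PERMISSIONS, PARENTS, GLOBAL_PERMISSIONS)


def check_create(user_id, parent_id):
    return can_create_group(user_id, parent_id, MEMBERSHIPS,
                            ROLE_PERMISSIONS, PARENTS, GLOBAL_PERMISSIONS)


if __name__ == "__main__":
    for user, org in [("alice", "acme-no-oslo"), ("alice", "acme"),
                      ("bob", "acme")]:
        print(user, "update", org, "->", check(user, UPDATE, org))
    for user, parent in [("alice", "acme-no-oslo"), ("alice", None),
                         ("carol", None)]:
        print(user, "create under", parent, "->", check_create(user, parent))
```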

Retrieve a single organization

Retrieves a single organization by its unique identifier.

The organization is a main resource in the SCIM service, holding organization data and associations to other resources through roles and memberships.

Access Requirements

  • Requires the global permission signicat:ownidp:user-groups:read.
  • On a specific membership, the permission signicat:ownidp:user-groups:read is required. This gives read access to all organizations found on those memberships.
Authorizations:
bearerAuth
path Parameters
organizationId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "name": "string",
  "active": true,
  "parent": { },
  "meta": { }
}

Delete organization

An organization is a type of group that can be arranged hierarchically. Users gain access to organizations through memberships, with roles or attributes defining their permissions.

This operation removes an existing organization.

Access requirements

  • Global: signicat:ownidp:user-groups:delete permission
  • Scoped: signicat:ownidp:user-groups:delete permission
    • Scoped access means the permission must be granted via a membership in this group or one of its parent groups.
Authorizations:
bearerAuth
path Parameters
organizationId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/json
{ }

Patch organization

An organization is a type of group that can be arranged hierarchically. Users gain access to organizations through memberships, with roles or attributes defining their permissions.

This operation changes an existing organization. For convenience, when passing custom attributes in the path, you can use either the id or the name of the attribute definition.

Access requirements

  • Global: signicat:ownidp:user-groups:update permission
  • Scoped: signicat:ownidp:user-groups:update permission
    • Scoped access means the permission must be granted via a membership in this group or one of its parent groups.
Authorizations:
bearerAuth
path Parameters
organizationId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Request Body schema: application/json
required
schemas
Array of strings unique
id
string
externalId
string
required
Array of AddOperation (object) or RemoveOperation (object) or ReplaceOperation (object)
object (Meta)

Responses

Request samples

Content type
application/json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "Operations": [ ],
  "meta": { }
}

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "name": "string",
  "active": true,
  "parent": { },
  "meta": { }
}

SCIM - Membership management

Retrieve memberships

This request retrieves a list of memberships, with support for filtering by providing the following optional parameters:

  • filter: A SCIM filter expression. Currently, support is limited to filtering by each value exactly, with AND between each added filter. The supported properties are: id, externalId, userId, organizationId and roleId. Examples:
    • userId eq "<exact-value>" and roleId eq "<exact-value>": Filtering by userId and roleId (exact match).
    • id eq "<exact-value>" and externalId eq "<exact-value>" and organizationId eq "": Filtering by id, externalId, and organization (exact match).
  • searchQuery: A string to filter results. The query is applied to the name and external identifier fields.
  • startIndex: The 1-based index of the first result to return (for pagination).
  • count: The maximum number of results to return.
  • sortDirection: The direction to sort the results (ASC or DESC).

Authentication and Authorization:

  • The results will be scoped to the memberships the authenticated user is permitted to see.
Authorizations:
bearerAuth
query Parameters
filter
string
searchQuery
string
Default: ""
startIndex
integer <int32>
Default: 1
count
integer <int32>
Default: 20
sortOrder
string
Default: "DESC"
Enum: "ASC" "DESC"
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "totalResults": 0,
  "itemsPerPage": 0,
  "startIndex": 0,
  "previousCursor": "string",
  "nextCursor": "string",
  "Resources": [ ],
  "id": "string",
  "externalId": "string",
  "meta": { }
}
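The filter and account-identifier rules for "Retrieve memberships", as an added client-side example (not Signicat code). It assumes the server parses filter string values with JSON string escaping as in RFC 7644; the function names are hypothetical, and the endpoint path is left out because this section does not show it.

```python
import json

# Properties this page lists as filterable for memberships.
SUPPORTED_FILTER_PROPERTIES = ("id", "externalId", "userId", "organizationId", "roleId")


def build_membership_filter(criteria):
    """Return exact-match 'eq' clauses joined with 'and' (the only supported form)."""
    if not criteria:
        raise ValueError("at least one filter criterion is required")
    clauses = []
    for prop, value in criteria.items():
        if prop not in SUPPORTED_FILTER_PROPERTIES:
            raise ValueError(f"unsupported filter property: {prop!r}")
        if not isinstance(value, str):
            raise TypeError(f"filter value for {prop} must be a string")
        # json.dumps adds the quotes and escapes embedded '"' and '\', so
        # caller-supplied text cannot close the string and append clauses.
        clauses.append(f"{prop} eq {json.dumps(value, ensure_ascii=False)}")
    return " and ".join(clauses)


def resolve_account_id(header_value=None, query_value=None):
    """Apply the page's rule: if both are given, the values must be identical."""
    if header_value is not None and query_value is not None:
        if header_value != query_value:
            raise ValueError("Signicat-AccountId header and signicat-accountid "
                             "query parameter differ")
    # None means the server falls back to the account in the token claims.
    return header_value if header_value is not None else query_value


def build_membership_request(token, criteria, account_id_header=None,
                             account_id_query=None, start_index=1, count=20):
    """Return (headers, params) for a 'Retrieve memberships' call."""
    if start_index < 1:
        raise ValueError("startIndex is 1-based")
    if count < 1:
        raise ValueError("count must be at least 1")
    resolve_account_id(account_id_header, account_id_query)  # raises on mismatch
    headers = {"Authorization": f"Bearer {token}"}
    params = {
        "filter": build_membership_filter(criteria),
        "startIndex": start_index,
        "count": count,
    }
    if account_id_header is not None:
        headers["Signicat-AccountId"] = account_id_header
    if account_id_query is not None:
        params["signicat-accountid"] = account_id_query
    return headers, params
```

Rejecting a header/query mismatch before sending keeps a misconfigured client from relying on the server to catch a request aimed at the wrong account.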

Create membership

This endpoint creates a new membership, linking a subject (user) to a group.

Authentication and Authorization:

  • A valid JWT Bearer token must be provided in the Authorization header.
  • The token must grant the signicat:ownidp:memberships:create permission on the group specified in the organization field of the request body.
Authorizations:
bearerAuth
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Request Body schema: application/json
required
id
string
externalId
string
organization
string
user
string
roles
Array of strings
Array of objects (ScimInboundCustomAttribute)

Responses

Request samples

Content type
application/json
{
  "id": "string",
  "externalId": "string",
  "organization": "string",
  "user": "string",
  "roles": [ ],
  "customAttributes": [ ]
}

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "displayName": "string",
  "active": true,
  "roles": [ ],
  "organization": { },
  "user": { },
  "customAttributes": [ ],
  "meta": { }
}

Retrieve single membership

This request retrieves a single membership by its unique identifier.

Authentication and Authorization:

  • A valid JWT Bearer token must be provided in the Authorization header.
  • The token must grant the signicat:ownidp:memberships:read permission on the group associated with the membership.
Authorizations:
bearerAuth
path Parameters
membershipId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "displayName": "string",
  "active": true,
  "roles": [ ],
  "organization": { },
  "user": { },
  "customAttributes": [ ],
  "meta": { }
}

Delete membership

This endpoint deletes an existing membership by its unique identifier.

Authentication and Authorization:

  • A valid JWT Bearer token must be provided in the Authorization header.
  • The token must grant the signicat:ownidp:memberships:delete permission on the group associated with the membership.
Authorizations:
bearerAuth
path Parameters
membershipId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/json
{ }

Patch membership

This endpoint partially updates an existing membership using the SCIM Patch standard (RFC 7644). This allows for atomic operations like adding, replacing, or removing attributes of the membership.

Authentication and Authorization:

  • A valid JWT Bearer token must be provided in the Authorization header.
  • The token must grant the signicat:ownidp:memberships:update permission on the group associated with the membership.

Example Patch Operations:
The request body must be a PatchRequest resource. Here is an example to replace the roles of a membership.

Example Request Body for replace operation:

{  
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],  
  "Operations": [  
    {  
      "op": "replace",  
      "path": "roles",  
      "value": [  
        { "value": "new-role-id-1" },  
        { "value": "new-role-id-2" }  
      ]  
    }  
  ]  
}   

Example Request Body for add/remove operation (set "op" to either "add" or "remove"):

{  
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],  
  "Operations": [  
    {  
      "op": "add/remove",  
      "path": "roles",  
      "value": [  
        { "value": "new-role-id-1" },  
        { "value": "new-role-id-2" }  
      ]  
    }  
  ]  
}   
Authorizations:
bearerAuth
path Parameters
membershipId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Request Body schema: application/json
required
schemas
Array of strings unique
id
string
externalId
string
required
Array of AddOperation (object) or RemoveOperation (object) or ReplaceOperation (object)
object (Meta)

Responses

Request samples

Content type
application/json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "Operations": [ ],
  "meta": { }
}

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "displayName": "string",
  "active": true,
  "roles": [ ],
  "organization": { },
  "user": { },
  "customAttributes": [ ],
  "meta": { }
}
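An added example for "Patch membership" (not Signicat code): it plans a PatchOp body that touches only the roles that actually change, and checks a body before it is sent. It assumes that several operations may be sent in one request and that "add/remove" in the sample above stands for the two separate literals "add" and "remove"; the function names are hypothetical.

```python
PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ALLOWED_OPS = ("add", "remove", "replace")  # one literal per operation


def role_operation(op, role_ids):
    """Build one operation on the 'roles' path in the page's value format."""
    if op not in ALLOWED_OPS:
        raise ValueError(f"op must be one of {ALLOWED_OPS}, got {op!r}")
    ids = list(role_ids)
    if not ids or not all(isinstance(r, str) and r for r in ids):
        raise ValueError("role_ids must be a non-empty list of non-empty strings")
    return {"op": op, "path": "roles", "value": [{"value": r} for r in ids]}


def plan_role_patch(current_roles, desired_roles):
    """Return a PatchOp body touching only the roles that change, or None."""
    current, desired = set(current_roles), set(desired_roles)
    operations = []
    if current - desired:
        operations.append(role_operation("remove", sorted(current - desired)))
    if desired - current:
        operations.append(role_operation("add", sorted(desired - current)))
    if not operations:
        return None  # roles already match; nothing to send
    return {"schemas": [PATCH_OP_SCHEMA], "Operations": operations}


def validate_patch_request(body):
    """Return a list of problems found in a PatchOp body (empty if none)."""
    problems = []
    if PATCH_OP_SCHEMA not in body.get("schemas", []):
        problems.append("schemas must contain the PatchOp URN")
    operations = body.get("Operations")
    if not isinstance(operations, list) or not operations:
        problems.append("Operations must be a non-empty array")
        return problems
    for index, operation in enumerate(operations):
        if operation.get("op") not in ALLOWED_OPS:
            problems.append(f"Operations[{index}].op is not add, remove or replace")
        values = operation.get("value", [])
        if not all(isinstance(v, dict) and isinstance(v.get("value"), str)
                   for v in values):
            problems.append(f"Operations[{index}].value entries need a string 'value'")
    return problems
```

Sending targeted add and remove operations instead of a full replace leaves any role granted by another administrator in the meantime untouched, and makes each change visible as its own entry when the request is reviewed.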

SCIM - User invitation management

Send new invitation

This request invites a new user by providing the metadata in the request body.

Access requirements

  • Requires a valid token and the signicat:ownidp:invitations:create access in the scoped group.
Authorizations:
bearerAuth
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Request Body schema: application/json
required
email
required
string <email> non-empty
organization
required
string non-empty
roles
Array of strings unique
Array of objects (ScimAttributeCommand)
Array of objects (ScimAttributeCommand)

Responses

Request samples

Content type
application/json
{
  "email": "user@example.com",
  "organization": "string",
  "roles": [ ],
  "customAttributes": [ ],
  "subjectAttributes": [ ]
}

Response samples

Content type
application/scim+json
{ }

Retrieve invitations

This request retrieves a paginated list of invitations. Pagination and sorting are controlled by:
- startIndex: specifies the starting index for page results (default value: 1)
- count: number of results returned per page (default value: 20)
- sortDirection: optional direction for sorting (default value: DESC)

Access requirements

  • Requires only a valid token.
Authorizations:
bearerAuth
query Parameters
startIndex
integer <int32>
Default: 1
count
integer <int32>
Default: 20
sortOrder
string
Default: "DESC"
Enum: "ASC" "DESC"
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "totalResults": 0,
  "itemsPerPage": 0,
  "startIndex": 0,
  "previousCursor": "string",
  "nextCursor": "string",
  "Resources": [ ],
  "id": "string",
  "externalId": "string",
  "meta": { }
}

Retrieve single invitation

This request retrieves a single invitation by identifier.

Access requirements

  • Requires a valid token and the global signicat:ownidp:invitations:read permission.
Authorizations:
bearerAuth
path Parameters
invitationId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
{ }

Delete invitation

This request deletes an existing invitation by identifier.

Access requirements

  • Requires a valid token and the global signicat:ownidp:invitations:delete permission.
Authorizations:
bearerAuth
path Parameters
invitationId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/json
{ }

SCIM - External idp management

Retrieve external idps

This request retrieves a paginated list of external idps, with optional filtering, by providing:
- filter: provides a filter expression
- searchQuery: A string to filter results. The query is applied to fields: name, issuer and external identifier
- startIndex: The 1-based index of the first result to return (default value: 1)
- count: The maximum number of results to return (default value: 20)
- sortDirection: The direction to sort the results (ASC or DESC).

Access requirements

  • Requires a valid token and the global signicat:ownidp:external-idp:read permission.
Authorizations:
bearerAuth
query Parameters
filter
string
searchQuery
string
Default: ""
startIndex
integer <int32>
Default: 1
count
integer <int32>
Default: 20
sortOrder
string
Default: "DESC"
Enum: "ASC" "DESC"
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "totalResults": 0,
  "itemsPerPage": 0,
  "startIndex": 0,
  "previousCursor": "string",
  "nextCursor": "string",
  "Resources": [ ],
  "id": "string",
  "externalId": "string",
  "meta": { }
}

Create External IDP

Create a new External IDP. For the schema definition, check the '/schemas/v2/Schemas' endpoint with the following resourceId: 'urn:ownidp:scim:schemas:core:1.0:ExternalIdp'

Authorizations:
bearerAuth
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Request Body schema: application/json
required
name
required
string
issuer
required
string

Responses

Request samples

Content type
application/json
{
  "name": "string",
  "issuer": "string"
}

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "name": "string",
  "issuer": "string",
  "meta": { }
}

Retrieve external idp

This request retrieves a single external idp by id.

Access requirements

  • Requires a valid token and the global signicat:ownidp:external-idp:read permission.
Authorizations:
bearerAuth
path Parameters
externalIdpId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "displayName": "string",
  "description": "string",
  "isEditable": true,
  "permissions": [ ],
  "meta": { }
}

Delete External IDP

Delete an External IDP. For the schema definition, check the '/schemas/v2/Schemas' endpoint with the following resourceId: 'urn:ownidp:scim:schemas:core:1.0:ExternalIdp'

Authorizations:
bearerAuth
path Parameters
externalIdpId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/json
{
  "schemas": [ ],
  "detail": "string",
  "status": 0,
  "traceId": "string",
  "spanId": "string",
  "requestUri": "string",
  "title": "string",
  "code": "string",
  "timestamp": "string",
  "type": "string"
}

Update external idp

Update a single External IDP by id. For the schema definition, check the '/schemas/v2/Schemas' endpoint with the following resourceId: 'urn:ownidp:scim:schemas:core:1.0:ExternalIdp'

Authorizations:
bearerAuth
path Parameters
externalIdpId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Request Body schema: application/json
required
schemas
Array of strings unique
id
string
externalId
string
required
Array of AddOperation (object) or RemoveOperation (object) or ReplaceOperation (object)
object (Meta)

Responses

Request samples

Content type
application/json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "Operations": [ ],
  "meta": { }
}

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "id": "string",
  "externalId": "string",
  "name": "string",
  "issuer": "string",
  "meta": { }
}

SCIM Schemas

Retrieve all schemas

This request retrieves all the SCIM schemas with pagination support provided by:
- startIndex: The 1-based index of the first result to return (default value: 1)
- count: The maximum number of results to return (default value: 20)

Access requirements

  • Requires a valid token.
Authorizations:
bearerAuth
query Parameters
startIndex
integer <int32>
Default: 1
count
integer <int32>
Default: 20
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
{
  "schemas": [ ],
  "totalResults": 0,
  "itemsPerPage": 0,
  "startIndex": 0,
  "previousCursor": "string",
  "nextCursor": "string",
  "Resources": [ ],
  "id": "string",
  "externalId": "string",
  "meta": { }
}

Retrieve SCIM schema

This request retrieves a SCIM schema for a specific resource provided by the resource identifier.

Access requirements

  • Requires a valid token.
Authorizations:
bearerAuth
path Parameters
resourceId
required
string
query Parameters
signicat-accountid
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

header Parameters
Signicat-AccountId
string

Identifies the DTP account for the request.

One of the following must be provided:

  • Signicat-AccountId header
  • signicat-accountid query parameter

If neither is provided, the system will attempt to resolve the account from the token claims. If both are provided, the values must be identical.

Responses

Response samples

Content type
application/scim+json
"string"