SCIM Provisioning API

Overview

Twingate supports automatic user provisioning via SCIM 2.0. This allows seamless integration with your organization's existing identity provider solution.

Note: SCIM support is only available on Twingate Business and Enterprise plans.

SCIM configuration

Endpoints

The base URL for SCIM endpoints is https://{network}.twingate.com/api/scim/v2/ where {network} is your Twingate network name. For example, if your network name is autoco, the base URL for your SCIM endpoints is https://autoco.twingate.com/api/scim/v2/ (v2 designates that we support SCIM version 2.0).

Authorization

A long-lived bearer token is required to access any SCIM endpoint. The token must be included in the Authorization header with the Bearer type. For example, for the network autoco:

GET /api/scim/v2/Users?count=100
Host: autoco.twingate.com
Accept: application/scim+json
Authorization: Bearer h480dj...s93hd8

This token can be created and replaced in the Twingate Admin console. Only the most recently generated token is valid at any point in time.

Users

Attributes

| Twingate User | SCIM Attribute | Required? | Unique? | Attribute Type |
|---|---|---|---|---|
| Twingate ID | id | True | True | Singular |
| Origin ID | externalId | True | True | Singular |
| Email | emails[primary eq true] | True | True | Multi-valued |
| First name | name.givenName | False | False | Singular |
| Last name | name.lastName | False | False | Singular |
| Active | active | False | False | Singular |

  • Twingate only stores one email value from the multi-valued SCIM emails attribute. We look for the email with primary=true.

Warning: When a user's email address is updated via a PATCH request with a specific path (RFC-7644 section 3.5.2), only the path emails[primary eq true] will result in an update to the user's email address. Other paths (e.g. emails[type eq "work"]) are ignored.

  • User responses are returned with userName (set to the user's email address) and displayName attributes. However, these values cannot be created or updated via SCIM operations. If provided in those operations (e.g. POST /Users), they will be ignored.
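The attribute rules above can be checked before a message is sent, so that an identity provider mapping that would leave the stored email unchanged is caught early. This is an added example, not Twingate's code: the function names, finding texts and sample payloads are constructed, the value shapes in the sample PATCH follow the RFC 7644 examples, and comparing the path as an exact string is an assumption.

```python
# Added example: pre-flight checks built only from the rules stated on this page.
REQUIRED = ("externalId",)               # client-supplied required attribute (id is issued by Twingate)
READ_ONLY = ("userName", "displayName")  # returned in responses, ignored on create/update
EMAIL_PATH = "emails[primary eq true]"   # the only PATCH path documented to update the email

def primary_email(user):
    """Return the one email Twingate would store (primary=true), or None."""
    primaries = [e.get("value") for e in user.get("emails", []) if e.get("primary") is True]
    return primaries[0] if len(primaries) == 1 else None

def check_create(user):
    """Findings for a POST /Users body; an empty list means nothing to flag."""
    findings = [f"missing required attribute: {a}" for a in REQUIRED if not user.get(a)]
    if primary_email(user) is None:
        findings.append("emails needs exactly one entry with primary=true")
    findings += [f"{a} is ignored on create/update" for a in READ_ONLY if a in user]
    return findings

def check_patch(body):
    """Flag PATCH operations that select an email through any other filter path."""
    findings = []
    for op in body.get("Operations", []):
        # Assumption: compare the path as an exact string after collapsing whitespace.
        path = " ".join(str(op.get("path", "")).split())
        if path.startswith("emails[") and path != EMAIL_PATH:
            findings.append(f"email not updated by path: {path}")
    return findings

# Constructed sample messages, not captured traffic.
SAMPLE_CREATE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "externalId": "idp-0001",
    "userName": "alex@example.com",
    "emails": [{"value": "alex@example.com", "type": "work"}],
}
SAMPLE_PATCH = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
        {"op": "replace", "path": 'emails[type eq "work"]', "value": {"value": "a.new@example.com"}},
        {"op": "replace", "path": "emails[primary eq true]", "value": {"value": "a.new@example.com"}},
        {"op": "replace", "path": "active", "value": False},
    ],
}

if __name__ == "__main__":
    for finding in check_create(SAMPLE_CREATE) + check_patch(SAMPLE_PATCH):
        print(finding)
```

Run against the constructed samples, the create body is flagged for having no primary email and for sending userName, and the PATCH is flagged only for the type-based email path.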

Operations

  • GET /Users - to search and filter users. Pagination is supported.
  • POST /Users - to create a new user.
  • Operations on a single user. The {id} is the Twingate user ID that is returned in the SCIM id field of a user response.
    • GET /Users/{id} - to retrieve a single user.
    • PUT /Users/{id} - to replace a single user.
    • PATCH /Users/{id} - to modify a single user.
    • DELETE /Users/{id} - to delete a single user. This deletes the user in Twingate.

Groups

Coming soon

Service Provider Configuration

Coming soon

Miscellaneous

  • SCIM endpoints support both application/scim+json (as specified in RFC-7644 section 8.1) and application/json content types.
  • Error status and responses are formatted following RFC-7644 section 3.12.
  • Requests are rate-limited to 25 requests per second per Twingate account.

Limitations

Twingate currently doesn't support the following endpoints and operations:

