FreeSCIM Users API | SCIM Lifecycle, Active State, Filters

User lifecycle contract

Users endpoints expose create, replace, patch, delete, and active-state semantics under /scim/v2/Users. FreeSCIM normalizes incoming userName values to FreeIPA-safe uid values and keeps updates repeatable for Okta replay behavior.

Core examples

GET /scim/v2/Users?filter=userName eq "alice"&startIndex=1&count=25
POST /scim/v2/Users  (requires userName, givenName, familyName, email)
PATCH /scim/v2/Users/{id}  [{ "op": "replace", "path": "active", "value": false }]

Scale and consistency

Support bounded paging with startIndex and count.
Support practical filters: userName eq, email eq, emails.value eq, and active eq true|false.
Treat repeated deactivation as idempotent so Okta retry loops do not create noisy failures.

SCIM transcript example

GET /scim/v2/Users?filter=userName+eq+%22alice%22&startIndex=1&count=25
HTTP/2 200
{ "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], "startIndex": 1, "itemsPerPage": 25, "totalResults": 1, "Resources": [ ... ] }

Patch surface:
- active false maps to enforceable disable behavior
- name, userName, email, and manager updates are supported
- password material is guarded and should not be logged or echoed