InstallationUser's ManualReleasesHostedPro SupportAPI Reference
Guides

SCIM

Suggest Edits

To enable SCIM support, you first need to generate an API key for a Superuser. As a superuser, go to the user menu near the upper-right, and choose "Manage API keys." Click "Create New Token." Copy the token and paste that in as a "Bearer Token" on your SCIM client's configuration pages. Sometimes this means you may have to add the word "Bearer" with a space and then your API token. The full authorization header should look something like:

Authorization: Bearer abcdefghijklmnopqrstuvwxyz1234567890

The SCIM client will be able to create users from your directory, and Snipe-IT will try to map every field it can to the appropriate field within Snipe-IT.

The Snipe-IT SCIM URL’s will start with https://your_servername/scim/v2/ - in most SCIM providers, you need to just place that prefix of https://your_servername/scim/v2 and the SCIM protocol will handle the rest for you.

❗️

Entra ID/Azure AD SCIM v2 issues with 'active' flag

In Azure, you may need to append ?aadOptscim062020 to your SCIM URL to ensure that Azure correctly uses SCIM v2 protocol to update your users' active flag.

So your URL will look like: https://your_servername/scim/v2/?aadOptscim062020

Microsoft documents their SCIM compliance flag here: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-config-problem-scim-compatibility#scim-20-compliance-issues-and-status

❗️

Snipe-IT can only sync Users, not Groups

Snipe-IT only has built-in mappings for Users, but not yet for the Groups section. Snipe-IT cannot sync Groups via SCIM at this time.

Fields that Snipe-IT Cannot Handle (yet)

  • displayName
  • Mobile Phone Number
  • Manager

Unsupported HTTP Verbs

DELETE is not supported by the underlying library yet

🚧

Azure SCIM and User Databases

If you restore from a backup, or regenerate your Users table somehow, you may need to delete your provisioning profile and re-create it. This is because Azure will "remember" your old user ID's and will refuse to "learn" the new ones. The only way to make it "forget" is to delete your provisioning profile and re-create it.

All supported mappings into Snipe-IT

SCIM NameSnipe-IT Users fieldData TypeRequired?
userNameusernamestringYES
givenNameFirst NamestringYES
familyNameLast Namestring
emails.work.valueEmailstring
activeActivatedboolean
phoneNumbers.work.valuePhonestring
addresses.work.streetAddressAddressstring
addresses.work.localityCitystring
addresses.work.regionStatestring
addresses.work.postalCodeZIPstring
addresses.work.countryCountrystring
titlejobtitlestring
preferredLanguagelocalestring
(Enterprise Namespace):employeeNumberemployee_numstring
department(Lookup by name to set department_id)string

Environment Variables

In your .env file, you can specify two new environment values that modify how Snipe-IT's SCIM server works.

NameDescriptionDefault value
SCIM_TRACEWhen set to true, all SCIM requests and responses will be logged to a scim.log file in the storage/logs directoryfalse
SCIM_STANDARDS_COMPLIANCE When set to true, Snipe-IT tries to more closely follow the SCIM specifications. Definitely needed for OneLogin. When set to false, Snipe-IT maintains its original behavior. (This seems to rarely need to be changed)true

🚧

SCIM support did not previously support changing email addresses via Azure and some other SCIM clients. Since v6.2, that has been fixed, but if you were depending on the previous behavior, you may get unexpected results.

Okta Notes

If you get an error message of "User Account is Inactive" when trying to synchronize the 'login enabled' checkbox, make sure to enable "Deactivate Users" in the "Provisioning Settings" within the App settings on Okta. Read more in their support document here: https://support.okta.com/help/s/article/Smartsheet-provisioning-error-Automatic-provisioning-of-user-to-app-Smartsheet-failed-User-account-is-inactive?language=en_US

Updated about 1 month ago