SCIM API
You can use the SCIM API as an alternative to SAML-JIT for provisioning users and groups. SCIM is available for many common identity providers, and unlike SAML-JIT, it allows for de-provisioning as well as provisioning. SCIM must not be used in combination with SAML-JIT; you have to pick one or the other.
SCIM stands for System for Cross-domain Identity Management. It's an industry-standard API to manage identities securely between systems. The spec defines interfaces for managing user and group entities, and allows extensions to match your extra requirements. The SCIM spec is defined in RFC 7644, RFC 7643, and RFC 7642.
Potential Use Cases
| Used to involve custom development. Now it can be done by anyone. Use a script to query the data, transform it and then talk to the API. |
Integration with many Identity Providers | Let your IDPs do the provisioning and de-provisioning of users, groups and group memberships. |
Our Logic
When importing users, the API will take the team license into consideration.
Users can set user and group roles when creating or updating a user/group.
Removing a user will remove that user’s membership but will not delete the user from EMS.
The API only supports basic auth with custom authentication headers (either Bearer or AppKey).
Supported IDPs
Okta
MS Azure
Salesforce - Only exposes its own API for SCIM. Outgoing SCIM provisioning is not supported by default, but may be enabled with flows/plugins.
JumpCloud
Ping Identity
OneLogin
SCIM Documentation
https://[team name].celonis.cloud/user-provisioning/scim/docs
https://[team name].celonis.cloud/scim/docs
SCIM Authentication
API Keys:
The user that creates the key should have the admin role or have the SCIM permission.
The API Key impersonates the user that created it.
Authorization: Bearer <API key>
AppKeys:
Warning
App Keys are not supported by Azure. Only API keys can be used with Azure.
AppKeys can be created by admins.
The AppKey needs the SCIM permission, which is granted under Admin and Settings > User Provisioning.
The AppKey is treated like a separate user inside the EMS.
Authorization: AppKey <Application key>
See also Application Keys.
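The two Authorization schemes above, applied to a SCIM de-provisioning request, as an added example (not Celonis code). The base URL, the `/Users/{id}` path and `active` PATCH from RFC 7644, and all function names are assumptions; check your team's SCIM docs URL for the endpoints actually exposed.

```python
import json
import urllib.parse
import urllib.request

SCHEMES = {"api_key": "Bearer", "app_key": "AppKey"}  # scheme names from this page
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644, section 3.5.2


def auth_header(key_type, secret, idp=None):
    """Return the Authorization header value for an API key or an AppKey."""
    if key_type not in SCHEMES:
        raise ValueError(f"unknown key type: {key_type!r}")
    # A pasted key with a stray newline or space breaks auth or corrupts the header.
    if not secret or any(c.isspace() for c in secret):
        raise ValueError("key is empty or contains whitespace")
    if idp == "azure" and key_type != "api_key":
        raise ValueError("Azure supports API keys only, not AppKeys")
    return f"{SCHEMES[key_type]} {secret}"


def deactivate_user_request(base_url, user_id, key_type, secret, idp=None):
    """Build, without sending, a SCIM PATCH that sets active=false on one user."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to attach a key to a non-HTTPS URL")
    body = {
        "schemas": [PATCH_OP],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    user_path = urllib.parse.quote(user_id, safe="")  # keep the id a single path segment
    return urllib.request.Request(
        url=f"{base_url.rstrip('/')}/Users/{user_path}",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": auth_header(key_type, secret, idp),
            "Content-Type": "application/scim+json",
        },
    )


if __name__ == "__main__":
    # Constructed placeholder values; in practice read the key from a secret store.
    req = deactivate_user_request(
        "https://example.invalid/scim/v2", "constructed-user-id", "api_key", "constructed-key"
    )
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```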
Set up SCIM via API Key
To create the API key, go to your user settings:
Click your avatar (or the first letter of your username) in the bottom left, and then click Edit profile, or navigate to this URL: https://{{TEAM_DOMAIN}}.{{REALM}}.celonis.cloud/ui/my-account
On the Edit profile page, scroll down to “API-Keys”.
Set a name, such as “SCIM”, and then click Create API Key.
Important
Copy the API key. If you lose this key, you will need to generate a new one as there is no way to retrieve it.
You need to set permissions to the API key by following the steps explained in Set permission to the API/App Key below.
You can use this API Key by adding it to the authorization header of your request.
Authorization: Bearer API_KEY
Set up SCIM via AppKey
To create the App key, go to the team settings:
Click Admin & Setting on the bottom left and then choose Application from the left menu, or navigate to this URL: https://{{TEAM_DOMAIN}}.{{REALM}}.celonis.cloud/ui/team/applications
Click New Application Key in the upper right.
Set a name and click Save.
Important
Copy the API key. If you lose this key, you will need to generate a new one as there is no way to retrieve it.
Set permissions to the App key by following the steps below.
You can use this App Key by adding it to the authorization header of your request.
Authorization: AppKey APPLICATION_KEY
Set permission to the API/App Key
Click Admin & Setting on the bottom left and choose Permissions from the left menu, or navigate to this URL: https://{{TEAM_DOMAIN}}.{{REALM}}.celonis.cloud/ui/team/permissions
Scroll down to “User Provisioning Permissions” and click Edit.
Set the permission based on the key you created.
App Key - Appears with the correct name.
API Key - Links to your user and verifies that your user has the correct permissions.
You have now completed your setup and can start using the API.
The next step would be to learn a bit more about our functionality and what we support.