Celonis Product Documentation

SCIM API

Quick Start

The SCIM API can now be used as an alternative to SAML-JIT for provisioning users and groups. SCIM is available for many of the common identity providers, which are listed further down this help page.

  1. SCIM stands for System for Cross-domain Identity Management.

  2. An industry standard API to manage identities securely between systems.

  3. The spec defines interfaces for managing user and group entities.

  4. The standard allows extensions to match extra customer requirements.

  5. The spec can be found in RFC 7644, RFC 7643 and RFC 7642.

  6. SCIM should NOT be used in combination with SAML-JIT. It must be one or the other!

Problem

The existing user and group provisioning solutions, such as SAML-JIT, do not allow for de-provisioning. SCIM fills this gap and allows for the provisioning and de-provisioning of users and groups (not permissions).

Potential Use Cases
  • Sync from LDAP

  • Sync from Snowflake

  • Sync from HANA

  • Sync from source X

These syncs used to involve custom development. Now they can be done by anyone.

Use a script to query the data, transform it, and then talk to the API.

Integration with many Identity Providers

Let your IDPs do the provisioning and de-provisioning of users, groups and group memberships.

Our Logic
  • When importing users, the API will take the team license into consideration.

  • Users can set user and group roles when creating or updating a user/group.

  • Removing a user will remove that user’s membership but will not delete the user from EMS.

  • The API only supports basic auth with custom authentication headers (either Bearer or AppKey).

Supported IDPs
  • Okta

  • MS Azure

  • Salesforce - Only exposes its own API for SCIM. Outgoing SCIM provisioning is not supported by default, but may be enabled with flows/plugins.

  • JumpCloud

  • Ping Identity

  • OneLogin

SCIM Documentation
  • https://[team name].celonis.cloud/user-provisioning/scim/docs

  • https://[team name].celonis.cloud/scim/docs

SCIM Authentication

API Keys:

  • The user that creates the key should have the admin role or have the SCIM permission.

  • The API Key impersonates the user that created it.

Authorization: Bearer <API key>

AppKeys:

  • AppKeys can be created by admins.

  • The AppKey needs SCIM permission, which is granted by going to Admin and Settings > User Provisioning.

  • The AppKey is treated like a separate user inside the EMS.

Authorization: AppKey <Application key>

See also Application Keys.
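The "use a script to query the data, transform it and then talk to the API" use case and the two Authorization header forms above, as an added example that is not part of the Celonis documentation. The base URL, the `/Users` path (taken from RFC 7644, not from this page), the use of DELETE for removal, and all function names are assumptions; requests are built but never sent.

```python
import json
import urllib.parse
import urllib.request

# Assumption: placeholder base URL; take the real SCIM base path from the team's SCIM docs.
BASE_URL = "https://TEAM.example.invalid/scim/v2"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User schema

def auth_header(kind, key):
    """Authorization value in one of the two forms the page lists."""
    if kind not in ("Bearer", "AppKey"):  # Bearer = API key, AppKey = application key
        raise ValueError("scheme must be 'Bearer' or 'AppKey'")
    if not key or any(c.isspace() for c in key):
        raise ValueError("key is empty or contains whitespace")
    return f"{kind} {key}"

def plan_sync(source_names, scim_users):
    """Diff the source of truth against current SCIM users.

    Returns (method, path, body) tuples: POST for users missing from SCIM,
    DELETE for users no longer in the source (the de-provisioning step).
    """
    wanted = {n.strip().lower() for n in source_names}
    current = {u["userName"].lower(): u["id"] for u in scim_users}
    ops = []
    for name in sorted(wanted - set(current)):
        ops.append(("POST", "/Users", {"schemas": [USER_SCHEMA], "userName": name, "active": True}))
    for name in sorted(set(current) - wanted):
        # Quote the id so a hostile value cannot alter the request path.
        ops.append(("DELETE", "/Users/" + urllib.parse.quote(current[name], safe=""), None))
    return ops

def build_request(op, kind, key):
    """Turn one planned operation into an unsent urllib Request."""
    method, path, body = op
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", auth_header(kind, key))
    if data is not None:
        req.add_header("Content-Type", "application/scim+json")  # RFC 7644 media type
    return req

# Constructed sample data (not real accounts or keys).
SOURCE = ["alice@example.com", "Bob@example.com"]
EXISTING = [{"id": "u-1", "userName": "bob@example.com"},
            {"id": "u-2", "userName": "carol@example.com"}]

if __name__ == "__main__":
    for op in plan_sync(SOURCE, EXISTING):
        req = build_request(op, "AppKey", "CONSTRUCTED-KEY")
        print(req.get_method(), req.full_url)  # built only, never sent
```

In a real script, load the key from a secret store or environment variable rather than the source file. Since an API key impersonates the user that created it while an AppKey is treated as a separate user, an AppKey scoped to SCIM keeps the sync job's privileges narrower than an admin's API key.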

Set up SCIM via API Key

To create the API key, go to your user settings:

  1. Click your avatar (or the first letter of your username) on the bottom left and then click Edit profile, or navigate to this URL: https://{{TEAM_DOMAIN}}.{{REALM}}.celonis.cloud/ui/my-account

  2. On the Edit profile page, scroll down to “API-Keys”.

  3. Set a name, such as “SCIM”, and then click Create API Key.

    Important

    Copy the API key. If you lose this key, you will need to generate a new one as there is no way to retrieve it.

  4. Set permissions for the API key by following the steps explained in Set permission to the API/App Key below.

  5. You can use this API Key by adding it to the authorization header of your request.

    1. Authorization: Bearer API_KEY

Set up SCIM via AppKey

To create the App key, go to the team settings:

  1. Click Admin & Setting on the bottom left and then choose Application from the left menu, or navigate to this URL: https://{{TEAM_DOMAIN}}.{{REALM}}.celonis.cloud/ui/team/applications

  2. Click New Application Key in the upper right.

  3. Set a name and click Save.

    Important

    Copy the API key. If you lose this key, you will need to generate a new one as there is no way to retrieve it.

  4. Set permissions for the App key by following the steps below.

  5. You can use this App Key by adding it to the authorization header of your request.

    1. Authorization: AppKey APPLICATION_KEY

Set permission to the API/App Key
  1. Click Admin & Setting on the bottom left and choose Permissions from the left menu, or navigate to this URL: https://{{TEAM_DOMAIN}}.{{REALM}}.celonis.cloud/ui/team/permissions

  2. Scroll down to “User Provisioning Permissions” and click Edit.

  3. Set the permission based on the key you created.

    1. App Key - Appears with the correct name.

    2. API Key - Links to your user and verifies that your user has the correct permissions.

    You have now completed your setup and can start using the API.

    The next step would be to learn a bit more about our functionality and what we support.