summaryrefslogtreecommitdiff
path: root/doc/development/internal_api/index.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/development/internal_api/index.md')
-rw-r--r--doc/development/internal_api/index.md225
1 files changed, 219 insertions, 6 deletions
diff --git a/doc/development/internal_api/index.md b/doc/development/internal_api/index.md
index 68d9b88bc05..f0fdedd801f 100644
--- a/doc/development/internal_api/index.md
+++ b/doc/development/internal_api/index.md
@@ -5,7 +5,7 @@ info: "To determine the technical writer assigned to the Stage/Group associated
type: reference, api
---
-# Internal API **(FREE)**
+# Internal API
The internal API is used by different GitLab components, it cannot be
used by other consumers. This documentation is intended for people
@@ -964,17 +964,17 @@ Example response:
- CustomersDot
-## SCIM API **(PREMIUM SAAS)**
+## Group SCIM API **(PREMIUM SAAS)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/9388) in GitLab 11.10.
-The SCIM API implements the [RFC7644 protocol](https://www.rfc-editor.org/rfc/rfc7644). As this API is for
+The group SCIM API implements the [RFC7644 protocol](https://www.rfc-editor.org/rfc/rfc7644). As this API is for
**system** use for SCIM provider integration, it is subject to change without notice.
-To use this API, [Group SSO](../../user/group/saml_sso/index.md) must be enabled for the group.
+To use this API, enable [Group SSO](../../user/group/saml_sso/index.md) for the group.
This API is only in use where [SCIM for Group SSO](../../user/group/saml_sso/scim_setup.md) is enabled. It's a prerequisite to the creation of SCIM identities.
-Not to be confused with the [main SCIM API](../../api/scim.md).
+This API is different to the [main SCIM API](../../api/scim.md) and the [instance SCIM API](#instance-scim-api).
### Get a list of SCIM provisioned users
@@ -991,7 +991,7 @@ Parameters:
|:----------|:--------|:---------|:----------------------------------------------------------------------------------------------------------------------------------------|
| `filter` | string | no | A [filter](#available-filters) expression. |
| `group_path` | string | yes | Full path to the group. |
-| `startIndex` | integer | no | The 1-based index indicating where to start returning results from. A value of less than one will be interpreted as 1. |
+| `startIndex` | integer | no | The 1-based index indicating where to start returning results from. A value of less than one is interpreted as 1. |
| `count` | integer | no | Desired maximum number of query results. |
NOTE:
@@ -1185,6 +1185,219 @@ curl --verbose --request DELETE "https://gitlab.example.com/api/scim/v2/groups/t
Returns an empty response with a `204` status code if successful.
+## Instance SCIM API **(PREMIUM SELF)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/378599) in GitLab 15.8.
+
+The Instance SCIM API implements the [RFC7644 protocol](https://www.rfc-editor.org/rfc/rfc7644). As this API is for
+**system** use for SCIM provider integration, it is subject to change without notice.
+
+To use this API, enable [SAML SSO](../../integration/saml.md) for the instance.
+
+This API is different to the [main SCIM API](../../api/scim.md) and the [group SCIM API](#group-scim-api).
+
+### Get a list of SCIM provisioned users
+
+This endpoint is used as part of the SCIM syncing mechanism. It only returns
+a single user based on a unique ID which should match the `extern_uid` of the user.
+
+```plaintext
+GET /api/scim/v2/application/Users
+```
+
+Parameters:
+
+| Attribute | Type | Required | Description |
+|:----------|:--------|:---------|:----------------------------------------------------------------------------------------------------------------------------------------|
+| `filter` | string | no | A [filter](#available-filters) expression. |
+| `startIndex` | integer | no | The 1-based index indicating where to start returning results from. A value of less than one is interpreted as 1. |
+| `count` | integer | no | Desired maximum number of query results. |
+
+NOTE:
+Pagination follows the [SCIM spec](https://www.rfc-editor.org/rfc/rfc7644#section-3.4.2.4) rather than GitLab pagination as used elsewhere. If records change between requests it is possible for a page to either be missing records that have moved to a different page or repeat records from a previous request.
+
+Example request:
+
+```shell
+curl "https://gitlab.example.com/api/scim/v2/application/Users?filter=id%20eq%20%220b1d561c-21ff-4092-beab-8154b17f82f2%22" \
+ --header "Authorization: Bearer <your_scim_token>" \
+ --header "Content-Type: application/scim+json"
+```
+
+Example response:
+
+```json
+{
+ "schemas": [
+ "urn:ietf:params:scim:api:messages:2.0:ListResponse"
+ ],
+ "totalResults": 1,
+ "itemsPerPage": 20,
+ "startIndex": 1,
+ "Resources": [
+ {
+ "schemas": [
+ "urn:ietf:params:scim:schemas:core:2.0:User"
+ ],
+ "id": "0b1d561c-21ff-4092-beab-8154b17f82f2",
+ "active": true,
+ "name.formatted": "Test User",
+ "userName": "username",
+ "meta": { "resourceType":"User" },
+ "emails": [
+ {
+ "type": "work",
+ "value": "name@example.com",
+ "primary": true
+ }
+ ]
+ }
+ ]
+}
+```
+
+### Get a single SCIM provisioned user
+
+```plaintext
+GET /api/scim/v2/application/Users/:id
+```
+
+Parameters:
+
+| Attribute | Type | Required | Description |
+|:----------|:--------|:---------|:----------------------------------------------------------------------------------------------------------------------------------------|
+| `id` | string | yes | External UID of the user. |
+
+Example request:
+
+```shell
+curl "https://gitlab.example.com/api/scim/v2/application/Users/f0b1d561c-21ff-4092-beab-8154b17f82f2" \
+ --header "Authorization: Bearer <your_scim_token>" --header "Content-Type: application/scim+json"
+```
+
+Example response:
+
+```json
+{
+ "schemas": [
+ "urn:ietf:params:scim:schemas:core:2.0:User"
+ ],
+ "id": "0b1d561c-21ff-4092-beab-8154b17f82f2",
+ "active": true,
+ "name.formatted": "Test User",
+ "userName": "username",
+ "meta": { "resourceType":"User" },
+ "emails": [
+ {
+ "type": "work",
+ "value": "name@example.com",
+ "primary": true
+ }
+ ]
+}
+```
+
+### Create a SCIM provisioned user
+
+```plaintext
+POST /api/scim/v2/application/Users
+```
+
+Parameters:
+
+| Attribute | Type | Required | Description |
+|:---------------|:----------|:----|:--------------------------|
+| `externalId` | string | yes | External UID of the user. |
+| `userName` | string | yes | Username of the user. |
+| `emails` | JSON string | yes | Work email. |
+| `name` | JSON string | yes | Name of the user. |
+| `meta` | string | no | Resource type (`User`). |
+
+Example request:
+
+```shell
+curl --verbose --request POST "https://gitlab.example.com/api/scim/v2/application/Users" \
+ --data '{"externalId":"test_uid","active":null,"userName":"username","emails":[{"primary":true,"type":"work","value":"name@example.com"}],"name":{"formatted":"Test User","familyName":"User","givenName":"Test"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"meta":{"resourceType":"User"}}' \
+ --header "Authorization: Bearer <your_scim_token>" --header "Content-Type: application/scim+json"
+```
+
+Example response:
+
+```json
+{
+ "schemas": [
+ "urn:ietf:params:scim:schemas:core:2.0:User"
+ ],
+ "id": "0b1d561c-21ff-4092-beab-8154b17f82f2",
+ "active": true,
+ "name.formatted": "Test User",
+ "userName": "username",
+ "meta": { "resourceType":"User" },
+ "emails": [
+ {
+ "type": "work",
+ "value": "name@example.com",
+ "primary": true
+ }
+ ]
+}
+```
+
+Returns a `201` status code if successful.
+
+### Update a single SCIM provisioned user
+
+Fields that can be updated are:
+
+| SCIM/IdP field | GitLab field |
+|:---------------------------------|:-----------------------------------------------------------------------------|
+| `id/externalId` | `extern_uid` |
+| `active` | Identity removal if `active` = `false` |
+
+```plaintext
+PATCH /api/scim/v2/application/Users/:id
+```
+
+Parameters:
+
+| Attribute | Type | Required | Description |
+|:----------|:--------|:---------|:----------------------------------------------------------------------------------------------------------------------------------------|
+| `id` | string | yes | External UID of the user. |
+| `Operations` | JSON string | yes | An [operations](#available-operations) expression. |
+
+Example request:
+
+```shell
+curl --verbose --request PATCH "https://gitlab.example.com/api/scim/v2/application/Users/f0b1d561c-21ff-4092-beab-8154b17f82f2" \
+ --data '{ "Operations": [{"op":"Add","path":"name.formatted","value":"New Name"}] }' \
+ --header "Authorization: Bearer <your_scim_token>" --header "Content-Type: application/scim+json"
+```
+
+Returns an empty response with a `204` status code if successful.
+
+### Remove a single SCIM provisioned user
+
+Removes the user's SSO identity.
+
+```plaintext
+DELETE /api/scim/v2/application/Users/:id
+```
+
+Parameters:
+
+| Attribute | Type | Required | Description |
+| ------------ | ------ | -------- | ------------------------- |
+| `id` | string | yes | External UID of the user. |
+
+Example request:
+
+```shell
+curl --verbose --request DELETE "https://gitlab.example.com/api/scim/v2/application/Users/f0b1d561c-21ff-4092-beab-8154b17f82f2" \
+ --header "Authorization: Bearer <your_scim_token>" --header "Content-Type: application/scim+json"
+```
+
+Returns an empty response with a `204` status code if successful.
+
### Available filters
They match an expression as specified in [the RFC7644 filtering section](https://www.rfc-editor.org/rfc/rfc7644#section-3.4.2.2).
View Lorry Controller Status