
SCIM Discovery Endpoints

SCIM 2.0 defines three discovery endpoints that let an identity provider learn what the SCIM server supports without trying every operation by hand. SecureCodingHub serves all three; most IdPs call them automatically during the initial connection test.

The three endpoints

All three live under the same prefix as the rest of the SCIM API. Replace {base} with https://api.limeplate.com/api/sch/scim/v2:

Endpoint | Purpose
{base}/ServiceProviderConfig | The SCIM Service Provider Config document. Tells the IdP which operations the server supports (PATCH, filtering, bulk, sort, change password, etc.) and what their bounds are.
{base}/Schemas | Returns the SCIM schemas served by this tenant, including the Core User and Core Group schemas plus any extensions.
{base}/ResourceTypes | Returns the resource types this tenant exposes (User, Group) and the URL prefix for each.

When you need them

Most of the time, you do not — Okta and Azure AD both call these endpoints automatically during the SCIM connection test and during attribute mapping setup, and you never see the responses. The endpoints become relevant when:

  • You are writing a custom SCIM client and need to know which operators the filter parser accepts.
  • An IdP's connection test fails and the error references one of the three discovery endpoints — looking at the actual response often surfaces the misconfiguration faster than reading vendor docs.
  • An auditor asks for documentation of the SCIM capabilities advertised by your tenant; the three endpoints together form that documentation, refreshed on every request.

What the responses tell you

The ServiceProviderConfig is the most useful of the three day-to-day. It tells the IdP that filter operations are supported but limited to the eq operator, that PATCH is supported, that bulk operations are not, that the password-change endpoint is not implemented, and where the SCIM-side documentation lives (this site). Most SCIM bugs are misalignments between what the IdP expects to do and what the SP says it can do; reading the config response is the fastest way to confirm which side is wrong.
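
The alignment check described above, as an added example (not SecureCodingHub's own code): it compares what a custom client plans to do against a ServiceProviderConfig document. The sample response is constructed from the capabilities this page lists, the eq-only limit is taken from the prose above, and the function names and the shape of the client plan are hypothetical.

```python
import json
import re

# Constructed sample response (not captured from a live tenant). It carries
# only the capabilities this page describes; a real document has more fields.
SAMPLE_CONFIG = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
  "patch": {"supported": true},
  "bulk": {"supported": false},
  "filter": {"supported": true},
  "changePassword": {"supported": false}
}""")

# Assumption taken from this page's prose: the filter parser accepts only eq.
ACCEPTED_FILTER_OPS = {"eq"}
# Comparison operators defined by RFC 7644, section 3.4.2.2.
SCIM_FILTER_OPS = {"eq", "ne", "co", "sw", "ew", "pr", "gt", "ge", "lt", "le"}


def supported(config, feature):
    """True only if the feature is present and explicitly marked supported."""
    return config.get(feature, {}).get("supported") is True


def filter_operators(expression):
    """Return the SCIM comparison operators used in a filter expression."""
    unquoted = re.sub(r'"(?:\\.|[^"\\])*"', '""', expression)  # skip string values
    found = re.findall(r"\s([A-Za-z]{2})(?=[\s\])]|$)", unquoted)
    return {tok.lower() for tok in found if tok.lower() in SCIM_FILTER_OPS}


def find_misalignments(config, plan):
    """Compare what a client intends to do with what the server advertises."""
    problems = []
    for feature in plan.get("features", []):
        if not supported(config, feature):
            problems.append(f"{feature}: client uses it, server does not advertise it")
    for expr in plan.get("filters", []):
        if not supported(config, "filter"):
            problems.append(f"filter: not advertised, cannot send {expr!r}")
            continue
        for op in sorted(filter_operators(expr) - ACCEPTED_FILTER_OPS):
            problems.append(f"filter: operator {op!r} in {expr!r} is not accepted")
    return problems
```

To run it against your own tenant, replace SAMPLE_CONFIG with the parsed body of {base}/ServiceProviderConfig.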

Auth

The discovery endpoints are protected by the same Bearer token as the rest of the SCIM API. Use the SCIM token issued from Organization → SSO — the same token that handles /Users and /Groups requests. Discovery endpoints respond with the standard application/scim+json content type.