Brief Overview

WalkMe SCIM Service Provider allows you to programmatically manage users and groups using a SCIM 2.0 compliant endpoint. WalkMe exposes a REST API based on the System for Cross-domain Identity Management (SCIM 2.0) specification.

This API allows you to do the following:

• Create, read, update, patch, and delete users and groups.
• Search for users and groups with filtering and pagination.
• Get information on the WalkMe service provider, available schemas, and resource types

Prerequisites

• You must have a WalkMe account
• You must create SCIM integration on the WalkMe Admin Center and generate credentials

Set Up SCIM Integration

Enable SCIM in WalkMe

Before enabling SCIM, you first need to create a SCIM integration in the WalkMe Admin Center.

1. Sign in to the WalkMe Admin Center

2. Go to SCIM integration page

3. Select SCIM Integration

4. Select + Create SCIM Integration

5. In the Create SCIM integration panel:

   1. Enter the Integration Name to identify your integration (e.g., “Production” or “Staging”)

   2. Select the Authorization Type

      1. Basic Authentication: Uses a username and password for authentication

      2. Bearer Token: Uses a bearer token for authentication

6. Select Generate Credentials

1. If you selected Basic Authentication, a popup opens displaying the SCIM credentials generated for this integration:

   1. SCIM base URL: The endpoint URL for your Identity Provider's SCIM configuration

   2. Username: The auto-generated username for authentication

   3. Password: The auto-generated password for authentication

2. Select Done to complete the SCIM integration setup in WalkMe

1. If you selected Bearer Token, a popup opens displaying the SCIM credentials generated for this integration:

   1. SCIM base URL: The endpoint URL for your Identity Provider's SCIM configuration

   2. Bearer Token: The secure token used for authentication

2. Select Done to complete the SCIM integration setup in WalkMe

SCIM 2.0 API Endpoints and Parameters

This API uses SCIM 2.0. For more information, see SCIM Core Schema (RFC 7643)

Base URLS

• US: https://papi.walkme.com/deepui/api/scim/v2

• EU: https://eu-papi.walkme.com/deepui/api/scim/v2

• Canada: https://papi-ca1.walkmedap.com/deepui/api/scim/v2

• FedRAMP:https://papi.walkmegov.com/deepui/api/scim/v2

Authentication

All requests require either HTTP Basic Authentication or Bearer Token authentication:

• Basic Authentication:

  • Authorization: Basic <base64 (username:password)>

• Bearer Token:

  • Authorization: Bearer <generated bearer token>

User management

EndPoints

• /Users: Create a user (POST) or get a list of users (GET)

• /Users/{id}: Get (GET), update (PUT), patch (PATCH), or delete (DELETE) a user

GET /Users

Gets a list of users with optional filtering and pagination

URL parameters:

• startIndex: 1-based index of the first user to return. Default is 1. (Optional)

• count: (Optional) Number of users to return per page (max 1000). Default is 1000. (Optional)

• filter: SCIM filter expression (Optional)

  •  Supported operators: eq, ne, co, sw, ew, gt, ge, lt, le, pr

{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "itemsPerPage": 1000,
    "startIndex": 1,
    "Resources": [
        {
            "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
            "userName": "john.doe@example.com",
            "name": {
                "formatted": "John Doe",
                "familyName": "Doe",
                "givenName": "John"
            },
            "displayName": "John Doe",
            "active": true,
            "emails": [
                {
                    "value": "john.doe@example.com",
                    "type": "work",
                    "primary": true
                }
            ],
            "groups": [],
            "schemas": [
                "urn:ietf:params:scim:schemas:core:2.0:User",
                "urn:ietf:params:scim:schemas:extension:sap:2.0:User"
            ],
            "urn:ietf:params:scim:schemas:extension:sap:2.0:User": {
                "userUuid": "b2c3d4e5-f6a7-8901-bcde-f23456789012"
            },
            "meta": {
                "resourceType": "User",
                "location": "<BASE_URL>/Users/a1b2c3d4-e5f6-7890-abcd-ef1234567890",
                "created": "2025-12-02T11:30:23Z",
                "lastModified": "2025-12-02T11:30:23Z",
                "version": "1.0"
            }
        }
    ]
}

Response codes:

• 200 OK: Success

• 400 Bad Request: Invalid request or filter

• 401 Unauthorized: Invalid credentials

• 403 Forbidden: Access denied

• 429 Too Many Requests: Rate limit exceeded

• 500 Internal Server Error

POST /Users

Creates a new user.

Required attributes:

• userName: Must be unique (case-insensitive)
• emails: Must include at least one email with primary: true

Auto-generated attributes:

• id: System-generated UUID
• urn:ietf:params:scim:schemas:extension:sap:2.0:User.userUuid: Auto-generated if not provided

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:sap:2.0:User"
    ],
    "userName": "john.doe@example.com",
    "name": {
        "formatted": "John Doe",
        "familyName": "Doe",
        "givenName": "John"
    },
    "displayName": "John Doe",
    "emails": [
        {
            "value": "john.doe@example.com",
            "type": "work",
            "primary": true
        }
    ],
    "active": true
}

Response codes:

• 201 Created: User created successfully

• 400 Bad Request: Missing required attributes or invalid values

• 401 Unauthorized: Invalid credentials

• 409 Conflict: userName already exists

• 429 Too Many Requests: Rate limit exceeded

• 500 Internal Server Error

GET /Users/{id}

Gets a specific user by their id (UUID).

Path parameters:

• id: User UUID (not userName)

Response codes:

• 200 OK: Success
• 401 Unauthorized: Invalid credentials
• 404 Not Found: User does not exist
• 429 Too Many Requests: Rate limit exceeded
• 500 Internal Server Error

PUT /Users/{id}

Replaces all user attributes. ReadOnly attributes are preserved and cannot be changed.

Path parameters:

id: User UUID (not userName)

Response codes:

• 200 OK: User updated successfully

• 400 Bad Request: Invalid request

• 401 Unauthorized: Invalid credentials

• 404 Not Found: User does not exist

• 409 Conflict: userName conflict

• 429 Too Many Requests: Rate limit exceeded

• 500 Internal Server Error

PATCH /Users/{id}

Path parameters:

• id: User UUID (not userName)

Supported operations:

• add, replace, remove

{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
        {
            "op": "replace",
            "path": "active",
            "value": false
        },
        {
            "op": "add",
            "path": "emails",
            "value": [
                {
                    "value": "secondary@example.com",
                    "type": "home"
                }
            ]
        }
    ]
}

Response codes:

• 200 OK: User updated successfully

• 400 Bad Request: Invalid operation or path

• 401 Unauthorized: Invalid credentials

• 404 Not Found: User does not exist

• 429 Too Many Requests: Rate limit exceeded

• 500 Internal Server Error

DELETE /Users{id}

Deletes a user.

Path parameters:

• id: User UUID (not userName)

Response codes:

• 204 No Content: User deleted successfully

• 401 Unauthorized: Invalid credentials

• 404 Not Found: User does not exist

• 429 Too Many Requests: Rate limit exceeded

• 500 Internal Server Error

Group management

EndPoints

• /Groups: Create a group (POST) or get a list of groups (GET)

• /Groups/{id}: Get (GET), update (PUT), patch (PATCH), or delete (DELETE) a group

GET /Groups

Gets a list of groups with optional filtering and pagination.

URL parameters:

• startIndex:1-based index of the first group to return. Default is 1. (Optional)

• count: Number of groups to return per page (maximum 1000). Default is 1000. (Optional)

• filter: SCIM filter expression used to search for specific groups. Default is none. (Optional)

GET /Groups?filter=displayName sw "Sales"&count=50

{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "itemsPerPage": 1000,
    "startIndex": 1,
    "Resources": [
        {
            "id": "d737377c-f8ba-4df7-b290-78b9a2bff8e9",
            "displayName": "Sales Team",
            "members": [
                {
                    "value": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
                    "$ref": "<BASE_URL>/Users/a1b2c3d4-e5f6-7890-abcd-ef1234567890",
                    "type": "User"
                }
            ],
            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
            "meta": {
                "resourceType": "Group",
                "location": "<BASE_URL>/Groups/d737377c-f8ba-4df7-b290-78b9a2bff8e9", 

Response codes:

• 200 OK: Success
• 400 Bad Request: Invalid filter
• 401 Unauthorized: Invalid credentials
• 429 Too Many Requests: Rate limit exceeded
• 500 Internal Server Error

POST /Groups

Creates a new group.

URL parameters:

• displayName: Human-readable name (not required, not unique - multiple groups can have the same name) (Required)

• members: Array of member objects (Optional)

{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName": "Engineering Team",
    "members": [
        {
            "value": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
            "type": "User"
        }
    ]
}

{
    "id": "e8f9a0b1-c2d3-4567-89ab-cdef01234567",
    "displayName": "Engineering Team",
    "members": [
        {
            "value": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
            "$ref": "<BASE_URL>/Users/a1b2c3d4-e5f6-7890-abcd-ef1234567890",
            "type": "User"
        }
    ],
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "meta": {
        "resourceType": "Group",
        "location": "<BASE_URL>/Groups/e8f9a0b1-c2d3-4567-89ab-cdef01234567",
        "created": "2025-12-02T11:30:23Z",
        "lastModified": "2025-12-02T11:30:23Z",
        "version": "1.0"
    }
}

Response codes:

• 201 Created: Group created successfully

• 400 Bad Request: Invalid request

• 401 Unauthorized: Invalid credentials

• 429 Too Many Requests: Rate limit exceeded

• 500 Internal Server Error

GET /Groups/{id}

Gets a specific group by UUID.

Path parameters:

• id: Group UUID

Response codes:

• 200 OK: Success

• 401 Unauthorized: Invalid credentials

• 404 Not Found: Group does not exist

• 429 Too Many Requests: Rate limit exceeded

• 500 Internal Server Error

PUT /Groups/{id}

Replaces all group attributes including members.

Path parameters:

• id: Group UUID

Response codes:

• 200 OK: Group updated successfully

• 400 Bad Request: Invalid operation

• 401 Unauthorized: Invalid credentials

• 404 Not Found: Group does not exist

• 429 Too Many Requests: Rate limit exceeded

• 500 Internal Server Error

PATCH /Groups/{id}

Partially updates a group. Commonly used to add/remove members.

Path parameters:

• id - Group UUID

{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
        {
            "op": "add",
            "path": "members",
            "value": [
                {
                    "value": "user-uuid-here",
                    "type": "User"
                }
            ]
        }
    ]
}

{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
        {
            "op": "remove",
            "path": "members[value eq \"user-uuid-here\"]"
        }
    ]
}

Response codes:

• 200 OK: Group updated successfully

• 400 Bad Request: Invalid operation

• 401 Unauthorized: Invalid credentials

• 404 Not Found: Group does not exist

• 429 Too Many Requests: Rate limit exceeded

• 500 Internal Server Error

DELETE /Groups/{id}

Deletes a group.

Path Parameters:

• id: Group UUID

Response codes:

• 204 No Content: Group deleted successfully

• 401 Unauthorized: Invalid credentials

• 404 Not Found: Group does not exist

• 429 Too Many Requests: Rate limit exceeded

• 500 Internal Server Error

Service provider information

EndPoints

• /ServiceProviderConfig: Get information about the Service Provider

• /Schemas: Get information on the schemas used for user and group management

GET /ServiceProviderConfig

Gets information about the SCIM service provider capabilities.

{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
    "patch": {
        "supported": true
    },
    "bulk": {
        "supported": false
    },
    "filter": {
        "supported": true,
        "maxResults": 1000
    },
    "changePassword": {
        "supported": false
    },
    "sort": {
        "supported": false
    },
    "etag": {
        "supported": false
    },
    "authenticationSchemes": [
        {
            "name": "HTTP Basic",
            "description": "Basic authentication scheme",
            "specUri": "https://www.ietf.org/rfc/rfc2617",
            "primary": true,
            "type": "Basic authentication"
        }
    ],
    "meta": {
        "location": "<BASE_URL>/ServiceProviderConfig",
        "resourceType": "ServiceProviderConfig"
    }
}

GET /Schemas

Gets information on all supported SCIM schemas.

Supported schemas:

• urn:ietf:params:scim:schemas:core:2.0:User

• urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

• urn:ietf:params:scim:schemas:extension:sap:2.0:User

• urn:ietf:params:scim:schemas:core:2.0:Group