The SWITCH edu-ID Affiliation API enables organisations to manage affiliations via the SCIM protocol.

In the context of SWITCH edu-ID, an affiliation (also known as linked organisational identity) is a relation of a user with an organisation, represented by a set of AAI attributes provided by the organisation. The Affiliation API allows creating, updating and expiring such affiliations using the SCIM protocol version 2.0, and its implementation follows RFC7643 and RFC7644. This document details the supported operations for developers of Affiliation API clients. A machine-readable representation of supported optional SCIM features is also available to help clients automatically discover them.

If you are not familiar with the SCIM protocol, we recommend reading more about it at http://www.simplecloud.info/. If you want to learn more about the SWITCH edu-ID architecture and affiliations, read the document Swiss edu-ID Architecture available at https://projects.switch.ch/eduid/documents/.

If you want to use the API, get in touch with the SWITCH edu-ID team at eduid@switch.ch to get dedicated credentials for your organisation.

The API is available for the production and test system at the following base URLs:

The examples below refer to the test system.

The following sections describe the available functionality of the API and how to use it.

1. Representation of Affiliations and Users in SCIM

SWITCH edu-ID affiliations are represented by our custom SCIM resource type Affiliation (specified by the resource schema urn:mace:switch.ch:eduid:scim:1.0:affiliation). Affiliation resources are meant for organisations to manage their student and staff data in SWITCH edu-ID.

SWITCH edu-ID users are represented by the standard SCIM resource type User (specified by the resource schema urn:ietf:params:scim:schemas:core:2.0:User) together with our extension schema under the urn:mace:switch.ch:eduid:scim:1.0:user namespace. User resources represent a person’s whole SWITCH edu-ID account and cannot be modified through this API.

2. Managing your organisation’s users in SWITCH edu-ID with Affiliations

The following sections describe the SCIM GET, POST, PUT and DELETE operations for getting, creating, updating (i.e. overwriting) and deleting (i.e. expiring) affiliations.

Access to these endpoints requires HTTP Basic Authentication.

Each section describes how to use the API method, followed by examples.

Important
Special behaviour for deleted affiliations

In terms of SCIM, DELETE means deleting an object, but in terms of the SWITCH edu-ID, deleting an affiliation means expiring it, i.e. changing its status from current to former. That is, the affiliation still exists as an object in the SWITCH edu-ID backend, but the Affiliation API will consider such an affiliation as deleted in terms of SCIM, which actually means that the Affiliation API doesn’t allow managing former affiliations. This is intended behaviour.

A previously deleted affiliation can be created again with POST using the same externalId; the new object won’t conflict with the existing former affiliation object. It is the client’s responsibility to provide a complete set of attributes for the "recreated" affiliation, as no attributes are copied from the former affiliation.

The other operations, GET, PUT and DELETE, return a 404 Not Found error if called for a former affiliation.

2.1. Get Affiliation

GET /Affiliations/{swissEduPersonUniqueID}

Get an affiliation.

2.1.1. Path parameters

Parameter Type Optional Description

swissEduPersonUniqueID

String

false

The externalId, which must be the value of the swissEduPersonUniqueID attribute in the organisation’s identity system.

Must be a valid swissEduPersonUniqueID as defined in the SWITCHaai attribute specification.

2.1.2. Query parameters

No parameters.

2.1.3. Required request fields

No request body.

2.1.4. Optional request fields

No request body.

2.1.5. Response fields

Path Type Optional Description

schemas

Array[String]

false

SCIM Schema URNs. Must contain the single value 'urn:mace:switch.ch:eduid:scim:1.0:affiliation'.

id

String

false

The id, which must be the value of the swissEduPersonUniqueID attribute in the organisation’s identity system. Must be a valid swissEduPersonUniqueID as defined in the SWITCHaai attribute specification.

externalId

String

false

The externalId, which must be the value of the swissEduPersonUniqueID attribute in the organisation’s identity system. Must be a valid swissEduPersonUniqueID as defined in the SWITCHaai attribute specification.

eduPersonAffiliation

Array[String]

false

Type of affiliation.

eduPersonScopedAffiliation

Array[Object]

true

The person’s affiliation within a particular security domain.

email

Array[String]

false

Preferred address for the 'To:' field of e-mail to be sent to this person.

givenName

String

false

Given name of a person.

surname

String

false

Surname or family name.

swissEduIDAffiliationStatus

String

true

Status of the affiliation. If no value is provided, defaults to "current" when creating a new affiliation, or the previous value when updating an affiliation.

Must be one of ["current", "suspended"], value "former" is reserved for internal use.

swissEduIDAffiliationPeriodBegin

String

true

Date the affiliation is valid from. If no value is provided, defaults to today when creating a new affiliation, or the previous value when updating an affiliation.

Must be in the past or the present.

swissEduPersonHomeOrganization

String

true

Domain name of a home organization.

Must be the domain name of the home organization.

swissEduPersonHomeOrganizationType

String

true

Type of a home organization.

Must be one of [university, uas, hospital, library, tertiaryb, uppersecondary, vho, others].

swissEduPersonUniqueID

String

false

A unique identifier for a person, mainly for inter-institutional user identification on personalized services.

swissEduID

String

false

The Swiss edu-ID persistent identifier for Swiss Higher Education users.

commonName

Array[String]

true

The names of an object.

displayName

String

true

The name(s) that should appear in white-pages-like applications.

eduPersonUniqueId

String

true

A long-lived, non re-assignable, omnidirectional identifier, the international version of the swissEduPersonUniqueID.

Must be equal to the swissEduPersonUniqueID.

eduPersonPrincipalName

String

true

A scoped identifier for a person.

Must contain one and only one '@' character.

schacHomeOrganization

String

true

A person’s home organization using the domain name of the organization.

Must be the domain name of the home organization.

schacHomeOrganizationType

Array[String]

true

Type of a home organization.

swissEduPersonCardUID

Array[String]

true

Card unique identifier.

swissEduPersonDateOfBirth

String

true

The date of birth of the person (see RFC 3339).

Must be a string of numerical characters of length 8.

swissEduPersonGender

String

true

The state of being male or female (see ISO 5218).

Must be one of [0, 1, 2, 9].

swissEduPersonMatriculationNumber

String

true

Matriculation number of a student.

Must be a string of numerical characters of length 8.

swissEduPersonStaffCategory

Array[Integer]

true

Workbranch of a staff member.

swissEduPersonStudyBranch1

Array[Integer]

true

Study branch of a student, first level of classification.

swissEduPersonStudyBranch2

Array[Integer]

true

Study branch of a student, intermediate level of classification.

swissEduPersonStudyBranch3

Array[Integer]

true

Study branch of a student.

swissEduPersonStudyLevel

Array[String]

true

Study level of a student in a particular study branch.

swissLibraryPersonAffiliation

Array[String]

true

Type of library affiliation.

swissLibraryPersonResidence

Array[String]

true

Defines the current residence of the patron.

eduPersonAssurance

Array[String]

true

Set of URIs that assert compliance with specific standards for identity assurance.

telephoneNumber

Array[String]

true

Office/campus phone number.

postalAddress

Array[String]

true

Campus or office address.

employeeNumber

String

true

Numerically identifies an employee within an organization.

eduPersonEntitlement

Array[String]

true

URI (either URL or URN) that indicates a set of rights to specific resources.

homePostalAddress

Array[String]

true

Home address of the user.

isMemberOf

Array[String]

true

The values of isMemberOf are identifiers for groups to which the containing entity belongs.

mobile

Array[String]

true

Mobile phone number.

eduPersonNickname

Array[String]

true

Person’s nickname.

eduPersonOrcid

Array[String]

true

ORCID iDs are persistent digital identifiers for individual researchers.

eduPersonOrgDN

String

true

The distinguished name (DN) of the directory entry representing the organization with which the person is associated.

ou

Array[String]

true

Organizational unit(s).

eduPersonOrgUnitDN

Array[String]

true

The distinguished name (DN) of the directory entries representing the person’s Organizational Unit(s).

preferredLanguage

String

true

Preferred written or spoken language for a person.

Must match the regular expression ^[\p{IsAlpha}]{2,3}(-[\p{IsAlpha}]{2})?$.

eduPersonPrimaryAffiliation

String

true

The person’s primary relationship to the institution.

Must be one of [faculty, student, staff, alum, member, affiliate, employee, library-walk-in].

eduPersonPrimaryOrgUnitDN

String

true

The distinguished name (DN) of the directory entry representing the person’s primary Organizational Unit(s).

homePhone

Array[String]

true

Private phone number.

uid

String

true

A unique identifier for a person, mainly used for user identification within the user’s home organization.

fhnwIDPerson

String

true

FHNW IDPerson (Evento): IDPerson from SAS Evento (FHNW internal).

fhnwOeID

String

true

FHNW organisational unit from the Metadirectory: FHNW organisational unit from the Metadirectory.

fschImapPW

String

true

Fernuni Imap Password: This attribute used by Fernuni is used for Webmail IMAP authentication.

unibasChPublicId

String

true

Uni Basel personal public id: University of Basel personal public id.

unilFacultePrincipale

String

true

UniL main faculty: This attribute contains the abbreviation of the main faculty at the University of Lausanne; it is used mainly for students.

zhawDepartmentCode

String

true

ZHAW Department Code: ZHAW Department Code.

zhawInstituteCode

String

true

ZHAW Institute Code: ZHAW Institute Code.

zhawInstitute

String

true

ZHAW Institute Name: ZHAW Institute Name.

extKerberosPrincipalName

Array[String]

true

Kerberos Principal Name of user at organisation, used to identify the user in SPNEGO Kerberos login.

unibasChRoles

Array[String]

true

Uni Basel specific roles: This attribute contains the specific member roles available at the University of Basel.

unilMemberOf

Array[String]

true

UniL group membership: Group membership at the Uni Lausanne.

extAzureADImmutableID

String

true

Azure AD ImmutableID: Unique identifier for user. Must not change for this user over the lifetime of the user. Must not contain domain information. Case sensitive.

userPrincipalName

String

true

Microsoft Active Directory User-Principal-Name.

meta

Object

true

meta.resourceType

String

true

meta.created

String

true

meta.lastModified

String

true

meta.location

String

true

meta.version

String

true

swissEduIDUser

Object

true

User account linked to this affiliation.

swissEduIDUser.value

String

true

swissEduIDUser.$ref

String

true

2.1.6. Example request

$ curl 'https://api.test.eduid.ch/scim/Affiliations/2490257@test.idph.switch.ch' -i -X GET \
    -H 'Accept: application/scim+json'

Note
This command runs on Linux. If running on Windows and using the -d parameter for sending data, store the JSON data to a file (e.g. data.json) and use -d @data.json instead of -d '…'.

2.1.7. Example response

HTTP/1.1 200 OK
Content-Disposition: inline;filename=f.txt
Content-Type: application/scim+json
Content-Length: 1858

{
  "schemas" : [ "urn:mace:switch.ch:eduid:scim:1.0:affiliation" ],
  "id" : "2490257@test.idph.switch.ch",
  "externalId" : "2490257@test.idph.switch.ch",
  "eduPersonAffiliation" : [ "student", "member" ],
  "eduPersonScopedAffiliation" : [ "member@test.idph.switch.ch", "student@test.idph.switch.ch" ],
  "email" : [ "test1.student@example.org" ],
  "givenName" : "Test1",
  "surname" : "Student",
  "swissEduIDAffiliationStatus" : "current",
  "swissEduIDAffiliationPeriodBegin" : "2016-09-01",
  "swissEduPersonHomeOrganization" : "test.idph.switch.ch",
  "swissEduPersonHomeOrganizationType" : "university",
  "swissEduPersonUniqueID" : "2490257@test.idph.switch.ch",
  "swissEduID" : "00000000-f706-45db-a5ec-03f181e79d96",
  "commonName" : [ "Test1 Student" ],
  "displayName" : "Test1 Student",
  "eduPersonUniqueId" : "2490257@test.idph.switch.ch",
  "eduPersonPrincipalName" : "2490257@test.idph.switch.ch",
  "schacHomeOrganization" : "test.idph.switch.ch",
  "schacHomeOrganizationType" : [ "urn:schac:homeOrganizationType:ch:university", "urn:schac:homeOrganizationType:eu:higherEducationalInstitution" ],
  "swissEduPersonDateOfBirth" : "19980401",
  "swissEduPersonGender" : 2,
  "swissEduPersonMatriculationNumber" : "12345678",
  "swissEduPersonStudyBranch1" : [ 4 ],
  "swissEduPersonStudyBranch2" : [ 70 ],
  "swissEduPersonStudyBranch3" : [ 4700 ],
  "swissEduPersonStudyLevel" : [ "4700-15" ],
  "swissLibraryPersonAffiliation" : [ "private" ],
  "eduPersonEntitlement" : [ "urn:mace:dir:entitlement:common-lib-terms", "http://example.org/" ],
  "eduPersonOrcid" : [ "https://orcid.org/0000-0002-1825-0097" ],
  "preferredLanguage" : "fr",
  "eduPersonPrimaryAffiliation" : "student",
  "uid" : "test1",
  "swissEduIDUser" : {
    "value" : "2490257@eduid.ch",
    "$ref" : "https://api.test.eduid.ch/scim/Users/2490257@eduid.ch"
  }
}

2.2. Get All Affiliations

GET /Affiliations

Get all affiliations from the authenticated user’s organisation.

2.2.1. Path parameters

No parameters.

2.2.2. Query parameters

No parameters.

2.2.3. Required request fields

No request body.

2.2.4. Optional request fields

No request body.

2.2.5. Response fields

Path Type Optional Description

schemas

Array[String]

true

id

String

true

externalId

String

true

meta

Object

true

meta.resourceType

String

true

meta.created

String

true

meta.lastModified

String

true

meta.location

String

true

meta.version

String

true

totalResults

Integer

true

The total number of results returned by the list or query operation.

Resources

Array[Object]

true

startIndex

Integer

true

The 1-based index of the first result in the current set of list results.

itemsPerPage

Integer

true

The number of resources returned in a list response page.

2.2.6. Example request

$ curl 'https://api.test.eduid.ch/scim/Affiliations' -i -X GET \
    -H 'Accept: application/scim+json'

Note
This command runs on Linux. If running on Windows and using the -d parameter for sending data, store the JSON data to a file (e.g. data.json) and use -d @data.json instead of -d '…'.

2.2.7. Example response

HTTP/1.1 200 OK
Content-Type: application/scim+json
Content-Length: 3087

{
  "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ],
  "totalResults" : 2,
  "Resources" : [ {
    "schemas" : [ "urn:mace:switch.ch:eduid:scim:1.0:affiliation" ],
    "id" : "2490257@test.idph.switch.ch",
    "externalId" : "2490257@test.idph.switch.ch",
    "eduPersonAffiliation" : [ "student", "member" ],
    "eduPersonScopedAffiliation" : [ "member@test.idph.switch.ch", "student@test.idph.switch.ch" ],
    "email" : [ "test1.student@example.org" ],
    "givenName" : "Test1",
    "surname" : "Student",
    "swissEduIDAffiliationStatus" : "current",
    "swissEduIDAffiliationPeriodBegin" : "2016-09-01",
    "swissEduPersonHomeOrganization" : "test.idph.switch.ch",
    "swissEduPersonHomeOrganizationType" : "university",
    "swissEduPersonUniqueID" : "2490257@test.idph.switch.ch",
    "swissEduID" : "00000000-f706-45db-a5ec-03f181e79d96",
    "commonName" : [ "Test1 Student" ],
    "displayName" : "Test1 Student",
    "eduPersonUniqueId" : "2490257@test.idph.switch.ch",
    "eduPersonPrincipalName" : "2490257@test.idph.switch.ch",
    "schacHomeOrganization" : "test.idph.switch.ch",
    "schacHomeOrganizationType" : [ "urn:schac:homeOrganizationType:ch:university", "urn:schac:homeOrganizationType:eu:higherEducationalInstitution" ],
    "swissEduPersonDateOfBirth" : "19980401",
    "swissEduPersonGender" : 2,
    "swissEduPersonMatriculationNumber" : "12345678",
    "swissEduPersonStudyBranch1" : [ 4 ],
    "swissEduPersonStudyBranch2" : [ 70 ],
    "swissEduPersonStudyBranch3" : [ 4700 ],
    "swissEduPersonStudyLevel" : [ "4700-15" ],
    "swissLibraryPersonAffiliation" : [ "private" ],
    "eduPersonEntitlement" : [ "urn:mace:dir:entitlement:common-lib-terms", "http://example.org/" ],
    "eduPersonOrcid" : [ "https://orcid.org/0000-0002-1825-0097" ],
    "preferredLanguage" : "fr",
    "eduPersonPrimaryAffiliation" : "student",
    "uid" : "test1"
  }, {
    "schemas" : [ "urn:mace:switch.ch:eduid:scim:1.0:affiliation" ],
    "id" : "7622788@test.idph.switch.ch",
    "externalId" : "7622788@test.idph.switch.ch",
    "eduPersonAffiliation" : [ "staff", "member" ],
    "eduPersonScopedAffiliation" : [ "member@test.idph.switch.ch", "staff@test.idph.switch.ch" ],
    "email" : [ "test3.staff@example.org" ],
    "givenName" : "Test3",
    "surname" : "Staff",
    "swissEduIDAffiliationStatus" : "current",
    "swissEduIDAffiliationPeriodBegin" : "2018-01-01",
    "swissEduPersonHomeOrganization" : "test.idph.switch.ch",
    "swissEduPersonHomeOrganizationType" : "university",
    "swissEduPersonUniqueID" : "7622788@test.idph.switch.ch",
    "swissEduID" : "00000000-ec84-420d-bda3-23f6ad81f087",
    "commonName" : [ "Test3 Staff" ],
    "displayName" : "Test3 Staff",
    "eduPersonUniqueId" : "7622788@test.idph.switch.ch",
    "eduPersonPrincipalName" : "7622788@test.idph.switch.ch",
    "schacHomeOrganization" : "test.idph.switch.ch",
    "schacHomeOrganizationType" : [ "urn:schac:homeOrganizationType:ch:university", "urn:schac:homeOrganizationType:eu:higherEducationalInstitution" ],
    "uid" : "test3"
  } ]
}
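
The list response above is enough to reconcile an organisation's identity system with SWITCH edu-ID. The following added example (not part of the SWITCH documentation or code) plans the POST, PUT and DELETE calls from a source export and a list response. The names plan_sync, manageable_affiliations and max_expire_fraction, the sample data, and the choice to treat a listed affiliation with status "former" as absent are assumptions of this example.

```python
from urllib.parse import quote

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample, trimmed from the example response above.
SAMPLE_LISTING = {
    "schemas": [LIST_SCHEMA],
    "totalResults": 2,
    "Resources": [
        {"externalId": "2490257@test.idph.switch.ch",
         "eduPersonAffiliation": ["student", "member"],
         "email": ["test1.student@example.org"],
         "swissEduIDAffiliationStatus": "current"},
        {"externalId": "7622788@test.idph.switch.ch",
         "eduPersonAffiliation": ["staff", "member"],
         "email": ["test3.staff@example.org"],
         "swissEduIDAffiliationStatus": "current"},
    ],
}


class IncompleteListing(Exception):
    """The list response holds fewer resources than totalResults reports."""


def manageable_affiliations(list_response):
    """Map externalId -> resource for affiliations the API still manages."""
    if LIST_SCHEMA not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = list_response.get("Resources", [])
    total = list_response.get("totalResults", len(resources))
    if len(resources) != total:
        # A partial listing hides affiliations that should be expired and
        # turns existing ones into spurious POSTs, so refuse to plan from it.
        raise IncompleteListing(f"got {len(resources)} of {total} resources")
    # Former affiliations cannot be managed (GET, PUT and DELETE return 404),
    # so a listed one is treated like a missing one (assumption of this example).
    return {r["externalId"]: r for r in resources
            if r.get("swissEduIDAffiliationStatus") != "former"}


def _same(a, b):
    """Compare attribute values; multi-valued ones order-insensitively."""
    if isinstance(a, list) and isinstance(b, list):
        return sorted(map(repr, a)) == sorted(map(repr, b))
    return a == b


def plan_sync(desired, list_response, max_expire_fraction=0.5):
    """Return [(method, path, body)] that brings the API in line with `desired`.

    `desired` maps externalId -> complete affiliation record from the
    organisation's identity system. Only attributes the record supplies are
    compared, so attributes filled in by the server never trigger a PUT.
    """
    current = manageable_affiliations(list_response)
    plan = []
    for ext_id, record in desired.items():
        if ext_id not in current:
            # New or previously expired: POST needs the complete attribute
            # set, nothing is copied from a former affiliation.
            plan.append(("POST", "/Affiliations", record))
        elif any(not _same(v, current[ext_id].get(k)) for k, v in record.items()):
            # PUT overwrites, so the whole record is sent, not a delta.
            path = "/Affiliations/" + quote(ext_id, safe="@")
            plan.append(("PUT", path, record))

    expire = sorted(set(current) - set(desired))
    if current and len(expire) > max_expire_fraction * len(current):
        # An empty or truncated source export must not expire everyone.
        raise RuntimeError(f"refusing to expire {len(expire)} of {len(current)}")
    plan += [("DELETE", "/Affiliations/" + quote(e, safe="@"), None) for e in expire]
    return plan


if __name__ == "__main__":
    source = {  # constructed source export
        "2490257@test.idph.switch.ch": {
            "externalId": "2490257@test.idph.switch.ch",
            "eduPersonAffiliation": ["member", "student"],
            "email": ["test1.student@example.org"]},
        "1111111@test.idph.switch.ch": {
            "externalId": "1111111@test.idph.switch.ch",
            "eduPersonAffiliation": ["staff"],
            "email": ["new.staff@example.org"]},
    }
    for method, path, _ in plan_sync(source, SAMPLE_LISTING):
        print(method, path)
```

The quote call keeps the '@' of the externalId as in the example requests while percent-encoding characters such as '/' that would otherwise change the request path.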

2.3. Create Affiliation

POST /Affiliations

Create a new affiliation.

2.3.1. Path parameters

No parameters.

2.3.2. Query parameters

No parameters.

2.3.3. Required request fields

Path Type Optional Description

schemas

Array[String]

false

SCIM Schema URNs. Must contain the single value 'urn:mace:switch.ch:eduid:scim:1.0:affiliation'.

id

String

false

The id, which must be the value of the swissEduPersonUniqueID attribute in the organisation’s identity system. Must be a valid swissEduPersonUniqueID as defined in the SWITCHaai attribute specification.

externalId

String

false

The externalId, which must be the value of the swissEduPersonUniqueID attribute in the organisation’s identity system. Must be a valid swissEduPersonUniqueID as defined in the SWITCHaai attribute specification.

eduPersonAffiliation

Array[String]

false

Type of affiliation.

email

Array[String]

false

Preferred address for the 'To:' field of e-mail to be sent to this person.

givenName

String

false

Given name of a person.

surname

String

false

Surname or family name.

swissEduPersonUniqueID

String

false

A unique identifier for a person, mainly for inter-institutional user identification on personalized services.

swissEduID

String

false

The Swiss edu-ID persistent identifier for Swiss Higher Education users.

2.3.4. Optional request fields

Path Type Optional Description

eduPersonScopedAffiliation

Array[Object]

true

The person’s affiliation within a particular security domain.

swissEduIDAffiliationStatus

String

true

Status of the affiliation. If no value is provided, defaults to "current" when creating a new affiliation, or the previous value when updating an affiliation.

Must be one of ["current", "suspended"], value "former" is reserved for internal use.

swissEduIDAffiliationPeriodBegin

String

true

Date the affiliation is valid from. If no value is provided, defaults to today when creating a new affiliation, or the previous value when updating an affiliation.

Must be in the past or the present.

swissEduPersonHomeOrganization

String

true

Domain name of a home organization.

Must be the domain name of the home organization.

swissEduPersonHomeOrganizationType

String

true

Type of a home organization.

Must be one of [university, uas, hospital, library, tertiaryb, uppersecondary, vho, others].

commonName

Array[String]

true

The names of an object.

displayName

String

true

The name(s) that should appear in white-pages-like applications.

eduPersonUniqueId

String

true

A long-lived, non re-assignable, omnidirectional identifier, the international version of the swissEduPersonUniqueID.

Must be equal to the swissEduPersonUniqueID.

eduPersonPrincipalName

String

true

A scoped identifier for a person.

Must contain one and only one '@' character.

schacHomeOrganization

String

true

A person’s home organization using the domain name of the organization.

Must be the domain name of the home organization.

schacHomeOrganizationType

Array[String]

true

Type of a home organization.

swissEduPersonCardUID

Array[String]

true

Card unique identifier.

swissEduPersonDateOfBirth

String

true

The date of birth of the person (see RFC 3339).

Must be a string of numerical characters of length 8.

swissEduPersonGender

String

true

The state of being male or female (see ISO 5218).

Must be one of [0, 1, 2, 9].

swissEduPersonMatriculationNumber

String

true

Matriculation number of a student.

Must be a string of numerical characters of length 8.

swissEduPersonStaffCategory

Array[Integer]

true

Workbranch of a staff member.

swissEduPersonStudyBranch1

Array[Integer]

true

Study branch of a student, first level of classification.

swissEduPersonStudyBranch2

Array[Integer]

true

Study branch of a student, intermediate level of classification.

swissEduPersonStudyBranch3

Array[Integer]

true

Study branch of a student.

swissEduPersonStudyLevel

Array[String]

true

Study level of a student in a particular study branch.

swissLibraryPersonAffiliation

Array[String]

true

Type of library affiliation.

swissLibraryPersonResidence

Array[String]

true

Defines the current residence of the patron.

eduPersonAssurance

Array[String]

true

Set of URIs that assert compliance with specific standards for identity assurance.

telephoneNumber

Array[String]

true

Office/campus phone number.

postalAddress

Array[String]

true

Campus or office address.

employeeNumber

String

true

Numerically identifies an employee within an organization.

eduPersonEntitlement

Array[String]

true

URI (either URL or URN) that indicates a set of rights to specific resources.

homePostalAddress

Array[String]

true

Home address of the user.

isMemberOf

Array[String]

true

The values of isMemberOf are identifiers for groups to which the containing entity belongs.

mobile

Array[String]

true

Mobile phone number.

eduPersonNickname

Array[String]

true

Person’s nickname.

eduPersonOrcid

Array[String]

true

ORCID iDs are persistent digital identifiers for individual researchers.

eduPersonOrgDN

String

true

The distinguished name (DN) of the directory entry representing the organization with which the person is associated.

ou

Array[String]

true

Organizational unit(s).

eduPersonOrgUnitDN

Array[String]

true

The distinguished name (DN) of the directory entries representing the person’s Organizational Unit(s).

preferredLanguage

String

true

Preferred written or spoken language for a person.

Must match the regular expression ^[\p{IsAlpha}]{2,3}(-[\p{IsAlpha}]{2})?$.

eduPersonPrimaryAffiliation

String

true

The person’s primary relationship to the institution.

Must be one of [faculty, student, staff, alum, member, affiliate, employee, library-walk-in].

eduPersonPrimaryOrgUnitDN

String

true

The distinguished name (DN) of the directory entry representing the person’s primary Organizational Unit(s).

homePhone

Array[String]

true

Private phone number.

uid

String

true

A unique identifier for a person, mainly used for user identification within the user’s home organization.

fhnwIDPerson

String

true

FHNW IDPerson (Evento): IDPerson from SAS Evento (FHNW internal).

fhnwOeID

String

true

FHNW organisational unit from the Metadirectory: FHNW organisational unit from the Metadirectory.

fschImapPW

String

true

Fernuni Imap Password: This attribute used by Fernuni is used for Webmail IMAP authentication.

unibasChPublicId

String

true

Uni Basel personal public id: University of Basel personal public id.

unilFacultePrincipale

String

true

UniL main faculty: This attribute contains the abbreviation of the main faculty at the University of Lausanne; it is used mainly for students.

zhawDepartmentCode

String

true

ZHAW Department Code: ZHAW Department Code.

zhawInstituteCode

String

true

ZHAW Institute Code: ZHAW Institute Code.

zhawInstitute

String

true

ZHAW Institute Name: ZHAW Institute Name.

extKerberosPrincipalName

Array[String]

true

Kerberos Principal Name of user at organisation, used to identify the user in SPNEGO Kerberos login.

unibasChRoles

Array[String]

true

Uni Basel specific roles: This attribute contains the specific member roles available at the University of Basel.

unilMemberOf

Array[String]

true

UniL group membership: Group membership at the Uni Lausanne.

extAzureADImmutableID

String

true

Azure AD ImmutableID: Unique identifier for user. Must not change for this user over the lifetime of the user. Must not contain domain information. Case sensitive.

userPrincipalName

String

true

Microsoft Active Directory User-Principal-Name.

meta

Object

true

meta.resourceType

String

true

meta.created

String

true

meta.lastModified

String

true

meta.location

String

true

meta.version

String

true

swissEduIDUser

Object

true

User account linked to this affiliation.

swissEduIDUser.value

String

true

swissEduIDUser.$ref

String

true
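
The constraints in the two request field tables above can be checked on the client before the POST is sent. The following is an added example, not part of the SWITCH documentation or code: the function name validate_affiliation and its today parameter are hypothetical, the date format is taken from the example response, and the preferredLanguage check approximates the documented \p{IsAlpha} expression with Python's str.isalpha.

```python
import re
from datetime import date

AFFILIATION_SCHEMA = "urn:mace:switch.ch:eduid:scim:1.0:affiliation"
REQUIRED = ("schemas", "id", "externalId", "eduPersonAffiliation", "email",
            "givenName", "surname", "swissEduPersonUniqueID", "swissEduID")
# Closed value lists copied from the field descriptions above.
ENUMS = {
    "swissEduIDAffiliationStatus": ("current", "suspended"),  # "former" is reserved
    "swissEduPersonHomeOrganizationType": (
        "university", "uas", "hospital", "library",
        "tertiaryb", "uppersecondary", "vho", "others"),
    "eduPersonPrimaryAffiliation": (
        "faculty", "student", "staff", "alum", "member",
        "affiliate", "employee", "library-walk-in"),
}
EIGHT_DIGITS = re.compile(r"[0-9]{8}")


def _language_ok(tag):
    """Two or three letters, optionally followed by '-' and two letters."""
    if not isinstance(tag, str):
        return False
    main, sep, region = tag.partition("-")
    if not (main.isalpha() and 2 <= len(main) <= 3):
        return False
    return not sep or (region.isalpha() and len(region) == 2)


def validate_affiliation(payload, today=None):
    """Return a list of "field: problem" strings; empty means the payload passes."""
    today = today or date.today()
    errors = []

    for name in REQUIRED:
        if payload.get(name) in (None, "", []):
            errors.append(f"{name}: required field is missing or empty")
    if "schemas" in payload and payload["schemas"] != [AFFILIATION_SCHEMA]:
        errors.append(f"schemas: must contain the single value {AFFILIATION_SCHEMA}")

    # id, externalId and eduPersonUniqueId all carry the swissEduPersonUniqueID.
    unique_id = payload.get("swissEduPersonUniqueID")
    for name in ("id", "externalId", "eduPersonUniqueId"):
        if name in payload and payload[name] != unique_id:
            errors.append(f"{name}: must equal swissEduPersonUniqueID")

    for name, allowed in ENUMS.items():
        if name in payload and payload[name] not in allowed:
            errors.append(f"{name}: must be one of {list(allowed)}")

    begin = payload.get("swissEduIDAffiliationPeriodBegin")
    if begin is not None:
        try:
            if date.fromisoformat(begin) > today:
                errors.append("swissEduIDAffiliationPeriodBegin: "
                              "must be in the past or the present")
        except (TypeError, ValueError):
            errors.append("swissEduIDAffiliationPeriodBegin: "
                          "not a date such as 2016-09-01")

    for name in ("swissEduPersonDateOfBirth", "swissEduPersonMatriculationNumber"):
        value = payload.get(name)
        if name in payload and not (isinstance(value, str)
                                    and EIGHT_DIGITS.fullmatch(value)):
            errors.append(f"{name}: must be a string of 8 numerical characters")

    # The field table types the gender as String while the example response
    # shows the number 2, so the value is compared as text.
    if "swissEduPersonGender" in payload and \
            str(payload["swissEduPersonGender"]) not in ("0", "1", "2", "9"):
        errors.append("swissEduPersonGender: must be one of [0, 1, 2, 9]")

    eppn = payload.get("eduPersonPrincipalName")
    if "eduPersonPrincipalName" in payload and not (
            isinstance(eppn, str) and eppn.count("@") == 1):
        errors.append("eduPersonPrincipalName: must contain exactly one '@'")

    if "preferredLanguage" in payload and not _language_ok(payload["preferredLanguage"]):
        errors.append("preferredLanguage: must look like 'fr' or 'de-CH'")
    return errors
```

Passing a fixed today makes the period check reproducible in unit tests; in production the default of the current date applies.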

2.3.5. Response fields

Path Type Optional Description

schemas

Array[String]

false

SCIM Schema URNs. Must contain the single value 'urn:mace:switch.ch:eduid:scim:1.0:affiliation'.

id

String

false

The id, which must be the value of the swissEduPersonUniqueID attribute in the organisation’s identity system. Must be a valid swissEduPersonUniqueID as defined in the SWITCHaai attribute specification.

externalId

String

false

The externalId, which must be the value of the swissEduPersonUniqueID attribute in the organisation’s identity system. Must be a valid swissEduPersonUniqueID as defined in the SWITCHaai attribute specification.

eduPersonAffiliation

Array[String]

false

Type of affiliation.

eduPersonScopedAffiliation

Array[Object]

true

The person’s affiliation within a particular security domain.

email

Array[String]

false

Preferred address for the 'To:' field of e-mail to be sent to this person.

givenName

String

false

Given name of a person.

surname

String

false

Surname or family name.

swissEduIDAffiliationStatus

String

true

Status of the affiliation. If no value is provided, defaults to "current" when creating a new affiliation, or the previous value when updating an affiliation.

Must be one of ["current", "suspended"], value "former" is reserved for internal use.

swissEduIDAffiliationPeriodBegin

String

true

Date the affiliation is valid from. If no value is provided, defaults to today when creating a new affiliation, or the previous value when updating an affiliation.

Must be in the past or the present.

swissEduPersonHomeOrganization

String

true

Domain name of a home organization.

Must be the domain name of the home organization.

swissEduPersonHomeOrganizationType

String

true

Type of a home organization.

Must be one of [university, uas, hospital, library, tertiaryb, uppersecondary, vho, others].

swissEduPersonUniqueID

String

false

A unique identifier for a person, mainly for inter-institutional user identification on personalized services.

swissEduID

String

false

The Swiss edu-ID persistent identifier for Swiss Higher Education users.

commonName

Array[String]

true

The names of an object.

displayName

String

true

The name(s) that should appear in white-pages-like applications.

eduPersonUniqueId

String

true

A long-lived, non re-assignable, omnidirectional identifier, the international version of the swissEduPersonUniqueID.

Must be equal to the swissEduPersonUniqueID.

eduPersonPrincipalName

String

true

A scoped identifier for a person.

Must contain one and only one '@' character.

schacHomeOrganization

String

true

A person’s home organization using the domain name of the organization.

Must be the domain name of the home organization.

schacHomeOrganizationType

Array[String]

true

Type of a home organization.

swissEduPersonCardUID

Array[String]

true

Card unique identifier.

swissEduPersonDateOfBirth

String

true

The date of birth of the person (see RFC 3339).

Must be a string of numerical characters of length 8.

swissEduPersonGender

String

true

The state of being male or female (see ISO 5218).

Must be one of [0, 1, 2, 9].

swissEduPersonMatriculationNumber

String

true

Matriculation number of a student.

Must be a string of numerical characters of length 8.

swissEduPersonStaffCategory

Array[Integer]

true

Workbranch of a staff member.

swissEduPersonStudyBranch1

Array[Integer]

true

Study branch of a student, first level of classification.

swissEduPersonStudyBranch2

Array[Integer]

true

Study branch of a student, intermediate level of classification.

swissEduPersonStudyBranch3

Array[Integer]

true

Study branch of a student.

swissEduPersonStudyLevel

Array[String]

true

Study level of a student in a particular study branch.

swissLibraryPersonAffiliation

Array[String]

true

Type of library affiliation.

swissLibraryPersonResidence

Array[String]

true

Defines the current residence of the patron.

eduPersonAssurance

Array[String]

true

Set of URIs that assert compliance with specific standards for identity assurance.

telephoneNumber

Array[String]

true

Office/campus phone number.

postalAddress

Array[String]

true

Campus or office address.

employeeNumber

String

true

Numerically identifies an employee within an organization.

eduPersonEntitlement

Array[String]

true

URI (either URL or URN) that indicates a set of rights to specific resources.

homePostalAddress

Array[String]

true

Home address of the user.

isMemberOf

Array[String]

true

The values of isMemberOf are identifiers for groups to which the containing entity belongs.

mobile

Array[String]

true

Mobile phone number.

eduPersonNickname

Array[String]

true

Person’s nickname.

eduPersonOrcid

Array[String]

true

ORCID iDs are persistent digital identifiers for individual researchers.

eduPersonOrgDN

String

true

The distinguished name (DN) of the directory entry representing the organization with which the person is associated.

ou

Array[String]

true

Organizational unit(s).

eduPersonOrgUnitDN

Array[String]

true

The distinguished name (DN) of the directory entries representing the person’s Organizational Unit(s).

preferredLanguage

String

true

Preferred written or spoken language for a person.

Must match the regular expression ^[\p{IsAlpha}]{2,3}(-[\p{IsAlpha}]{2})?$.

eduPersonPrimaryAffiliation

String

true

The person’s primary relationship to the institution.

Must be one of [faculty, student, staff, alum, member, affiliate, employee, library-walk-in].

eduPersonPrimaryOrgUnitDN

String

true

The distinguished name (DN) of the directory entry representing the person’s primary Organizational Unit(s).

homePhone

Array[String]

true

Private phone number.

uid

String

true

A unique identifier for a person, mainly used for user identification within the user’s home organization.

fhnwIDPerson

String

true

FHNW IDPerson (Evento): IDPerson from SAS Evento (FHNW internal).

fhnwOeID

String

true

FHNW organisational unit from Metadirectory: FHNW organisational unit from Metadirectory.

fschImapPW

String

true

Fernuni IMAP Password: This attribute is used by Fernuni for Webmail IMAP authentication.

unibasChPublicId

String

true

Uni Basel personal public id: University of Basel personal public id.

unilFacultePrincipale

String

true

UniL main faculty: This attribute contains the abbreviation of the main faculty at the University of Lausanne; it is used mainly for students.

zhawDepartmentCode

String

true

ZHAW Department Code: ZHAW Department Code.

zhawInstituteCode

String

true

ZHAW Institute Code: ZHAW Institute Code.

zhawInstitute

String

true

ZHAW Institute Name: ZHAW Institute Name.

extKerberosPrincipalName

Array[String]

true

Kerberos Principal Name of user at organisation, used to identify the user in SPNEGO Kerberos login.

unibasChRoles

Array[String]

true

Uni Basel specific roles: This attribute contains the specific member roles available at the University of Basel.

unilMemberOf

Array[String]

true

UniL group membership: Group membership at the Uni Lausanne.

extAzureADImmutableID

String

true

Azure AD ImmutableID: Unique identifier for user. Must not change for this user over the lifetime of the user. Must not contain domain information. Case sensitive.

userPrincipalName

String

true

Microsoft Active Directory User-Principal-Name.

meta

Object

true

meta.resourceType

String

true

meta.created

String

true

meta.lastModified

String

true

meta.location

String

true

meta.version

String

true

swissEduIDUser

Object

true

User account linked to this affiliation.

swissEduIDUser.value

String

true

swissEduIDUser.$ref

String

true

2.3.6. Example request

$ curl 'https://api.test.eduid.ch/scim/Affiliations' -i -X POST \
    -H 'Content-Type: application/scim+json' \
    -H 'Accept: application/scim+json' \
    -d '{"schemas":["urn:mace:switch.ch:eduid:scim:1.0:affiliation"],"externalId":"new1@example.org","swissEduPersonUniqueID":"new1@example.org","swissEduID":"00000000-5ffb-4d52-92ec-ebc53305ae03","eduPersonAffiliation":["student"],"email":["john.doe@example.org"],"givenName":"John","surname":"Doe","swissEduIDAffiliationStatus":"current","swissEduIDAffiliationPeriodBegin":"2018-01-01","swissEduPersonHomeOrganization":"example.org","eduPersonEntitlement":["urn:mace:dir:entitlement:common-lib-terms", "http://example.org/"],"eduPersonOrcid":["https://orcid.org/0000-0002-1825-0097"],"swissEduPersonStudyLevel":["4700-15"],"swissEduPersonStudyBranch3":[4700]}'
Note
This command runs on Linux. If running on Windows and using the -d parameter for sending data, store the JSON data to a file (e.g. data.json) and use -d @data.json instead of -d '…​'.

2.3.7. Example response

HTTP/1.1 201 Created
Location: https://api.test.eduid.ch/scim/Affiliations/new1@example.org
Content-Type: application/scim+json
Content-Length: 1429

{
  "schemas" : [ "urn:mace:switch.ch:eduid:scim:1.0:affiliation" ],
  "id" : "new1@example.org",
  "externalId" : "new1@example.org",
  "eduPersonAffiliation" : [ "student", "member" ],
  "eduPersonScopedAffiliation" : [ "member@example.org", "student@example.org" ],
  "email" : [ "john.doe@example.org" ],
  "givenName" : "John",
  "surname" : "Doe",
  "swissEduIDAffiliationStatus" : "current",
  "swissEduIDAffiliationPeriodBegin" : "2018-01-01",
  "swissEduPersonHomeOrganization" : "example.org",
  "swissEduPersonHomeOrganizationType" : "university",
  "swissEduPersonUniqueID" : "new1@example.org",
  "swissEduID" : "00000000-5ffb-4d52-92ec-ebc53305ae03",
  "commonName" : [ "John Doe" ],
  "displayName" : "John Doe",
  "eduPersonUniqueId" : "new1@example.org",
  "eduPersonPrincipalName" : "new1@example.org",
  "schacHomeOrganization" : "example.org",
  "schacHomeOrganizationType" : [ "urn:schac:homeOrganizationType:ch:university", "urn:schac:homeOrganizationType:eu:higherEducationalInstitution" ],
  "swissEduPersonGender" : 0,
  "swissEduPersonStudyBranch3" : [ 4700 ],
  "swissEduPersonStudyLevel" : [ "4700-15" ],
  "eduPersonEntitlement" : [ "urn:mace:dir:entitlement:common-lib-terms", "http://example.org/" ],
  "eduPersonOrcid" : [ "https://orcid.org/0000-0002-1825-0097" ],
  "swissEduIDUser" : {
    "value" : "2490257@eduid.ch",
    "$ref" : "https://api.test.eduid.ch/scim/Users/2490257@eduid.ch"
  }
}

2.4. Replace Affiliation

PUT /Affiliations/{swissEduPersonUniqueID}

Overwrite an affiliation.

2.4.1. Path parameters

Parameter Type Optional Description

swissEduPersonUniqueID

String

false

The externalId, which must be the value of the swissEduPersonUniqueID attribute in the organisation’s identity system.

Must be a valid swissEduPersonUniqueID as defined in the SWITCHaai attribute specification.

2.4.2. Query parameters

No parameters.

2.4.3. Required request fields

Path Type Optional Description

schemas

Array[String]

false

SCIM Schema URNs. Must contain the single value 'urn:mace:switch.ch:eduid:scim:1.0:affiliation'.

id

String

false

The id, which must be the value of the swissEduPersonUniqueID attribute in the organisation’s identity system. Must be a valid swissEduPersonUniqueID as defined in the SWITCHaai attribute specification.

externalId

String

false

The externalId, which must be the value of the swissEduPersonUniqueID attribute in the organisation’s identity system. Must be a valid swissEduPersonUniqueID as defined in the SWITCHaai attribute specification.

eduPersonAffiliation

Array[String]

false

Type of affiliation.

email

Array[String]

false

Preferred address for the 'To:' field of e-mail to be sent to this person.

givenName

String

false

Given name of a person.

surname

String

false

Surname or family name.

swissEduPersonUniqueID

String

false

A unique identifier for a person, mainly for inter-institutional user identification on personalized services.

swissEduID

String

false

The Swiss edu-ID persistent identifier for Swiss Higher Education users.

2.4.4. Optional request fields

Path Type Optional Description

eduPersonScopedAffiliation

Array[Object]

true

The person’s affiliation within a particular security domain.

swissEduIDAffiliationStatus

String

true

Status of the affiliation. If no value is provided, defaults to "current" when creating a new affiliation, or the previous value when updating an affiliation.

Must be one of ["current", "suspended"]; the value "former" is reserved for internal use.

swissEduIDAffiliationPeriodBegin

String

true

Date the affiliation is valid from. If no value is provided, defaults to today when creating a new affiliation, or the previous value when updating an affiliation.

Must be in the past or the present.

swissEduPersonHomeOrganization

String

true

Domain name of a home organization.

Must be the domain name of the home organization.

swissEduPersonHomeOrganizationType

String

true

Type of a home organization.

Must be one of [university, uas, hospital, library, tertiaryb, uppersecondary, vho, others].

commonName

Array[String]

true

The names of an object.

displayName

String

true

The name(s) that should appear in white-pages-like applications.

eduPersonUniqueId

String

true

A long-lived, non re-assignable, omnidirectional identifier, the international version of the swissEduPersonUniqueID.

Must be equal to the swissEduPersonUniqueID.

eduPersonPrincipalName

String

true

A scoped identifier for a person.

Must contain one and only one '@' character.

schacHomeOrganization

String

true

A person’s home organization using the domain name of the organization.

Must be the domain name of the home organization.

schacHomeOrganizationType

Array[String]

true

Type of a home organization.

swissEduPersonCardUID

Array[String]

true

Card unique identifier.

swissEduPersonDateOfBirth

String

true

The date of birth of the person (see RFC 3339).

Must be a string of numerical characters of length 8.

swissEduPersonGender

String

true

The state of being male or female (see ISO 5218).

Must be one of [0, 1, 2, 9].

swissEduPersonMatriculationNumber

String

true

Matriculation number of a student.

Must be a string of numerical characters of length 8.

swissEduPersonStaffCategory

Array[Integer]

true

Workbranch of a staff member.

swissEduPersonStudyBranch1

Array[Integer]

true

Study branch of a student, first level of classification.

swissEduPersonStudyBranch2

Array[Integer]

true

Study branch of a student, intermediate level of classification.

swissEduPersonStudyBranch3

Array[Integer]

true

Study branch of a student.

swissEduPersonStudyLevel

Array[String]

true

Study level of a student in a particular study branch.

swissLibraryPersonAffiliation

Array[String]

true

Type of library affiliation.

swissLibraryPersonResidence

Array[String]

true

Defines the current residence of the patron.

eduPersonAssurance

Array[String]

true

Set of URIs that assert compliance with specific standards for identity assurance.

telephoneNumber

Array[String]

true

Office/campus phone number.

postalAddress

Array[String]

true

Campus or office address.

employeeNumber

String

true

Numerically identifies an employee within an organization.

eduPersonEntitlement

Array[String]

true

URI (either URL or URN) that indicates a set of rights to specific resources.

homePostalAddress

Array[String]

true

Home address of the user.

isMemberOf

Array[String]

true

The values of isMemberOf are identifiers for groups to which the containing entity belongs.

mobile

Array[String]

true

Mobile phone number.

eduPersonNickname

Array[String]

true

Person’s nickname.

eduPersonOrcid

Array[String]

true

ORCID iDs are persistent digital identifiers for individual researchers.

eduPersonOrgDN

String

true

The distinguished name (DN) of the directory entry representing the organization with which the person is associated.

ou

Array[String]

true

Organizational unit(s).

eduPersonOrgUnitDN

Array[String]

true

The distinguished name (DN) of the directory entries representing the person’s Organizational Unit(s).

preferredLanguage

String

true

Preferred written or spoken language for a person.

Must match the regular expression ^[\p{IsAlpha}]{2,3}(-[\p{IsAlpha}]{2})?$.

eduPersonPrimaryAffiliation

String

true

The person’s primary relationship to the institution.

Must be one of [faculty, student, staff, alum, member, affiliate, employee, library-walk-in].

eduPersonPrimaryOrgUnitDN

String

true

The distinguished name (DN) of the directory entry representing the person’s primary Organizational Unit(s).

homePhone

Array[String]

true

Private phone number.

uid

String

true

A unique identifier for a person, mainly used for user identification within the user’s home organization.

fhnwIDPerson

String

true

FHNW IDPerson (Evento): IDPerson from SAS Evento (FHNW internal).

fhnwOeID

String

true

FHNW organisational unit from Metadirectory: FHNW organisational unit from Metadirectory.

fschImapPW

String

true

Fernuni IMAP Password: This attribute is used by Fernuni for Webmail IMAP authentication.

unibasChPublicId

String

true

Uni Basel personal public id: University of Basel personal public id.

unilFacultePrincipale

String

true

UniL main faculty: This attribute contains the abbreviation of the main faculty at the University of Lausanne; it is used mainly for students.

zhawDepartmentCode

String

true

ZHAW Department Code: ZHAW Department Code.

zhawInstituteCode

String

true

ZHAW Institute Code: ZHAW Institute Code.

zhawInstitute

String

true

ZHAW Institute Name: ZHAW Institute Name.

extKerberosPrincipalName

Array[String]

true

Kerberos Principal Name of user at organisation, used to identify the user in SPNEGO Kerberos login.

unibasChRoles

Array[String]

true

Uni Basel specific roles: This attribute contains the specific member roles available at the University of Basel.

unilMemberOf

Array[String]

true

UniL group membership: Group membership at the Uni Lausanne.

extAzureADImmutableID

String

true

Azure AD ImmutableID: Unique identifier for user. Must not change for this user over the lifetime of the user. Must not contain domain information. Case sensitive.

userPrincipalName

String

true

Microsoft Active Directory User-Principal-Name.

meta

Object

true

meta.resourceType

String

true

meta.created

String

true

meta.lastModified

String

true

meta.location

String

true

meta.version

String

true

swissEduIDUser

Object

true

User account linked to this affiliation.

swissEduIDUser.value

String

true

swissEduIDUser.$ref

String

true

2.4.5. Response fields

Path Type Optional Description

schemas

Array[String]

false

SCIM Schema URNs. Must contain the single value 'urn:mace:switch.ch:eduid:scim:1.0:affiliation'.

id

String

false

The id, which must be the value of the swissEduPersonUniqueID attribute in the organisation’s identity system. Must be a valid swissEduPersonUniqueID as defined in the SWITCHaai attribute specification.

externalId

String

false

The externalId, which must be the value of the swissEduPersonUniqueID attribute in the organisation’s identity system. Must be a valid swissEduPersonUniqueID as defined in the SWITCHaai attribute specification.

eduPersonAffiliation

Array[String]

false

Type of affiliation.

eduPersonScopedAffiliation

Array[Object]

true

The person’s affiliation within a particular security domain.

email

Array[String]

false

Preferred address for the 'To:' field of e-mail to be sent to this person.

givenName

String

false

Given name of a person.

surname

String

false

Surname or family name.

swissEduIDAffiliationStatus

String

true

Status of the affiliation. If no value is provided, defaults to "current" when creating a new affiliation, or the previous value when updating an affiliation.

Must be one of ["current", "suspended"]; the value "former" is reserved for internal use.

swissEduIDAffiliationPeriodBegin

String

true

Date the affiliation is valid from. If no value is provided, defaults to today when creating a new affiliation, or the previous value when updating an affiliation.

Must be in the past or the present.

swissEduPersonHomeOrganization

String

true

Domain name of a home organization.

Must be the domain name of the home organization.

swissEduPersonHomeOrganizationType

String

true

Type of a home organization.

Must be one of [university, uas, hospital, library, tertiaryb, uppersecondary, vho, others].

swissEduPersonUniqueID

String

false

A unique identifier for a person, mainly for inter-institutional user identification on personalized services.

swissEduID

String

false

The Swiss edu-ID persistent identifier for Swiss Higher Education users.

commonName

Array[String]

true

The names of an object.

displayName

String

true

The name(s) that should appear in white-pages-like applications.

eduPersonUniqueId

String

true

A long-lived, non re-assignable, omnidirectional identifier, the international version of the swissEduPersonUniqueID.

Must be equal to the swissEduPersonUniqueID.

eduPersonPrincipalName

String

true

A scoped identifier for a person.

Must contain one and only one '@' character.

schacHomeOrganization

String

true

A person’s home organization using the domain name of the organization.

Must be the domain name of the home organization.

schacHomeOrganizationType

Array[String]

true

Type of a home organization.

swissEduPersonCardUID

Array[String]

true

Card unique identifier.

swissEduPersonDateOfBirth

String

true

The date of birth of the person (see RFC 3339).

Must be a string of numerical characters of length 8.

swissEduPersonGender

String

true

The state of being male or female (see ISO 5218).

Must be one of [0, 1, 2, 9].

swissEduPersonMatriculationNumber

String

true

Matriculation number of a student.

Must be a string of numerical characters of length 8.

swissEduPersonStaffCategory

Array[Integer]

true

Workbranch of a staff member.

swissEduPersonStudyBranch1

Array[Integer]

true

Study branch of a student, first level of classification.

swissEduPersonStudyBranch2

Array[Integer]

true

Study branch of a student, intermediate level of classification.

swissEduPersonStudyBranch3

Array[Integer]

true

Study branch of a student.

swissEduPersonStudyLevel

Array[String]

true

Study level of a student in a particular study branch.

swissLibraryPersonAffiliation

Array[String]

true

Type of library affiliation.

swissLibraryPersonResidence

Array[String]

true

Defines the current residence of the patron.

eduPersonAssurance

Array[String]

true

Set of URIs that assert compliance with specific standards for identity assurance.

telephoneNumber

Array[String]

true

Office/campus phone number.

postalAddress

Array[String]

true

Campus or office address.

employeeNumber

String

true

Numerically identifies an employee within an organization.

eduPersonEntitlement

Array[String]

true

URI (either URL or URN) that indicates a set of rights to specific resources.

homePostalAddress

Array[String]

true

Home address of the user.

isMemberOf

Array[String]

true

The values of isMemberOf are identifiers for groups to which the containing entity belongs.

mobile

Array[String]

true

Mobile phone number.

eduPersonNickname

Array[String]

true

Person’s nickname.

eduPersonOrcid

Array[String]

true

ORCID iDs are persistent digital identifiers for individual researchers.

eduPersonOrgDN

String

true

The distinguished name (DN) of the directory entry representing the organization with which the person is associated.

ou

Array[String]

true

Organizational unit(s).

eduPersonOrgUnitDN

Array[String]

true

The distinguished name (DN) of the directory entries representing the person’s Organizational Unit(s).

preferredLanguage

String

true

Preferred written or spoken language for a person.

Must match the regular expression ^[\p{IsAlpha}]{2,3}(-[\p{IsAlpha}]{2})?$.

eduPersonPrimaryAffiliation

String

true

The person’s primary relationship to the institution.

Must be one of [faculty, student, staff, alum, member, affiliate, employee, library-walk-in].

eduPersonPrimaryOrgUnitDN

String

true

The distinguished name (DN) of the directory entry representing the person’s primary Organizational Unit(s).

homePhone

Array[String]

true

Private phone number.

uid

String

true

A unique identifier for a person, mainly used for user identification within the user’s home organization.

fhnwIDPerson

String

true

FHNW IDPerson (Evento): IDPerson from SAS Evento (FHNW internal).

fhnwOeID

String

true

FHNW organisational unit from Metadirectory: FHNW organisational unit from Metadirectory.

fschImapPW

String

true

Fernuni IMAP Password: This attribute is used by Fernuni for Webmail IMAP authentication.

unibasChPublicId

String

true

Uni Basel personal public id: University of Basel personal public id.

unilFacultePrincipale

String

true

UniL main faculty: This attribute contains the abbreviation of the main faculty at the University of Lausanne; it is used mainly for students.

zhawDepartmentCode

String

true

ZHAW Department Code: ZHAW Department Code.

zhawInstituteCode

String

true

ZHAW Institute Code: ZHAW Institute Code.

zhawInstitute

String

true

ZHAW Institute Name: ZHAW Institute Name.

extKerberosPrincipalName

Array[String]

true

Kerberos Principal Name of user at organisation, used to identify the user in SPNEGO Kerberos login.

unibasChRoles

Array[String]

true

Uni Basel specific roles: This attribute contains the specific member roles available at the University of Basel.

unilMemberOf

Array[String]

true

UniL group membership: Group membership at the Uni Lausanne.

extAzureADImmutableID

String

true

Azure AD ImmutableID: Unique identifier for user. Must not change for this user over the lifetime of the user. Must not contain domain information. Case sensitive.

userPrincipalName

String

true

Microsoft Active Directory User-Principal-Name.

meta

Object

true

meta.resourceType

String

true

meta.created

String

true

meta.lastModified

String

true

meta.location

String

true

meta.version

String

true

swissEduIDUser

Object

true

User account linked to this affiliation.

swissEduIDUser.value

String

true

swissEduIDUser.$ref

String

true

2.4.6. Example request

$ curl 'https://api.test.eduid.ch/scim/Affiliations/2490257@test.idph.switch.ch' -i -X PUT \
    -H 'Content-Type: application/scim+json' \
    -H 'Accept: application/scim+json' \
    -d '{"schemas":["urn:mace:switch.ch:eduid:scim:1.0:affiliation"],"externalId":"2490257@test.idph.switch.ch","swissEduPersonUniqueID":"2490257@test.idph.switch.ch","swissEduID":"00000000-f706-45db-a5ec-03f181e79d96","eduPersonAffiliation":["student"],"email":["test1.student@example.org"],"givenName":"Test1","surname":"Student","swissEduIDAffiliationStatus":"current","swissEduIDAffiliationPeriodBegin":"2018-01-01","swissEduPersonHomeOrganization":"test.idph.switch.ch","eduPersonEntitlement":["urn:mace:dir:entitlement:common-lib-terms", "http://example.org/"],"eduPersonOrcid":["https://orcid.org/0000-0002-1825-0097"],"swissEduPersonStudyLevel":["4700-15"],"swissEduPersonStudyBranch3":[4700]}'
Note
This command runs on Linux. If running on Windows and using the -d parameter for sending data, store the JSON data to a file (e.g. data.json) and use -d @data.json instead of -d '…​'.

2.4.7. Example response

HTTP/1.1 200 OK
Location: https://api.test.eduid.ch/scim/Affiliations/2490257@test.idph.switch.ch
Content-Disposition: inline;filename=f.txt
Content-Type: application/scim+json
Content-Length: 1536

{
  "schemas" : [ "urn:mace:switch.ch:eduid:scim:1.0:affiliation" ],
  "id" : "2490257@test.idph.switch.ch",
  "externalId" : "2490257@test.idph.switch.ch",
  "eduPersonAffiliation" : [ "student", "member" ],
  "eduPersonScopedAffiliation" : [ "member@test.idph.switch.ch", "student@test.idph.switch.ch" ],
  "email" : [ "test1.student@example.org" ],
  "givenName" : "Test1",
  "surname" : "Student",
  "swissEduIDAffiliationStatus" : "current",
  "swissEduIDAffiliationPeriodBegin" : "2018-01-01",
  "swissEduPersonHomeOrganization" : "test.idph.switch.ch",
  "swissEduPersonHomeOrganizationType" : "university",
  "swissEduPersonUniqueID" : "2490257@test.idph.switch.ch",
  "swissEduID" : "00000000-f706-45db-a5ec-03f181e79d96",
  "commonName" : [ "Test1 Student" ],
  "displayName" : "Test1 Student",
  "eduPersonUniqueId" : "2490257@test.idph.switch.ch",
  "eduPersonPrincipalName" : "2490257@test.idph.switch.ch",
  "schacHomeOrganization" : "test.idph.switch.ch",
  "schacHomeOrganizationType" : [ "urn:schac:homeOrganizationType:ch:university", "urn:schac:homeOrganizationType:eu:higherEducationalInstitution" ],
  "swissEduPersonGender" : 0,
  "swissEduPersonStudyBranch3" : [ 4700 ],
  "swissEduPersonStudyLevel" : [ "4700-15" ],
  "eduPersonEntitlement" : [ "urn:mace:dir:entitlement:common-lib-terms", "http://example.org/" ],
  "eduPersonOrcid" : [ "https://orcid.org/0000-0002-1825-0097" ],
  "swissEduIDUser" : {
    "value" : "2490257@eduid.ch",
    "$ref" : "https://api.test.eduid.ch/scim/Users/2490257@eduid.ch"
  }
}
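
A client can check a Replace Affiliation body against the constraints listed in 2.4.1 to 2.4.4 before sending it. The following is an added example, not code from SWITCH: the function names are hypothetical, the date format is assumed to be the ISO form used in the page's examples, and the preferredLanguage check approximates the Java pattern.

```python
import re
from datetime import date
from urllib.parse import quote

BASE_URL = "https://api.test.eduid.ch/scim"  # test system, as in the page's examples
SCHEMA = "urn:mace:switch.ch:eduid:scim:1.0:affiliation"

# Optional=false fields from 2.4.3. "schemas" is checked separately; "id" is only
# checked for consistency when present, because the page's example request omits it.
REQUIRED = ("externalId", "eduPersonAffiliation", "email", "givenName",
            "surname", "swissEduPersonUniqueID", "swissEduID")
# Fields the page says must carry the organisation's swissEduPersonUniqueID.
IDENTITY = ("id", "externalId", "swissEduPersonUniqueID", "eduPersonUniqueId")
ENUMS = {
    "swissEduIDAffiliationStatus": {"current", "suspended"},  # "former" is reserved
    "swissEduPersonHomeOrganizationType": {"university", "uas", "hospital", "library",
                                           "tertiaryb", "uppersecondary", "vho", "others"},
    "eduPersonPrimaryAffiliation": {"faculty", "student", "staff", "alum", "member",
                                    "affiliate", "employee", "library-walk-in"},
    "swissEduPersonGender": {"0", "1", "2", "9"},
}
EIGHT_DIGITS = re.compile(r"[0-9]{8}")


def affiliation_url(unique_id):
    """Percent-encode the identifier so '/', '?' or '#' inside it cannot change
    which resource the request addresses ('@' is kept, as in the page's URLs)."""
    return f"{BASE_URL}/Affiliations/{quote(unique_id, safe='@')}"


def language_ok(tag):
    # Approximates the page's Java pattern ^[\p{IsAlpha}]{2,3}(-[\p{IsAlpha}]{2})?$
    # with str.isalpha(), since Python's re module has no \p{...} classes.
    if not isinstance(tag, str):
        return False
    parts = tag.split("-")
    if len(parts) > 2 or not (parts[0].isalpha() and len(parts[0]) in (2, 3)):
        return False
    return len(parts) == 1 or (parts[1].isalpha() and len(parts[1]) == 2)


def validate_put(path_id, body, today=None):
    """Return a list of problems; an empty list means the body passes these checks."""
    today = today or date.today()
    errors = [f"missing required field: {f}" for f in REQUIRED
              if body.get(f) in (None, "", [])]
    if body.get("schemas") != [SCHEMA]:
        errors.append("schemas must contain the single affiliation schema URN")
    if not isinstance(path_id, str) or not 0 < len(path_id) <= 255:
        errors.append("path parameter must be a non-empty string of at most 255 characters")
    for f in IDENTITY:  # every identity field must name the resource in the URL
        if f in body and body[f] != path_id:
            errors.append(f"{f} does not match the path parameter")
    for f, allowed in ENUMS.items():
        if f in body and str(body[f]) not in allowed:
            errors.append(f"{f}: value not allowed: {body[f]!r}")
    for f in ("swissEduPersonDateOfBirth", "swissEduPersonMatriculationNumber"):
        if f in body and not EIGHT_DIGITS.fullmatch(str(body[f])):
            errors.append(f"{f} must be 8 numerical characters")
    if "eduPersonPrincipalName" in body and str(body["eduPersonPrincipalName"]).count("@") != 1:
        errors.append("eduPersonPrincipalName must contain exactly one '@'")
    if "preferredLanguage" in body and not language_ok(body["preferredLanguage"]):
        errors.append("preferredLanguage does not match the documented pattern")
    begin = body.get("swissEduIDAffiliationPeriodBegin")
    if begin is not None:
        try:
            if date.fromisoformat(begin) > today:
                errors.append("swissEduIDAffiliationPeriodBegin must not be in the future")
        except (TypeError, ValueError):
            errors.append("swissEduIDAffiliationPeriodBegin is not a date")
    return errors


PATH_ID = "2490257@test.idph.switch.ch"
# Request body from the page's PUT example (section 2.4.6), abridged.
GOOD = {
    "schemas": [SCHEMA],
    "externalId": PATH_ID,
    "swissEduPersonUniqueID": PATH_ID,
    "swissEduID": "00000000-f706-45db-a5ec-03f181e79d96",
    "eduPersonAffiliation": ["student"],
    "email": ["test1.student@example.org"],
    "givenName": "Test1",
    "surname": "Student",
    "swissEduIDAffiliationStatus": "current",
    "swissEduIDAffiliationPeriodBegin": "2018-01-01",
    "swissEduPersonHomeOrganization": "test.idph.switch.ch",
}
# Constructed counter-example: five documented constraints violated.
BAD = dict(GOOD, externalId="other@example.org", swissEduIDAffiliationStatus="former",
           swissEduIDAffiliationPeriodBegin="2999-01-01", preferredLanguage="german",
           swissEduPersonGender=3)

if __name__ == "__main__":
    print(affiliation_url(PATH_ID))
    for problem in validate_put(PATH_ID, BAD):
        print("rejected:", problem)
```

The server remains the authority on what is valid, in particular for the swissEduPersonUniqueID format defined in the SWITCHaai attribute specification, which this sketch does not check.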

2.5. Delete Affiliation

DELETE /Affiliations/{swissEduPersonUniqueID}

Remove an affiliation.

2.5.1. Path parameters

Parameter Type Optional Description

swissEduPersonUniqueID

String

false

The externalId, which must be the value of the swissEduPersonUniqueID attribute in the organisation’s identity system.

Must be equal to the swissEduPersonUniqueID.
Size must be between 0 and 255 inclusive.

2.5.2. Query parameters

No parameters.

2.5.3. Required request fields

No request body.

2.5.4. Optional request fields

No request body.

2.5.5. Response fields

No response body.

2.5.6. Example request

$ curl 'https://api.test.eduid.ch/scim/Affiliations/2490257@test.idph.switch.ch' -i -X DELETE \
    -H 'Accept: application/scim+json'
Note
This command runs on Linux. If running on Windows and using the -d parameter for sending data, store the JSON data to a file (e.g. data.json) and use -d @data.json instead of -d '…​'.

2.5.7. Example response

HTTP/1.1 204 No Content

3. Reading private identities

This section describes SCIM operations for reading from SWITCH edu-ID users’ private identities, i.e. user-managed data. The only supported operation is reading one User resource, and it returns a very limited set of information.

Warning
Not for managing your organisation’s users!

This API endpoint is not meant for organisation-provided data; use Affiliations for that (see above). It is read-only: only the person owning a SWITCH edu-ID account is allowed to modify the data appearing here.

Note
Access to this endpoint requires HTTP Basic Authentication and a special authorisation.

3.1. Get User

GET /Users/{swissEduPersonUniqueID}

3.1.1. Path parameters

Parameter Type Optional Description

swissEduPersonUniqueID

Object

false

3.1.2. Query parameters

No parameters.

3.1.3. Required request fields

No request body.

3.1.4. Optional request fields

No request body.

3.1.5. Response fields

Of all the possible attributes defined for a standard SCIM User resource, only a few are returned (see table below). The id and userName attributes both contain the swissEduPersonUniqueID of the SWITCH edu-ID account (the one ending with @eduid.ch). Further SWITCH edu-ID specific attributes are provided under the urn:mace:switch.ch:eduid:scim:1.0:user namespace.

Path Type Optional Description

schemas

Array[String]

true

id

String

true

Identifier of the SWITCH edu-ID account: swissEduPersonUniqueID assigned by SWITCH edu-ID.

userName

String

true

Identifier of the SWITCH edu-ID account: swissEduPersonUniqueID assigned by SWITCH edu-ID.

name

Object

true

The components of the user’s real name.

name.familyName

String

true

Last name

name.givenName

String

true

First name

active

Boolean

true

State of the SWITCH edu-ID account: is true when swissEduPersonAccountState is "Active", false otherwise. Only "Active" accounts can authenticate via SWITCH edu-ID.

emails

Array[Object]

true

All email addresses for the user. The user’s preferred email address is flagged as "primary".

emails[].value

String

true

The actual email address value.

emails[].primary

Boolean

true

A Boolean value indicating the preferred email address. The primary attribute value "true" MUST appear no more than once. If not specified, the value of "primary" SHALL be assumed to be "false".

Response fields under the urn:mace:switch.ch:eduid:scim:1.0:user namespace
Path Type Description

swissEduPersonUniqueID

String

Identifier of the SWITCH edu-ID account: swissEduPersonUniqueID assigned by SWITCH edu-ID.

swissEduIDAffiliations

Array[Object]

List of affiliations linked to this user account

swissEduIDAffiliations[].value

String

Identifier of the affiliation: swissEduPersonUniqueID assigned by the organisation.

swissEduIDAffiliations[].$ref

String

URI reference to manage that affiliation.

swissEduPersonAccountState

String

State of the SWITCH edu-ID account, is one of ["Registered", "Active", "Inactive", "Deleted"]. Only "Active" accounts can authenticate via SWITCH edu-ID.

eduPersonEntitlement

Array[String]

URI that indicates a set of rights to specific resources

eduPersonOrcid

Array[String]

ORCID iDs are persistent digital identifiers for individual researchers.

description

String

3.1.6. Example request

$ curl 'https://api.test.eduid.ch/scim/Users/adfadsf8238u@test.eduid.ch' -i -X GET \
    -H 'Accept: application/scim+json'
Note
This command runs on Linux. If running on Windows and using the -d parameter for sending data, store the JSON data to a file (e.g. data.json) and use -d @data.json instead of -d '…​'.

3.1.7. Example response

HTTP/1.1 200 OK
Content-Disposition: inline;filename=f.txt
Content-Type: application/scim+json
Content-Length: 943

{
  "schemas" : [ "urn:mace:switch.ch:eduid:scim:1.0:user", "urn:ietf:params:scim:schemas:core:2.0:User" ],
  "id" : "adfadsf8238u@test.eduid.ch",
  "userName" : "adfadsf8238u@test.eduid.ch",
  "name" : {
    "familyName" : "Student",
    "givenName" : "Test1"
  },
  "active" : true,
  "emails" : [ {
    "value" : "test1.private@example.org",
    "primary" : true
  }, {
    "value" : "test1.student@example.org",
    "primary" : false
  } ],
  "urn:mace:switch.ch:eduid:scim:1.0:user" : {
    "swissEduPersonUniqueID" : "adfadsf8238u@test.eduid.ch",
    "swissEduID" : "00000000-f706-45db-a5ec-03f181e79d96",
    "swissEduIDAffiliations" : [ {
      "value" : "2490257@test.idph.switch.ch",
      "$ref" : "https://api.test.eduid.ch/scim/Affiliations/2490257@test.idph.switch.ch"
    } ],
    "swissEduPersonAccountState" : "Active",
    "eduPersonEntitlement" : [ ],
    "eduPersonOrcid" : [ "https://orcid.org/0000-0002-1825-0097" ]
  }
}
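
The response fields in 3.1.5 imply several invariants a client can verify before acting on a User resource, and a client holding Basic Authentication credentials should only dereference a $ref that stays inside the API it was issued for. The following is an added example, not SWITCH code: the function names are hypothetical, and the restriction of $ref to the configured base URL is this example's policy, not a rule stated by the API.

```python
import copy
from urllib.parse import urlsplit, unquote

API_BASE = "https://api.test.eduid.ch/scim"  # test system, as in the page's examples
EXT = "urn:mace:switch.ch:eduid:scim:1.0:user"

# The page's example response from section 3.1.7.
SAMPLE_USER = {
    "schemas": [EXT, "urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "adfadsf8238u@test.eduid.ch",
    "userName": "adfadsf8238u@test.eduid.ch",
    "name": {"familyName": "Student", "givenName": "Test1"},
    "active": True,
    "emails": [{"value": "test1.private@example.org", "primary": True},
               {"value": "test1.student@example.org", "primary": False}],
    EXT: {
        "swissEduPersonUniqueID": "adfadsf8238u@test.eduid.ch",
        "swissEduID": "00000000-f706-45db-a5ec-03f181e79d96",
        "swissEduIDAffiliations": [{
            "value": "2490257@test.idph.switch.ch",
            "$ref": "https://api.test.eduid.ch/scim/Affiliations/2490257@test.idph.switch.ch",
        }],
        "swissEduPersonAccountState": "Active",
        "eduPersonEntitlement": [],
        "eduPersonOrcid": ["https://orcid.org/0000-0002-1825-0097"],
    },
}

# Constructed counter-example: contradictory state and a $ref on a foreign host.
TAMPERED = copy.deepcopy(SAMPLE_USER)
TAMPERED["active"] = False
TAMPERED[EXT]["swissEduIDAffiliations"][0]["$ref"] = (
    "https://idp.example.net/scim/Affiliations/2490257@test.idph.switch.ch")


def primary_email(user):
    """Return the address flagged primary, or None; raise if several are flagged."""
    flagged = [e["value"] for e in user.get("emails", []) if e.get("primary") is True]
    if len(flagged) > 1:
        raise ValueError("more than one email is flagged primary")
    return flagged[0] if flagged else None


def trusted_affiliation_refs(user, api_base=API_BASE):
    """Return the $ref URLs that point at /Affiliations/<value> under api_base."""
    base = urlsplit(api_base)
    prefix = base.path.rstrip("/") + "/Affiliations/"
    trusted = []
    for aff in user.get(EXT, {}).get("swissEduIDAffiliations", []):
        ref = urlsplit(aff.get("$ref", ""))
        # Comparing the full netloc also rejects userinfo tricks such as host@other-host.
        same_origin = (ref.scheme, ref.netloc) == (base.scheme, base.netloc)
        names_value = (ref.path.startswith(prefix)
                       and unquote(ref.path[len(prefix):]) == aff.get("value"))
        if same_origin and names_value and not ref.query and not ref.fragment:
            trusted.append(aff["$ref"])
    return trusted


def check_user(user):
    """Return the documented invariants that this User resource violates."""
    ext = user.get(EXT, {})
    problems = []
    if not (user.get("id") == user.get("userName") == ext.get("swissEduPersonUniqueID")):
        problems.append("id, userName and swissEduPersonUniqueID differ")
    if user.get("active") != (ext.get("swissEduPersonAccountState") == "Active"):
        problems.append("active flag contradicts swissEduPersonAccountState")
    try:
        primary_email(user)
    except ValueError as exc:
        problems.append(str(exc))
    if len(trusted_affiliation_refs(user)) != len(ext.get("swissEduIDAffiliations", [])):
        problems.append("affiliation $ref outside the API base or not matching its value")
    return problems


if __name__ == "__main__":
    print(check_user(SAMPLE_USER))
    print(check_user(TAMPERED))
```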

4. Creating technical accounts

A technical account is a SWITCH edu-ID account used primarily for testing, debugging or monitoring purposes. Once created, technical accounts can be managed like normal edu-ID user accounts. Read the technical accounts specification.

Note
Access to this endpoint requires HTTP Basic Authentication and a special authorisation.

4.1. Create Technical Account

POST /Users

4.1.1. Path parameters

No parameters.

4.1.2. Query parameters

No parameters.

4.1.3. Request fields

Path Type Optional Description

schemas

Array[String]

false

SCIM Schema URNs. Must contain both values 'urn:mace:switch.ch:eduid:scim:1.0:affiliation' and 'urn:ietf:params:scim:schemas:core:2.0:User'.

name

Object

false

The components of the user’s real name.

name.familyName

String

false

Last name

name.givenName

String

false

First name

password

String

false

The User’s clear text password. This attribute is intended to be used as a means to specify an initial password when creating a new User or to reset an existing User’s password.

emails

Array[Object]

false

All email addresses for the user. The user’s preferred email address is flagged as "primary".

emails[].value

String

false

The actual email address value.

emails[].primary

Boolean

true

A Boolean value indicating the preferred email address. The primary attribute value "true" MUST appear no more than once. If not specified, the value of "primary" SHALL be assumed to be "false".

Request fields under the urn:mace:switch.ch:eduid:scim:1.0:user namespace
Path Type Optional Description

eduPersonEntitlement

Array[String]

true

URI that indicates a set of rights to specific resources. Send value 'https://eduid.ch/spec/read-only-account/' to indicate that the account should be read-only. (Not yet implemented.)

description

String

false

Purpose of the technical account

4.1.4. Response fields

Of all the possible attributes defined for a standard SCIM User resource, only a few are returned (see table below). The id and userName attributes both contain the swissEduPersonUniqueID of the SWITCH edu-ID account (the one ending with @eduid.ch). Further SWITCH edu-ID specific attributes are provided under the urn:mace:switch.ch:eduid:scim:1.0:user namespace.

| Path | Type | Optional | Description |
|---|---|---|---|
| schemas | Array[String] | true | |
| id | String | true | Identifier of the SWITCH edu-ID account: swissEduPersonUniqueID assigned by SWITCH edu-ID. |
| userName | String | true | Identifier of the SWITCH edu-ID account: swissEduPersonUniqueID assigned by SWITCH edu-ID. |
| name | Object | true | The components of the user’s real name. |
| name.familyName | String | true | Last name |
| name.givenName | String | true | First name |
| active | Boolean | true | State of the SWITCH edu-ID account: is true when swissEduPersonAccountState is "Active", false otherwise. Only "Active" accounts can authenticate via SWITCH edu-ID. |
| emails | Array[Object] | true | All email addresses for the user. The user’s preferred email address is flagged as "primary". |
| emails[].value | String | true | The actual email address value. |
| emails[].primary | Boolean | true | A Boolean value indicating the preferred email address. The primary attribute value "true" MUST appear no more than once. If not specified, the value of "primary" SHALL be assumed to be "false". |

Response fields under the urn:mace:switch.ch:eduid:scim:1.0:user namespace

| Path | Type | Description |
|---|---|---|
| swissEduPersonUniqueID | String | Identifier of the SWITCH edu-ID account: swissEduPersonUniqueID assigned by SWITCH edu-ID. |
| swissEduIDAffiliations | Array[Object] | List of affiliations linked to this user account |
| swissEduIDAffiliations[].value | String | Identifier of the affiliation: swissEduPersonUniqueID assigned by the organisation. |
| swissEduIDAffiliations[].$ref | String | URI reference to manage that affiliation. |
| swissEduPersonAccountState | String | State of the SWITCH edu-ID account, is one of ["Registered", "Active", "Inactive", "Deleted"]. Only "Active" accounts can authenticate via SWITCH edu-ID. |
| eduPersonEntitlement | Array[String] | URI that indicates a set of rights to specific resources |
| eduPersonOrcid | Array[String] | ORCID iDs are persistent digital identifiers for individual researchers. |
| description | String | |

4.1.5. Example request

$ curl 'https://api.test.eduid.ch/scim/Users' -i -X POST \
    -H 'Content-Type: application/scim+json' \
    -H 'Accept: application/scim+json' \
    -d '{  "schemas" : [ "urn:mace:switch.ch:eduid:scim:1.0:user", "urn:ietf:params:scim:schemas:core:2.0:User" ],  "name" : {    "familyName" : "Monitor",    "givenName" : "Service"  },  "emails" : [ {    "value" : "service-monitor@switch.ch",    "primary" : true  } ],  "password" : "myPassword1234",  "urn:mace:switch.ch:eduid:scim:1.0:user" : {    "description" : "This user is used to monitor service XYZ",    "eduPersonEntitlement" : ["https://eduid.ch/spec/read-only-account/"]  }}'
Note: This command runs on Linux. If running on Windows and using the -d parameter for sending data, store the JSON data to a file (e.g. data.json) and use -d @data.json instead of -d '…'.

4.1.6. Example response

HTTP/1.1 201 Created
Location: https://api.test.eduid.ch/scim/Users/0000897371995476@eduid.ch
Content-Type: application/scim+json
Content-Length: 793

{
  "schemas" : [ "urn:mace:switch.ch:eduid:scim:1.0:user", "urn:ietf:params:scim:schemas:core:2.0:User" ],
  "id" : "0000897371995476@eduid.ch",
  "userName" : "0000897371995476@eduid.ch",
  "name" : {
    "familyName" : "Monitor",
    "givenName" : "Service"
  },
  "active" : true,
  "emails" : [ {
    "value" : "service-monitor@switch.ch",
    "primary" : true
  } ],
  "urn:mace:switch.ch:eduid:scim:1.0:user" : {
    "swissEduPersonUniqueID" : "0000897371995476@eduid.ch",
    "swissEduID" : "0000ba35-1322-45b2-a074-c30cd362ee94",
    "swissEduIDAffiliations" : [ ],
    "swissEduPersonAccountState" : "Active",
    "eduPersonEntitlement" : [ "https://eduid.ch/spec/read-only-account/" ],
    "eduPersonOrcid" : [ ],
    "description" : "This user is used to monitor service XYZ"
  }
}
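
A client-side check of the response contract described in 4.1.4 (id, userName and swissEduPersonUniqueID identical, active derived from swissEduPersonAccountState, at most one primary email), as an added example that is not part of the original documentation. The function names and the drifted response are constructed here; the sample response is the page's own, condensed.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
EDUID_USER = "urn:mace:switch.ch:eduid:scim:1.0:user"
ACCOUNT_STATES = {"Registered", "Active", "Inactive", "Deleted"}
READ_ONLY = "https://eduid.ch/spec/read-only-account/"

# The page's example response, condensed (Content-Length dropped because the body is reflowed).
SAMPLE_RESPONSE = """HTTP/1.1 201 Created
Location: https://api.test.eduid.ch/scim/Users/0000897371995476@eduid.ch
Content-Type: application/scim+json

{ "schemas" : [ "urn:mace:switch.ch:eduid:scim:1.0:user", "urn:ietf:params:scim:schemas:core:2.0:User" ],
  "id" : "0000897371995476@eduid.ch", "userName" : "0000897371995476@eduid.ch",
  "name" : { "familyName" : "Monitor", "givenName" : "Service" },
  "active" : true,
  "emails" : [ { "value" : "service-monitor@switch.ch", "primary" : true } ],
  "urn:mace:switch.ch:eduid:scim:1.0:user" : {
    "swissEduPersonUniqueID" : "0000897371995476@eduid.ch",
    "swissEduID" : "0000ba35-1322-45b2-a074-c30cd362ee94",
    "swissEduIDAffiliations" : [ ],
    "swissEduPersonAccountState" : "Active",
    "eduPersonEntitlement" : [ "https://eduid.ch/spec/read-only-account/" ],
    "eduPersonOrcid" : [ ],
    "description" : "This user is used to monitor service XYZ" } }
"""

# Extension part of the page's example request (the only part the check compares against).
SAMPLE_REQUEST = {EDUID_USER: {"description": "This user is used to monitor service XYZ",
                               "eduPersonEntitlement": [READ_ONLY]}}

# Constructed variant: account state no longer "Active" and the read-only entitlement dropped.
DRIFTED_RESPONSE = (SAMPLE_RESPONSE
                    .replace('"swissEduPersonAccountState" : "Active"',
                             '"swissEduPersonAccountState" : "Inactive"')
                    .replace('[ "' + READ_ONLY + '" ]', "[ ]"))


def parse_http_response(raw):
    """Split a raw HTTP response (as printed by `curl -i`) into status, headers and JSON body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip().split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, json.loads(body)


def check_created_user(raw_response, requested):
    """Return a list of findings; an empty list means the response matches the documented contract."""
    status, headers, user = parse_http_response(raw_response)
    ext = user.get(EDUID_USER, {})
    findings = []

    if status != 201:
        findings.append(f"expected 201 Created, got {status}")
    if not {CORE_USER, EDUID_USER} <= set(user.get("schemas", [])):
        findings.append("response does not declare both user schemas")

    # id, userName and the extension's swissEduPersonUniqueID must be one @eduid.ch identifier.
    ids = {user.get("id"), user.get("userName"), ext.get("swissEduPersonUniqueID")}
    if len(ids) != 1 or None in ids:
        findings.append("id, userName and swissEduPersonUniqueID differ")
    elif not user["id"].endswith("@eduid.ch"):
        findings.append("identifier is not scoped to @eduid.ch")
    if not headers.get("location", "").endswith("/Users/" + str(user.get("id"))):
        findings.append("Location header does not point at the created user")

    # active is documented as true exactly when the account state is "Active".
    state = ext.get("swissEduPersonAccountState")
    if state not in ACCOUNT_STATES:
        findings.append(f"unknown account state {state!r}")
    if user.get("active") != (state == "Active"):
        findings.append("active flag contradicts swissEduPersonAccountState")

    if len([e for e in user.get("emails", []) if e.get("primary") is True]) > 1:
        findings.append("more than one email is flagged primary")
    # password is a request field only; it is not among the documented response fields.
    if "password" in user:
        findings.append("response echoes the password attribute")

    # The request table marks the read-only entitlement as not yet implemented,
    # so confirm that what was requested is actually present on the account.
    wanted = set(requested.get(EDUID_USER, {}).get("eduPersonEntitlement", []))
    missing = wanted - set(ext.get("eduPersonEntitlement", []))
    if missing:
        findings.append(f"requested entitlements not set: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    print(check_created_user(SAMPLE_RESPONSE, SAMPLE_REQUEST))
    print(check_created_user(DRIFTED_RESPONSE, SAMPLE_REQUEST))
```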

5. SCIM service provider configuration endpoints

The following endpoints facilitate discovery of the SCIM service provider's features and schemas. All of them are retrieved using HTTP GET.

  • /Schemas: Provides a list of supported resource schemas.

  • /ResourceTypes: Provides a list of available resource types. Affiliation and User are the only supported resource types.

  • /ServiceProviderConfig: Informs about supported SCIM features and authentication requirements.
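
Schema-driven validation of an Affiliation's attribute values before they are sent, using what /Schemas advertises (added example, not part of the original documentation). The schema excerpt is trimmed from the example response in 5.1.7; `index_schema`, `validate_affiliation` and the sample values are constructed here. Assumptions: values are keyed by attribute name, and canonicalValues is treated as a closed list, which is stricter than RFC 7643 requires.

```python
import json

AFFILIATION_SCHEMA = "urn:mace:switch.ch:eduid:scim:1.0:affiliation"

# Excerpt of the /Schemas example response: one schema, a few attributes,
# each trimmed to the keys the validator uses.
SCHEMAS_RESPONSE = json.loads("""
{ "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "Resources": [ {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
    "id": "urn:mace:switch.ch:eduid:scim:1.0:affiliation",
    "name": "Affiliation",
    "attributes": [
      {"name": "eduPersonAffiliation", "type": "complex", "multiValued": true, "required": true,
       "canonicalValues": ["library-walk-in", "student", "member", "staff",
                           "affiliate", "employee", "alum", "faculty"]},
      {"name": "email", "type": "string", "multiValued": true, "required": true},
      {"name": "givenName", "type": "string", "multiValued": false, "required": true},
      {"name": "surname", "type": "string", "multiValued": false, "required": true},
      {"name": "swissEduID", "type": "complex", "multiValued": false, "required": true},
      {"name": "swissEduIDAffiliationStatus", "type": "complex", "multiValued": false,
       "required": false, "canonicalValues": ["current", "suspended"]},
      {"name": "swissEduPersonStaffCategory", "type": "integer", "multiValued": true,
       "required": false},
      {"name": "swissEduPersonUniqueID", "type": "complex", "multiValued": false, "required": true}
    ] } ] }
""")

# Only scalar SCIM types are type-checked; "complex" values are left to the server.
PY_TYPES = {"string": str, "integer": int, "boolean": bool}


def index_schema(list_response, schema_id):
    """Return {attribute name: definition} for one schema in a /Schemas ListResponse."""
    for resource in list_response.get("Resources", []):
        if resource.get("id") == schema_id:
            return {a["name"]: a for a in resource.get("attributes", [])}
    raise KeyError(f"schema {schema_id} is not advertised by the service provider")


def validate_affiliation(values, attrs):
    """Check attribute values against the advertised schema; return a list of problems."""
    problems = []
    for name, definition in attrs.items():
        if definition.get("required") and values.get(name) in (None, "", []):
            problems.append(f"{name}: required attribute missing")
    for name, value in values.items():
        definition = attrs.get(name)
        if definition is None:
            problems.append(f"{name}: not defined in the schema")
            continue
        multi = definition.get("multiValued", False)
        if multi != isinstance(value, list):
            problems.append(f"{name}: expected {'an array' if multi else 'a single value'}")
            continue
        expected = PY_TYPES.get(definition.get("type"))
        allowed = definition.get("canonicalValues")
        for item in (value if multi else [value]):
            # bool is a subclass of int in Python, so reject it explicitly for integers
            wrong_type = expected is not None and (
                not isinstance(item, expected) or (expected is int and isinstance(item, bool)))
            if wrong_type:
                problems.append(f"{name}: {item!r} is not of type {definition['type']}")
            elif allowed and item not in allowed:
                problems.append(f"{name}: {item!r} is not a canonical value")
    return problems


# Constructed sample values (not real accounts).
GOOD = {
    "swissEduID": "0000ba35-1322-45b2-a074-c30cd362ee94",
    "swissEduPersonUniqueID": "123456@example.org",
    "givenName": "Service", "surname": "Monitor",
    "email": ["service-monitor@example.org"],
    "eduPersonAffiliation": ["staff", "member"],
    "swissEduIDAffiliationStatus": "current",
    "swissEduPersonStaffCategory": [101],
}
BAD = {
    "givenName": "Service", "surname": "Monitor",
    "email": "service-monitor@example.org",           # scalar, but the schema says multiValued
    "eduPersonAffiliation": ["staff", "contractor"],  # "contractor" is not a canonical value
    "swissEduIDAffiliationStatus": "expired",         # only "current" and "suspended" are listed
    "swissEduPersonStaffCategory": ["101"],           # string where an integer is declared
    "mail": ["service-monitor@example.org"],          # attribute name not in the schema
}

if __name__ == "__main__":
    attrs = index_schema(SCHEMAS_RESPONSE, AFFILIATION_SCHEMA)
    for problem in validate_affiliation(BAD, attrs):
        print(problem)
```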

5.1. Get All Schemas

GET /Schemas

5.1.1. Path parameters

No parameters.

5.1.2. Query parameters

No parameters.

5.1.3. Required request fields

No request body.

5.1.4. Optional request fields

No request body.

5.1.5. Response fields

| Path | Type | Optional | Description |
|---|---|---|---|
| schemas | Array[String] | true | |
| id | String | true | |
| externalId | String | true | |
| meta | Object | true | |
| meta.resourceType | String | true | |
| meta.created | String | true | |
| meta.lastModified | String | true | |
| meta.location | String | true | |
| meta.version | String | true | |
| totalResults | Integer | true | The total number of results returned by the list or query operation. |
| Resources | Array[Object] | true | |
| startIndex | Integer | true | The 1-based index of the first result in the current set of list results. |
| itemsPerPage | Integer | true | The number of resources returned in a list response page. |

5.1.6. Example request

$ curl 'https://api.test.eduid.ch/scim/Schemas' -i -X GET \
    -H 'Accept: application/scim+json'

5.1.7. Example response

HTTP/1.1 200 OK
Content-Type: application/scim+json
Content-Length: 51710

{
  "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ],
  "totalResults" : 3,
  "Resources" : [ {
    "schemas" : [ "urn:ietf:params:scim:schemas:core:2.0:Schema" ],
    "id" : "urn:mace:switch.ch:eduid:scim:1.0:affiliation",
    "name" : "Affiliation",
    "description" : "Affiliation",
    "attributes" : [ {
      "name" : "commonName",
      "type" : "string",
      "multiValued" : true,
      "description" : "The names of an object",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "displayName",
      "type" : "string",
      "multiValued" : false,
      "description" : "The name(s) that should appear in white-pages-like applications",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "eduPersonAffiliation",
      "type" : "complex",
      "multiValued" : true,
      "description" : "Type of affiliation",
      "required" : true,
      "canonicalValues" : [ "library-walk-in", "student", "member", "staff", "affiliate", "employee", "alum", "faculty" ],
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "eduPersonAssurance",
      "type" : "string",
      "multiValued" : true,
      "description" : "Set of URIs that assert compliance with specific standards for identity assurance",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "eduPersonEntitlement",
      "type" : "string",
      "multiValued" : true,
      "description" : "URI (either URL or URN) that indicates a set of rights to specific resources",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "eduPersonNickname",
      "type" : "string",
      "multiValued" : true,
      "description" : "Person's nickname",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "eduPersonOrcid",
      "type" : "string",
      "multiValued" : true,
      "description" : "ORCID iDs are persistent digital identifiers for individual researchers",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "eduPersonOrgDN",
      "type" : "string",
      "multiValued" : false,
      "description" : "The distinguished name (DN) of the directory entry representing the organization with which the person is associated",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "eduPersonOrgUnitDN",
      "type" : "string",
      "multiValued" : true,
      "description" : "The distinguished name (DN) of the directory entries representing the person's Organizational Unit(s)",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "eduPersonPrimaryAffiliation",
      "type" : "complex",
      "multiValued" : false,
      "description" : "The person's primary relationship to the institution",
      "required" : false,
      "canonicalValues" : [ "library-walk-in", "student", "member", "staff", "affiliate", "employee", "alum", "faculty" ],
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "eduPersonPrimaryOrgUnitDN",
      "type" : "string",
      "multiValued" : false,
      "description" : "The distinguished name (DN) of the directory entry representing the person's primary Organizational Unit(s)",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "eduPersonPrincipalName",
      "type" : "string",
      "multiValued" : false,
      "description" : "A scoped identifier for a person",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "eduPersonScopedAffiliation",
      "type" : "string",
      "multiValued" : true,
      "description" : "The person's affiliation within a particular security domain",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "eduPersonUniqueId",
      "type" : "string",
      "multiValued" : false,
      "description" : "A long-lived, non re-assignable, omnidirectional identifier, the international version of the swissEduPersonUniqueID",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "email",
      "type" : "string",
      "multiValued" : true,
      "description" : "Preferred address for the 'To:' field of e-mail to be sent to this person",
      "required" : true,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "employeeNumber",
      "type" : "string",
      "multiValued" : false,
      "description" : "Numerically identifies an employee within an organization",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "extAzureADImmutableID",
      "type" : "string",
      "multiValued" : false,
      "description" : "Azure AD ImmutableID: Unique identifier for user. Must not change for this user over the lifetime of the user. Must not contain domain information. Case sensitive.",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "extKerberosPrincipalName",
      "type" : "string",
      "multiValued" : true,
      "description" : "Kerberos Principal Name of user at organisation, used to identify the user in SPNEGO Kerberos login",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "fhnwIDPerson",
      "type" : "string",
      "multiValued" : false,
      "description" : "FHNW IDPerson (Evento): IDPerson aus SAS Evento (intern FHNW)",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "fhnwOeID",
      "type" : "string",
      "multiValued" : false,
      "description" : "FHNW Organisationseinheit aus Metadirectory: FHNW Organisationseinheit aus Metadirectory",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "fschImapPW",
      "type" : "string",
      "multiValued" : false,
      "description" : "Fernuni Imap Password: This attribute used by Fernuni is used for Webmail IMAP authentication.",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "givenName",
      "type" : "string",
      "multiValued" : false,
      "description" : "Given name of a person",
      "required" : true,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "homePhone",
      "type" : "string",
      "multiValued" : true,
      "description" : "Private phone number",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "homePostalAddress",
      "type" : "string",
      "multiValued" : true,
      "description" : "Home address of the user",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "isMemberOf",
      "type" : "string",
      "multiValued" : true,
      "description" : "The values of isMemberOf are identifiers for groups to which the containing entity belongs",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "mobile",
      "type" : "string",
      "multiValued" : true,
      "description" : "Mobile phone number",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "ou",
      "type" : "string",
      "multiValued" : true,
      "description" : "Organizational unit(s)",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "postalAddress",
      "type" : "string",
      "multiValued" : true,
      "description" : "Campus or office address",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "preferredLanguage",
      "type" : "string",
      "multiValued" : false,
      "description" : "Preferred written or spoken language for a person",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "schacHomeOrganization",
      "type" : "string",
      "multiValued" : false,
      "description" : "A person's home organization using the domain name of the organization",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "schacHomeOrganizationType",
      "type" : "complex",
      "multiValued" : true,
      "description" : "Type of a home organization",
      "required" : false,
      "canonicalValues" : [ "urn:schac:homeOrganizationType:ch:uas", "urn:schac:homeOrganizationType:int:NREN", "urn:schac:homeOrganizationType:int:NRENAffiliate", "urn:schac:homeOrganizationType:eu:higherEducationalInstitution", "urn:schac:homeOrganizationType:ch:others", "urn:schac:homeOrganizationType:ch:tertiaryb", "urn:schac:homeOrganizationType:ch:university", "urn:schac:homeOrganizationType:ch:library", "urn:schac:homeOrganizationType:int:other", "urn:schac:homeOrganizationType:ch:vho", "urn:schac:homeOrganizationType:int:universityHospital", "urn:schac:homeOrganizationType:ch:hospital", "urn:schac:homeOrganizationType:eu:educationalInstitution", "urn:schac:homeOrganizationType:ch:uppersecondary" ],
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "surname",
      "type" : "string",
      "multiValued" : false,
      "description" : "Surname or family name",
      "required" : true,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduID",
      "type" : "complex",
      "multiValued" : false,
      "description" : "The Swiss edu-ID persistent identifier for Swiss Higher Education users",
      "required" : true,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduIDAffiliationPeriodBegin",
      "type" : "complex",
      "multiValued" : false,
      "description" : "Date the affiliation is valid from. If no value is provided, defaults to today when creating a new affiliation, or the previous value when updating an affiliation.",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduIDAffiliationStatus",
      "type" : "complex",
      "multiValued" : false,
      "description" : "Status of the affilation. If no value is provided, defaults to \"current\" when creating a new affiliation, or the previous value when updating an affiliation.",
      "required" : false,
      "canonicalValues" : [ "current", "suspended" ],
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduIDUser",
      "type" : "complex",
      "subAttributes" : [ {
        "name" : "$ref",
        "type" : "reference",
        "multiValued" : false,
        "description" : "URI of the SCIM User resource",
        "required" : true,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none",
        "referenceTypes" : [ "User" ]
      }, {
        "name" : "value",
        "type" : "complex",
        "multiValued" : false,
        "description" : "Identifier of the SCIM User resource",
        "required" : true,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      } ],
      "multiValued" : false,
      "description" : "User account linked to this affiliation",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduPersonCardUID",
      "type" : "string",
      "multiValued" : true,
      "description" : "Card unique identifier",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduPersonDateOfBirth",
      "type" : "string",
      "multiValued" : false,
      "description" : "The date of birth of the person (see RFC 3339)",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduPersonGender",
      "type" : "complex",
      "multiValued" : false,
      "description" : "The state of being male or female (see ISO 5218)",
      "required" : false,
      "canonicalValues" : [ "0", "1", "2", "9" ],
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduPersonHomeOrganization",
      "type" : "string",
      "multiValued" : false,
      "description" : "Domain name of a home organization",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduPersonHomeOrganizationType",
      "type" : "complex",
      "multiValued" : false,
      "description" : "Type of a home organization",
      "required" : false,
      "canonicalValues" : [ "library", "university", "uas", "tertiaryb", "uppersecondary", "hospital", "vho", "others" ],
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduPersonMatriculationNumber",
      "type" : "string",
      "multiValued" : false,
      "description" : "Matriculation number of a student",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduPersonStaffCategory",
      "type" : "integer",
      "multiValued" : true,
      "description" : "Workbranch of a staff member",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduPersonStudyBranch1",
      "type" : "integer",
      "multiValued" : true,
      "description" : "Study branch of a student, first level of classification",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduPersonStudyBranch2",
      "type" : "integer",
      "multiValued" : true,
      "description" : "Study branch of a student, intermediate level of classification",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduPersonStudyBranch3",
      "type" : "integer",
      "multiValued" : true,
      "description" : "Study branch of a student",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduPersonStudyLevel",
      "type" : "string",
      "multiValued" : true,
      "description" : "Study level of a student in a particular study branch",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduPersonUniqueID",
      "type" : "complex",
      "multiValued" : false,
      "description" : "A unique identifier for a person, mainly for inter-institutional user identification on personalized services",
      "required" : true,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissLibraryPersonAffiliation",
      "type" : "complex",
      "multiValued" : true,
      "description" : "Type of library affiliation",
      "required" : false,
      "canonicalValues" : [ "private", "company", "guest" ],
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissLibraryPersonResidence",
      "type" : "string",
      "multiValued" : true,
      "description" : "Defines the current residence of the patron",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "telephoneNumber",
      "type" : "string",
      "multiValued" : true,
      "description" : "Office/campus phone number",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "uid",
      "type" : "string",
      "multiValued" : false,
      "description" : "A unique identifier for a person, mainly used for user identification within the user's home organization",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "unibasChPublicId",
      "type" : "string",
      "multiValued" : false,
      "description" : "Uni Basel personal public id: University of Basel personal public id",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "unibasChRoles",
      "type" : "string",
      "multiValued" : true,
      "description" : "Uni Basel specific roles: This attribute contain the specific member roles available at university Basel",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "unilFacultePrincipale",
      "type" : "string",
      "multiValued" : false,
      "description" : "UniL faculte principale: Cet attribut contient le sigle de la faculte principale a l Universite de Lausanne; il est utilise pour les etudiants essentiellement.",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "unilMemberOf",
      "type" : "string",
      "multiValued" : true,
      "description" : "UniL group membership: Group membership at the Uni Lausanne",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "userPrincipalName",
      "type" : "string",
      "multiValued" : false,
      "description" : "Microsoft Active Directory User-Principal-Name",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "zhawDepartmentCode",
      "type" : "string",
      "multiValued" : false,
      "description" : "ZHAW Department Code: ZHAW Department Code",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "zhawInstitute",
      "type" : "string",
      "multiValued" : false,
      "description" : "ZHAW Institute Name: ZHAW Institute Name",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "zhawInstituteCode",
      "type" : "string",
      "multiValued" : false,
      "description" : "ZHAW Institute Code: ZHAW Institute Code",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    } ],
    "meta" : {
      "resourceType" : "Schema",
      "location" : "https://api.test.eduid.ch/scim/Schemas/urn:mace:switch.ch:eduid:scim:1.0:affiliation"
    }
  }, {
    "schemas" : [ "urn:ietf:params:scim:schemas:core:2.0:Schema" ],
    "id" : "urn:ietf:params:scim:schemas:core:2.0:User",
    "name" : "User",
    "description" : "User Account",
    "attributes" : [ {
      "name" : "active",
      "type" : "boolean",
      "multiValued" : false,
      "description" : "A Boolean value indicating the User's administrative status.",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "addresses",
      "type" : "complex",
      "subAttributes" : [ {
        "name" : "country",
        "type" : "string",
        "multiValued" : false,
        "description" : "The country name component.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "formatted",
        "type" : "string",
        "multiValued" : false,
        "description" : "The full mailing address, formatted for display or use with a mailing label. This attribute MAY contain newlines.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "locality",
        "type" : "string",
        "multiValued" : false,
        "description" : "The city or locality component.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "postalCode",
        "type" : "string",
        "multiValued" : false,
        "description" : "The zipcode or postal code component.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "primary",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred address. The primary attribute value 'true' MUST appear no more than once.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "region",
        "type" : "string",
        "multiValued" : false,
        "description" : "The state or region component.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "streetAddress",
        "type" : "string",
        "multiValued" : false,
        "description" : "The full street address component, which may include house number, street name, PO BOX, and multi-line extended street address information. This attribute MAY contain newlines.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "type",
        "type" : "string",
        "multiValued" : false,
        "description" : "A label indicating the attribute's function; e.g., 'work' or 'home'.",
        "required" : false,
        "canonicalValues" : [ "other", "work", "home" ],
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      } ],
      "multiValued" : true,
      "description" : "Physical mailing addresses for this User.",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "displayName",
      "type" : "string",
      "multiValued" : false,
      "description" : "The name of the User, suitable for display to end-users. The name SHOULD be the full name of the User being described if known.",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "emails",
      "type" : "complex",
      "subAttributes" : [ {
        "name" : "display",
        "type" : "string",
        "multiValued" : false,
        "description" : "A human readable name, primarily used for display purposes.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "primary",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred mailing address or primary e-mail address. The primary attribute value 'true' MUST appear no more than once.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "type",
        "type" : "string",
        "multiValued" : false,
        "description" : "A label indicating the attribute's function; e.g., 'work' or 'home'.",
        "required" : false,
        "canonicalValues" : [ "other", "work", "home" ],
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "value",
        "type" : "string",
        "multiValued" : false,
        "description" : "E-mail addresses for the user. The value\nSHOULD be canonicalized by the Service Provider, e.g.\nbjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type\nvalues of work, home, and other.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      } ],
      "multiValued" : true,
      "description" : "E-mail addresses for the user. The value SHOULD be canonicalized by the Service Provider, e.g., bjensen@example.com instead of bjensen@EXAMPLE.COM. Canonical Type values of work, home, and other.",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "entitlements",
      "type" : "complex",
      "subAttributes" : [ {
        "name" : "display",
        "type" : "string",
        "multiValued" : false,
        "description" : "A human readable name, primarily used for display purposes.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "primary",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "A Boolean value indicating the 'primary' or preferred attribute value for this attribute. The primary attribute value 'true' MUST appear no more than once.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "type",
        "type" : "string",
        "multiValued" : false,
        "description" : "A label indicating the attribute's function.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "value",
        "type" : "string",
        "multiValued" : false,
        "description" : "The value of an entitlement.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      } ],
      "multiValued" : true,
      "description" : "A list of entitlements for the User that represent a thing the User has.",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "groups",
      "type" : "complex",
      "subAttributes" : [ {
        "name" : "display",
        "type" : "string",
        "multiValued" : false,
        "description" : "A human readable name, primarily used for display purposes.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "$ref",
        "type" : "reference",
        "multiValued" : false,
        "description" : "The URI of the corresponding Group resource to which the user belongs",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none",
        "referenceTypes" : [ "Group", "User" ]
      }, {
        "name" : "type",
        "type" : "string",
        "multiValued" : false,
        "description" : "A label indicating the attribute's function; e.g., 'direct' or 'indirect'.",
        "required" : false,
        "canonicalValues" : [ "indirect", "direct" ],
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "value",
        "type" : "string",
        "multiValued" : false,
        "description" : "The identifier of the User's group.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readOnly",
        "returned" : "default",
        "uniqueness" : "none"
      } ],
      "multiValued" : true,
      "description" : "A list of groups that the user belongs to, either thorough direct membership, nested groups, or dynamically calculated.",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readOnly",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "ims",
      "type" : "complex",
      "subAttributes" : [ {
        "name" : "display",
        "type" : "string",
        "multiValued" : false,
        "description" : "A human readable name, primarily used for display purposes.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "primary",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred messenger or primary messenger. The primary attribute value 'true' MUST appear no more than once.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "type",
        "type" : "string",
        "multiValued" : false,
        "description" : "A label indicating the attribute's function; e.g., 'aim', 'gtalk', 'mobile' etc.",
        "required" : false,
        "canonicalValues" : [ "qq", "skype", "gtalk", "aim", "icq", "yahoo", "msn", "xmpp" ],
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "value",
        "type" : "string",
        "multiValued" : false,
        "description" : "Instant messaging address for the User.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      } ],
      "multiValued" : true,
      "description" : "Instant messaging addresses for the User.",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "locale",
      "type" : "string",
      "multiValued" : false,
      "description" : "Used to indicate the User's default location for purposes of localizing items such as currency, date time format, numerical representations, etc.",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "name",
      "type" : "complex",
      "subAttributes" : [ {
        "name" : "familyName",
        "type" : "string",
        "multiValued" : false,
        "description" : "The family name of the User, or Last Name in most Western languages (for example, Jensen given the full name Ms. Barbara J Jensen, III.).",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "formatted",
        "type" : "string",
        "multiValued" : false,
        "description" : "The full name, including all middle names, titles, and suffixes as appropriate, formatted for display (for example, Ms. Barbara J Jensen, III.).",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "givenName",
        "type" : "string",
        "multiValued" : false,
        "description" : "The given name of the User, or First Name in most Western languages (for example, Barbara given the full name Ms. Barbara J Jensen, III.).",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "honorificPrefix",
        "type" : "string",
        "multiValued" : false,
        "description" : "The honorific prefix(es) of the User, or Title in most Western languages (for example, Ms. given the full name Ms. Barbara J Jensen, III.).",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "honorificSuffix",
        "type" : "string",
        "multiValued" : false,
        "description" : "The honorific suffix(es) of the User, or Suffix in most Western languages (for example, III. given the full name Ms. Barbara J Jensen, III.)",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "middleName",
        "type" : "string",
        "multiValued" : false,
        "description" : "The middle name(s) of the User (for example, Robert given the full name Ms. Barbara J Jensen, III.).",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      } ],
      "multiValued" : false,
      "description" : "The components of the user's real name.",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "nickName",
      "type" : "string",
      "multiValued" : false,
      "description" : "The casual way to address the user in real life, e.g.'Bob' or 'Bobby' instead of 'Robert'. This attribute SHOULD NOT be used to represent a User's username (e.g., bjensen or mpepperidge)",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "password",
      "type" : "string",
      "multiValued" : false,
      "description" : "The User's clear text password. This attribute is intended to be used as a means to specify an initial password when creating a new User or to reset an existing User's password.",
      "required" : false,
      "caseExact" : false,
      "mutability" : "writeOnly",
      "returned" : "never",
      "uniqueness" : "none"
    }, {
      "name" : "phoneNumbers",
      "type" : "complex",
      "subAttributes" : [ {
        "name" : "display",
        "type" : "string",
        "multiValued" : false,
        "description" : "A human readable name, primarily used for display purposes.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "primary",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred phone number or primary phone number. The primary attribute value 'true' MUST appear no more than once.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "type",
        "type" : "string",
        "multiValued" : false,
        "description" : "A label indicating the attribute's function; e.g., 'work' or 'home' or 'mobile' etc.",
        "required" : false,
        "canonicalValues" : [ "other", "pager", "work", "mobile", "fax", "home" ],
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "value",
        "type" : "string",
        "multiValued" : false,
        "description" : "Phone number of the User",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      } ],
      "multiValued" : true,
      "description" : "Phone numbers for the User.  The value SHOULD be canonicalized by the Service Provider according to format in RFC3966 e.g., 'tel:+1-201-555-0123'.  Canonical Type values of work, home, mobile, fax, pager and other.",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "photos",
      "type" : "complex",
      "subAttributes" : [ {
        "name" : "display",
        "type" : "string",
        "multiValued" : false,
        "description" : "A human readable name, primarily used for display purposes.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "primary",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred messenger or primary messenger. The primary attribute value 'true' MUST appear no more than once.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "type",
        "type" : "string",
        "multiValued" : false,
        "description" : "A label indicating the attribute's function; e.g., 'photo' or 'thumbnail'.",
        "required" : false,
        "canonicalValues" : [ "thumbnail", "photo" ],
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "value",
        "type" : "reference",
        "multiValued" : false,
        "description" : "URI of a photo of the User.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none",
        "referenceTypes" : [ "external" ]
      } ],
      "multiValued" : true,
      "description" : "URIs of photos of the User.",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "preferredLanguage",
      "type" : "string",
      "multiValued" : false,
      "description" : "Indicates the User's preferred written or spoken language.  Generally used for selecting a localized User interface. e.g., 'en_US' specifies the language English and country US.",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "profileUrl",
      "type" : "reference",
      "multiValued" : false,
      "description" : "A fully qualified URL to a page representing the User's online profile",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none",
      "referenceTypes" : [ "external" ]
    }, {
      "name" : "roles",
      "type" : "complex",
      "subAttributes" : [ {
        "name" : "display",
        "type" : "string",
        "multiValued" : false,
        "description" : "A human readable name, primarily used for display purposes.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "primary",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "A Boolean value indicating the 'primary' or preferred attribute value for this attribute. The primary attribute value 'true' MUST appear no more than once.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "type",
        "type" : "string",
        "multiValued" : false,
        "description" : "A label indicating the attribute's function.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "value",
        "type" : "string",
        "multiValued" : false,
        "description" : "The value of a role.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      } ],
      "multiValued" : true,
      "description" : "A list of roles for the User that collectively represent who the User is; e.g., 'Student', 'Faculty'.",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "timezone",
      "type" : "string",
      "multiValued" : false,
      "description" : "The User's time zone in the 'Olson' timezone database format; e.g.,'America/Los_Angeles'",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "title",
      "type" : "string",
      "multiValued" : false,
      "description" : "The user's title, such as \"Vice President\".",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "userName",
      "type" : "string",
      "multiValued" : false,
      "description" : "Unique identifier for the User typically used by the user to directly authenticate to the service provider.",
      "required" : true,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "server"
    }, {
      "name" : "userType",
      "type" : "string",
      "multiValued" : false,
      "description" : "Used to identify the organization to user relationship. Typical values used might be 'Contractor', 'Employee', 'Intern', 'Temp', 'External', and 'Unknown' but any value may be used.",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "x509Certificates",
      "type" : "complex",
      "subAttributes" : [ {
        "name" : "display",
        "type" : "string",
        "multiValued" : false,
        "description" : "A human readable name, primarily used for display purposes.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "primary",
        "type" : "boolean",
        "multiValued" : false,
        "description" : "A Boolean value indicating the 'primary' or preferred attribute value for this attribute. The primary attribute value 'true' MUST appear no more than once.",
        "required" : false,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "type",
        "type" : "string",
        "multiValued" : false,
        "description" : "A label indicating the attribute's function.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      }, {
        "name" : "value",
        "type" : "binary",
        "multiValued" : false,
        "description" : "The value of a X509 certificate.",
        "required" : false,
        "caseExact" : false,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      } ],
      "multiValued" : true,
      "description" : "A list of certificates issued to the User.",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    } ],
    "meta" : {
      "resourceType" : "Schema",
      "location" : "https://api.test.eduid.ch/scim/Schemas/urn:ietf:params:scim:schemas:core:2.0:User"
    }
  }, {
    "schemas" : [ "urn:ietf:params:scim:schemas:core:2.0:Schema" ],
    "id" : "urn:mace:switch.ch:eduid:scim:1.0:user",
    "name" : "EduIDUser",
    "description" : "edu-ID user",
    "attributes" : [ {
      "name" : "description",
      "type" : "string",
      "multiValued" : false,
      "description" : "technical account purpose",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "eduPersonEntitlement",
      "type" : "string",
      "multiValued" : true,
      "description" : "URI (either URL or URN) that indicates a set of rights to specific resources",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "eduPersonOrcid",
      "type" : "string",
      "multiValued" : true,
      "description" : "ORCID iDs are persistent digital identifiers for individual researchers",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduID",
      "type" : "complex",
      "multiValued" : false,
      "description" : "The Swiss edu-ID persistent identifier for Swiss Higher Education users",
      "required" : false,
      "caseExact" : false,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduIDAffiliations",
      "type" : "complex",
      "subAttributes" : [ {
        "name" : "$ref",
        "type" : "reference",
        "multiValued" : false,
        "description" : "URI of the SCIM Affiliation resource",
        "required" : true,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none",
        "referenceTypes" : [ "Affiliation" ]
      }, {
        "name" : "value",
        "type" : "complex",
        "multiValued" : false,
        "description" : "Identifier of the SCIM Affiliation resource",
        "required" : true,
        "caseExact" : true,
        "mutability" : "readWrite",
        "returned" : "default",
        "uniqueness" : "none"
      } ],
      "multiValued" : true,
      "description" : "affiliations linked to this user account",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduPersonAccountState",
      "type" : "complex",
      "multiValued" : false,
      "description" : "swissEduPersonAccountState",
      "required" : false,
      "canonicalValues" : [ "Active", "Inactive", "Deleted", "Registered" ],
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    }, {
      "name" : "swissEduPersonUniqueID",
      "type" : "complex",
      "multiValued" : false,
      "description" : "swissEduPersonUniqueID",
      "required" : false,
      "caseExact" : true,
      "mutability" : "readWrite",
      "returned" : "default",
      "uniqueness" : "none"
    } ],
    "meta" : {
      "resourceType" : "Schema",
      "location" : "https://api.test.eduid.ch/scim/Schemas/urn:mace:switch.ch:eduid:scim:1.0:user"
    }
  } ]
}

5.2. Get All Resource Types

GET /ResourceTypes

5.2.1. Path parameters

No parameters.

5.2.2. Query parameters

No parameters.

5.2.3. Required request fields

No request body.

5.2.4. Optional request fields

No request body.

5.2.5. Response fields

| Path | Type | Optional | Description |
|---|---|---|---|
| schemas | Array[String] | true | |
| id | String | true | |
| externalId | String | true | |
| meta | Object | true | |
| meta.resourceType | String | true | |
| meta.created | String | true | |
| meta.lastModified | String | true | |
| meta.location | String | true | |
| meta.version | String | true | |
| totalResults | Integer | true | The total number of results returned by the list or query operation. |
| Resources | Array[Object] | true | |
| startIndex | Integer | true | The 1-based index of the first result in the current set of list results. |
| itemsPerPage | Integer | true | The number of resources returned in a list response page. |

5.2.6. Example request

$ curl 'https://api.test.eduid.ch/scim/ResourceTypes' -i -X GET \
    -H 'Accept: application/scim+json'

Note: This command runs on Linux. If running on Windows and using the -d parameter for sending data, store the JSON data to a file (e.g. data.json) and use -d @data.json instead of -d '…'.

5.2.7. Example response

HTTP/1.1 200 OK
Content-Type: application/scim+json
Content-Length: 1019

{
  "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ],
  "totalResults" : 2,
  "Resources" : [ {
    "schemas" : [ "urn:ietf:params:scim:schemas:core:2.0:ResourceType" ],
    "id" : "Affiliation",
    "name" : "Affiliation",
    "description" : "Affiliation",
    "endpoint" : "/Affiliations",
    "schema" : "urn:mace:switch.ch:eduid:scim:1.0:affiliation",
    "meta" : {
      "resourceType" : "ResourceType",
      "location" : "https://api.test.eduid.ch/scim/ResourceTypes/Affiliation"
    }
  }, {
    "schemas" : [ "urn:ietf:params:scim:schemas:core:2.0:ResourceType" ],
    "id" : "User",
    "name" : "User",
    "description" : "User Account",
    "endpoint" : "/Users",
    "schema" : "urn:ietf:params:scim:schemas:core:2.0:User",
    "schemaExtensions" : [ {
      "schema" : "urn:mace:switch.ch:eduid:scim:1.0:user",
      "required" : true
    } ],
    "meta" : {
      "resourceType" : "ResourceType",
      "location" : "https://api.test.eduid.ch/scim/ResourceTypes/User"
    }
  } ]
}

5.3. Get Service Provider Config

GET /ServiceProviderConfig

5.3.1. Path parameters

No parameters.

5.3.2. Query parameters

No parameters.

5.3.3. Required request fields

No request body.

5.3.4. Optional request fields

No request body.

5.3.5. Response fields

| Path | Type | Optional | Description |
|---|---|---|---|
| schemas | Array[String] | true | |
| id | String | true | |
| externalId | String | true | |
| documentationUri | String | true | An HTTP addressable URI pointing to the service provider’s human consumable help documentation. |
| patch | Object | false | A complex type that specifies PATCH configuration options. |
| patch.supported | Boolean | true | |
| bulk | Object | false | A complex type that specifies Bulk configuration options. |
| bulk.supported | Boolean | true | |
| bulk.maxOperations | Integer | true | |
| bulk.maxPayloadSize | Integer | true | |
| filter | Object | false | A complex type that specifies FILTER options. |
| filter.supported | Boolean | true | |
| filter.maxResults | Integer | true | |
| changePassword | Object | false | A complex type that specifies Change Password configuration options. |
| changePassword.supported | Boolean | true | |
| sort | Object | false | A complex type that specifies Sort configuration options. |
| sort.supported | Boolean | true | |
| etag | Object | false | A complex type that specifies Etag configuration options. |
| etag.supported | Boolean | true | |
| authenticationSchemes | Array[Object] | false | A complex type that specifies supported Authentication Scheme properties. |
| authenticationSchemes[].name | String | true | |
| authenticationSchemes[].description | String | true | |
| authenticationSchemes[].specUri | String | true | |
| authenticationSchemes[].documentationUri | String | true | |
| authenticationSchemes[].type | String | true | |
| authenticationSchemes[].primary | Boolean | true | |
| meta | Object | true | |
| meta.resourceType | String | true | |
| meta.created | String | true | |
| meta.lastModified | String | true | |
| meta.location | String | true | |
| meta.version | String | true | |

5.3.6. Example request

$ curl 'https://api.test.eduid.ch/scim/ServiceProviderConfig' -i -X GET \
    -H 'Accept: application/scim+json'

Note: This command runs on Linux. If running on Windows and using the -d parameter for sending data, store the JSON data to a file (e.g. data.json) and use -d @data.json instead of -d '…'.

5.3.7. Example response

HTTP/1.1 200 OK
Content-Type: application/scim+json
Content-Length: 636

{
  "schemas" : [ "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig" ],
  "documentationUri" : "https://api.test.eduid.ch/scim/docs/index.html",
  "patch" : {
    "supported" : false
  },
  "bulk" : {
    "supported" : false,
    "maxOperations" : 0,
    "maxPayloadSize" : 0
  },
  "filter" : {
    "supported" : false,
    "maxResults" : 0
  },
  "changePassword" : {
    "supported" : false
  },
  "sort" : {
    "supported" : false
  },
  "etag" : {
    "supported" : false
  },
  "authenticationSchemes" : [ {
    "name" : "Basic",
    "description" : "HTTP BASIC",
    "type" : "httpbasic",
    "primary" : true
  } ]
}
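
A client can read this response once at start-up and adapt its requests to what the server declares. The sketch below is an added example, not part of the SWITCH edu-ID documentation or code: the function names are hypothetical, the PUT fallback and the filter, sortBy and If-Match names come from RFC 7644, and the embedded configuration is the example response above.

```python
import json
from urllib.parse import urlsplit

# ServiceProviderConfig body as shown in the example response above.
SERVICE_PROVIDER_CONFIG = json.loads("""
{
  "schemas" : [ "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig" ],
  "documentationUri" : "https://api.test.eduid.ch/scim/docs/index.html",
  "patch" : { "supported" : false },
  "bulk" : { "supported" : false, "maxOperations" : 0, "maxPayloadSize" : 0 },
  "filter" : { "supported" : false, "maxResults" : 0 },
  "changePassword" : { "supported" : false },
  "sort" : { "supported" : false },
  "etag" : { "supported" : false },
  "authenticationSchemes" : [ {
    "name" : "Basic", "description" : "HTTP BASIC", "type" : "httpbasic", "primary" : true
  } ]
}
""")

OPTIONAL_FEATURES = ("patch", "bulk", "filter", "changePassword", "sort", "etag")


def supported_features(config):
    """Names of the optional SCIM features the server declares as supported."""
    return {
        name for name in OPTIONAL_FEATURES
        if isinstance(config.get(name), dict) and config[name].get("supported") is True
    }


def check_transport(base_url, config):
    """Raise if credentials for an httpbasic scheme would travel without TLS."""
    types = {s.get("type") for s in config.get("authenticationSchemes", [])}
    if "httpbasic" in types and urlsplit(base_url).scheme.lower() != "https":
        raise ValueError("httpbasic credentials must only be sent over https")


def update_method(config):
    """PATCH only when advertised; otherwise RFC 7644 full replacement (PUT)."""
    return "PATCH" if "patch" in supported_features(config) else "PUT"


def build_query(config, filter_expr=None, sort_by=None):
    """Query parameters for a list request, dropping what the server lacks.

    Returns (params, dropped) so the caller can apply the dropped criteria
    client-side instead of assuming the server honoured them.
    """
    features = supported_features(config)
    params, dropped = {}, []
    if filter_expr is not None:
        if "filter" in features:
            params["filter"] = filter_expr
        else:
            dropped.append("filter")
    if sort_by is not None:
        if "sort" in features:
            params["sortBy"] = sort_by
        else:
            dropped.append("sortBy")
    return params, dropped


def conditional_headers(config, etag=None):
    """Add If-Match only when the server supports ETags.

    Without ETag support there is no server-side protection against lost
    updates, so the caller must not rely on If-Match being enforced.
    """
    headers = {"Accept": "application/scim+json"}
    if etag is not None and "etag" in supported_features(config):
        headers["If-Match"] = etag
    return headers
```

With the configuration shown above, every optional feature is off: updates are full replacements, filtering and sorting happen on the client, and the only protection for the Basic credentials is the TLS connection itself.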

6. Health check endpoint

There is a health check endpoint at ${baseUrl}/actuator/health that you can query to check that this API is up and running. (It is accessible without authentication.)

6.1. Example request

$ curl -i -H 'Accept: application/json' 'https://api.test.eduid.ch/scim/actuator/health'

6.2. Example response

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{"status":"UP"}

Obviously, any HTTP status other than 200 or any content other than {"status":"UP"} indicates that this API isn’t operating properly.

7. Troubleshooting

If your client receives an HTTP 4XX error from the Affiliation API, check the response body for an explanation, especially for 400 Bad Request errors.

7.1. Example 404 Not Found error

GET /scim/Affiliations/unknown@example.org HTTP/1.1
Host: api.test.eduid.ch

HTTP/1.1 404 Not Found
Content-Disposition: inline;filename=f.txt
Content-Type: application/json
Content-Length: 87

{
  "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:Error" ],
  "status" : "404"
}

7.2. Example 400 Bad Request error

POST /scim/Affiliations HTTP/1.1
Content-Type: application/scim+json
Accept: application/scim+json
Content-Length: 272
Host: api.test.eduid.ch

{"schemas":["urn:mace:switch.ch:eduid:scim:1.0:affiliation"],"externalId":"new1@example.org","swissEduPersonUniqueID":"new1@example.org","swissEduID":"00000000-5ffb-4d52-92ec","eduPersonAffiliation":["student"],"email":["john.doe@example@org"],"givenName":"","surname":""}

HTTP/1.1 400 Bad Request
Content-Type: application/scim+json
Content-Length: 493

{
  "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:Error" ],
  "status" : "400",
  "scimType" : "invalidValue",
  "detail" : "swissEduID.uuid must match \"^[\\p{IsAlphabetic}\\p{IsDigit}]{8}-[\\p{IsAlphabetic}\\p{IsDigit}]{4}-[\\p{IsAlphabetic}\\p{IsDigit}]{4}-[\\p{IsAlphabetic}\\p{IsDigit}]{4}-[\\p{IsAlphabetic}\\p{IsDigit}]{12}$\", email[0] must be a well-formed email address, surname must not be blank, swissEduID.uuid size must be between 36 and 36, givenName must not be blank"
}
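
The two error examples above can be handled in client code as follows. This is an added example, not part of the SWITCH edu-ID documentation or code: it decodes SCIM error bodies and checks a payload locally against the constraints the 400 response names. The function names are hypothetical, the identifier pattern and the e-mail check are simplified stand-ins for the server's rules, and only fields present in the payload are checked.

```python
import json
import re

SCIM_ERROR_URN = "urn:ietf:params:scim:api:messages:2.0:Error"

# Approximation of the server-side pattern quoted in the 400 response:
# 8-4-4-4-12 groups of letters/digits. Python's re has no \p{...}, so
# [^\W_] (Unicode word characters minus underscore) stands in for it.
_ALNUM = r"[^\W_]"
SWISS_EDU_ID_RE = re.compile(
    rf"{_ALNUM}{{8}}-{_ALNUM}{{4}}-{_ALNUM}{{4}}-{_ALNUM}{{4}}-{_ALNUM}{{12}}"
)

# Request body and response body taken from the 400 example above.
REJECTED_REQUEST = r'''{"schemas":["urn:mace:switch.ch:eduid:scim:1.0:affiliation"],"externalId":"new1@example.org","swissEduPersonUniqueID":"new1@example.org","swissEduID":"00000000-5ffb-4d52-92ec","eduPersonAffiliation":["student"],"email":["john.doe@example@org"],"givenName":"","surname":""}'''
RESPONSE_400 = r'''{
  "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:Error" ],
  "status" : "400",
  "scimType" : "invalidValue",
  "detail" : "swissEduID.uuid must match \"^[\\p{IsAlphabetic}\\p{IsDigit}]{8}-[\\p{IsAlphabetic}\\p{IsDigit}]{4}-[\\p{IsAlphabetic}\\p{IsDigit}]{4}-[\\p{IsAlphabetic}\\p{IsDigit}]{4}-[\\p{IsAlphabetic}\\p{IsDigit}]{12}$\", email[0] must be a well-formed email address, surname must not be blank, swissEduID.uuid size must be between 36 and 36, givenName must not be blank"
}'''
RESPONSE_404 = r'''{ "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:Error" ], "status" : "404" }'''


def _looks_like_email(value):
    """Simplified well-formedness check (assumption: the server is stricter)."""
    if not isinstance(value, str) or any(c.isspace() for c in value):
        return False
    local, sep, domain = value.partition("@")
    return bool(sep and local and domain and "@" not in domain)


def prevalidate_affiliation(payload):
    """Return the problems found locally, before any request is sent.

    Only fields present in the payload are checked; which fields are
    required is left to the server.
    """
    problems = []
    if "swissEduID" in payload:
        value = payload["swissEduID"]
        if not isinstance(value, str) or not SWISS_EDU_ID_RE.fullmatch(value):
            problems.append("swissEduID must have the 8-4-4-4-12 alphanumeric form")
    for i, address in enumerate(payload.get("email", [])):
        if not _looks_like_email(address):
            problems.append(f"email[{i}] is not a well-formed email address")
    for field in ("givenName", "surname"):
        if field in payload:
            value = payload[field]
            if not isinstance(value, str) or not value.strip():
                problems.append(f"{field} must not be blank")
    return problems


def split_detail(detail):
    """Split the comma-joined detail text, ignoring commas inside double quotes.

    Heuristic: the format is known only from the example above, so treat the
    result as a display aid, not as a stable contract.
    """
    parts, current, in_quotes = [], [], False
    for ch in detail:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def parse_scim_error(status_code, body_text):
    """Decode a SCIM error body; return None if the body is not a SCIM error."""
    try:
        body = json.loads(body_text)
    except ValueError:
        return None
    if not isinstance(body, dict) or SCIM_ERROR_URN not in body.get("schemas", []):
        return None
    return {
        "status": int(body.get("status", status_code)),
        "scimType": body.get("scimType"),
        "violations": split_detail(body.get("detail", "")),
    }
```

Logging the parsed `violations` list rather than the raw body keeps provisioning logs readable; the values themselves are personal data and are best left out of the log line.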