Trouble building a new SCIM integration

Using this template helps us debug your issues more effectively :slight_smile:

Description
I’m trying to build a new plugin for our ticketing automation system to create/delete accounts in Zoom (for employee onboarding workflow) via SCIM, and having a lot of issues along the way.

Error

  1. When I do a normal oauth flow, I get back a token with the scopes ‘scim’, but when I try to query https://api.zoom.us/scim2/Users I get 401: Invalid access token. despite the token clearly coming back with the scim scope.

  2. If I instead use the test url from my app developer page, and add in the needed state argument to pass my own checks, I get a token that works, sorta. When I query https://api.zoom.us/scim2/Users I get back 400: Account hasn't enabled Single Sign-On.

But when I go to enable SSO, I’m required to provide a bunch of SAML links that I don’t have because I don’t want to use SAML. I just want to read/create accounts fir the scim2/Users url.

Which App Type (OAuth / Chatbot / JWT / Webhook)?
Oauth/SCIM

Which Endpoint/s?
https://api.zoom.us/scim2/Users

How To Reproduce (If applicable)
Steps to reproduce the behavior:

  1. GET https://api.zoom.us/scim2/Users
  2. See error

The prerequisites in the API reference for using the SCIM2 API lists the following items:

  • Zoom Owner or Admin privileges
  • Business or Education account with approved
  • Single Sign-On Enabled

See https://marketplace.zoom.us/docs/api-reference/scim-api for Details:

And the Zoom single sign-on (SSO) is based on SAML 2.0.

What prevents you from using the following Zoom API calls?

We are using the owner account, so that’s covered.
The account is a business one we signed up specifically to build this integration.
We try to enable SSO, but like I said, we are not using SAML. (And there’s no technical requirement to use SAML for a SCIM client. They solve different problems and we’re not supporting SAML We do not have exposed endpoints for SAML. We are not providing IdP services. The requests are sent to SCIM from either a Slack request, or an open ticket in a customer’s ITSM product requesting access to a 3rd party, or part of an onboarding/offboarding flow.)

The only thing preventing us from using the non-SCIM endpoints is a desire to use the open standard which we already support instead of writing a plugin that only works with a single provider. (Exactly the situation that SCIM was authored to solve.)

So, since the RFCs for SCIM don’t require or even suggest a dependency upon SAML, I guess I’m asking how we setup SCIM with Zoom in an RFC-compliant way?

@ash You bring up a good point. I’m not sure we support SCIM2 without SAML but that would certainly be useful and I’m always an advocate for aligning with the RFC. I reached out to our engineering team to get more information on this

ZOOM-341462