Django SCIM 2.0 Service Provider

0.19.1 · active · verified Sat Apr 11

A partial implementation of the SCIM 2.0 provider specification for use with Django. It enables automatic provisioning and deprovisioning of user accounts and groups, facilitating identity synchronization across various identity providers and applications. The current stable version, as listed on PyPI, is 0.19.1, with development being stable and new releases occurring periodically, often focusing on Fridays.

Warnings

breaking Version 0.20.0 (released April 2025) removed the `USE_L10N` setting, which impacts projects using Django 5+ as this setting is deprecated/removed in newer Django versions. Ensure your project is compatible or handle the removal.
Fix: Review Django project settings for `USE_L10N`. If present, remove it or ensure compatibility with Django 5+. Test thoroughly after upgrading.
breaking In version 0.18.0, `SCIMAuthCheckMiddleware` transitioned from a global `MIDDLEWARE` setting to a decorator directly applied to SCIM view functions. It should no longer be listed in `MIDDLEWARE`. Customization is now done via the `AUTH_CHECK_MIDDLEWARE` key in `SCIM_SERVICE_PROVIDER`.
Fix: Remove `SCIMAuthCheckMiddleware` from your Django `MIDDLEWARE` setting. If custom authentication checks are needed, configure them via `SCIM_SERVICE_PROVIDER['AUTH_CHECK_MIDDLEWARE']`.
breaking Version 0.16.0 introduced two significant breaking changes: SCIM IDs are now required to be unique across all objects of a specific model, and compatibility with Django versions before 2.2.13 was dropped.
Fix: Ensure all SCIM IDs are unique in your data. Upgrade your Django project to version 2.2.13 or newer before upgrading `django-scim2` to 0.16.0 or later.
gotcha The library explicitly states that it does not implement authorization and authentication itself. These tasks are left for other Django apps (e.g., Django OAuth Toolkit) to provide. The `SCIMAuthCheckMiddleware` (or its decorator equivalent) simply checks `request.user.is_anonymous()` by default.
Fix: Integrate a separate authentication/authorization solution (e.g., Django REST Framework authentication, Django OAuth Toolkit) into your Django project. Ensure SCIM endpoints are protected appropriately.
gotcha The `SCIMAuthCheckMiddleware` (or the underlying decorator logic) must be processed *after* your primary Django authentication middleware. Otherwise, `request.user` might still be `AnonymousUser` when the SCIM check occurs, leading to unintended access denials.
Fix: Verify the order of your middleware. Place any authentication-related middleware (e.g., `AuthenticationMiddleware`) before `django_scim`'s authentication checks.
gotcha Currently, the only supported database for `django-scim2` is PostgreSQL. Using other database backends may lead to unexpected behavior or errors.
Fix: Ensure your Django project is configured to use PostgreSQL as its database backend for applications leveraging `django-scim2`.

Install

pip install django-scim2 Install latest stable version

Imports

SCIMAuthCheckMiddleware
```
from django_scim.middleware import SCIMAuthCheckMiddleware
```
The PyPI package name uses a hyphen, but the import path uses an underscore.

urls

from django.urls import path, include
path('scim/v2/', include('django_scim.urls'))

SCIMUser
```
from django_scim.adapters import SCIMUser
```
Used for creating an adapter for Django User objects.
SCIMGroup
```
from django_scim.adapters import SCIMGroup
```
Used for creating an adapter for Django Group objects.

Quickstart

To integrate `django-scim2`, add `django_scim` to `INSTALLED_APPS` and configure the `SCIM_SERVICE_PROVIDER` settings. Crucially, include `django_scim.urls` in your project's `urls.py` with the mandatory namespace `scim`. Note that as of version 0.18.0, the `SCIMAuthCheckMiddleware` is applied as a decorator to views, so it typically no longer needs to be added directly to the `MIDDLEWARE` setting. If you implement custom authentication, ensure it runs before SCIM processing.

import os

# settings.py example
INSTALLED_APPS = [
    # ... other Django apps
    'django_scim',
]

# Note: As of 0.18.0, SCIMAuthCheckMiddleware is applied as a decorator
# to SCIM views and typically no longer needs to be in MIDDLEWARE.
# If you need custom auth check middleware, specify it in SCIM_SERVICE_PROVIDER.
MIDDLEWARE = [
    # ... your authentication middleware (e.g., 'django.contrib.auth.middleware.AuthenticationMiddleware')
    # 'django_scim.middleware.SCIMAuthCheckMiddleware', # DEPRECATED: See warning for 0.18.0
    # Make sure your actual authentication middleware comes BEFORE this one if you add it directly.
    # The SCIMAuthCheckMiddleware checks request.user.is_anonymous() by default.
]

# Required SCIM settings
SCIM_SERVICE_PROVIDER = {
    'NETLOC': os.environ.get('SCIM_NETLOC', 'localhost:8000'), # E.g., 'your-domain.com'
    'AUTHENTICATION_SCHEMES': [
        {
            'type': 'oauth2',
            'name': 'OAuth 2',
            'description': 'OAuth 2 implemented with bearer token',
        },
    ],
    # Optional: Customize the authentication check middleware
    # 'AUTH_CHECK_MIDDLEWARE': 'your_app.middleware.CustomSCIMAuthMiddleware',
    # Optional: Expose SCIM exceptions to clients (defaults to False for security)
    # 'EXPOSE_SCIM_EXCEPTIONS': os.environ.get('SCIM_EXPOSE_EXCEPTIONS', False),
}

# urls.py example
from django.contrib import admin
from django.urls import path, include

urlpatterns = [
    path('admin/', admin.site.urls),
    path('scim/v2/', include('django_scim.urls')), # Namespace 'scim' is mandatory
]

view raw JSON →