REST Resource: locations.workforcePools.providers.scimTenants

Resource: WorkforcePoolProviderScimTenant

Gemini Enterprise only. Represents a SCIM tenant. Used for provisioning and managing identity data (such as Users and Groups) in cross-domain environments.

JSON representation
{"name":string,"baseUri":string,"state":enum (State),"description":string,"displayName":string,"claimMapping":{string:string,...},"purgeTime":string,"serviceAgent":string}
Fields
name

string

Identifier. Gemini Enterprise only. The resource name of the SCIM Tenant.

Format:locations/{location}/workforcePools/{workforcePool}/providers/ {workforcePoolProvider}/scimTenants/{scim_tenant}

baseUri

string

Output only. Gemini Enterprise only. Represents the base URI as defined inRFC 7644, Section 1.3. Clients must use this as the root address for managing resources under the tenant.

Format:https://iamscim.googleapis.com/{version}/{tenantId}/

state

enum (State)

Output only. Gemini Enterprise only. The state of the tenant.

description

string

Optional. Gemini Enterprise only. The description of the SCIM tenant.

Cannot exceed 256 characters.

displayName

string

Optional. Gemini Enterprise only. The display name of the SCIM tenant.

Cannot exceed 32 characters.

claimMapping

map (key: string, value: string)

Required. Immutable. Gemini Enterprise only. Maps SCIM attributes to Google attributes.

This mapping is used to associate the attributes synced via SCIM with the Google Cloud attributes used in IAM policies for Workforce Identity Federation. SCIM-managed user and group attributes are mapped togoogle.subject andgoogle.group respectively.

Each key must be a string specifying the Google Cloud IAM attribute to map to. The supported keys are as follows:

  • google.subject: The principal IAM is authenticating. You can reference this value in IAM bindings. This is also the subject that appears in Cloud Logging logs. This is a required field and the mapped subject cannot exceed 127 bytes.

  • google.group: Group the authenticating user belongs to. You can grant group access to resources using an IAMprincipalSet binding; access applies to all members of the group.

Each value must be aCommon Expression Language expression that maps SCIM user or group attribute to the normalized attribute specified by the corresponding map key.

Example: To map the SCIM user'sexternalId togoogle.subject and the SCIM group'sexternalId togoogle.group:

{  "google.subject": "user.externalId",  "google.group": "group.externalId"}

An object containing a list of"key": value pairs. Example:{ "name": "wrench", "mass": "1.3kg", "count": "3" }.

purgeTime

string (Timestamp format)

Output only. Gemini Enterprise only. The timestamp that represents the time when the SCIM tenant is purged.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples:"2014-10-02T15:01:23Z","2014-10-02T15:01:23.045123456Z" or"2014-10-02T15:01:23+05:30".

serviceAgent

string

Output only. Service Agent created by SCIM Tenant API. SCIM tokens created under this tenant will be attached to this service agent.

State

Gemini Enterprise only. The current state of the SCIM tenant.

Enums
STATE_UNSPECIFIEDGemini Enterprise only. State unspecified.
ACTIVEGemini Enterprise only. The tenant is active and may be used to provision users and groups.
DELETEDGemini Enterprise only. The tenant is soft-deleted. Soft-deleted tenants are permanently deleted after approximately 30 days.

Methods

create

 Gemini Enterprise only.

delete

 Gemini Enterprise only.

get

 Gemini Enterprise only.

list

 Gemini Enterprise only.

patch

 Gemini Enterprise only.

undelete

 Gemini Enterprise only.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-11-18 UTC.