Buf Schema Registry (BSR)



This information only applies to organizations on the Pro and Enterprise plans.

The BSR supports System for Cross-domain Identity Management (SCIM) 2.0 integration with several identity providers. SCIM is a protocol that maps users and groups from your Identity Provider (IdP) into the BSR, making it easy to manage BSR Organization membership. SCIM enables you to:

  • provision a user in the BSR when they're added to your IdP
  • deactivate a user when they're removed from your IdP
  • update a user's membership to a BSR Organization when they are added or removed from an IdP group

We support SCIM for the following IdPs and auth methods:

  • Azure (SAML)
  • Okta (SAML)

If your IdP isn't in this list, contact Support or your Buf representative to discuss adding support.

SCIM 2.0 defines core user and group schemas that all SCIM implementations must implement. To support the IdPs indicated above, the BSR stores the following SCIM attributes for users:

  • External ID
  • Username
  • Given name
  • Family name
  • Email (SCIM supports multiple emails, but the BSR only supports a single email of SCIM email type work)

SCIM prerequisites

If you plan to push groups from your IdP to the BSR, you must have automated organization provisioning enabled.

Create a SCIM token

To use the SCIM integration, you must obtain a SCIM token. Execute the following as BSR administrator:

$ curl \
    -H "Authorization: Bearer ${BUF_TOKEN}" \
    -H "Content-Type: application/json" \
    -d '{ "expire_time": "2023-03-03T15:56:12+00:00" }' \ # omit expire_time to create a token that never expires

The response includes the token's value in the token field. Please save this token somewhere safe, as you will need it to enable SCIM in your IdP.

You can also use Buf Studio via https://buf.example.com/studio to invoke this endpoint.

Readiness check

The BSR contains an optional readiness check that can inform you of any issues you may encounter when enabling SCIM provisioning. To assess your BSR instance's readiness, issue the following request to the BSR using your SCIM token:

$ curl \
    -H "Authorization: Bearer ${SCIM_TOKEN}" \
    -H "Content-Type: application/json" \

Inspect the request body for any warnings returned.