SCIM: List API returns paginated results; unsupported filters rejected (Pending)¶

Attention

This behavior change is in the 2026_03 bundle.

For the current status of the bundle, refer to Bundle history.

The SCIM List API endpoints (GET /scim/v2/Users and GET /scim/v2/Groups) are changing to return a paginated list of users or groups in the account, optionally matching a provided eq or sw filter. Previously, these endpoints returned a single synthetic sample object.

Unfiltered list calls

Before the change:

GET /scim/v2/Users and GET /scim/v2/Groups without a filter parameter returned a single synthetic sample object. For example, GET /scim/v2/Users returned:

{
  "totalResults": 1,
  "startIndex": 1,
  "itemsPerPage": 1,
  "Resources": [{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", "..."],
    "id": "1",
    "externalId": "synthesis_user_external_id",
    "userName": "synthesis_user",
    "displayName": "synthesis_user_display_name",
    "active": false
  }]
}

Similarly, GET /scim/v2/Groups returned a single synthetic_group object.

After the change:

The same calls return a paginated list of users or groups in the account, with standard SCIM pagination (startIndex, count).

Filter expression validation

Before the change:: Filter values were parsed loosely. Unsupported filter expressions, including those with logical operators (and, or) and malformed filter values, were silently accepted and returned 200 OK with an empty Resources array.
After the change:: Filter values are now parsed as quoted JSON strings, consistent with SCIM’s JSON encoding requirements. Unsupported or malformed filter expressions are rejected with HTTP 400 Bad Request and SCIM error type invalidFilter. Supported single-attribute filters with eq or sw are not affected.

ServiceProviderConfig filter support

Before the change:: GET /scim/v2/ServiceProviderConfig reported filter.supported as an integer (0).
After the change:: filter.supported is a boolean (true), as required by RFC 7643.

Customers whose SCIM clients send filter expressions with and or or should update the client to use simple filters or handle 400 invalidFilter responses.

Note

Customers with large numbers of users or groups may see increased response times for unfiltered list calls. To reduce response sizes, use excludedAttributes=groups when listing users or excludedAttributes=members when listing groups. This prevents membership expansion, which is the primary driver of response size and latency for large accounts.

Ref: 2276