ADMIN PRIVILEGES REQUIRED
Enterprise users can access their documentation here. Find your plan.
Overview
With the Stack Overflow for Teams Business System for Cross-domain Identity Management (SCIM) 2.0 implementation, you can perform automated deletion of users from your site. This method removes users permanently, just as if a site admin had deleted them using the admin user interface.
This article details the user deletion process with an external identity provider (IdP) as well as direct API calls. To learn more about other SCIM 2.0 capabilities, such as user deactivation/reactivation and moderator access, read the Automated User Provisioning (SCIM) Overview article.
NOTE: The deletion of a user using this feature CANNOT BE REVERSED. Deletion is an irrevocable action that permanently removes the user and changes attribution of their content to a generic user (for example: User1527). Before you proceed, be aware of the differences between deactivation (which is reversible, does not remove the user, and retains their attribution to content) and deletion (which is IRREVERSIBLE and removes the user and their attribution).
THIS ARTICLE APPLIES TO STACK OVERFLOW FOR TEAMS BASIC AND BUSINESS ONLY.
Stack Overflow for Teams Enterprise users should read this article instead. Find your plan.
Enable SCIM user deletion
To help prevent unintentional user deletion with SCIM 2.0, Stack Overflow enables this functionality only for supported customers on a case-by-case basis. If you’d like to enable or disable this feature, open a support ticket.
Enable and authenticate SCIM on your site
NOTE: This guide assumes you've already enabled and configured SSO authentication on your site. For more information, read the SSO Overview article.
To configure SCIM support on your site, log into your site as an administrator. Click Admin settings in the main menu, then SCIM integration.
If this is the first time you're enabling SCIM, click Generate Token to create an authorization token. If you've already enabled SCIM support, you'll need to either obtain the SCIM token previously saved at your IdP or you can click Discard token and regenerate to remove the old token and create a new one. If you generate a new token, you'll need to copy it and save it to your IdP's SCIM configuration.
NOTE: When you generate a new token, your site will reveal that token just once. Be sure to copy the token to a safe place before you navigate away from that page.
Check Allow SCIM to manage user roles, then save the SCIM settings.
Method 1: delete users with an IdP
Most IdPs support user provisioning, deactivation, and deletion with SCIM 2.0. Refer to the "Configure the Identity Provider" section of the Automated User Provisioning (SCIM) Overview article for guidelines and examples of configuring an IdP application.
Depending on the IdP you use, you may need to configure the IdP to specify what action should trigger a user deletion rather than deactivation. This could be a change to a user attribute, change to user status, or deletion of the user from the IdP.
If your IdP does not support SCIM 2.0 user deletion, you can configure a separate application to issue the SCIM API calls to your site at https://stackoverflowteams.com/c/[your_team_slug]/scim/v2 (see below).
Method 2: make direct SCIM 2.0 API user delete calls
In addition to using an IdP to delete users, you can also make a direct delete call to your site's SCIM endpoint at https://stackoverflowteams.com/c/[your_team_slug]/auth/scim/v2/users/[account_ID].
The delete call must include the SCIM authorization bearer token as well as the user’s account ID (which is not the same as user ID). Site admins can retrieve a user's account ID by visiting that user’s profile page. The user's info line lists their account ID along with membership and visit statistics.
You can also retrieve a user's account ID with a get call to the base users SCIM endpoint at https://stackoverflowteams.com/c/[your_team_slug]/auth/scim/v2/users. The user's 'id' value will be in the 'Resources' section of the JSON response.
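The lookup and delete calls described above, as an added example that is not Stack Overflow's script or code from this article. It resolves account IDs from a constructed SCIM ListResponse and builds the delete request without sending it, so the target list can be reviewed before an irreversible call is made. The sample data, the function names, the SCIM_TOKEN environment variable, and the assumption that userName holds the user's email address are all hypothetical.

```python
import json
import os
import urllib.parse
import urllib.request

# Constructed sample of a SCIM 2.0 ListResponse (RFC 7644 shape); not real site output.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [
        {"id": "1001", "userName": "alice@example.com", "active": True},
        {"id": "1002", "userName": "bob@example.com", "active": False},
    ],
})


def users_endpoint(team_slug):
    # Endpoint shape as given in the article for direct calls.
    return f"https://stackoverflowteams.com/c/{team_slug}/auth/scim/v2/users"


def resolve_account_ids(list_response_json, emails):
    """Map requested emails to SCIM 'id' values; report emails with no match."""
    resources = json.loads(list_response_json).get("Resources", [])
    # Assumption: userName carries the email address.
    by_name = {str(r.get("userName", "")).lower(): str(r["id"])
               for r in resources if "id" in r}
    wanted = [e.strip().lower() for e in emails if e.strip()]
    found = {e: by_name[e] for e in wanted if e in by_name}
    missing = [e for e in wanted if e not in by_name]
    return found, missing


def build_delete_request(team_slug, account_id, token):
    """Build (but do not send) the delete call for one account ID."""
    # Percent-encode the ID so it can only ever be one path segment.
    segment = urllib.parse.quote(str(account_id), safe="")
    return urllib.request.Request(
        f"{users_endpoint(team_slug)}/{segment}",
        method="DELETE",
        headers={"Authorization": f"Bearer {token}"},
    )


if __name__ == "__main__":
    token = os.environ.get("SCIM_TOKEN", "")  # hypothetical variable; keeps the token out of argv
    found, missing = resolve_account_ids(
        SAMPLE_LIST_RESPONSE, ["Bob@example.com", "carol@example.com"])
    for email, account_id in found.items():
        req = build_delete_request("your_team_slug", account_id, token)
        print("DRY RUN:", req.get_method(), req.full_url, "for", email)
    print("No matching account, skipped:", missing)
```

Sending a request is a separate, deliberate step (for example with urllib.request.urlopen) once the dry-run list has been checked against the intended users.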
Stack Overflow-provided user deletion script
Stack Overflow created a user deletion script that we make publicly available on GitHub. You can download and learn more about the script at https://github.com/StackExchange/so4t_scim_user_deletion.
Script usage requirements
Stack Overflow Enterprise or Business
Python 3.8 or higher (download)
Linux, MacOS, or Windows operating system
Set up and install dependencies
Download and unpack the contents of the user deletion script repository.
Open a terminal window or command prompt.
Navigate to the directory where you unpacked the files.
Install the dependencies if needed with these commands:
python3 -m pip install -r requirements.txt --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org
NOTE: Depending on your installation of Python, you may need to use python or py instead of python3 in the command above. If python3 is not a recognized command, you can check which command to use by running python --version or py --version to see which responds with the installed Python version.
Usage
If you'd like to delete specific users, create a file named users.csv in the same directory as the script. Each line of the file should contain the email address of a user you'd like to delete. You can find a template here.
In a terminal window or command prompt, navigate to the directory where you unpacked the script. Run the script with the --csv flag, replacing the URL, token, and CSV file name with the appropriate values. You'll also need to use the correct py, python, or python3 command for the version you're using. For example:
python3 so4t_scim_user_deletion.py --url "https://stackoverflowteams.com/c/[your_team_slug]" --token "[your_token]" --csv "[csv_file_name].csv"
You can also use the script to delete all deactivated users. To do this, run the script with the --deactivated flag instead of the --csv flag. In a terminal window or command prompt, navigate to the directory where you unpacked the script. Run the script, replacing the URL and token with the appropriate values. You'll also need to use the correct py, python, or python3 command for the version you're using. For example:
python3 so4t_scim_user_deletion.py --url "https://stackoverflowteams.com/c/[your_team_slug]" --token "[your_token]" --deactivated
Errors
Upon completion, the script will create a JSON file named failed_deletions_[date].json in the script directory. This file will contain notes and/or error messages for every user the script could not delete. You can share this file with Stack Overflow support to get help troubleshooting the problem.