
Automated User Deletion with SCIM

How to use System for Cross-domain Identity Management for automated user deletion.

Written by Grace Note
Updated today

Tags: SCIM

Applies to: Enterprise

ADMIN PRIVILEGES REQUIRED

This documentation is for Stack Overflow for Teams Enterprise. Free, Basic, and Business users can access their documentation here. Find your plan.


Overview

With the Stack Overflow for Teams Enterprise (SOE) System for Cross-domain Identity Management (SCIM) 2.0 implementation, you can perform automated deletion of users from your site. This method removes users permanently, just as if a site admin had deleted them using the Admin settings "Users and permissions" page.

This article details the user deletion process with an external identity provider (IdP) as well as direct API calls. To learn more about other SCIM 2.0 capabilities, such as user deactivation/reactivation and moderator access, read the System for Cross-domain Identity Management (SCIM) 2.0 Support article.

NOTE: The deletion of a user using this feature CANNOT BE REVERSED. Deletion is an irrevocable action that permanently removes the user and changes attribution of their content to a generic user (for example: User1527). Before you proceed, be aware of the differences between deactivation (which is reversible, does not remove the user, and retains their attribution to content) and deletion (which is IRREVERSIBLE and removes the user and their attribution).


Enable SCIM user deletion

To help prevent unintentional user deletion with SCIM 2.0, Stack Overflow enables this functionality only for supported customers on a case-by-case basis. If you’d like to enable or disable this feature, open a support ticket.

Enable and authenticate SCIM on your site

NOTE: This guide assumes you've already enabled and configured SSO authentication on your site. For more information, read the SSO Overview article.

To configure SCIM support on your site, log into your site as an administrator. Click Admin settings in the main menu, then SCIM. If this is your first time configuring SCIM, create a token (password) and save it. The token should be something secure and unique, such as a randomly generated string. A password generator, such as the NordPass Password Generator, can help.

If you've already configured SCIM, click Show Password to reveal the token. Copy the token and save it to a safe place for later use. Check both the Allow Moderator Promotion via a userType property and Allow Admin Promotion via a userType property boxes. Click Save settings.

Method 1: delete users via an IdP

Most IdPs support user provisioning, deactivation, and deletion with SCIM 2.0. Refer to the "Configure the Identity Provider" section of the System for Cross-domain Identity Management (SCIM) 2.0 Support article for guidelines and examples for configuring an IdP application.

Depending on the IdP you use, you may need to configure the IdP to specify what action should trigger a user deletion rather than deactivation. This could be a change to a user attribute, change to user status, or deletion of the user from the IdP.

If your IdP does not support SCIM 2.0 user deletion, you can configure a separate application to issue the SCIM API calls to your site at https://[your_site].stackenterprise.co/api/scim/v2 (see below).

Method 2: make direct SCIM 2.0 API user delete calls

In addition to using an IdP to delete users, you can also make a direct delete call to your site's SCIM endpoint at https://[your_site].stackenterprise.co/api/scim/v2/users/[account_ID].

The delete call must include the SCIM authorization bearer token as well as the user’s account ID (which is not the same as user ID). Site admins can retrieve this value by clicking Account Info on the user profile page of the user to be deleted.

You can also retrieve a user's account ID with a get call to the base users SCIM endpoint at https://[your_site].stackenterprise.co/api/scim/v2/users. The user's "id" value will be in the "Resources" section of the JSON response.
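The two-step procedure above (look up the account ID from the users list, then issue the DELETE with the bearer token), as an added Python example that is not part of this article or of Stack Overflow's own script. It assumes the list response carries each user's email in the standard SCIM userName attribute, and the sample ListResponse and its id values are constructed for illustration; the deletion itself only runs when dry_run is explicitly set to False.

```python
import json
import urllib.request

# Constructed sample of a SCIM 2.0 ListResponse, shaped like the reply to
# GET /api/scim/v2/users. The ids and addresses are made up for this example.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [
        {"id": "1001", "userName": "alice@example.com", "active": True},
        {"id": "1002", "userName": "bob@example.com", "active": False},
    ],
})


def find_account_id(list_response: str, email: str):
    """Return the SCIM 'id' (the site account ID, not the user ID) of the
    user whose userName matches `email`, or None if nobody matches.
    Assumption: the site exposes the login email as userName. Pagination
    (startIndex/count) is not handled; pass the complete list for large sites."""
    body = json.loads(list_response)
    for resource in body.get("Resources", []):
        if resource.get("userName", "").lower() == email.lower():
            return resource["id"]
    return None


def build_delete_request(site_url: str, account_id: str, token: str):
    """Build, but do not send, the DELETE for one account ID with the
    SCIM bearer token in the Authorization header."""
    url = f"{site_url.rstrip('/')}/api/scim/v2/users/{account_id}"
    req = urllib.request.Request(url, method="DELETE")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def delete_user(site_url: str, token: str, email: str, dry_run: bool = True):
    """Resolve the account ID, then delete. Deletion is irreversible, so the
    default is a dry run that only reports what would be sent."""
    list_req = urllib.request.Request(f"{site_url.rstrip('/')}/api/scim/v2/users")
    list_req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(list_req) as resp:
        account_id = find_account_id(resp.read().decode("utf-8"), email)
    if account_id is None:
        return None  # nothing to delete; caller should log and move on
    req = build_delete_request(site_url, account_id, token)
    if dry_run:
        return f"DRY RUN: would send {req.get_method()} {req.full_url}"
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 204 No Content is the SCIM success reply
```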

Stack Overflow-provided user deletion script

Stack Overflow created a user deletion script that we make publicly available on Github. You can download and learn more about the script at https://github.com/StackExchange/so4t_scim_user_deletion.

Script usage requirements

  • Stack Overflow Enterprise or Business

  • Python 3.8 or higher (download)

  • Linux, MacOS, or Windows operating system

Set up and install dependencies

  1. Download and unpack the contents of the user deletion script repository.

  2. Open a terminal window or command prompt.

  3. Navigate to the directory where you unpacked the files.

  4. Install the dependencies if needed with this command:

     python3 -m pip install -r requirements.txt --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org

NOTE: Depending on your installation of Python, you may need to use python or py instead of python3 in the command above. If python3 is not a recognized command, you can check which command to use by running python --version or py --version to see which responds with the installed Python version.

Usage

If you'd like to delete specific users, create a file named users.csv in the same directory as the script. Each line of the file should contain the email address of a user you'd like to delete. You can find a template here.

In a terminal window or command prompt, navigate to the directory where you unpacked the script. Run the script with the --csv flag, replacing the URL, token, and CSV file name with the appropriate values. You'll also need to use the correct py, python, or python3 command for the version you're using. For example:

python3 so4t_scim_user_deletion.py --url "https://[your_site].stackenterprise.co" --token "[your_token]" --csv "[csv_file_name].csv"

You can also use the script to delete all deactivated users. To do this, run the script with the --deactivated flag instead of the --csv flag. In a terminal window or command prompt, navigate to the directory where you unpacked the script. Run the script, replacing the URL and token with the appropriate values. You'll also need to use the correct py, python, or python3 command for the version you're using. For example:

python3 so4t_scim_user_deletion.py --url "https://[your_site].stackenterprise.co" --token "[your_token]" --deactivated

Errors

Upon completion, the script will create a JSON file named failed_deletions_[date].json in the script directory. This file will contain notes and/or error messages for every user the script could not delete. You can share this file with Stack Overflow support to get help troubleshooting the problem.
