Reference

Checkers

SCIM server compliance checkers.

This module contains all the individual checkers for validating SCIM server implementations. Each checker is decorated with tags that allow selective test execution.

Available checker categories:

  • discovery: ServiceProviderConfig, ResourceTypes, Schemas endpoints

  • crud: Create, Read, Update, Delete operations

  • misc: Random URL access tests

scim2_tester.checkers.access_invalid_resource_type(context: CheckContext) → list[CheckResult]

Validate error handling for non-existent resource type IDs.

Tests that accessing /ResourceTypes/{invalid_id} with a non-existent resource type ID returns appropriate Error object with 404 status.

Status:

  • SUCCESS: Server returns Error object with 404 status

  • ERROR: Server returns non-Error object or incorrect status

RFC 7644 Section 3.12 - Error Response Handling

“When returning HTTP error status codes, the server SHOULD return a SCIM error response.”

scim2_tester.checkers.access_invalid_schema(context: CheckContext) → list[CheckResult]

Validate error handling for non-existent schema IDs.

Tests that accessing /Schemas/{invalid_id} with a non-existent schema ID returns appropriate Error object with 404 status.

Status:

  • SUCCESS: Server returns Error object with 404 status

  • ERROR: Server returns non-Error object or incorrect status

RFC 7644 Section 3.12 - Error Response Handling

“When returning HTTP error status codes, the server SHOULD return a SCIM error response.”

scim2_tester.checkers.access_schema_by_id(context: CheckContext) → list[CheckResult]

Validate individual schema retrieval by ID.

Tests that all schemas can be retrieved using GET requests to /Schemas/{id} with their complete attribute definitions and metadata.

Status:

  • SUCCESS: All schemas retrieved successfully with valid data

  • ERROR: One or more schemas failed to retrieve

RFC 7644 Section 7 - Schema Definition

“Each schema specifies the name of the resource, the resource’s base URI, and any attributes (including sub-attributes) of the resource.”

scim2_tester.checkers.check_add_attribute(context: CheckContext, model: type[Resource]) → list[CheckResult]

Test PATCH add operation on all attributes (simple, complex, and extensions).

Creates a minimal resource, then iterates over ALL possible URNs (base model, extensions, and sub-attributes) to test PATCH add operations systematically. Uses a unified approach that handles all attribute types consistently.

Tested Behavior:

  • Adding new attribute values (simple, complex, and extension attributes)

  • Server accepts the PATCH request with correct URN paths for extensions

  • Response contains the added attribute with correct values

Status:

  • SUCCESS: Attribute successfully added

  • ERROR: Failed to add attribute

  • SKIPPED: No addable attributes found or PATCH not supported

RFC 7644 Section 3.5.2.1 - Add Operation

“The ‘add’ operation is used to add a new attribute and/or values to an existing resource.”

scim2_tester.checkers.check_remove_attribute(context: CheckContext, model: type[Resource]) → list[CheckResult]

Test PATCH remove operation on all attributes (simple, complex, and extensions).

Creates a resource with initial values, then iterates over ALL possible URNs (base model, extensions, and sub-attributes) to test PATCH remove operations systematically. Uses a unified approach that handles all attribute types consistently.

Tested Behavior:

  • Removing attribute values (simple, complex, and extension attributes)

  • Server accepts the PATCH request with correct URN paths for extensions

  • Response contains the resource with removed attributes (null/missing)

Status:

  • SUCCESS: Attribute successfully removed

  • ERROR: Failed to remove attribute or attribute still exists

  • SKIPPED: No removable attributes found or PATCH not supported

RFC 7644 Section 3.5.2.2 - Remove Operation

“The ‘remove’ operation removes the value at the target location specified by the required attribute ‘path’. The operation performs the following functions, depending on the target location specified by ‘path’.”

scim2_tester.checkers.check_replace_attribute(context: CheckContext, model: type[Resource]) → list[CheckResult]

Test PATCH replace operation on all attributes (simple, complex, and extensions).

Creates a resource with initial values, then iterates over ALL possible URNs (base model, extensions, and sub-attributes) to test PATCH replace operations systematically. Uses a unified approach that handles all attribute types consistently.

Tested Behavior:

  • Replacing existing attribute values (simple, complex, and extension attributes)

  • Server accepts the PATCH request with correct URN paths for extensions

  • Response contains the replaced attribute with correct new values

Status:

  • SUCCESS: Attribute successfully replaced

  • ERROR: Failed to replace attribute

  • SKIPPED: No replaceable attributes found or PATCH not supported

RFC 7644 Section 3.5.2.3 - Replace Operation

“The ‘replace’ operation replaces the value at the target location specified by the ‘path’.”

scim2_tester.checkers.core_schemas_validation(context: CheckContext) → list[CheckResult]

Validate that mandatory core schemas are provided.

Tests that the /Schemas endpoint provides the three mandatory core schemas: ResourceType, ServiceProviderConfig, and Schema schemas themselves.

Status:

  • SUCCESS: All mandatory core schemas are present

  • ERROR: One or more mandatory schemas are missing

RFC 7644 Section 4 - Discovery

“Service providers MUST provide this endpoint.”

The core schemas for ResourceType, ServiceProviderConfig, and Schema objects are fundamental to SCIM operation and should always be available.

scim2_tester.checkers.object_creation(context: CheckContext, model: type[Resource]) → list[CheckResult]

Validate SCIM resource creation via POST requests.

Tests that resources can be successfully created using POST method on the appropriate resource endpoint, with automatic cleanup after validation. Creates a test object with all required fields populated with valid data.

Status:

  • SUCCESS: Resource created successfully with valid response

  • ERROR: Creation failed due to client/server error

RFC 7644 Section 3.3 - Creating Resources

“To create new resources, clients send HTTP POST requests to the resource endpoint, such as /Users or /Groups.”

“If the resource is successfully created, the server SHALL return a 201 ‘Created’ response code with the newly created resource.”

scim2_tester.checkers.object_deletion(context: CheckContext, model: type[Resource]) → list[CheckResult]

Validate SCIM resource deletion via DELETE requests.

Tests that resources can be successfully deleted using DELETE method and verifies that the server returns HTTP 404 when attempting to retrieve the deleted resource.

Status:

  • SUCCESS: Resource deleted successfully and server returns 404 on retrieval

  • ERROR: Deletion failed, resource still exists, or server does not return 404

RFC 7644 Section 3.6 - Deleting Resources

“Clients request resource removal via HTTP DELETE requests to the resource endpoint (e.g., /Users/{id} or /Groups/{id}).”

“In response to a successful DELETE, the server SHALL return HTTP status code 204 (No Content).”

“If a client sends a retrieval request and the consumer has been deleted, the server responds with HTTP status code 404.”

scim2_tester.checkers.object_list_with_attributes(context: CheckContext, model: type[Resource]) → list[CheckResult]

Validate that GET on the collection endpoint honours attributes and excludedAttributes.

Creates a resource with all writable fields populated, then lists the collection twice: once with attributes and once with excludedAttributes. Verifies that the created resource appears in the list and that its serialized form respects the filtering parameters.

Status:

  • SUCCESS: Server correctly filters list response attributes

  • ERROR: Server ignores attribute filtering on list endpoint

  • SKIPPED: Model has no suitable attributes to test

RFC 7644 Section 3.4.2

“Clients MAY use the attributes query parameter to request particular attributes be included in a query response.”

scim2_tester.checkers.object_query(context: CheckContext, model: type[Resource]) → list[CheckResult]

Validate SCIM resource retrieval by ID via GET requests.

Tests that individual resources can be successfully retrieved using GET method on the resource endpoint with specific resource ID, with automatic cleanup.

Status:

  • SUCCESS: Resource retrieved successfully with valid data

  • ERROR: Failed to retrieve or received invalid response

RFC 7644 Section 3.4.1 - Retrieving a Known Resource

“Clients retrieve a known resource using an HTTP GET request to the resource endpoint, such as /Users/{id} or /Groups/{id}.”

“If successful, the server responds with HTTP status code 200 (OK) and includes the target resource within the response body.”

scim2_tester.checkers.object_query_with_attributes(context: CheckContext, model: type[Resource]) → list[CheckResult]

Validate that GET on a single resource honours attributes and excludedAttributes.

Creates a resource with all writable fields populated, then retrieves it twice: once with attributes restricting the response to a single attribute, and once with excludedAttributes hiding another attribute.

Status:

  • SUCCESS: Server correctly filters response attributes

  • ERROR: Server ignores attribute filtering parameters

  • SKIPPED: Model has no suitable attributes to test

RFC 7644 Section 3.4.1

“Clients MAY request a partial resource representation on any operation that returns a resource within the response by specifying either of the mutually exclusive URL query parameters attributes or excludedAttributes.”

scim2_tester.checkers.object_query_without_id(context: CheckContext, model: type[Resource]) → list[CheckResult]

Validate SCIM resource listing via GET requests without ID.

Tests that resources can be successfully listed using GET method on the collection endpoint, validating bulk retrieval with automatic cleanup.

Status:

  • SUCCESS: Resources listed successfully, created resource found

  • ERROR: Failed to list resources or created resource not found

RFC 7644 Section 3.4.2 - List/Query Resources

“To query resources, clients send GET requests to the resource endpoint (e.g., /Users or /Groups). The response to a successful query operation SHALL be a JSON structure that matches the ListResponse schema.”

scim2_tester.checkers.object_replacement(context: CheckContext, model: type[Resource]) → list[CheckResult]

Validate SCIM resource replacement via PUT requests.

Tests that resources can be successfully replaced using PUT method, modifying mutable fields and validating the complete resource replacement operation.

Status:

  • SUCCESS: Resource replaced successfully with valid response

  • ERROR: Replacement failed due to client/server error

RFC 7644 Section 3.5.1 - Replacing Resources

“To replace a resource’s attributes, clients issue an HTTP PUT request to the resource endpoint (e.g., /Users/{id} or /Groups/{id}).”

“If successful, the server responds with HTTP status code 200 (OK) and includes the updated resource within the response body.”

scim2_tester.checkers.query_all_resource_types(context: CheckContext) → list[CheckResult]

Validate retrieval of all available resource types.

Tests that the /ResourceTypes endpoint returns a list of all supported resource types with their metadata, schemas, and endpoint information.

Status:

  • SUCCESS: Endpoint returns valid list of ResourceType objects

  • ERROR: Endpoint is inaccessible or returns invalid response

RFC 7644 Section 4 - Discovery

“An HTTP GET to this endpoint is used to discover the types of resources available on a SCIM service provider (e.g., Users and Groups).”

scim2_tester.checkers.query_all_schemas(context: CheckContext) → list[CheckResult]

Validate retrieval of all available schemas.

Tests that the /Schemas endpoint returns a complete list of all supported schemas including core schemas, extensions, and custom schemas.

Status:

  • SUCCESS: Endpoint returns valid list of Schema objects

  • ERROR: Endpoint is inaccessible or returns invalid response

RFC 7644 Section 4 - Discovery

“An HTTP GET to this endpoint is used to retrieve information about resource schemas supported by a SCIM service provider.”

scim2_tester.checkers.query_resource_type_by_id(context: CheckContext, resource_type: ResourceType) → list[CheckResult]

Validate individual ResourceType retrieval by ID.

Tests that specific resource types can be retrieved using GET requests to /ResourceTypes/{id} with their complete metadata and configuration.

Status:

RFC 7644 Section 4 - Discovery

“Each resource type defines the endpoint, the core schema URI that defines the resource, and any supported schema extensions.”

scim2_tester.checkers.random_url(context: CheckContext) → list[CheckResult]

Validate server error handling for non-existent endpoints.

Tests that the server properly returns an Error object with HTTP 404 status when accessing invalid or non-existent URLs, ensuring compliance with SCIM error handling requirements.

Status:

  • SUCCESS: Server returns valid Error object with 404 status

  • ERROR: Server returns non-Error object or incorrect status code

RFC 7644 Section 3.12 - Error Response Handling

“When returning HTTP error status codes other than a ‘401’ ‘Unauthorized’, ‘403’ ‘Forbidden’, or ‘404’ ‘Not Found’, the server SHOULD return a SCIM error response.”

For 404 responses specifically, servers SHOULD return proper Error objects to maintain consistent error handling across all endpoints.
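
The pass/fail rule shared by access_invalid_resource_type, access_invalid_schema and random_url can be written as a small standalone function. This is an added example, not scim2_tester's own code; the function name and the sample responses are constructed for illustration, and tolerating an integer `status` is a choice made here.

```python
import json

ERROR_URN = "urn:ietf:params:scim:api:messages:2.0:Error"


def classify_not_found(status_code, body):
    """Classify the reply to a request for a non-existent URL or ID.

    Returns ("SUCCESS", reason) only for a SCIM Error object with 404
    status, otherwise ("ERROR", reason), matching the outcomes listed above.
    """
    if status_code != 404:
        return "ERROR", f"expected HTTP 404, got {status_code}"
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        # Typical of a framework's default HTML or plain-text error page.
        return "ERROR", "body is not JSON"
    if not isinstance(doc, dict):
        return "ERROR", "body is JSON but not an object"
    schemas = doc.get("schemas")
    if not isinstance(schemas, list) or ERROR_URN not in schemas:
        return "ERROR", "body is not a SCIM Error object"
    # RFC 7644 section 3.12 carries the HTTP status as a JSON string;
    # an integer is tolerated here, a mismatch with the HTTP status is not.
    if str(doc.get("status")) != "404":
        return "ERROR", f"Error.status is {doc.get('status')!r}, not '404'"
    return "SUCCESS", "SCIM Error object with 404 status"


# Constructed sample responses (HTTP status, body); not captured from a real server.
SAMPLES = {
    "scim_error": (404, json.dumps({
        "schemas": [ERROR_URN],
        "status": "404",
        "detail": "Resource not found",
    })),
    "html_page": (404, "<html><body><h1>Not Found</h1></body></html>"),
    "catch_all_200": (200, json.dumps({
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
        "totalResults": 0,
        "Resources": [],
    })),
    "plain_json": (404, json.dumps({"error": "not found"})),
    "status_mismatch": (404, json.dumps({
        "schemas": [ERROR_URN],
        "status": "400",
        "detail": "Resource not found",
    })),
}


def classify_samples():
    """Map each sample name to its SUCCESS/ERROR outcome."""
    return {name: classify_not_found(*resp)[0] for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, *classify_not_found(*resp))
```

The `html_page` and `catch_all_200` samples are the two cases most worth catching: a default error page can disclose framework details, and a catch-all route that answers 200 hides routing mistakes from provisioning clients.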

scim2_tester.checkers.resource_type_tests(context: CheckContext, resource_type: ResourceType) → list[CheckResult]

Orchestrate comprehensive CRUD testing for a specific resource type.

Runs the complete suite of CRUD operations (Create, Read, Update, Delete) on a given resource type to validate full lifecycle management compliance.

Status:

  • SUCCESS: All CRUD operations completed successfully

  • ERROR: One or more CRUD operations failed or no schema found

RFC 7644 Section 3 - SCIM Protocol

“SCIM is intended to reduce the cost and complexity of user management operations by providing a common user schema and extension model, as well as binding documents to provide patterns for exchanging this schema using standard protocols.”

scim2_tester.checkers.resource_types_endpoint_methods(context: CheckContext) → list[CheckResult]

Validate that unsupported HTTP methods return 405 Method Not Allowed.

Tests that POST, PUT, PATCH, and DELETE methods on the /ResourceTypes endpoint correctly return HTTP 405 Method Not Allowed status, as only GET is supported.

Status:

  • SUCCESS: All unsupported methods return 405 status

  • ERROR: One or more methods return unexpected status

RFC 7644 Section 4 - Discovery

“An HTTP GET to this endpoint is used to discover the types of resources available on a SCIM service provider.”

Only the GET method is specified; other methods should return appropriate errors.

scim2_tester.checkers.resource_types_schema_validation(context: CheckContext) → list[CheckResult]

Validate that ResourceType schemas exist and are accessible.

Tests that all ResourceType objects returned by the /ResourceTypes endpoint reference valid schemas that can be retrieved from the /Schemas endpoint.

Status:

  • SUCCESS: All ResourceType schemas are accessible

  • ERROR: One or more ResourceType schemas are missing or inaccessible

RFC 7644 Section 4 - Discovery

“Each resource type defines the endpoint, the core schema URI that defines the resource, and any supported schema extensions.”

scim2_tester.checkers.schemas_endpoint_methods(context: CheckContext) → list[CheckResult]

Validate that unsupported HTTP methods return 405 Method Not Allowed.

Tests that POST, PUT, PATCH, and DELETE methods on the /Schemas endpoint correctly return HTTP 405 Method Not Allowed status, as only GET is supported.

Status:

  • SUCCESS: All unsupported methods return 405 status

  • ERROR: One or more methods return unexpected status

RFC 7644 Section 4 - Discovery

“An HTTP GET to this endpoint is used to retrieve information about resource schemas supported by a SCIM service provider.”

Only the GET method is specified; other methods should return appropriate errors.

scim2_tester.checkers.search_with_attributes(context: CheckContext, model: type[Resource]) → list[CheckResult]

Validate that POST /.search honours attributes and excludedAttributes.

Creates a resource with all writable fields populated, then issues /.search requests with attribute filtering. Verifies that the created resource appears in the results and respects the filtering.

Status:

  • SUCCESS: Server correctly filters search response attributes

  • ERROR: Server ignores attribute filtering on search endpoint

  • SKIPPED: Model has no suitable attributes to test

RFC 7644 Section 3.4.3

“Clients MAY execute queries without passing parameters on the URL by using the HTTP POST verb combined with the /.search path extension.”
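
What object_query_with_attributes, object_list_with_attributes and search_with_attributes verify is that a returned resource matches the requested projection. The sketch below is an added example, not scim2_tester's implementation: the function names, the `always`/`never` defaults and the sample resource are assumptions made here, and it handles plain attribute names and `parent.sub` paths only (not URN-prefixed paths).

```python
def _top(path):
    """Lower-cased top-level attribute of 'userName' or 'name.familyName'."""
    return path.split(".", 1)[0].lower()


def _present(resource, path):
    """True if the case-insensitive attribute or sub-attribute path has a value."""
    head, _, sub = path.lower().partition(".")
    value = {k.lower(): v for k, v in resource.items()}.get(head)
    if value is None:
        return False
    if not sub:
        return True
    items = value if isinstance(value, list) else [value]
    return any(isinstance(i, dict) and sub in {k.lower() for k in i} for i in items)


def projection_violations(resource, attributes=None, excluded_attributes=None,
                          always=("schemas", "id"), never=("password",)):
    """List the ways a returned resource disobeys the requested projection.

    always: attributes returned whatever the parameters say (assumed set).
    never:  attributes that must not be returned at all (assumed set).
    """
    if attributes and excluded_attributes:
        raise ValueError("attributes and excludedAttributes are mutually exclusive")
    present = {key.lower() for key in resource}
    always = {name.lower() for name in always}
    forbidden = {name.lower() for name in never}
    problems = [f"{n}: must never be returned" for n in sorted(present & forbidden)]
    if attributes:
        wanted = {_top(a) for a in attributes}
        problems += [f"{n}: returned but not requested"
                     for n in sorted(present - wanted - always)]
        # The checkers populate every writable field first, so a requested
        # attribute that is absent counts as a failure here.
        problems += [f"{a}: requested but missing"
                     for a in attributes if not _present(resource, a)]
    for a in excluded_attributes or ():
        # excludedAttributes has no effect on always-returned attributes.
        if a.lower() not in always and _present(resource, a):
            problems.append(f"{a}: excluded but still returned")
    return problems


# Constructed sample resource, not taken from a real server.
FULL = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "2819c223",
    "userName": "bjensen",
    "name": {"familyName": "Jensen"},
    "emails": [{"value": "bjensen@example.com"}],
    "meta": {"resourceType": "User"},
}
ONLY_USERNAME = {k: FULL[k] for k in ("schemas", "id", "userName")}


def demo():
    """Run the check against a compliant reply and three non-compliant ones."""
    return {
        "honoured": projection_violations(ONLY_USERNAME, attributes=["userName"]),
        "ignored": projection_violations(FULL, attributes=["userName"]),
        "exclusion_ignored": projection_violations(FULL, excluded_attributes=["emails"]),
        "secret_leak": projection_violations({**FULL, "password": "x"}),
    }
```

A server that ignores `excludedAttributes` returns more data than the client asked for, which is why the `exclusion_ignored` case is worth treating as a finding rather than a cosmetic deviation.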

scim2_tester.checkers.service_provider_config_endpoint(context: CheckContext) → list[CheckResult]

Validate the mandatory ServiceProviderConfig discovery endpoint.

Tests that the /ServiceProviderConfig endpoint is accessible via GET request and returns a valid ServiceProviderConfig object containing server capabilities and supported features.

Status:

RFC 7644 Section 4 - Discovery

“An HTTP GET to this endpoint will return a JSON structure that describes the SCIM specification features available on a service provider.”

“Service providers MUST provide this endpoint.”

scim2_tester.checkers.service_provider_config_endpoint_methods(context: CheckContext) → list[CheckResult]

Validate that unsupported HTTP methods return 405 Method Not Allowed.

Tests that POST, PUT, PATCH, and DELETE methods on the /ServiceProviderConfig endpoint correctly return HTTP 405 Method Not Allowed status, as only GET is supported.

Status:

  • SUCCESS: All unsupported methods return 405 status

  • ERROR: One or more methods return unexpected status

RFC 7644 Section 4 - Discovery

“An HTTP GET to this endpoint will return a JSON structure that describes the SCIM specification features available on a service provider.”

Only the GET method is specified; other methods should return appropriate errors.

Public API

class scim2_tester.CheckConfig(raise_exceptions: bool = False, expected_status_codes: list[int] | None = None, include_tags: set[str] | None = None, exclude_tags: set[str] | None = None, resource_types: list[str] | None = None)

Configuration for check behavior.

exclude_tags: set[str] | None = None

Skip checks with any of these tags.

expected_status_codes: list[int] | None = None

The expected response status codes.

include_tags: set[str] | None = None

Execute only checks with at least one of these tags.

raise_exceptions: bool = False

Whether to raise exceptions or store them in a Result object.

resource_types: list[str] | None = None

Filter by resource type names (e.g., ["User", "Group"]).

class scim2_tester.CheckResult(status: Status, title: str | None = None, description: str | None = None, reason: str | None = None, data: Any | None = None, tags: set[str] = <factory>, resource_type: str | None = None)

Store a check result.

data: Any | None = None

Any related data that can help to debug.

description: str | None = None

What the check does, and why the specification advises it.

reason: str | None = None

Why it failed, or how it succeeded.

resource_type: str | None = None

The resource type name if this check is related to a specific resource.

tags: set[str]

Tags associated with this check for filtering.

title: str | None = None

The title of the check.

exception scim2_tester.SCIMTesterError(message: str, conf: CheckConfig)

Exception raised when a check failed and the raise_exceptions config parameter is True.

class scim2_tester.Status(*values)

ACCEPTABLE = 3

Server behavior is RFC-compliant but uses optional features (MAY) or applies the robustness principle reasonably.

COMPLIANT = 2

Server behavior follows RFC recommendations (SHOULD/SHOULD NOT) correctly.

CRITICAL = 6

Server behavior creates security risks or fundamental protocol violations.

DEVIATION = 4

Server behavior deviates from RFC recommendations (SHOULD/SHOULD NOT) but remains within specification bounds.

ERROR = 5

Server behavior violates mandatory RFC requirements (MUST/MUST NOT).

SKIPPED = 7

Check was not executed due to filtering or prerequisites.

SUCCESS = 1

Server behavior strictly conforms to RFC requirements (MUST/MUST NOT).
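
One way to turn a list of results into a CI verdict using the Status values above. This is an added example, not part of scim2_tester: `Status` and `Result` below are stand-ins that mirror the member values and the CheckResult fields documented on this page, and `gate`, `BLOCKING` and the sample results are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Status(Enum):
    """Stand-in with the member values listed in this reference."""
    SUCCESS = 1
    COMPLIANT = 2
    ACCEPTABLE = 3
    DEVIATION = 4
    ERROR = 5
    CRITICAL = 6
    SKIPPED = 7


@dataclass
class Result:
    """Stand-in carrying the CheckResult fields this gate reads."""
    status: Status
    title: Optional[str] = None
    reason: Optional[str] = None
    resource_type: Optional[str] = None


BLOCKING = {Status.ERROR, Status.CRITICAL}


def gate(results, blocking=BLOCKING):
    """Return (passed, report_lines) for a CI job.

    SKIPPED has the highest numeric value (7), so ranking results by value
    would rate a filtered-out check above CRITICAL. It is handled separately,
    and a run in which nothing executed fails instead of passing silently.
    """
    counts = Counter(r.status.name for r in results)
    lines = [", ".join(f"{name}={counts[name]}" for name in sorted(counts))]
    executed = [r for r in results if r.status is not Status.SKIPPED]
    if not executed:
        lines.append("FAIL: no check executed (verify tag and resource type filters)")
        return False, lines
    failed = [r for r in executed if r.status in blocking]
    # CRITICAL findings are listed before ERROR findings.
    for r in sorted(failed, key=lambda r: -r.status.value):
        scope = r.resource_type or "server"
        lines.append(f"{r.status.name} [{scope}] {r.title}: {r.reason}")
    return not failed, lines


# Constructed results, not produced by a real run.
RESULTS = [
    Result(Status.SUCCESS, "service_provider_config_endpoint", "valid object"),
    Result(Status.ERROR, "object_deletion", "resource still exists", "User"),
    Result(Status.SKIPPED, "check_add_attribute", "PATCH not supported", "Group"),
]

if __name__ == "__main__":
    passed, report = gate(RESULTS)
    print("\n".join(report))
    raise SystemExit(0 if passed else 1)
```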

scim2_tester.check_server(client: SyncSCIMClient, raise_exceptions: bool = False, include_tags: set[str] | None = None, exclude_tags: set[str] | None = None, resource_types: list[str] | None = None) → list[CheckResult]

Perform a series of checks on a SCIM server.

It starts by retrieving the standard ServiceProviderConfig, Schema and ResourceType endpoints. Those configuration resources will be registered to the client if no others have been registered yet.

Then, for all available resources (whether they have been manually configured in the client or dynamically discovered by the checker), it performs a series of creation, query, replacement and deletion operations.

Parameters:
  • client – A SCIM client that will perform the requests.

  • raise_exceptions – Whether exceptions should be raised or stored in a CheckResult object.

  • include_tags – Execute only checks with at least one of these tags.

  • exclude_tags – Skip checks with any of these tags.

  • resource_types – Filter by resource type names (e.g., ["User", "Group"]).

Available tags:
  • discovery: Tests for configuration endpoints (ServiceProviderConfig, ResourceTypes, Schemas)

  • service-provider-config: Tests for ServiceProviderConfig endpoint

  • resource-types: Tests for ResourceTypes endpoint

  • schemas: Tests for Schemas endpoint

  • crud: All CRUD operation tests

  • crud:create: Resource creation tests

  • crud:read: Resource reading tests

  • crud:update: Resource update tests

  • crud:delete: Resource deletion tests

  • misc: Miscellaneous tests (e.g., random URL access)

Example usage:

# Run only discovery tests
results = check_server(client, include_tags={"discovery"})

# Run CRUD tests except delete operations
results = check_server(
    client, include_tags={"crud"}, exclude_tags={"crud:delete"}
)

# Test only User resources
results = check_server(client, resource_types=["User"])

# Test only User creation and reading
results = check_server(
    client, include_tags={"crud:create", "crud:read"}, resource_types=["User"]
)

scim2_tester.get_all_available_tags() → list[str]

Get all available tags from the global registry.

This function returns tags that have been registered by checker decorators throughout the codebase. The registration happens automatically when modules containing @checker decorators are imported.

Returns:

Set of all unique tags found in the codebase.

scim2_tester.get_standard_resource_types() → list[str]

Get standard SCIM resource types.

Returns:

List of standard resource type names.