
Certinia User Management API Guide

API workflow

How to automate user lifecycle operations through APIs with caveats that matter in production.

Updated Mar 17, 2026

Summary and recommendation

Certinia exposes no independent user-management API.

All programmatic user operations target the underlying Salesforce platform APIs - REST, SOAP, or SCIM 2.0 - on the Salesforce org where Certinia is installed.

The SCIM 2.0 endpoint is the standard Salesforce Identity SCIM endpoint at `https://<your-org>.my.salesforce.com/services/scim/v2/`; Certinia does not publish a separate SCIM URL.

SCIM provisioning requires a Salesforce connected app configured with OAuth 2.0 and SCIM scopes (`api`, `refresh_token`, `openid`).

The connected app must be configured in Salesforce Setup > Connected Apps - not within any Certinia admin interface.

The SCIM base URL is org-specific (My Domain URL) and must be retrieved from Salesforce org settings.

SCIM is available at the Enterprise tier.

Rate limits follow Salesforce API governor limits for the org edition, not Certinia-specific limits.

API quick reference

  • Has user API: No
  • SCIM available: Yes
  • SCIM plan required: Enterprise

Authentication

Auth method: Not documented

User object / data model

User object field mapping is not yet verified for this app.

Core endpoints

Endpoint coverage is not yet verified for this app.

Rate limits, pagination, and events

  • Rate limits: Not documented

  • Rate-limit headers: No

  • Retry-After header: No

  • Rate-limit notes: Not documented

  • Pagination method: none

  • Default page size: 0

  • Max page size: 0

  • Pagination pointer: Not documented

  • Webhooks available: No

  • Webhook notes: Certinia does not publish native user-management webhooks. Event-driven automation for user lifecycle is handled via Salesforce platform flows or outbound messaging.

  • Alternative event strategy: Salesforce platform outbound messaging or Change Data Capture (CDC) on the User object.

SCIM API status

  • SCIM available: Yes

  • SCIM version: 2.0

  • Plan required: Enterprise

  • Endpoint: https://<your-org>.my.salesforce.com/services/scim/v2/

  • Supported operations: GET /Users, GET /Users/{id}, POST /Users, PATCH /Users/{id}, PUT /Users/{id}, DELETE /Users/{id}, GET /Groups, POST /Groups, PATCH /Groups/{id}, DELETE /Groups/{id}, GET /ServiceProviderConfig, GET /Schemas

Limitations:

  • SCIM endpoint is the underlying Salesforce Identity SCIM endpoint; Certinia does not expose a separate SCIM URL.
  • Requires a Salesforce connected app configured for SCIM provisioning in the Salesforce org that hosts Certinia.
  • User provisioning creates Salesforce platform users; Certinia-specific license assignment (e.g., PSA, FFA permission sets) must be handled separately via Salesforce profile/permission set assignment.
  • Group mapping corresponds to Salesforce Permission Set Groups or Public Groups, not Certinia-specific roles.
  • Plan requirement (Enterprise) is based on context data; official Certinia pricing page does not publicly enumerate SCIM tier gating.
  • Rate limits follow Salesforce API governor limits for the org edition, not Certinia-specific limits.

Common scenarios

Provisioning via SCIM is a two-call workflow.

A POST /services/scim/v2/Users creates the Salesforce platform user; a separate PATCH /services/data/vXX.X/sobjects/PermissionSetAssignment/ call is then required to assign the relevant Certinia permission sets (e.g., PSA User, FFA User).

SCIM POST alone does not grant Certinia product access - the permission set assignment step is mandatory and outside the SCIM spec.

Deprovisioning sets IsActive=false on the Salesforce User record via PATCH /services/scim/v2/Users/{id}.

Hard deletion is not supported for users with associated records; deactivation is the only supported method.

Certinia resource records (timesheets, project assignments) are not automatically reassigned on deactivation and require a separate remediation step.

Group sync maps IdP groups to Salesforce Permission Set Groups or Public Groups via POST or PATCH /services/scim/v2/Groups.

Direct mapping to Certinia-specific roles requires explicit configuration and should be validated in a sandbox org before production rollout.

Provision a new Certinia user via SCIM

  1. Configure a Salesforce connected app in the target org with OAuth 2.0 and SCIM scopes (api, refresh_token, openid).
  2. Obtain an OAuth 2.0 access token from https://<your-org>.my.salesforce.com/services/oauth2/token.
  3. POST to https://<your-org>.my.salesforce.com/services/scim/v2/Users with the user payload (userName, name, emails, active=true).
  4. Capture the returned Salesforce User Id from the SCIM response.
  5. Use the Salesforce REST API (PATCH /services/data/vXX.X/sobjects/PermissionSetAssignment/) to assign the required Certinia permission sets to the new User Id.

Watch out for: SCIM POST alone does not grant Certinia product access; permission set assignment is a mandatory second step outside SCIM.

Deprovision a Certinia user via SCIM

  1. Retrieve the Salesforce User Id by GET https://<your-org>.my.salesforce.com/services/scim/v2/Users?filter=userName eq "user@example.com".
  2. PATCH https://<your-org>.my.salesforce.com/services/scim/v2/Users/{id} with {"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"replace","path":"active","value":false}]}.
  3. Confirm IsActive=false on the Salesforce User record.

Watch out for: Salesforce does not allow hard-deletion of users with associated records; deactivation (IsActive=false) is the supported deprovisioning method.
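
The three deprovisioning steps above, as an added Python example that is not part of the original guide or of any Salesforce or Certinia code. It builds the requests without sending them; the org URL, the sample response and the helper names are constructed for illustration.

```python
import re
from urllib.parse import quote
import json

BASE = "https://example.my.salesforce.com/services/scim/v2"  # constructed org URL
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SF_ID = re.compile(r"[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?")  # 15- or 18-char record Id

def lookup_url(base, user_name):
    # SCIM filter string values follow JSON string rules (RFC 7644), so json.dumps
    # escapes embedded quotes and backslashes; quote() then percent-encodes it all.
    flt = "userName eq " + json.dumps(user_name)
    return base.rstrip("/") + "/Users?filter=" + quote(flt, safe="")

def single_user_id(list_response, user_name):
    # Proceed only on exactly one match, so a loose filter result cannot
    # deactivate the wrong account. Case-insensitive comparison is an assumption.
    hits = [r for r in list_response.get("Resources", [])
            if r.get("userName", "").lower() == user_name.lower()]
    if len(hits) != 1:
        raise LookupError(f"expected 1 match for {user_name!r}, got {len(hits)}")
    return hits[0]["id"]

def deactivate_request(base, user_id):
    # Validate the Id before it is placed in the URL path.
    if not SF_ID.fullmatch(str(user_id)):
        raise ValueError("not a Salesforce record Id")
    body = {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return "PATCH", f"{base.rstrip('/')}/Users/{user_id}", body

def confirmed_inactive(user_resource):
    # Step 3: require an explicit false, not a missing attribute.
    return user_resource.get("active") is False

# Constructed ListResponse for step 1.
SAMPLE_LIST = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
               "totalResults": 1,
               "Resources": [{"id": "005000000000001AAA",
                              "userName": "user@example.com", "active": True}]}

if __name__ == "__main__":
    print(lookup_url(BASE, "user@example.com"))
    uid = single_user_id(SAMPLE_LIST, "user@example.com")
    print(deactivate_request(BASE, uid))
```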

Sync IdP groups to Certinia permission sets

  1. Map IdP groups to Salesforce Permission Set Groups in the connected app SCIM configuration.
  2. POST or PATCH /services/scim/v2/Groups to create or update group membership.
  3. Verify that Salesforce Permission Set Group assignments reflect on the User record in Certinia.

Watch out for: Salesforce SCIM Groups map to Permission Set Groups or Public Groups; direct mapping to Certinia-specific roles requires careful configuration and testing in a sandbox org first.

Why building this yourself is a trap

The core integration risk is assuming SCIM provisioning fully covers Certinia access. It does not. SCIM manages the Salesforce user record and group membership; Certinia module access depends on permission set assignments that sit outside the SCIM protocol boundary.

Any identity graph that models Certinia access must account for both the Salesforce user object and the associated PermissionSetAssignment records as distinct nodes - treating them as a single provisioning event will produce users who exist in the org but cannot access any Certinia functionality.

A platform like Stitchflow, built as an MCP server with 60+ deep IT/identity integrations, can maintain an accurate identity graph across both layers - correlating Salesforce user state with Certinia permission set assignments - and surface gaps that SCIM-only tooling will miss.

Without that correlation, access reviews and deprovisioning audits will systematically undercount active Certinia access.
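
A minimal version of that correlation, as an added Python example that is not Stitchflow, Salesforce or Certinia code. It covers both the provisioning caveat (users created by SCIM but never given a permission set) and the audit gap described here; every record is constructed, the flattened field names are assumptions, and the permission set names are the page's examples.

```python
# Constructed sample data; real permission set names vary by org.
CERTINIA_PERMSETS = {"PSA User", "FFA User"}

USERS = [  # one row per Salesforce User record
    {"Id": "005000000000001AAA", "Username": "ana@example.com", "IsActive": True},
    {"Id": "005000000000002AAA", "Username": "ben@example.com", "IsActive": True},
    {"Id": "005000000000003AAA", "Username": "cy@example.com", "IsActive": False},
    {"Id": "005000000000004AAA", "Username": "dee@example.com", "IsActive": True},
]
ASSIGNMENTS = [  # one row per PermissionSetAssignment, flattened (assumed shape)
    {"AssigneeId": "005000000000001AAA", "PermissionSetName": "PSA User"},
    {"AssigneeId": "005000000000003AAA", "PermissionSetName": "FFA User"},
    {"AssigneeId": "005000000000004AAA", "PermissionSetName": "FFA User"},
    {"AssigneeId": "005000000000004AAA", "PermissionSetName": "Some Other Set"},
]
# Users the IdP believes have Certinia access (what a SCIM-only view reports).
IDP_EXPECTED = {"ana@example.com", "ben@example.com"}

def reconcile(users, assignments, idp_expected, certinia_sets=CERTINIA_PERMSETS):
    # Index Certinia permission sets by the user Id that holds them.
    held = {}
    for row in assignments:
        if row["PermissionSetName"] in certinia_sets:
            held.setdefault(row["AssigneeId"], set()).add(row["PermissionSetName"])
    findings = {"no_product_access": [], "unreviewed_access": [],
                "inactive_with_assignment": []}
    for u in users:
        sets, name = held.get(u["Id"], set()), u["Username"]
        if u["IsActive"] and name in idp_expected and not sets:
            # SCIM created the user, but the permission set step never ran.
            findings["no_product_access"].append(name)
        elif u["IsActive"] and sets and name not in idp_expected:
            # Live Certinia access that a SCIM-only access review would not count.
            findings["unreviewed_access"].append(name)
        elif not u["IsActive"] and sets:
            # Assignment row still present on a deactivated user; clean up so a
            # later reactivation does not bring the access back unnoticed.
            findings["inactive_with_assignment"].append(name)
    return findings

if __name__ == "__main__":
    for kind, names in reconcile(USERS, ASSIGNMENTS, IDP_EXPECTED).items():
        print(kind, names)
```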


* Details sourced from official product documentation and admin references.
