Skip to Content
Technical Articles
Author's profile photo Piotr Tesny

403 when trying to create user with the SCIM REST API

Quite recently I needed to use the REST APIs to manage users/groups programmatically with eSAC (embedded SAP Analytics Cloud)

And to my astonishment I hit a roadblock when trying to create or modify users (POST and PUT verbs). Even if I followed the documentation I would always get a 403 (forbidden) error code.

Then I realised this is also happening with other REST APIs like the story management as well.

Why 403 with x-csrf-token present ?

When using the User Management SCIM REST APIs with SAP Analytics Cloud to modify users you must provide the x-csrf-token header obtained with a previous SCIM API GET call (with the x-csrf-token header set to ‘fetch’).

That’s documented. What is not documented is that in order to be able to validate the x-csrf-token you must add a session cookie header as well.

The x-csrf-token is valid for as long as its session is valid thus if the session cookie header is missing in any POST/PUT/PATCH/DELETE REST API call the x-csrf-token validity cannot be asserted and the call will return 403 (forbidden) error code.

That’s very nicely explained in the following blog: How CSRF tokens work in SAP web services


403 Conclusion.

For instance, when using Postman version with Postman Interceptor, the cookies (there may be several of them) from the set-cookie response header will be most likely added [by Postman Interceptor itself] from the preceding GET call to the next POST/PUT/PATCH/DELETE call.

But, if you are like me and need to write your own code or prefer using a different testing framework like SAP API Business Hub, this will likely not happen automatically.

The session cookie generated in a GET call is a server side cookie (HTTP-only, secure and same site none) available in the set-cookie response header.

  • I recommend you initially grab the entire content of the GET response set-cookie header.
  • if there is more than one cookie you may just need the JSESSIONID cookie content…
  • Then manually add it as your cookie header in your POST/PUT request…as depicted in the below code snippet:
// retrieve the cookies and the x_csrf_token with any GET SCIM API call
    var x_csrf_token_ = response.headers["x-csrf-token"];
    var setcookies_ = response.headers["set-cookie"];

// Here go the headers for any POST/PUT/PATCH/DELETE SCIM API call
headers: { 
   "Authorization": 'Bearer ' + logonToken, // mandatory
    //"Accept": "application/json",
    "Content-Type": "application/json",
    "Cookie": setcookies_, // mandatory: from the preceding GET API call
    'x-sap-sac-custom-auth': 'true', // mandatory: at least with eSAC
    "X-Csrf-Token" : x_csrf_token_ // mandatory: from the preceding GET API call


Additional resources.

Issues with CSRF token and how to solve them

SAP Analytics Cloud User and Team Provisioning API 

SAP Analytics Cloud SCIM (/api/v1/scim/)

2867938 – How to use SCIM API within SAP Analytics Cloud when using Azure AD as custom SAML provider

Implement X-CSRF pattern | Microsoft Docs

CSRF Token handling in SAP API Management | SAP Blogs

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Amrit Bansal
      Amrit Bansal

      HI Piotr,


      Nice blog!! it helped to solve one of my issues.



      Author's profile photo Piotr Tesny
      Piotr Tesny
      Blog Post Author

      Thank you Amrit.

      Author's profile photo Matthew Shaw
      Matthew Shaw

      Thank you Piotr for this post.

      For best practices on session management please refer to my article (that I created since your blog here) in the wiki 

      This article is introduced by this blog post that provides an overview of best practices and also a bunch of sample scripts

      All the best, Matthew

      Author's profile photo Piotr Tesny
      Piotr Tesny
      Blog Post Author

      Cheers Matthew,

      Feel free to reference my blog post in the wiki pages you created; cheers; Piotr;



      One comment regarding the sample scripts. I am not into Postman, especially that SAC is a cloud native story telling tool;

      I am rather a keen adept of cloud native low code productivity tools that SAP BTP ecosystem readily offers, namely nodejs or python functions that come along with SAP Kyma runtime [SKR] and API Management that is part of Integration Suite. (on a side note both SKR and APIM are freely available with SAP BTP trial account)

      Again many thanks for spotting and referring to my granddesigns and quovadis blogs series....


      Author's profile photo Denys van Kempen
      Denys van Kempen

      For the interested reader, we have started to record a video tutorial series about the SAP Analytics Cloud user and team provisioning API​

      • ​