Skip to Content
Technical Articles

403 when trying to create user with the SCIM REST API


Quite recently I needed to use the REST APIs to manage users/groups programmatically with eSAC (embedded SAP Analytics Cloud)

And to my astonishment I hit a roadblock when trying to create or modify users (POST and PUT verbs). Even if I followed the documentation I would always get a 403 (forbidden) error code.

Then I realised this is happening with other REST APIs like the story management as well.

Why 403 with x-csrf-token present ?

When using the User Management SCIM REST APIs with SAP Analytics Cloud to modify users you must provide the x-csrf-token header obtained with a previous SCIM API GET call (with the x-csrf-token header set to ‘fetch’).

That’s documented. What is not documented is that in order to be able to validate the x-csrf-token you must add a session cookie header as well.

The x-csrf-token is valid for as long as its session is valid thus if the session cookie header is missing in any POST/PUT/PATCH/DELETE REST API call the x-csrf-token validity cannot be asserted and the call will return 403 error code.

That’s very nicely explained in the following blog: How CSRF tokens work in SAP web services


403 Conclusion.


For instance, when using Postman version with Postman Interceptor, the cookies (there may be several of them) from the set-cookie response header will be most likely added [by Postman Interceptor itself] from the preceding GET call to the next POST/PUT/PATCH/DELETE call.

But, if you are like me and need to write your own code or prefer using a different

testing framework like SAP API Business Hub, this will likely not happen automatically.

The session cookie generated in a GET call is a server side cookie

(HTTP-only, secure and same site none) available in the set-cookie response header.

I recommend you grab the entire content of the GET response set-cookie header

and manually add it as your cookie header in your POST/PUT request…

as depicted in the below code snippet:

// retrieve the cookies and the x_csrf_token with any GET SCIM API call
    var x_csrf_token_ = response.headers["x-csrf-token"];
    var setcookies_ = response.headers["set-cookie"];

// Here go the headers for any POST/PUT/PATCH/DELETE SCIM API call
headers: { 
   "Authorization": 'Bearer ' + logonToken, // mandatory
    //"Accept": "application/json",
    "Content-Type": "application/json",
    "Cookie": setcookies_, // mandatory: from the preceding GET API call
    'x-sap-sac-custom-auth': 'true', // mandatory: at least with eSAC
    "X-Csrf-Token" : x_csrf_token_ // mandatory: from the preceding GET API call



Happy reading

Piotr Tesny


Additional resources.

Issues with CSRF token and how to solve them

SAP Analytics Cloud User and Team Provisioning API 

SAP Analytics Cloud SCIM (/api/v1/scim/)

2867938 – How to use SCIM API within SAP Analytics Cloud when using Azure AD as custom SAML provider


Be the first to leave a comment
You must be Logged on to comment or reply to a post.