SCIM 2.0 Provisioning
Automate user lifecycle management with SCIM 2.0. Sync users and groups from your identity provider to AccessIQ automatically.
What is SCIM?
System for Cross-domain Identity Management (SCIM) is a standard protocol for automating user provisioning. Once configured, your IdP automatically:
- Creates users: provisions new employees as they are added
- Updates profiles: syncs profile changes in real time
- Manages groups: keeps group memberships synchronized
- Deactivates users: disables access when employees leave
SCIM Endpoint Configuration
Configure these values in your identity provider:
| Field | Value |
|---|---|
| SCIM Base URL | https://api.accessiq.io/scim/v2/organizations/YOUR_ORG |
| Authentication | Bearer Token (SCIM API Key) |
| SCIM Version | 2.0 |
Generate SCIM API Key
```bash
curl -X POST https://api.accessiq.io/v1/organizations/YOUR_ORG/scim-tokens \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Okta SCIM Integration",
    "expiresIn": "365d"
  }'
```
Response:
```json
{
  "token": "scim_abc123...",
  "name": "Okta SCIM Integration",
  "createdAt": "2024-01-15T10:00:00Z",
  "expiresAt": "2025-01-15T10:00:00Z"
}
```
Supported Operations
Users Endpoint
| Operation | Method | Endpoint |
|---|---|---|
| List Users | GET | /Users |
| Get User | GET | /Users/:id |
| Create User | POST | /Users |
| Update User | PUT | /Users/:id |
| Patch User | PATCH | /Users/:id |
| Delete User | DELETE | /Users/:id |
Groups Endpoint
| Operation | Method | Endpoint |
|---|---|---|
| List Groups | GET | /Groups |
| Get Group | GET | /Groups/:id |
| Create Group | POST | /Groups |
| Update Group | PATCH | /Groups/:id |
| Delete Group | DELETE | /Groups/:id |
User Schema
```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "john.doe@acme.com",
  "name": {
    "givenName": "John",
    "familyName": "Doe",
    "formatted": "John Doe"
  },
  "emails": [
    {
      "value": "john.doe@acme.com",
      "type": "work",
      "primary": true
    }
  ],
  "displayName": "John Doe",
  "title": "Software Engineer",
  "active": true,
  "groups": [
    {
      "value": "group_123",
      "display": "Engineering"
    }
  ],
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "department": "Engineering",
    "manager": {
      "value": "user_456",
      "displayName": "Jane Smith"
    }
  }
}
```
Attribute Mapping
Configure how IdP attributes map to AccessIQ user fields:
```json
{
  "scimMapping": {
    "userName": "email",
    "name.givenName": "firstName",
    "name.familyName": "lastName",
    "displayName": "displayName",
    "title": "jobTitle",
    "emails[primary].value": "email",
    "active": "active",
    "urn:...:enterprise:2.0:User:department": "department",
    "urn:...:enterprise:2.0:User:manager.value": "managerId"
  }
}
```
Sync Status & Monitoring
```bash
curl https://api.accessiq.io/v1/organizations/YOUR_ORG/scim/status \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Response:
```json
{
  "status": "healthy",
  "lastSync": "2024-01-15T10:30:00Z",
  "stats": {
    "totalUsers": 523,
    "totalGroups": 24,
    "last24Hours": {
      "usersCreated": 3,
      "usersUpdated": 12,
      "usersDeactivated": 1,
      "groupsModified": 2
    }
  },
  "errors": []
}
```
Webhook Notifications
Configure webhooks to receive real-time notifications for SCIM sync events, errors, and daily summaries.
Troubleshooting
- 401 Unauthorized: Verify that your SCIM token is correct and has not expired. Generate a new token if needed.
- 409 Conflict: A user with that email already exists. Enable "Update existing users" in your IdP's SCIM configuration.
- Users Not Syncing: Ensure users are assigned to the application in your IdP. Only assigned users are provisioned via SCIM.
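As an added example that is not AccessIQ code, the following Python resolves the attribute-mapping paths from the Attribute Mapping section (dotted sub-attributes, the `emails[primary]` value filter, and enterprise-extension attributes addressed as URN:attribute) against a User resource shaped like the User Schema example. The resolver, the reading of `[primary]` as a boolean-flag filter, and the sample user are assumptions; the elided URN is written out as the enterprise extension URN that appears in the User Schema.

```python
"""Added example, not AccessIQ code: apply the page's SCIM attribute mapping."""
import re

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# The page's mapping (elided URN written out). Both userName and
# emails[primary].value feed "email"; the later entry wins when present.
SCIM_MAPPING = {
    "userName": "email",
    "name.givenName": "firstName",
    "name.familyName": "lastName",
    "displayName": "displayName",
    "title": "jobTitle",
    "emails[primary].value": "email",
    "active": "active",
    f"{ENTERPRISE}:department": "department",
    f"{ENTERPRISE}:manager.value": "managerId",
}
_FILTER = re.compile(r"^(\w+)\[(\w+)\]$")  # value filter, e.g. emails[primary]

def resolve(resource: dict, path: str):
    """Return the value at a SCIM attribute path, or None if it is absent."""
    node = resource
    # Extension attributes sit under their schema URN key and are addressed as
    # <URN>:<attribute>, so split the URN off before walking sub-attributes.
    for key in resource:
        if key.startswith("urn:") and path.startswith(key + ":"):
            node, path = resource[key], path[len(key) + 1:]
            break
    for segment in path.split("."):
        if not isinstance(node, dict):
            return None
        if m := _FILTER.match(segment):  # multi-valued: element whose flag is true
            attr, flag = m.groups()
            node = next((e for e in node.get(attr, []) if e.get(flag)), None)
        else:
            node = node.get(segment)
    return node

def map_user(resource: dict) -> dict:
    # Translate a SCIM User into AccessIQ-style fields, skipping unset ones
    # (a literal false for "active" is kept, since it drives deactivation).
    return {field: value for path, field in SCIM_MAPPING.items()
            if (value := resolve(resource, path)) is not None}

# Constructed sample mirroring the page's User Schema example.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    "userName": "john.doe@acme.com", "displayName": "John Doe", "active": True,
    "name": {"givenName": "John", "familyName": "Doe"}, "title": "Software Engineer",
    "emails": [{"value": "john.doe@acme.com", "type": "work", "primary": True}],
    ENTERPRISE: {"department": "Engineering", "manager": {"value": "user_456"}},
}
```

A resource with no primary email keeps the `userName` value for `email`, and a missing sub-attribute (such as `manager.displayName`) resolves to None rather than raising.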