SCIM 2.0 Provisioning
Authagonal supports SCIM 2.0 (System for Cross-domain Identity Management) for automated user provisioning from enterprise identity providers such as Microsoft Entra ID, Okta, and OneLogin.
Overview
SCIM is an inbound provisioning protocol: your identity provider pushes user and group changes to Authagonal. This is complementary to the existing TCC (Try-Confirm-Cancel) outbound provisioning that pushes users to downstream applications.
Supported operations:
- User CRUD (create, read, update, delete via soft deactivation)
- Group CRUD with member management
- Filtering (`eq` and `co` operators on `userName`, `externalId`, `displayName`)
- Pagination via `startIndex` and `count`
- PATCH for partial updates (including `active=false` deactivation)
Not supported: bulk operations, sorting, ETags, password management via SCIM.
Generating a SCIM Token
SCIM endpoints are authenticated with static Bearer tokens. Generate tokens via the Admin API:
```http
POST /api/v1/scim/tokens
Authorization: Bearer {admin-token}
Content-Type: application/json

{
  "clientId": "your-client-id",
  "description": "Entra ID SCIM token",
  "expiresInDays": 365
}
```
The response includes the raw token once — store it securely:
```json
{
  "tokenId": "abc123",
  "clientId": "your-client-id",
  "token": "base64-encoded-token",
  "createdAt": "2024-01-01T00:00:00Z",
  "expiresAt": "2025-01-01T00:00:00Z"
}
```
Listing tokens
```http
GET /api/v1/scim/tokens?clientId=your-client-id
Authorization: Bearer {admin-token}
```
Revoking a token
```http
DELETE /api/v1/scim/tokens/{tokenId}?clientId=your-client-id
Authorization: Bearer {admin-token}
```
Configuring Your Identity Provider
Tenant URL
```text
https://your-authagonal-instance/scim/v2
```
Authentication
Use OAuth Bearer Token with the token generated above.
Microsoft Entra ID
- In Azure portal, go to Enterprise Applications > your app > Provisioning
- Set Provisioning Mode to Automatic
- Enter Tenant URL: `https://your-instance/scim/v2`
- Enter Secret Token: the raw token from the generation step
- Click Test Connection to verify
- Configure attribute mappings (see below)
Okta
- In Okta admin console, go to Applications > your app > Provisioning
- Enable SCIM connector
- Set Base URL: `https://your-instance/scim/v2`
- Set Authentication Mode: HTTP Header
- Enter the Bearer token
OneLogin
- In OneLogin admin, go to Applications > your app > Provisioning
- Enable provisioning
- Set SCIM Base URL: `https://your-instance/scim/v2`
- Set SCIM Bearer Token
SCIM Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /scim/v2/Users | List/filter users |
| GET | /scim/v2/Users/{id} | Get a user |
| POST | /scim/v2/Users | Create a user |
| PUT | /scim/v2/Users/{id} | Replace a user |
| PATCH | /scim/v2/Users/{id} | Partial update |
| DELETE | /scim/v2/Users/{id} | Soft deactivate |
| GET | /scim/v2/Groups | List/filter groups |
| GET | /scim/v2/Groups/{id} | Get a group |
| POST | /scim/v2/Groups | Create a group |
| PUT | /scim/v2/Groups/{id} | Replace a group |
| PATCH | /scim/v2/Groups/{id} | Add/remove members |
| DELETE | /scim/v2/Groups/{id} | Delete a group |
| GET | /scim/v2/ServiceProviderConfig | Capabilities |
| GET | /scim/v2/Schemas | Schema definitions |
| GET | /scim/v2/ResourceTypes | Resource types |
Attribute Mapping
User attributes
| SCIM Attribute | Authagonal Field |
|---|---|
| userName | Email |
| name.givenName | FirstName |
| name.familyName | LastName |
| displayName | FirstName LastName |
| emails[type eq "work"].value | Email |
| active | IsActive |
| externalId | ExternalId |
Group attributes
| SCIM Attribute | Authagonal Field |
|---|---|
| displayName | DisplayName |
| externalId | ExternalId |
| members | MemberUserIds |
Behavior Details
User creation
- SCIM-provisioned users are created with `EmailConfirmed = true` (SSO-only, no password).
- The `ScimProvisionedByClientId` field tracks which SCIM client created the user.
- If the client has `ProvisioningApps` configured, TCC provisioning is triggered automatically.
User deactivation
- `DELETE /scim/v2/Users/{id}` performs a soft delete by setting `IsActive = false`.
- `PATCH` with `active = false` also deactivates the user.
- Deactivated users cannot log in via password, SAML, or OIDC.
- All refresh tokens are revoked upon deactivation.
- Deprovisioning is triggered for downstream apps.
Filtering
Supported filter expressions:
```text
userName eq "user@example.com"
externalId eq "12345"
displayName co "John"
```
Only single-attribute filters are supported. Complex boolean expressions (and, or) are not supported.
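As an added example (not Authagonal's own code), here is a Python parser and evaluator for exactly this filter subset, plus a helper that shapes results as a SCIM ListResponse for the `startIndex`/`count` pagination mentioned earlier; the one-clause grammar regex, the case-folding rule and the sample users are my own assumptions.

```python
import re

# Attribute and operator sets come from the page; the one-clause grammar is my assumption.
SUPPORTED_ATTRS = {"userName", "externalId", "displayName"}
SUPPORTED_OPS = {"eq", "co"}
CASE_EXACT = {"externalId"}  # RFC 7643: externalId is caseExact; userName/displayName are not
# One attribute, one operator, one quoted value, nothing trailing: "and"/"or" compounds fail to match.
_FILTER_RE = re.compile(r'^\s*(\w+)\s+(\w+)\s+"((?:[^"\\]|\\.)*)"\s*$')


class UnsupportedFilter(ValueError):
    """Filter lies outside the documented subset (compound, unknown attribute or operator)."""


def parse_filter(expr):
    """Return (attribute, operator, value) for a supported filter, else raise UnsupportedFilter."""
    m = _FILTER_RE.match(expr)
    if not m:
        raise UnsupportedFilter('expected <attr> <op> "<value>", got %r' % expr)
    attr, op, value = m.group(1), m.group(2).lower(), m.group(3).replace('\\"', '"')
    if attr not in SUPPORTED_ATTRS:
        raise UnsupportedFilter("unsupported attribute %r" % attr)
    if op not in SUPPORTED_OPS:
        raise UnsupportedFilter("unsupported operator %r" % op)
    return attr, op, value


def apply_filter(users, expr):
    """Keep users whose attribute satisfies the filter: eq = equality, co = substring."""
    attr, op, value = parse_filter(expr)
    fold = (lambda s: s) if attr in CASE_EXACT else str.lower
    wanted = fold(value)

    def matches(actual):
        if actual is None:  # attribute absent on this user: never a match
            return False
        return fold(actual) == wanted if op == "eq" else wanted in fold(actual)
    return [u for u in users if matches(u.get(attr))]


def list_response(users, start_index=1, count=100):
    """Shape one page as a SCIM ListResponse; startIndex is 1-based (RFC 7644)."""
    start = max(int(start_index), 1)
    page = users[start - 1:start - 1 + max(int(count), 0)]
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
            "totalResults": len(users), "startIndex": start,
            "itemsPerPage": len(page), "Resources": page}


SAMPLE_USERS = [  # constructed sample directory, not real data
    {"id": "u1", "userName": "jane.doe@example.com", "externalId": "12345", "displayName": "Jane Doe"},
    {"id": "u2", "userName": "john.roe@example.com", "externalId": "12346", "displayName": "John Roe"},
    {"id": "u3", "userName": "johnny@example.com", "externalId": "ABC-1", "displayName": "Johnny Appleseed"},
]
```

Rejecting anything outside the subset up front (rather than silently ignoring the second clause of a compound filter) keeps the server from returning a broader result set than the identity provider asked for.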
Known Limitations
- No bulk operations — users and groups must be provisioned individually.
- No sorting — results are ordered by creation date.
- Filter subset — only `eq` and `co` operators on `userName`, `externalId`, and `displayName`.
- No password management — SCIM-provisioned users authenticate via SSO only.
- Soft delete only — `DELETE` deactivates rather than permanently removes users.