Apple App Store Connect Integration
Scimify enables SCIM provisioning for App Store Connect team members, allowing you to invite users and manage roles and access settings through your identity provider.
Overview
This integration (de)provisions users on your App Store Connect team using the App Store Connect API. Scimify accepts standard SCIM requests from your IdP and translates them into user invitation and user update API calls.
Key behaviors:
- User-only — no group provisioning
- Invite-based provisioning — new users receive a team invitation email (they are not active until they accept)
- Role management — optional appStoreConnect_role SCIM attribute maps to one or more App Store Connect roles
- Access flags — optional appStoreConnect_allAppsVisible and appStoreConnect_provisioningAllowed SCIM attributes (with integration-level defaults)
- Deprovisioning — removing access deletes the team member or cancels a pending invitation
Apple does not allow creating users directly via API; invitations are required.
Prerequisites
- An Apple Developer Program team with App Store Connect access
- Account Holder or Admin access to create and manage App Store Connect API keys
- API key with permission to manage users (Users and Access)
- Your IdP configured for SCIM provisioning (see Okta SCIM Configuration)
Configuration Steps
1. Create an App Store Connect API Key
- Sign in to App Store Connect
- Go to Users and Access → Integrations → App Store Connect API
- Generate a new API key with access to manage users
- Note the Issuer ID and Key ID shown on the Integrations tab
- Download the private key (.p8 file) — you can only download it once
For token details, see Generating tokens for API requests.
2. Configure the Integration in Scimify
- Navigate to the Integrations page in your Scimify admin console
- Create a new Apple App Store Connect integration instance
- Set an instance display name (for example, Production ASC Team)
- Enter Key ID, Issuer ID, and paste the private key (full .p8 contents)
- Set integration defaults:
  - All apps visible — default for appStoreConnect_allAppsVisible when the IdP does not send it (typically enabled)
  - Provisioning allowed — default for appStoreConnect_provisioningAllowed when the IdP does not send it
- Save the configuration and use Test connection to verify API access
- Enable the integration and copy the Scimify SCIM endpoint and API key for your IdP
3. Configure Custom SCIM Attributes (Optional)
Map the following attributes in your IdP user profile and provisioning app:
| Attribute | Purpose |
|---|---|
| appStoreConnect_role | One or more team roles (see below) |
| appStoreConnect_allAppsVisible | Whether the user can see all apps |
| appStoreConnect_provisioningAllowed | Whether provisioning-related access is allowed |
If omitted on create, Scimify uses integration defaults for the booleans and role DEVELOPER.
Precedence: Per-user SCIM attribute values override the integration checkbox defaults for appStoreConnect_allAppsVisible and appStoreConnect_provisioningAllowed.
4. Configure IdP SCIM
Follow the Okta SCIM Configuration guide to connect your IdP to your Scimify App Store Connect instance, then assign users to the SCIM app.
How It Works
User Provisioning
When a user is assigned in your IdP:
- Scimify checks whether the email already exists as a team member
- If not, Scimify checks for an existing pending invitation
- If neither exists, Scimify sends a new user invitation with the resolved roles and access flags
The invited user must accept the invitation (link expires after three days per Apple) before they appear as an active team member.
User Updates
- Active members — role and access changes are sent via the user update API
- Pending invitations — Scimify cancels the invitation and creates a new one when roles or access flags change
- Role replacement — when appStoreConnect_role is included in an update, Scimify sends the full new role list; Apple replaces the entire roles array
- Partial updates — if appStoreConnect_role is omitted, existing App Store Connect roles are not changed
User Deprovisioning
When a user is unassigned or deactivated in your IdP:
- Active members are removed from the team
- Pending invitations are cancelled
This is a hard remove (not a soft disable in App Store Connect).
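The provisioning, update and deprovisioning rules above can be read as one decision table. The sketch below is an added example, not Scimify's code: the operation labels, the settings keys, the case-insensitive e-mail match and the error raised for an unknown user are assumptions, and the team snapshot is constructed.

```python
def plan(event, email, team, changes=None):
    """Return the ordered operations for one SCIM event (labels are hypothetical).

    team    -- snapshot: {"members": {email: settings}, "invites": {email: settings}}
    changes -- only the attributes the IdP sent, e.g. {"roles": ["ADMIN"]}
    """
    email = email.strip().lower()          # assumption: e-mail match ignores case
    changes = dict(changes or {})
    if "roles" in changes:
        changes["roles"] = sorted(set(changes["roles"]))
    member = team["members"].get(email)
    invite = team["invites"].get(email)

    if event == "create":
        if member is not None:
            return [("return_existing_member", email)]    # idempotent create
        if invite is not None:
            return [("return_existing_invite", email)]
        return [("invite", email, changes)]

    if event == "update":
        if member is not None:
            # A sent role list replaces the whole set; an omitted one is untouched.
            return [("update_member", email, changes)] if changes else []
        if invite is not None:
            merged = {**invite, **changes}
            if merged == invite:
                return []
            # Pending invitations are changed by cancelling and re-inviting.
            return [("cancel_invite", email), ("invite", email, merged)]
        raise LookupError(f"{email} is neither a member nor invited")

    if event == "delete":
        if member is not None:
            return [("remove_member", email)]              # hard remove
        if invite is not None:
            return [("cancel_invite", email)]
        return []                                          # nothing left to revoke
    raise ValueError(f"unknown event {event!r}")

# Constructed sample state: one active member, one pending invitation.
BASE = {"roles": ["DEVELOPER"], "allAppsVisible": True, "provisioningAllowed": False}
TEAM = {"members": {"ana@example.com": dict(BASE)},
        "invites": {"bo@example.com": dict(BASE)}}
```

Logging the returned operations per event gives the delete versus invite-delete trail that is useful when checking whether access was actually revoked.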
Custom SCIM Attribute Configuration
Attribute: appStoreConnect_role
| Setting | Value |
|---|---|
| Type | String (multi-valued recommended) |
| External namespace | urn:ietf:params:scim:schemas:extension:custom:2.0:User |
| Attribute name | appStoreConnect_role |
| Description | App Store Connect team role(s) for the invited or provisioned user |
| Default on create | DEVELOPER (if not sent in SCIM) |
Common role values:
| Value | Description |
|---|---|
| ADMIN | Team administrator |
| APP_MANAGER | Manage apps, metadata, and delivery |
| DEVELOPER | Development and TestFlight access |
| MARKETING | Marketing materials and App Store promotion |
| FINANCE | Financial reports and tax forms |
| SALES | Sales and trends analytics |
| CUSTOMER_SUPPORT | Customer review responses |
Apple supports multiple roles per user. Scimify accepts:
- Multi-valued SCIM array: ["DEVELOPER", "MARKETING"]
- Single string: DEVELOPER
- Comma-separated string: DEVELOPER,MARKETING
Not supported via SCIM:
| Value | Notes |
|---|---|
| ACCOUNT_HOLDER | Assign the Account Holder only in App Store Connect |
Scimify accepts appStoreConnect_role in these common SCIM shapes:
- Top-level field: appStoreConnect_role
- Extension key: urn:ietf:params:scim:schemas:extension:custom:2.0:User:appStoreConnect_role
- Nested extension object under urn:ietf:params:scim:schemas:extension:custom:2.0:User
Attribute: appStoreConnect_allAppsVisible
| Setting | Value |
|---|---|
| Type | Boolean |
| External namespace | urn:ietf:params:scim:schemas:extension:custom:2.0:User |
| External name | appStoreConnect_allAppsVisible |
| Integration default | All apps visible checkbox in Scimify |
When true, the user can see all apps. When false, app visibility may need to be configured manually in App Store Connect (per-app visibleApps is not mapped via SCIM in this integration).
Scimify accepts this attribute as a top-level field, extension URN key, or nested under the custom extension object (same shapes as appStoreConnect_role).
Attribute: appStoreConnect_provisioningAllowed
| Setting | Value |
|---|---|
| Type | Boolean |
| External namespace | urn:ietf:params:scim:schemas:extension:custom:2.0:User |
| External name | appStoreConnect_provisioningAllowed |
| Integration default | Provisioning allowed checkbox in Scimify |
Controls whether the user has provisioning-related team access (for example, Xcode Cloud / certificate workflows per Apple’s user model).
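To check an IdP mapping before enabling provisioning, the create-time resolution described in the three attribute sections can be modelled as below. This is an added example, not Scimify's code: the function names, the allow-list restricted to the role values listed on this page, the strict boolean check, and the use of the same three lookup shapes for appStoreConnect_provisioningAllowed are assumptions.

```python
EXT = "urn:ietf:params:scim:schemas:extension:custom:2.0:User"
# Assumption: allow-list limited to the role values listed on this page.
# ACCOUNT_HOLDER is deliberately absent, so it is rejected like any unknown value.
ALLOWED_ROLES = {"ADMIN", "APP_MANAGER", "DEVELOPER", "MARKETING",
                 "FINANCE", "SALES", "CUSTOMER_SUPPORT"}
MISSING = object()

def find_attr(user, name):
    """Find name as a top-level field, an extension URN key, or a nested key."""
    if name in user:
        return user[name]
    if f"{EXT}:{name}" in user:
        return user[f"{EXT}:{name}"]
    nested = user.get(EXT)
    if isinstance(nested, dict) and name in nested:
        return nested[name]
    return MISSING

def parse_roles(raw):
    """Accept a multi-valued array, a single string, or a comma-separated string."""
    items = raw if isinstance(raw, list) else str(raw).split(",")
    roles = []
    for item in items:
        role = str(item).strip()
        if role not in ALLOWED_ROLES:       # also catches lowercase and empty values
            raise ValueError(f"invalid appStoreConnect_role value: {role!r}")
        if role not in roles:
            roles.append(role)
    if not roles:
        raise ValueError("appStoreConnect_role was sent but is empty")
    return roles

def resolve_on_create(user, defaults):
    """Resolve the roles and access flags for a new invitation."""
    raw = find_attr(user, "appStoreConnect_role")
    resolved = {"roles": ["DEVELOPER"] if raw is MISSING else parse_roles(raw)}
    for name in ("appStoreConnect_allAppsVisible",
                 "appStoreConnect_provisioningAllowed"):
        value = find_attr(user, name)
        if value is MISSING:
            value = defaults[name]           # integration-level default
        elif not isinstance(value, bool):    # assumption: strict booleans only
            raise ValueError(f"{name} must be a boolean")
        resolved[name] = value               # per-user value overrides the default
    return resolved
```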
Suggested Okta mapping
- Add profile attributes on your App Store Connect SCIM app with external namespace urn:ietf:params:scim:schemas:extension:custom:2.0:User
- Map appStoreConnect_role as a string or multi-valued string (group rules can set role lists)
- Map boolean attributes for app visibility and provisioning where needed
- Include attributes on create and update operations
Limitations and Behavior Notes
- Invite-only create — SCIM “create user” sends a team invitation
- Invitation expiry — Apple invitations expire after three days; users may need to be re-invited
- No group SCIM — App Store Connect has no team “groups” analogous to other integrations
- No per-app SCIM — only the appStoreConnect_allAppsVisible boolean is supported, not individual app IDs
- Name fields — invitations require first and last name; Scimify derives these from SCIM name or displayName, or uses the email local-part as first name
- Full role set on update — sending appStoreConnect_role replaces all roles on the Apple side
Troubleshooting
- Authentication failed (401/403)
  - Verify Key ID, Issuer ID, and private key match the same API key in App Store Connect
  - Confirm the key has Users and Access permissions
- Invalid appStoreConnect_role
  - Use uppercase Apple role enums (DEVELOPER, ADMIN, etc.)
  - Do not send ACCOUNT_HOLDER via SCIM
- User already exists
  - Scimify returns the existing member or pending invite ID (idempotent behavior)
- User not removed after deprovision
  - Confirm the user was unassigned from the IdP SCIM app and provisioning completed
  - Check Scimify audit logs for delete vs invite-delete operations
Need Help?
If you encounter issues configuring API keys or SCIM attribute mappings, contact [email protected] for assistance.