Generic SCIM Configuration
Scimify exposes a standards-based SCIM 2.0 endpoint for each integration instance. You are not limited to Okta or Lumos — any identity provider (IdP) or identity governance platform (IGA) that supports SCIM 2.0 provisioning can connect to Scimify the same way it connects to any other SaaS application.
Use this guide when your platform does not have a dedicated Scimify setup doc. If you use Okta or Lumos, see the platform-specific guides for catalog apps and connector defaults:
- SCIM Configuration — overview and shared setup
- Okta SCIM Configuration — Veraproof Scimify Okta app
- Lumos SCIM Configuration — Lumos SCIM Connector
Supported platforms
Scimify works with any SCIM 2.0-capable platform, including:
| Category | Examples |
|---|---|
| Identity providers | Microsoft Entra ID (Azure AD), OneLogin, PingOne, JumpCloud, Google Workspace |
| Identity governance | SailPoint Identity Security Cloud, SailPoint IdentityIQ, Saviynt, CyberArk, Zluri |
| Access management | Okta (via dedicated guide), Auth0 |
If your platform can provision users and groups to a custom SCIM 2.0 application, it can provision to Scimify.
Prerequisites
- Access to your IdP or IGA admin console
- A Scimify account with at least one integration instance created and enabled
- The SCIM Base URL and SCIM API key from your Scimify admin console
Before you connect
- Create the Scimify integration instance for your target application (for example, Buildkite or GitHub).
- Enable the integration instance in the Scimify admin console.
- Copy the SCIM Base URL and generate a SCIM API key from that instance.
Each SCIM connection in your IdP or IGA maps to one Scimify integration instance. If you connect multiple apps, create a separate SCIM connection for each Scimify instance.
Ensure the Scimify integration instance is enabled before testing or running an initial sync. Most platforms attempt a connection test or full sync when provisioning is first turned on.
Connection values
Use these values when configuring a custom or non-catalog SCIM application in your platform. Field names vary by vendor; map them to the closest equivalent in your admin console.
| Setting | Value |
|---|---|
| SCIM version | SCIM 2.0 |
| Base URL / Tenant URL / SCIM connector URL | SCIM Base URL from your Scimify integration instance (includes protocol and path, for example https://api.example.com/scim/v2) |
| Authentication | HTTP header — Authorization: Bearer <SCIM_API_KEY> |
| Users endpoint | /Users (relative to the Base URL) |
| Groups endpoint | /Groups (relative to the Base URL) |
| User update method | PATCH |
Authentication
Your IdP or IGA should authenticate with a bearer token:
Authorization: Bearer <SCIM_API_KEY>
Use the SCIM API key generated from the matching Scimify integration instance. Do not reuse keys across integration instances.
Configuration steps
Exact menus differ by platform, but the workflow is the same:
1. Create a custom SCIM application
In your IdP or IGA admin console, add a new application or connector for SCIM-based provisioning. Choose the option for a custom, non-gallery, or generic SCIM 2.0 application if no Scimify catalog entry exists.
Give the application a descriptive name, for example Scimify - GitHub, so it is easy to identify alongside other Scimify connections.
2. Enter connection details
Paste the SCIM Base URL and SCIM API key from your Scimify integration instance into the platform’s SCIM configuration fields.
Run the platform’s credential or connection test if one is available. A successful test confirms the Base URL, API key, and network path are correct.
3. Enable provisioning features
Turn on the provisioning capabilities your integration requires. Availability at the SCIM layer depends on the Scimify connector type and the target SaaS application:
- Create users
- Update user attributes
- Deactivate users
- Import users
- Import groups
- Group sync / group push
Enable create and deactivate user operations even when you only need group push. Many IdPs only push group members to an application after those users are considered provisioned there. If the underlying Scimify connector does not support user provisioning for that app, Scimify satisfies the IdP’s requests without changing membership in the target application.
4. Assign users and groups
Assign users or groups from your IdP or IGA to the new SCIM application according to your access model:
- User provisioning — assign individual users or groups whose members should be provisioned
- Group push — map IdP groups to the SCIM application so membership syncs to the downstream app
Ensure users in pushed groups are also assigned to the SCIM application if your platform requires explicit assignment before group membership syncs.
5. Run an initial sync
After saving the configuration, run an initial sync or import if your platform offers one. Confirm users and groups appear as expected in the Scimify admin console and the target application.
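As an added example (not Scimify's own code), the script below pre-checks the connection values before they are pasted into an IdP and builds the two requests the steps above rely on: a connection test and a PATCH deactivation. The `count` parameter and the PatchOp body follow RFC 7644 and are assumed to be accepted by the endpoint; the host, keys, user ID and function names are constructed placeholders.

```python
import json
import urllib.request
from urllib.parse import quote, urlsplit

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644, section 3.5.2

def preflight(connections):
    """Return problems found in {app name: (base_url, api_key)} connection values."""
    problems, seen = [], {}
    for name, (base_url, api_key) in connections.items():
        parts = urlsplit(base_url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{name}: Base URL must be an absolute https URL")
        if not api_key or api_key != api_key.strip():
            problems.append(f"{name}: API key is empty or has stray whitespace")
        elif api_key in seen:
            problems.append(f"{name}: API key is reused from {seen[api_key]}")
        else:
            seen[api_key] = name
    return problems

def scim_request(base_url, api_key, method, path, body=None):
    """Build, without sending, the request an IdP issues against the Base URL."""
    headers = {"Authorization": f"Bearer {api_key}", "Accept": "application/scim+json"}
    data = None if body is None else json.dumps(body).encode()
    if data is not None:
        headers["Content-Type"] = "application/scim+json"
    url = base_url.rstrip("/") + path  # /Users and /Groups are relative to the Base URL
    return urllib.request.Request(url, data=data, headers=headers, method=method)

def connection_test(base_url, api_key):
    # count is the RFC 7644 pagination parameter; support for it is assumed here.
    return scim_request(base_url, api_key, "GET", "/Users?count=1")

def deactivate_user(base_url, api_key, user_id):
    # Deactivation expressed as a SCIM PATCH that sets "active" to false.
    body = {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return scim_request(base_url, api_key, "PATCH", "/Users/" + quote(user_id, safe=""), body)

# Constructed sample values: placeholder host and keys, not real credentials.
SAMPLE = {
    "Scimify - GitHub": ("https://api.example.com/scim/v2", "PLACEHOLDER-KEY-A"),
    "Scimify - Buildkite": ("http://api.example.com/scim/v2", "PLACEHOLDER-KEY-A"),
}

if __name__ == "__main__":
    req = deactivate_user(*SAMPLE["Scimify - GitHub"], "USER_ID_PLACEHOLDER")
    print(preflight(SAMPLE), req.get_method(), req.full_url, req.data.decode())
```

Passing a request object to `urllib.request.urlopen` sends it; a 401 on the connection test points at the key, while a TLS or DNS error points at the Base URL or network path.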
Platform notes
The following sections highlight common configuration paths. Refer to your vendor’s SCIM documentation for the latest UI labels and options.
Microsoft Entra ID
- In the Microsoft Entra admin center, go to Enterprise applications and add a non-gallery application (or create a custom security provisioning app).
- Under Provisioning, set Provisioning Mode to Automatic.
- Set Tenant URL to your Scimify SCIM Base URL.
- Set Secret Token to your Scimify SCIM API key.
- Test the connection, then save and turn provisioning On.
- Use Users and groups to scope which identities are provisioned to this application.
SailPoint
SailPoint products (Identity Security Cloud, IdentityIQ, and related connectors) support generic SCIM 2.0 targets. Create a SCIM application or source using your Scimify Base URL and bearer token, then map identity attributes and entitlements according to your SailPoint implementation. Consult SailPoint documentation for source aggregation vs. provisioning configuration in your deployment.
OneLogin
- Add a SCIM Provisioner with SCIM (SCIM v2 Core) custom connector, or use the equivalent custom SCIM application type in your OneLogin tenant.
- Set the SCIM Base URL and Bearer token (SCIM API key).
- Enable create, update, and delete operations as needed, then assign roles or mappings that determine which users and groups sync.
Ping Identity (PingOne / PingFederate)
Configure a custom SCIM outbound provisioning target or SaaS application with your Scimify Base URL and bearer token. Enable user and group provisioning rules that reference the new target.
JumpCloud
Add a custom SCIM application under SSO Applications, enter the Scimify Base URL and API key, and configure group assignments for provisioning scope.
Other IGA platforms
Platforms such as Saviynt, CyberArk, and Zluri typically expose a generic SCIM connector or custom application type. Use the connection values above and follow your vendor’s guide for custom SCIM targets.
Supported SCIM features
The following features are supported at the SCIM layer, but availability depends on the Scimify connector type (user only, group only, user and group) and limitations within the target SaaS application:
- Create users
- Update user attributes
- Deactivate users
- Import users
- Import groups
- Group sync / group push
The following standard profile attributes are supported:
- Username
- Given name
- Family name
- Title
- Display name
Note: Some Scimify integrations support custom attributes to manage roles and permissions. These custom attributes are documented under the integration-specific guides.
Need Help?
If your platform is not listed here or you run into configuration issues, contact [email protected]. Include your IdP or IGA product name and the Scimify integration instance you are connecting.