Skip to content

Generic SCIM Configuration

Generic SCIM Configuration

Scimify exposes a standards-based SCIM 2.0 endpoint for each integration instance. You are not limited to Okta or Lumos — any identity provider (IdP) or identity governance platform (IGA) that supports SCIM 2.0 provisioning can connect to Scimify the same way it connects to any other SaaS application.

Use this guide when your platform does not have a dedicated Scimify setup doc. If you use Okta or Lumos, see the platform-specific guides for catalog apps and connector defaults:

Supported platforms

Scimify works with any SCIM 2.0-capable platform, including:

CategoryExamples
Identity providersMicrosoft Entra ID (Azure AD), OneLogin, PingOne, JumpCloud, Google Workspace
Identity governanceSailPoint Identity Security Cloud, SailPoint IdentityIQ, Saviynt, CyberArk, Zluri
Access managementOkta (via dedicated guide), Auth0

If your platform can provision users and groups to a custom SCIM 2.0 application, it can provision to Scimify.

Prerequisites

  • Access to your IdP or IGA admin console
  • A Scimify account with at least one integration instance created and enabled
  • The SCIM Base URL and SCIM API key from your Scimify admin console

Before you connect

  1. Create the Scimify integration instance for your target application (for example, Buildkite or GitHub).
  2. Enable the integration instance in the Scimify admin console.
  3. Copy the SCIM Base URL and generate a SCIM API key from that instance.

Each SCIM connection in your IdP or IGA maps to one Scimify integration instance. If you connect multiple apps, create a separate SCIM connection for each Scimify instance.

Ensure the Scimify integration instance is enabled before testing or running an initial sync. Most platforms attempt a connection test or full sync when provisioning is first turned on.

Connection values

Use these values when configuring a custom or non-catalog SCIM application in your platform. Field names vary by vendor; map them to the closest equivalent in your admin console.

SettingValue
SCIM versionSCIM 2.0
Base URL / Tenant URL / SCIM connector URLSCIM Base URL from your Scimify integration instance (includes protocol and path, for example https://api.example.com/scim/v2)
AuthenticationHTTP header — Authorization: Bearer <SCIM_API_KEY>
Users endpoint/Users (relative to the Base URL)
Groups endpoint/Groups (relative to the Base URL)
User update methodPATCH

Authentication

Your IdP or IGA should authenticate with a bearer token:

Authorization: Bearer <SCIM_API_KEY>

Use the SCIM API key generated from the matching Scimify integration instance. Do not reuse keys across integration instances.

Configuration steps

Exact menus differ by platform, but the workflow is the same:

1. Create a custom SCIM application

In your IdP or IGA admin console, add a new application or connector for SCIM-based provisioning. Choose the option for a custom, non-gallery, or generic SCIM 2.0 application if no Scimify catalog entry exists.

Give the application a descriptive name, for example Scimify - GitHub, so it is easy to identify alongside other Scimify connections.

2. Enter connection details

Paste the SCIM Base URL and SCIM API key from your Scimify integration instance into the platform’s SCIM configuration fields.

Run the platform’s credential or connection test if one is available. A successful test confirms the Base URL, API key, and network path are correct.

3. Enable provisioning features

Turn on the provisioning capabilities your integration requires. Availability at the SCIM layer depends on the Scimify connector type and the target SaaS application:

  • Create users
  • Update user attributes
  • Deactivate users
  • Import users
  • Import groups
  • Group sync / group push

Enable create and deactivate user operations even when you only need group push. Many IdPs only push group members to an application after those users are considered provisioned there. If the underlying Scimify connector does not support user provisioning for that app, Scimify satisfies the IdP’s requests without changing membership in the target application.

4. Assign users and groups

Assign users or groups from your IdP or IGA to the new SCIM application according to your access model:

  • User provisioning — assign individual users or groups whose members should be provisioned
  • Group push — map IdP groups to the SCIM application so membership syncs to the downstream app

Ensure users in pushed groups are also assigned to the SCIM application if your platform requires explicit assignment before group membership syncs.

5. Run an initial sync

After saving the configuration, run an initial sync or import if your platform offers one. Confirm users and groups appear as expected in the Scimify admin console and the target application.

Platform notes

The following sections highlight common configuration paths. Refer to your vendor’s SCIM documentation for the latest UI labels and options.

Microsoft Entra ID

  1. In the Microsoft Entra admin center, go to Enterprise applications and add a non-gallery application (or create a custom security provisioning app).
  2. Under Provisioning, set Provisioning Mode to Automatic.
  3. Set Tenant URL to your Scimify SCIM Base URL.
  4. Set Secret Token to your Scimify SCIM API key.
  5. Test the connection, then save and turn provisioning On.
  6. Use Users and groups to scope which identities are provisioned to this application.

SailPoint

SailPoint products (Identity Security Cloud, IdentityIQ, and related connectors) support generic SCIM 2.0 targets. Create a SCIM application or source using your Scimify Base URL and bearer token, then map identity attributes and entitlements according to your SailPoint implementation. Consult SailPoint documentation for source aggregation vs. provisioning configuration in your deployment.

OneLogin

  1. Add a SCIM Provisioner with SCIM (SCIM v2 Core) custom connector, or use the equivalent custom SCIM application type in your OneLogin tenant.
  2. Set the SCIM Base URL and Bearer token (SCIM API key).
  3. Enable create, update, and delete operations as needed, then assign roles or mappings that determine which users and groups sync.

Ping Identity (PingOne / PingFederate)

Configure a custom SCIM outbound provisioning target or SaaS application with your Scimify Base URL and bearer token. Enable user and group provisioning rules that reference the new target.

JumpCloud

Add a custom SCIM application under SSO Applications, enter the Scimify Base URL and API key, and configure group assignments for provisioning scope.

Other IGA platforms

Platforms such as Saviynt, CyberArk, and Zluri typically expose a generic SCIM connector or custom application type. Use the connection values above and follow your vendor’s guide for custom SCIM targets.

Supported SCIM features

The following features are supported at the SCIM layer, but availability depends on the Scimify connector type (user only, group only, user and group) and limitations within the target SaaS application:

  • Create users
  • Update user attributes
  • Deactivate users
  • Import users
  • Import groups
  • Group sync / group push

The following standard profile attributes are supported:

  • Username
  • Given name
  • Family name
  • Email
  • Title
  • Display name

Note: Some Scimify integrations support custom attributes to manage roles and permissions. These custom attributes are documented under the integration-specific guides.

Need Help?

If your platform is not listed here or you run into configuration issues, contact [email protected]. Include your IdP or IGA product name and the Scimify integration instance you are connecting.