Skip to content

SCIM Configuration

SCIM Configuration

Scimify exposes a SCIM 2.0 endpoint for each integration instance. Any SCIM-capable identity provider (IdP) or identity governance platform (IGA) can connect to provision users and groups, or ingest accounts and entitlements for access reviews.

When to use which platform

Scimify is not limited to Okta or Lumos. Any IdP or IGA that supports SCIM 2.0 can connect using the same Base URL and API key from your Scimify integration instance. See Generic SCIM Configuration for setup on Microsoft Entra ID, SailPoint, OneLogin, and other platforms.

Okta

Use Okta when your IdP is the source of truth for identity. Okta is the most common setup for Scimify customers and supports traditional IdP-driven provisioning, group push, and user import.

See Okta SCIM Configuration for step-by-step setup.

Lumos

Use Lumos when you run identity governance workflows in Lumos rather than (or in addition to) your IdP. Lumos supports generic SCIM integrations for:

  • Ingestion (read-only sync) — discover users, groups, and entitlements from applications to run user access reviews
  • Provisioning (write sync) — create, update, and deactivate users and group memberships in downstream apps
  • Access request automation — connect approved access requests to Scimify connectors for automated provisioning across SaaS apps

Lumos’ native integration catalogue is limited. Scimify extends that catalogue by giving Lumos access to Scimify’s pre-built connectors. Some customers also use Lumos as their source of truth for identity instead of an IdP like Okta.

See Lumos SCIM Configuration for step-by-step setup.

Other IdPs and IGA platforms

Use Generic SCIM Configuration when your platform does not have a dedicated Scimify guide. This covers Microsoft Entra ID, SailPoint, OneLogin, Ping Identity, JumpCloud, and other SCIM 2.0-capable systems.

Before you connect

  1. Create the Scimify integration instance for your target application (for example, Buildkite or GitHub).
  2. Enable the integration instance in the Scimify admin console.
  3. Copy the SCIM Base URL and generate a SCIM API key from that instance.

Each SCIM connection in your IdP or IGA maps to one Scimify integration instance. If you connect multiple apps, create a separate SCIM connection for each Scimify instance.

Platform guides

Authentication

Your IdP or IGA should use HTTP header authentication with:

Authorization: Bearer <SCIM_API_KEY>

Use the SCIM API key generated from the matching Scimify integration instance.

Supported SCIM features

The following features are supported at the SCIM layer, but availability depends on the Scimify connector type (user only, group only, user and group) and limitations within the target SaaS application:

  • Create users
  • Update user attributes
  • Deactivate users
  • Import users
  • Import groups
  • Group sync / group push

The following standard profile attributes are supported:

  • Username
  • Given name
  • Family name
  • Email
  • Title
  • Display name

Note: Some Scimify integrations support custom attributes to manage roles and permissions. These custom attributes are documented under the integration-specific guides.

Need Help?

If you encounter any issues during configuration, please contact [email protected] for assistance.