Skip to Content
Admin ConsoleSCIM Provisioning

SCIM Provisioning

SCIM (System for Cross-domain Identity Management) 2.0 allows enterprise identity providers to automatically provision and deprovision users in Auris. When an employee is added in Okta, Azure AD, or another SCIM-compatible IdP, a user account is automatically created in Auris. When the employee is removed from the IdP, their Auris account is deactivated.

This eliminates manual user creation and ensures that access is revoked promptly when employees leave the organization — a critical requirement for SOC 2, ISO 27001, and other compliance frameworks.

Access via ConsoleSettingsSCIM Provisioning.


Creating a SCIM Connection

Open SCIM Provisioning

Go to ConsoleSettingsSCIM Provisioning and click Create Connection.

Enter connection details

FieldRequiredDescription
Connection NameYesA descriptive name for administrative reference (for example, “Okta Production”, “Azure AD Staging”)
Keycloak RealmYesThe Keycloak realm this connection provisions users into. Each connection maps to a single realm.

Copy the SCIM endpoint and token

After saving, Auris generates:

  • SCIM Endpoint URL — The base URL for SCIM operations. Format: https://auth.yourdomain.com/api/scim/v2/{connectionId}/
  • Bearer Token — The authentication token your IdP uses to authenticate SCIM requests

Copy both values. You will need them to configure the connection in your identity provider.

Configure the connection in your IdP

In your identity provider (Okta, Azure AD, OneLogin, etc.):

  1. Create a new SCIM provisioning integration
  2. Paste the SCIM Endpoint URL as the base URL / tenant URL
  3. Paste the Bearer Token as the API token / secret token
  4. Set the authentication method to Bearer Token / OAuth Bearer
  5. Enable provisioning features: Create Users, Update User Attributes, Deactivate Users

Test the connection

Back in the Auris Console, click Test Connection to verify that the IdP can reach the SCIM endpoint and authenticate successfully. Auris sends a test request and reports the result.

The Bearer Token is shown only once when the connection is created. Store it securely. If you lose the token, click Regenerate Token on the connection detail page — this invalidates the previous token immediately.


Connection List

The SCIM Provisioning page shows all connections in a table:

ColumnDescription
NameConnection name
StatusActive (green), Inactive (gray), or Error (red)
RealmThe Keycloak realm this connection provisions into
Last SyncTimestamp of the most recent SCIM operation received
Users ProvisionedTotal number of users created through this connection
ErrorsCount of failed operations in the last 30 days

Click any connection to open its detail page.


Connection Detail Page

The connection detail page has three tabs: Overview, Attribute Mappings, and Statistics.

Overview Tab

The Overview tab shows the connection configuration and status:

FieldDescription
Connection NameEditable name
SCIM Endpoint URLRead-only. Copy to clipboard with the copy icon.
Bearer TokenMasked. Click Regenerate Token to create a new token (invalidates the old one).
StatusActive or Inactive. Toggle the Enable switch to activate or deactivate the connection.
Created AtWhen the connection was created
Last ActivityTimestamp of the most recent successful SCIM operation

Attribute Mappings Tab

Attribute mappings control how SCIM user attributes are translated to Auris user fields. Auris provides sensible defaults that work for most identity providers.

Default Mappings

SCIM AttributeAuris FieldDirection
userNameemailInbound
name.givenNamefirstNameBoth
name.familyNamelastNameBoth
activeenabledInbound
externalIdscimExternalIdInbound

Custom Mappings

Click Add Mapping to create a custom attribute mapping:

FieldDescription
SCIM AttributeThe SCIM schema attribute path (for example, urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department)
Auris AttributeThe Auris user field or metadata key to map to
DirectionInbound (IdP to Auris), Outbound (Auris to IdP), or Both
ActiveWhether this mapping is currently applied

To edit an existing mapping, click the row. To delete a mapping, click the trash icon. Default mappings cannot be deleted but can be deactivated.

Statistics Tab

The Statistics tab shows provisioning activity broken down by time period:

PeriodUsers CreatedUsers UpdatedUsers DeactivatedErrors
Last 24 Hourscountcountcountcount
Last 7 Dayscountcountcountcount
Last 30 Dayscountcountcountcount

Supported SCIM Operations

Auris implements the following SCIM 2.0 operations per RFC 7644:

OperationHTTP MethodEndpointDescription
List UsersGET/UsersList provisioned users with optional filtering and pagination
Get UserGET/Users/:idRetrieve a specific user by SCIM ID
Create UserPOST/UsersProvision a new user account
Replace UserPUT/Users/:idFull replacement of user attributes
Patch UserPATCH/Users/:idPartial update of specific attributes
Delete UserDELETE/Users/:idDeprovision the user (sets active: false in Auris — soft delete)
Bulk OperationsPOST/BulkBatch multiple operations in a single request (max 100 operations per request)
GET/api/scim/v2/{connectionId}/Users
POST/api/scim/v2/{connectionId}/Users
POST/api/scim/v2/{connectionId}/Bulk

SCIM Filtering

Auris supports the SCIM filter syntax defined in RFC 7644 Section 3.4.2.2. This allows identity providers to query for specific users based on attribute values.

Supported Operators

OperatorExampleDescription
equserName eq "[email protected]"Equals
neactive ne falseNot equals
coname.familyName co "Smi"Contains
swuserName sw "alice"Starts with
ewuserName ew "@example.com"Ends with
gtmeta.lastModified gt "2025-01-01"Greater than
ltmeta.lastModified lt "2025-06-01"Less than
gemeta.created ge "2025-01-01"Greater than or equal
lemeta.created le "2025-12-31"Less than or equal
prname.givenName prPresent (attribute has a value)

Combinators

Filters can be combined with and / or and grouped with parentheses:

userName eq "[email protected]" and active eq true (name.givenName co "Al") or (name.familyName co "Sm")

Dot-Notation Attribute Paths

Nested attributes are accessed using dot notation: name.givenName, name.familyName, meta.lastModified.


Provisioning Direction

SCIM provisioning in Auris is inbound-only (IdP to Auris). User changes made directly in the Auris Console or via the Auris API do not sync back to the identity provider. The IdP remains the source of truth for user lifecycle management.

This means:

  • Creating a user in Okta creates the user in Auris
  • Disabling a user in Azure AD deactivates the user in Auris
  • Changing a user’s name directly in the Auris Console does not update the user in the IdP
  • If the IdP sends an update that conflicts with a manual change in Auris, the IdP update wins

Troubleshooting

Common Issues

ErrorCauseResolution
401 UnauthorizedThe Bearer Token is invalid, expired, or missingRegenerate the token in the Auris Console and update it in the IdP
404 Not FoundThe SCIM endpoint URL is incorrectVerify the connection ID in the URL matches the one shown in the Console
409 ConflictA user with this email already existsCheck if the user was manually created in Auris before SCIM provisioning started
400 Bad Request (attribute mapping)A required attribute is missing from the SCIM requestCheck the Attribute Mappings tab — ensure all required Auris fields have inbound mappings
500 Internal Server ErrorKeycloak is unreachableVerify Keycloak is running and accessible from the Auris API server

Debugging Tips

  1. Check the Statistics tab for error counts by time period
  2. Review the Audit Logs (Console → Logs) and filter by source SCIM to see detailed error messages
  3. Use the Test Connection button after any configuration change
  4. Verify the SCIM endpoint URL ends with a trailing slash — some IdPs require it

Permissions

PermissionDescription
manage:scim_connectionsCreate, edit, delete, and configure SCIM connections
view:scim_connectionsView SCIM connections, attribute mappings, and statistics
view:scim_logsView SCIM operation logs in the audit log