SCIM Provisioning
SCIM (System for Cross-domain Identity Management) 2.0 allows enterprise identity providers to automatically provision and deprovision users in Auris. When an employee is added in Okta, Azure AD, or another SCIM-compatible IdP, a user account is automatically created in Auris. When the employee is removed from the IdP, their Auris account is deactivated.
This eliminates manual user creation and ensures that access is revoked promptly when employees leave the organization — a critical requirement for SOC 2, ISO 27001, and other compliance frameworks.
Access via Console → Settings → SCIM Provisioning.
Creating a SCIM Connection
Open SCIM Provisioning
Go to Console → Settings → SCIM Provisioning and click Create Connection.
Enter connection details
| Field | Required | Description |
|---|---|---|
| Connection Name | Yes | A descriptive name for administrative reference (for example, “Okta Production”, “Azure AD Staging”) |
| Keycloak Realm | Yes | The Keycloak realm this connection provisions users into. Each connection maps to a single realm. |
Copy the SCIM endpoint and token
After saving, Auris generates:
- SCIM Endpoint URL — The base URL for SCIM operations. Format:
https://auth.yourdomain.com/api/scim/v2/{connectionId}/ - Bearer Token — The authentication token your IdP uses to authenticate SCIM requests
Copy both values. You will need them to configure the connection in your identity provider.
Configure the connection in your IdP
In your identity provider (Okta, Azure AD, OneLogin, etc.):
- Create a new SCIM provisioning integration
- Paste the SCIM Endpoint URL as the base URL / tenant URL
- Paste the Bearer Token as the API token / secret token
- Set the authentication method to Bearer Token / OAuth Bearer
- Enable provisioning features: Create Users, Update User Attributes, Deactivate Users
Test the connection
Back in the Auris Console, click Test Connection to verify that the IdP can reach the SCIM endpoint and authenticate successfully. Auris sends a test request and reports the result.
The Bearer Token is shown only once when the connection is created. Store it securely. If you lose the token, click Regenerate Token on the connection detail page — this invalidates the previous token immediately.
Connection List
The SCIM Provisioning page shows all connections in a table:
| Column | Description |
|---|---|
| Name | Connection name |
| Status | Active (green), Inactive (gray), or Error (red) |
| Realm | The Keycloak realm this connection provisions into |
| Last Sync | Timestamp of the most recent SCIM operation received |
| Users Provisioned | Total number of users created through this connection |
| Errors | Count of failed operations in the last 30 days |
Click any connection to open its detail page.
Connection Detail Page
The connection detail page has three tabs: Overview, Attribute Mappings, and Statistics.
Overview Tab
The Overview tab shows the connection configuration and status:
| Field | Description |
|---|---|
| Connection Name | Editable name |
| SCIM Endpoint URL | Read-only. Copy to clipboard with the copy icon. |
| Bearer Token | Masked. Click Regenerate Token to create a new token (invalidates the old one). |
| Status | Active or Inactive. Toggle the Enable switch to activate or deactivate the connection. |
| Created At | When the connection was created |
| Last Activity | Timestamp of the most recent successful SCIM operation |
Attribute Mappings Tab
Attribute mappings control how SCIM user attributes are translated to Auris user fields. Auris provides sensible defaults that work for most identity providers.
Default Mappings
| SCIM Attribute | Auris Field | Direction |
|---|---|---|
userName | email | Inbound |
name.givenName | firstName | Both |
name.familyName | lastName | Both |
active | enabled | Inbound |
externalId | scimExternalId | Inbound |
Custom Mappings
Click Add Mapping to create a custom attribute mapping:
| Field | Description |
|---|---|
| SCIM Attribute | The SCIM schema attribute path (for example, urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department) |
| Auris Attribute | The Auris user field or metadata key to map to |
| Direction | Inbound (IdP to Auris), Outbound (Auris to IdP), or Both |
| Active | Whether this mapping is currently applied |
To edit an existing mapping, click the row. To delete a mapping, click the trash icon. Default mappings cannot be deleted but can be deactivated.
Statistics Tab
The Statistics tab shows provisioning activity broken down by time period:
| Period | Users Created | Users Updated | Users Deactivated | Errors |
|---|---|---|---|---|
| Last 24 Hours | count | count | count | count |
| Last 7 Days | count | count | count | count |
| Last 30 Days | count | count | count | count |
Supported SCIM Operations
Auris implements the following SCIM 2.0 operations per RFC 7644:
| Operation | HTTP Method | Endpoint | Description |
|---|---|---|---|
| List Users | GET | /Users | List provisioned users with optional filtering and pagination |
| Get User | GET | /Users/:id | Retrieve a specific user by SCIM ID |
| Create User | POST | /Users | Provision a new user account |
| Replace User | PUT | /Users/:id | Full replacement of user attributes |
| Patch User | PATCH | /Users/:id | Partial update of specific attributes |
| Delete User | DELETE | /Users/:id | Deprovision the user (sets active: false in Auris — soft delete) |
| Bulk Operations | POST | /Bulk | Batch multiple operations in a single request (max 100 operations per request) |
/api/scim/v2/{connectionId}/Users/api/scim/v2/{connectionId}/Users/api/scim/v2/{connectionId}/BulkSCIM Filtering
Auris supports the SCIM filter syntax defined in RFC 7644 Section 3.4.2.2. This allows identity providers to query for specific users based on attribute values.
Supported Operators
| Operator | Example | Description |
|---|---|---|
eq | userName eq "[email protected]" | Equals |
ne | active ne false | Not equals |
co | name.familyName co "Smi" | Contains |
sw | userName sw "alice" | Starts with |
ew | userName ew "@example.com" | Ends with |
gt | meta.lastModified gt "2025-01-01" | Greater than |
lt | meta.lastModified lt "2025-06-01" | Less than |
ge | meta.created ge "2025-01-01" | Greater than or equal |
le | meta.created le "2025-12-31" | Less than or equal |
pr | name.givenName pr | Present (attribute has a value) |
Combinators
Filters can be combined with and / or and grouped with parentheses:
userName eq "[email protected]" and active eq true
(name.givenName co "Al") or (name.familyName co "Sm")Dot-Notation Attribute Paths
Nested attributes are accessed using dot notation: name.givenName, name.familyName, meta.lastModified.
Provisioning Direction
SCIM provisioning in Auris is inbound-only (IdP to Auris). User changes made directly in the Auris Console or via the Auris API do not sync back to the identity provider. The IdP remains the source of truth for user lifecycle management.
This means:
- Creating a user in Okta creates the user in Auris
- Disabling a user in Azure AD deactivates the user in Auris
- Changing a user’s name directly in the Auris Console does not update the user in the IdP
- If the IdP sends an update that conflicts with a manual change in Auris, the IdP update wins
Troubleshooting
Common Issues
| Error | Cause | Resolution |
|---|---|---|
401 Unauthorized | The Bearer Token is invalid, expired, or missing | Regenerate the token in the Auris Console and update it in the IdP |
404 Not Found | The SCIM endpoint URL is incorrect | Verify the connection ID in the URL matches the one shown in the Console |
409 Conflict | A user with this email already exists | Check if the user was manually created in Auris before SCIM provisioning started |
400 Bad Request (attribute mapping) | A required attribute is missing from the SCIM request | Check the Attribute Mappings tab — ensure all required Auris fields have inbound mappings |
500 Internal Server Error | Keycloak is unreachable | Verify Keycloak is running and accessible from the Auris API server |
Debugging Tips
- Check the Statistics tab for error counts by time period
- Review the Audit Logs (Console → Logs) and filter by source
SCIMto see detailed error messages - Use the Test Connection button after any configuration change
- Verify the SCIM endpoint URL ends with a trailing slash — some IdPs require it
Permissions
| Permission | Description |
|---|---|
manage:scim_connections | Create, edit, delete, and configure SCIM connections |
view:scim_connections | View SCIM connections, attribute mappings, and statistics |
view:scim_logs | View SCIM operation logs in the audit log |
Related Guides
- SCIM Provisioning Setup — Step-by-step IdP configuration guides for Okta, Azure AD, and OneLogin
- Users & Roles — Managing users and roles in the Console
- Enterprise SSO — Configure SAML/OIDC single sign-on alongside SCIM provisioning
- Logs & Compliance — Audit logs for SCIM operations