SCIM 2.0 Provisioning
SCIM (System for Cross-domain Identity Management) is a standardized protocol (RFC 7643/7644) that allows an external identity provider (IdP) to push user lifecycle events — create, update, disable, delete — to Auris automatically. Instead of administrators manually managing users in two systems, the IdP becomes the source of truth and Auris reflects its state in near real-time.
Auris implements SCIM 2.0 and is compatible with any IdP that supports the standard, including Okta, Microsoft Azure AD (Entra ID), OneLogin, JumpCloud, Google Workspace (via third-party SCIM bridge), and Ping Identity.
How SCIM Works
When SCIM is configured, the IdP acts as the SCIM client and Auris acts as the SCIM server (service provider).
The typical lifecycle:
- A new employee is added in Okta (or another IdP).
- Okta sends a
POST /scim/v2/Usersrequest to Auris with the employee’s attributes. - Auris creates the user in both its database and the underlying Keycloak realm.
- When the employee is disabled in Okta (e.g., after resignation), Okta sends a
PATCH /scim/v2/Users/[id]with"active": false. - Auris disables the user and invalidates all active sessions.
- When the employee record is deleted in Okta, Okta sends
DELETE /scim/v2/Users/[id]. - Auris soft-deletes the user.
This keeps Auris synchronized without any manual administrator intervention.
Setting Up a SCIM Connection
Create a SCIM connection in Auris
In the Admin Console, navigate to Settings → SCIM Connections and click “New Connection”.
Each connection generates:
- SCIM Base URL — The endpoint your IdP will call. Format:
https://auth.yourapp.com/scim/v2 - Bearer Token — A
scim_prefixed secret used to authenticate the IdP’s requests. Copy this token immediately — it is only shown once.
You can also create a connection via API:
/api/scim/connectionsRequires: manage:scim_connectionsCreates a new SCIM connection and returns the bearer token. The token is not stored in plaintext and cannot be retrieved again after creation.
{
"name": "Okta Production",
"keycloakRealm": "your-realm"
}Configure your IdP
In your identity provider’s SCIM configuration, enter:
- SCIM Connector Base URL:
https://auth.yourapp.com/scim/v2 - Unique Identifier Field for Users:
userName - Authentication Mode: HTTP Header
- Authorization:
Bearer scim_...
The exact steps differ by IdP. Consult your IdP’s SCIM setup documentation for provider-specific field names.
Okta
In Okta, navigate to Applications → [Your App] → Provisioning → Integration. Enable “Enable API integration” and enter the base URL and token. Under “To App”, enable Create, Update, and Deactivate.
Verify the connection
In the Auris Console, use the “Test Connection” button on the SCIM connection card. This sends a test request to verify Auris can receive authenticated SCIM requests.
You can also test connectivity from your IdP — most IdPs have a built-in “Test Connection” or “Verify” button in their SCIM configuration.
SCIM Endpoints
All SCIM endpoints are mounted under /scim/v2. They require a Bearer token that corresponds to an active SCIM connection. Standard SCIM Content-Type: application/scim+json is supported.
/scim/v2/UsersList users. Supports SCIM filtering, pagination (startIndex, count), and attribute selection (attributes, excludedAttributes).
/scim/v2/UsersCreate a user. Auris maps SCIM attributes to Auris user fields and creates the record in both Auris and Keycloak.
/scim/v2/Users/[id]Retrieve a single user by SCIM external ID.
/scim/v2/Users/[id]Replace all attributes of a user. Fields not included in the request body are cleared.
/scim/v2/Users/[id]Partially update a user using SCIM patch operations. Supports add, remove, and replace operations. Used by IdPs to update individual attributes or set active: false to disable a user.
/scim/v2/Users/[id]Deactivate and soft-delete a user. Sessions are revoked immediately.
/scim/v2/BulkProcess up to 100 SCIM operations in a single request. Each operation is processed independently — a failure on one operation does not affect the others.
SCIM endpoints authenticate via the connection bearer token, not via a user JWT. The manage:scim_connections permission controls access to the Auris management API for SCIM connections — the SCIM protocol endpoints themselves authenticate only via the bearer token.
Attribute Mapping
By default, Auris applies standard SCIM-to-Auris attribute mappings. You can customize these mappings per connection in the Console Mappings tab.
Default Mappings
| SCIM Attribute | Auris Field | Notes |
|---|---|---|
userName | username | Also stored as scimUserName for deduplication |
emails[0].value (primary) | email | |
name.givenName | firstName | |
name.familyName | lastName | |
active | enabled | false triggers immediate session revocation |
externalId | scimExternalId | Stored for stable cross-system linking |
Custom Mappings
Custom attribute mappings allow you to map non-standard SCIM attributes to Auris user fields. For example, if your IdP sends urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department and you want to store it in metadata.department.
/api/scim/connections/[id]/mappingsRequires: manage:scim_connectionsList all attribute mappings for a connection.
/api/scim/connections/[id]/mappingsRequires: manage:scim_connectionsCreate a custom attribute mapping.
{
"scimAttribute": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department",
"aurisAttribute": "metadata.department",
"direction": "INBOUND",
"isActive": true
}Mapping directions:
| Direction | Meaning |
|---|---|
INBOUND | SCIM attribute → Auris field (used during provisioning) |
OUTBOUND | Auris field → SCIM attribute (used when Auris is queried by IdP) |
BIDIRECTIONAL | Both directions |
Filter Support
Auris implements RFC 7644 §3.4.2.2 SCIM filtering. Most IdPs use filters to look up users before creating or updating them.
Supported operators:
| Operator | Meaning |
|---|---|
eq | Equal |
ne | Not equal |
co | Contains |
sw | Starts with |
ew | Ends with |
gt | Greater than |
lt | Less than |
ge | Greater than or equal |
le | Less than or equal |
pr | Attribute is present (not null) |
Example filters:
# Find user by email
/scim/v2/Users?filter=emails eq "[email protected]"
# Find by userName
/scim/v2/Users?filter=userName eq "alice"
# Find active users in a department (with enterprise schema extension)
/scim/v2/Users?filter=active eq true and urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department eq "engineering"Filters support and/or combinators and parentheses for grouping. Dot-notation attribute paths (e.g., name.givenName) are resolved correctly.
Sync Statistics
The Console provides a breakdown of SCIM sync activity per connection, viewable in the Stats tab of each connection detail page.
/api/scim/connections/[id]/statsRequires: manage:scim_connectionsReturns sync counts broken down by period (24h, 7d, 30d) and operation type (creates, updates, deletes, errors).
Response:
{
"periods": {
"24h": { "created": 12, "updated": 8, "deleted": 1, "errors": 0 },
"7d": { "created": 45, "updated": 33, "deleted": 4, "errors": 2 },
"30d": { "created": 180, "updated": 112, "deleted": 9, "errors": 5 }
}
}Bulk Operations
The SCIM Bulk endpoint allows an IdP to send up to 100 operations in a single HTTP request. This reduces network overhead during large provisioning events (e.g., an organization-wide directory sync).
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],
"Operations": [
{
"method": "POST",
"path": "/Users",
"bulkId": "bulk-1",
"data": {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName": "[email protected]",
"name": { "givenName": "New", "familyName": "User" },
"emails": [{ "value": "[email protected]", "primary": true }]
}
},
{
"method": "PATCH",
"path": "/Users/scim-ext-id-123",
"data": {
"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
"Operations": [{ "op": "replace", "path": "active", "value": false }]
}
}
]
}Bulk response:
{
"schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkResponse"],
"Operations": [
{ "method": "POST", "bulkId": "bulk-1", "status": { "code": 201 } },
{ "method": "PATCH", "location": "/scim/v2/Users/scim-ext-id-123", "status": { "code": 200 } }
]
}Required Permissions
| Operation | Permission |
|---|---|
| Create/update/delete SCIM connections | manage:scim_connections |
| View SCIM connections and stats | view:scim_connections |
| View SCIM activity logs | view:scim_logs |
| SCIM protocol endpoints | Bearer token (no Auris permission required) |
Related Pages
- Managing Users — Manual user management via API and Console
- User Import & Export — One-time bulk import from CSV or JSON
- Organizations: Enterprise SSO — Per-organization SSO for B2B customers
- Console: SCIM Connections — Full Console walkthrough