Skip to Content
GuidesUser ManagementSCIM 2.0 Provisioning

SCIM 2.0 Provisioning

SCIM (System for Cross-domain Identity Management) is a standardized protocol (RFC 7643/7644) that allows an external identity provider (IdP) to push user lifecycle events — create, update, disable, delete — to Auris automatically. Instead of administrators manually managing users in two systems, the IdP becomes the source of truth and Auris reflects its state in near real-time.

Auris implements SCIM 2.0 and is compatible with any IdP that supports the standard, including Okta, Microsoft Azure AD (Entra ID), OneLogin, JumpCloud, Google Workspace (via third-party SCIM bridge), and Ping Identity.


How SCIM Works

When SCIM is configured, the IdP acts as the SCIM client and Auris acts as the SCIM server (service provider).

The typical lifecycle:

  1. A new employee is added in Okta (or another IdP).
  2. Okta sends a POST /scim/v2/Users request to Auris with the employee’s attributes.
  3. Auris creates the user in both its database and the underlying Keycloak realm.
  4. When the employee is disabled in Okta (e.g., after resignation), Okta sends a PATCH /scim/v2/Users/[id] with "active": false.
  5. Auris disables the user and invalidates all active sessions.
  6. When the employee record is deleted in Okta, Okta sends DELETE /scim/v2/Users/[id].
  7. Auris soft-deletes the user.

This keeps Auris synchronized without any manual administrator intervention.


Setting Up a SCIM Connection

Create a SCIM connection in Auris

In the Admin Console, navigate to Settings → SCIM Connections and click “New Connection”.

Each connection generates:

  • SCIM Base URL — The endpoint your IdP will call. Format: https://auth.yourapp.com/scim/v2
  • Bearer Token — A scim_ prefixed secret used to authenticate the IdP’s requests. Copy this token immediately — it is only shown once.

You can also create a connection via API:

POST/api/scim/connectionsRequires: manage:scim_connections

Creates a new SCIM connection and returns the bearer token. The token is not stored in plaintext and cannot be retrieved again after creation.

{ "name": "Okta Production", "keycloakRealm": "your-realm" }

Configure your IdP

In your identity provider’s SCIM configuration, enter:

  • SCIM Connector Base URL: https://auth.yourapp.com/scim/v2
  • Unique Identifier Field for Users: userName
  • Authentication Mode: HTTP Header
  • Authorization: Bearer scim_...

The exact steps differ by IdP. Consult your IdP’s SCIM setup documentation for provider-specific field names.

In Okta, navigate to Applications → [Your App] → Provisioning → Integration. Enable “Enable API integration” and enter the base URL and token. Under “To App”, enable Create, Update, and Deactivate.

Verify the connection

In the Auris Console, use the “Test Connection” button on the SCIM connection card. This sends a test request to verify Auris can receive authenticated SCIM requests.

You can also test connectivity from your IdP — most IdPs have a built-in “Test Connection” or “Verify” button in their SCIM configuration.


SCIM Endpoints

All SCIM endpoints are mounted under /scim/v2. They require a Bearer token that corresponds to an active SCIM connection. Standard SCIM Content-Type: application/scim+json is supported.

GET/scim/v2/Users

List users. Supports SCIM filtering, pagination (startIndex, count), and attribute selection (attributes, excludedAttributes).

POST/scim/v2/Users

Create a user. Auris maps SCIM attributes to Auris user fields and creates the record in both Auris and Keycloak.

GET/scim/v2/Users/[id]

Retrieve a single user by SCIM external ID.

PUT/scim/v2/Users/[id]

Replace all attributes of a user. Fields not included in the request body are cleared.

PATCH/scim/v2/Users/[id]

Partially update a user using SCIM patch operations. Supports add, remove, and replace operations. Used by IdPs to update individual attributes or set active: false to disable a user.

DELETE/scim/v2/Users/[id]

Deactivate and soft-delete a user. Sessions are revoked immediately.

POST/scim/v2/Bulk

Process up to 100 SCIM operations in a single request. Each operation is processed independently — a failure on one operation does not affect the others.

SCIM endpoints authenticate via the connection bearer token, not via a user JWT. The manage:scim_connections permission controls access to the Auris management API for SCIM connections — the SCIM protocol endpoints themselves authenticate only via the bearer token.


Attribute Mapping

By default, Auris applies standard SCIM-to-Auris attribute mappings. You can customize these mappings per connection in the Console Mappings tab.

Default Mappings

SCIM AttributeAuris FieldNotes
userNameusernameAlso stored as scimUserName for deduplication
emails[0].value (primary)email
name.givenNamefirstName
name.familyNamelastName
activeenabledfalse triggers immediate session revocation
externalIdscimExternalIdStored for stable cross-system linking

Custom Mappings

Custom attribute mappings allow you to map non-standard SCIM attributes to Auris user fields. For example, if your IdP sends urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department and you want to store it in metadata.department.

GET/api/scim/connections/[id]/mappingsRequires: manage:scim_connections

List all attribute mappings for a connection.

POST/api/scim/connections/[id]/mappingsRequires: manage:scim_connections

Create a custom attribute mapping.

{ "scimAttribute": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department", "aurisAttribute": "metadata.department", "direction": "INBOUND", "isActive": true }

Mapping directions:

DirectionMeaning
INBOUNDSCIM attribute → Auris field (used during provisioning)
OUTBOUNDAuris field → SCIM attribute (used when Auris is queried by IdP)
BIDIRECTIONALBoth directions

Filter Support

Auris implements RFC 7644 §3.4.2.2 SCIM filtering. Most IdPs use filters to look up users before creating or updating them.

Supported operators:

OperatorMeaning
eqEqual
neNot equal
coContains
swStarts with
ewEnds with
gtGreater than
ltLess than
geGreater than or equal
leLess than or equal
prAttribute is present (not null)

Example filters:

# Find user by email /scim/v2/Users?filter=emails eq "[email protected]" # Find by userName /scim/v2/Users?filter=userName eq "alice" # Find active users in a department (with enterprise schema extension) /scim/v2/Users?filter=active eq true and urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department eq "engineering"

Filters support and/or combinators and parentheses for grouping. Dot-notation attribute paths (e.g., name.givenName) are resolved correctly.


Sync Statistics

The Console provides a breakdown of SCIM sync activity per connection, viewable in the Stats tab of each connection detail page.

GET/api/scim/connections/[id]/statsRequires: manage:scim_connections

Returns sync counts broken down by period (24h, 7d, 30d) and operation type (creates, updates, deletes, errors).

Response:

{ "periods": { "24h": { "created": 12, "updated": 8, "deleted": 1, "errors": 0 }, "7d": { "created": 45, "updated": 33, "deleted": 4, "errors": 2 }, "30d": { "created": 180, "updated": 112, "deleted": 9, "errors": 5 } } }

Bulk Operations

The SCIM Bulk endpoint allows an IdP to send up to 100 operations in a single HTTP request. This reduces network overhead during large provisioning events (e.g., an organization-wide directory sync).

{ "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"], "Operations": [ { "method": "POST", "path": "/Users", "bulkId": "bulk-1", "data": { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "userName": "[email protected]", "name": { "givenName": "New", "familyName": "User" }, "emails": [{ "value": "[email protected]", "primary": true }] } }, { "method": "PATCH", "path": "/Users/scim-ext-id-123", "data": { "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations": [{ "op": "replace", "path": "active", "value": false }] } } ] }

Bulk response:

{ "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkResponse"], "Operations": [ { "method": "POST", "bulkId": "bulk-1", "status": { "code": 201 } }, { "method": "PATCH", "location": "/scim/v2/Users/scim-ext-id-123", "status": { "code": 200 } } ] }

Required Permissions

OperationPermission
Create/update/delete SCIM connectionsmanage:scim_connections
View SCIM connections and statsview:scim_connections
View SCIM activity logsview:scim_logs
SCIM protocol endpointsBearer token (no Auris permission required)