# SCIM Provisioning

Automate user provisioning and deprovisioning from your identity provider using the SCIM 2.0 protocol.

***

## Overview

Adaptive implements the **SCIM 2.0 standard (RFC 7644)** for automated user lifecycle management. Connect your identity provider's SCIM client to Adaptive and user accounts are automatically created, updated, suspended, and removed as changes happen in your directory.

SCIM provisioning is available on the **Enterprise plan** and works alongside [SSO & SAML](/platform/sso-saml.md) for a complete enterprise identity solution.

***

## How SCIM Works

1. **Configure** — Set the SCIM endpoint URL and bearer token in your identity provider
2. **Provision** — When users are assigned in your IdP, accounts are automatically created in Adaptive
3. **Sync** — Profile updates (name, email) propagate automatically
4. **Deprovision** — When users are removed in your IdP, their Adaptive accounts are suspended or deleted

***

## Configuration

### SCIM Endpoint

```
Base URL: https://your-domain.adaptive.app/scim/v2
```

### Authentication

SCIM uses a static **Bearer token** for authentication. Configure the same token in both Adaptive and your identity provider:

* **Adaptive**: Set the `SCIM_API_TOKEN` environment variable
* **IdP**: Enter the token in the SCIM provisioning settings

### Required Environment Variables

| Variable          | Description                                 |
| ----------------- | ------------------------------------------- |
| `SCIM_API_TOKEN`  | Shared bearer token for SCIM authentication |
| `SCIM_ORG_ID`     | Organization UUID to provision users into   |
| `SUPABASE_URL`    | Supabase instance URL                       |
| `SUPABASE_SECRET` | Supabase admin API key                      |

***

## User Lifecycle

### Provisioning (Create)

When a user is assigned in your IdP, SCIM creates their Adaptive account:

* Account is created with email confirmation pre-approved
* User is added to the organization with the **Member** role
* The `externalId` from your IdP is stored for future reference

### Updates

Profile changes in your IdP propagate to Adaptive:

* Email address
* Display name (given name, family name)
* External ID

### Suspension

When a user is deactivated in your IdP, SCIM suspends their Adaptive account:

* The user cannot log in while suspended
* All existing sessions and data are preserved
* Reactivation in the IdP restores access immediately

### Deprovisioning (Delete)

When a user is fully removed via SCIM:

* The user's organization membership is removed
* Organization owners cannot be deprovisioned via SCIM

***

## Supported Operations

### User Endpoints

| Method | Path                  | Description               |
| ------ | --------------------- | ------------------------- |
| GET    | `/scim/v2/Users`      | List or filter users      |
| GET    | `/scim/v2/Users/{id}` | Get a single user         |
| POST   | `/scim/v2/Users`      | Create a new user         |
| PUT    | `/scim/v2/Users/{id}` | Full user replacement     |
| PATCH  | `/scim/v2/Users/{id}` | Partial update (RFC 6902) |
| DELETE | `/scim/v2/Users/{id}` | Remove a user             |

### Discovery Endpoints

| Method | Path                             | Description                    |
| ------ | -------------------------------- | ------------------------------ |
| GET    | `/scim/v2/ServiceProviderConfig` | SCIM capabilities and features |
| GET    | `/scim/v2/ResourceTypes`         | Available resource types       |
| GET    | `/scim/v2/Schemas`               | SCIM schema definitions        |

### Filtering

The Users endpoint supports SCIM filtering:

```
GET /scim/v2/Users?filter=userName eq "user@example.com"
```

Pagination parameters: `startIndex` (default: 1), `count` (default: 100, max: 500).
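
A periodic reconciliation check built on the filter and pagination parameters above, shown as an added example (not Adaptive's own code): it builds a safely escaped `userName` filter URL, walks the `startIndex`/`count` pages, and reports accounts that are still active in Adaptive but missing from the IdP roster. The `fetch_page` hook is a hypothetical stand-in for the authenticated GET, the response fields follow the RFC 7644 ListResponse format, and the sample users are constructed.

```python
import json
from urllib.parse import quote, urlencode

BASE_URL = "https://your-domain.adaptive.app/scim/v2"  # placeholder host from this page
MAX_COUNT = 500  # documented maximum page size

def user_filter_url(user_name, base=BASE_URL):
    """URL for an exact userName lookup. json.dumps escapes quotes and
    backslashes so the value cannot break out of the filter's string literal."""
    query = urlencode({"filter": f"userName eq {json.dumps(user_name)}"}, quote_via=quote)
    return f"{base}/Users?{query}"

def list_all_users(fetch_page, count=100):
    """Walk the 1-based startIndex/count pagination until totalResults is reached.
    fetch_page(start_index, count) is a hypothetical hook that performs the
    authenticated GET and returns the parsed ListResponse as a dict."""
    count = max(1, min(count, MAX_COUNT))
    users, start = [], 1
    while True:
        page = fetch_page(start, count)
        resources = page.get("Resources", [])
        users.extend(resources)
        start += len(resources)
        if not resources or start > page.get("totalResults", 0):
            return users

def reconcile(scim_users, idp_active):
    """Return userNames still active in Adaptive but absent from the IdP roster."""
    roster = {name.lower() for name in idp_active}
    return sorted(u["userName"] for u in scim_users
                  if u.get("active", True) and u["userName"].lower() not in roster)

# Constructed sample data standing in for live SCIM responses.
SAMPLE_USERS = [
    {"id": "1", "userName": "alice@example.com", "active": True, "externalId": "a1"},
    {"id": "2", "userName": "bob@example.com", "active": False, "externalId": "b2"},
    {"id": "3", "userName": "carol@example.com", "active": True, "externalId": "c3"},
]

def sample_fetch(start_index, count):
    chunk = SAMPLE_USERS[start_index - 1:start_index - 1 + count]
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
            "totalResults": len(SAMPLE_USERS), "startIndex": start_index,
            "itemsPerPage": len(chunk), "Resources": chunk}

if __name__ == "__main__":
    print(user_filter_url("user@example.com"))
    print(reconcile(list_all_users(sample_fetch, count=2), ["alice@example.com"]))
```

Any `userName` returned by `reconcile` is an account that SCIM deprovisioning should have suspended or removed and is worth checking against the audit log.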

***

## User Schema

SCIM user resources include the following attributes:

| Attribute         | Type    | Required | Description                           |
| ----------------- | ------- | -------- | ------------------------------------- |
| `userName`        | String  | Yes      | Email address (unique identifier)     |
| `name.givenName`  | String  | No       | First name                            |
| `name.familyName` | String  | No       | Last name                             |
| `name.formatted`  | String  | No       | Full display name                     |
| `emails[].value`  | String  | No       | Email (alternative to userName)       |
| `active`          | Boolean | No       | Account active status (default: true) |
| `displayName`     | String  | No       | Display name                          |
| `externalId`      | String  | No       | IdP-assigned identifier               |

***

## SCIM Capabilities

| Feature          | Supported             |
| ---------------- | --------------------- |
| Patch operations | Yes                   |
| Bulk operations  | No                    |
| Filtering        | Yes (max 500 results) |
| Password changes | No                    |
| Sorting          | No                    |
| ETags            | No                    |

***

## Audit Trail

All SCIM operations are recorded in the audit log:

| Action                    | Trigger                            |
| ------------------------- | ---------------------------------- |
| `SCIM_USER_PROVISIONED`   | New user created via SCIM          |
| `SCIM_USER_UPDATED`       | User profile updated via SCIM      |
| `SCIM_USER_DEPROVISIONED` | User suspended or removed via SCIM |

***

## Supported Identity Providers

Any SCIM 2.0-compliant identity provider works with Adaptive:

* **Okta** — Provisioning > To App > Enable SCIM
* **Azure AD (Entra ID)** — Enterprise App > Provisioning > Automatic
* **Google Workspace** — Admin Console > Apps > Auto-provisioning
* **OneLogin** — Provisioning > Enable SCIM
* **JumpCloud** — Identity Management > SCIM

***

## See Also

* [SSO & SAML](/platform/sso-saml.md) — Corporate single sign-on configuration
* [Security & Data Handling](/technical-how-it-works/security.md) — RBAC and organization isolation


