SCIM Provisioning
Note
The SCIM feature is available since version 1.71 for On-premise installations only. If you're interested in using this feature in the SaaS version at www.theidentityhub.com, please contact us.
Introduction
The Identity Hub supports System for Cross-domain Identity Management (SCIM) (https://datatracker.ietf.org/doc/html/rfc7643) for automatic account management within an account provider. This means that account providers which support SCIM can have their accounts provisioned and updated automatically, without requiring the user to log on. Once SCIM is enabled on your account provider, the identity provider can additionally use the SCIM protocol to synchronize its users and groups.
Glossary
- SCIM: System for Cross-domain Identity Management is an open standard protocol (RFC7643 - https://datatracker.ietf.org/doc/html/rfc7643) for automating user management.
- Service Provider: In the RFC's terminology, the service provider is The Identity Hub. It receives information from a provisioning client and applies it to the users stored in The Identity Hub. A Service Provider is scoped to the account provider for which SCIM is enabled, so it only allows management of users within that account provider.
- Provisioning Client: The Provisioning Client is the client application that communicates with the Service Provider to keep the user information synchronized. This will typically be a client that is linked to the identity provider configured in the account provider. Examples of such provisioning clients include Microsoft Entra ID (Azure AD), Okta, Google Workspace, and AWS IAM Identity Center (AWS Single Sign-On).
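To make the Introduction and the glossary roles concrete, here is an added example (not code from The Identity Hub or its documentation) of the check a Service Provider performs on an inbound SCIM 2.0 User resource before provisioning the account. The attribute names and schema URNs come from RFC 7643 (core User schema) and the error body format from RFC 7644; the sample request body, the external id value and the function names are constructed for illustration and are not The Identity Hub's API.

```python
"""
Added example: defensive validation of an inbound SCIM 2.0 User resource,
as a Service Provider would apply it before creating or updating an account.
Attribute names and URNs follow RFC 7643 / RFC 7644; the sample payload and
function names are constructed for this example only.
"""
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status, detail, scim_type=None):
    """Build a SCIM error response body (RFC 7644 section 3.12)."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return body


def validate_scim_user(payload):
    """Return (normalized_user, None) on success or (None, error_body) on failure.

    Checks performed (all derived from RFC 7643):
      - 'schemas' must be a list containing the core User schema URN
      - 'userName' is REQUIRED and must be a non-empty string
      - 'active', when present, must be a boolean
      - 'emails', when present, must be a list of {"value": str, ...} objects
    """
    if not isinstance(payload, dict):
        return None, scim_error(400, "Request body must be a JSON object", "invalidSyntax")

    schemas = payload.get("schemas")
    if not isinstance(schemas, list) or USER_SCHEMA not in schemas:
        return None, scim_error(400, "Missing core User schema in 'schemas'", "invalidValue")

    user_name = payload.get("userName")
    if not isinstance(user_name, str) or not user_name.strip():
        return None, scim_error(400, "'userName' is required", "invalidValue")

    active = payload.get("active", True)
    if not isinstance(active, bool):
        return None, scim_error(400, "'active' must be a boolean", "invalidValue")

    emails = []
    for entry in payload.get("emails", []):
        if not isinstance(entry, dict) or not isinstance(entry.get("value"), str):
            return None, scim_error(400, "Each 'emails' entry needs a string 'value'", "invalidValue")
        emails.append({"value": entry["value"], "primary": bool(entry.get("primary", False))})

    # externalId is the provisioning client's own identifier for the user;
    # keeping it lets the Service Provider correlate later updates.
    normalized = {
        "userName": user_name.strip(),
        "active": active,
        "emails": emails,
        "externalId": payload.get("externalId"),
    }
    return normalized, None


# Constructed sample request body, shaped like what a provisioning client
# (such as Entra ID or Okta) would POST to a SCIM /Users endpoint.
SAMPLE_USER_JSON = json.dumps({
    "schemas": [USER_SCHEMA],
    "externalId": "constructed-external-id-1",
    "userName": "alice@example.com",
    "active": True,
    "emails": [{"value": "alice@example.com", "primary": True}],
})


def process_sample():
    """Parse and validate the constructed sample; returns the validator's result."""
    return validate_scim_user(json.loads(SAMPLE_USER_JSON))


if __name__ == "__main__":
    user, err = process_sample()
    print(json.dumps(user if err is None else err, indent=2))
```

Rejecting a payload that lacks the core User schema URN or a `userName`, and answering with the RFC 7644 error body, is what keeps a misconfigured or hostile provisioning client from creating half-formed accounts; the `active` flag is the attribute a client flips to deprovision a user, so its type is checked before it is trusted.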
Requirements
In order to enable SCIM provisioning on an account provider, the following is required:
- The Identity Hub v1.71 or later.
- Licensed SCIM module.
- SCIM enabled on The Identity Hub (On-premise only); SCIM is not yet enabled in the cloud version.
- A TIH account provider that supports SCIM provisioning (Office365, SAML-P, WsFed).
- A provisioning client that supports SCIM v2.
Getting started
To configure SCIM on an account provider that supports it, navigate to the account provider configuration page; in the navigation you will find a link to the SCIM configuration. If the SCIM configuration has not been activated before, you will be asked whether you would like to activate it. Once activated, the SCIM Service Provider for this account provider can be further configured.
Note
If SCIM is missing from the menu, this might be caused by one of the requirements not being met.
Once the SCIM configuration is activated you can further configure it to allow a provisioning client to connect.
Supported APIs
The Identity Hub supports the following SCIM APIs: