SCIM 2.0 Provisioning
SCIM 2.0 (System for Cross-domain Identity Management) is an IETF standard for provisioning users and groups over HTTP + JSON. It is defined by RFC 7643 — SCIM Core Schema (which defines the User and Group JSON resources) and RFC 7644 — SCIM Protocol (which defines the GET/POST/PUT/PATCH/DELETE /Users and /Groups HTTP API, plus filter, sort, and pagination). LumoAuth accepts inbound SCIM calls so an upstream IdP (Okta, Azure AD, OneLogin, HR systems) can keep users and groups in sync automatically.
What is SCIM?
SCIM enables automatic user lifecycle management:
- Provisioning - Automatically create users when they're added in your IdP (Okta, Azure AD, etc.)
- Deprovisioning - Automatically disable or delete users when they're removed
- Sync - Keep user attributes in sync between your IdP and LumoAuth
- Group sync - Synchronize group memberships
SCIM Endpoints
LumoAuth exposes SCIM 2.0 endpoints per organization:
| Endpoint | Method | Purpose |
|---|---|---|
| /orgs/{orgId}/api/v1/scim/v2/Users | GET | List users |
| /orgs/{orgId}/api/v1/scim/v2/Users | POST | Create a user |
| /orgs/{orgId}/api/v1/scim/v2/Users/{id} | GET | Get a user |
| /orgs/{orgId}/api/v1/scim/v2/Users/{id} | PUT | Replace a user |
| /orgs/{orgId}/api/v1/scim/v2/Users/{id} | PATCH | Update a user |
| /orgs/{orgId}/api/v1/scim/v2/Users/{id} | DELETE | Delete a user |
| /orgs/{orgId}/api/v1/scim/v2/Groups | GET | List groups |
| /orgs/{orgId}/api/v1/scim/v2/Groups | POST | Create a group |
| /orgs/{orgId}/api/v1/scim/v2/Groups/{id} | GET | Get a group |
| /orgs/{orgId}/api/v1/scim/v2/Groups/{id} | PATCH | Update group membership |
| /orgs/{orgId}/api/v1/scim/v2/Groups/{id} | DELETE | Delete a group |
| /orgs/{orgId}/api/v1/scim/v2/ServiceProviderConfig | GET | SCIM capabilities |
| /orgs/{orgId}/api/v1/scim/v2/Schemas | GET | Supported schemas |
Setting Up SCIM
1. Generate a SCIM Token
- Go to /orgs/{orgId}/portal/applications
- Create a machine-to-machine application for SCIM
- Generate a bearer token for SCIM authentication
2. Configure Your IdP
Provide your IdP with:
| Setting | Value |
|---|---|
| SCIM Base URL | https://your-domain.com/orgs/{orgId}/api/v1/scim/v2 |
| Authentication | Bearer {scim_token} |
| Unique Identifier | userName (email) |
Okta SCIM Setup
- In Okta, open your LumoAuth application → Provisioning
- Click Configure API Integration
- Enter the SCIM Base URL and token
- Enable: Create Users, Update User Attributes, Deactivate Users
Azure AD SCIM Setup
- In Azure AD → Enterprise Applications → Your App → Provisioning
- Set Provisioning Mode to Automatic
- Enter the Organization URL (SCIM base URL) and Secret Token
- Test connection and start provisioning
User Schema
SCIM user resources map to LumoAuth users:
| SCIM Attribute | LumoAuth Field |
|---|---|
| userName | Email (unique identifier) |
| name.givenName | First name |
| name.familyName | Last name |
| emails[0].value | Email |
| phoneNumbers[0].value | Phone |
| active | Account active status |
| externalId | External IdP identifier |
Create User Request
```http
POST /orgs/{orgId}/api/v1/scim/v2/Users
Authorization: Bearer {scim_token}
Content-Type: application/scim+json

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "alice@acme.com",
  "name": {
    "givenName": "Alice",
    "familyName": "Smith"
  },
  "emails": [
    {
      "value": "alice@acme.com",
      "primary": true
    }
  ],
  "active": true,
  "externalId": "okta-user-id-123"
}
```
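The following is an added example, not LumoAuth's own code: a minimal in-memory handler for the create-user request above, showing the three checks a SCIM service provider performs before touching an account (bearer-token check in constant time, schema/required-attribute validation, and the uniqueness check on userName that RFC 7644 reports as a 409), followed by the attribute mapping from the User Schema table. The store layout, the account field names (email, first_name, and so on) and the sample token are assumptions made for this example.

```python
# Added example (not LumoAuth's own code): a minimal in-memory handler for
# POST .../scim/v2/Users showing the checks a SCIM service provider makes
# before mapping the resource onto the fields in the User Schema table.
# The store shape, the error helper and the account field names
# (email, first_name, ...) are assumptions made for this example.
import hmac
import uuid
from typing import Dict, List, Optional, Tuple

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def authorize(headers: Dict[str, str], expected_token: str) -> bool:
    """Check the IdP's bearer token with a constant-time comparison."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth[len("Bearer "):], expected_token)


def primary_email(resource: Dict) -> Optional[str]:
    """Prefer the entry flagged primary, else fall back to emails[0].value."""
    emails = resource.get("emails") or []
    for entry in emails:
        if entry.get("primary") and entry.get("value"):
            return entry["value"]
    return emails[0].get("value") if emails else None


def validate_user(resource: Dict) -> List[str]:
    """Return the problems found; an empty list means the resource is acceptable."""
    problems = []
    if USER_SCHEMA not in resource.get("schemas", []):
        problems.append(f"schemas must include {USER_SCHEMA}")
    if not resource.get("userName"):
        problems.append("userName is required")
    if not isinstance(resource.get("active", True), bool):
        problems.append("active must be a boolean")
    return problems


def map_user(resource: Dict) -> Dict:
    """Map SCIM attributes onto account fields, following the User Schema table."""
    name = resource.get("name") or {}
    phones = resource.get("phoneNumbers") or []
    return {
        "email": resource["userName"],               # userName (unique identifier)
        "first_name": name.get("givenName"),         # name.givenName
        "last_name": name.get("familyName"),         # name.familyName
        "contact_email": primary_email(resource),    # emails[0].value
        "phone": phones[0].get("value") if phones else None,  # phoneNumbers[0].value
        "active": resource.get("active", True),      # active
        "external_id": resource.get("externalId"),   # externalId
    }


def scim_error(status: int, detail: str, scim_type: Optional[str] = None) -> Dict:
    """Build an RFC 7644 error body; 'status' is a string in SCIM error responses."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return body


def create_user(store: Dict, headers: Dict[str, str], body: Dict, token: str) -> Tuple[int, Dict]:
    """Handle POST /Users for one org. Returns (HTTP status, response body)."""
    if not authorize(headers, token):
        return 401, scim_error(401, "invalid bearer token")
    problems = validate_user(body)
    if problems:
        return 400, scim_error(400, "; ".join(problems), "invalidValue")
    if any(u["email"].lower() == body["userName"].lower() for u in store.values()):
        # RFC 7644 3.3: a duplicate unique attribute is a 409 with scimType "uniqueness"
        return 409, scim_error(409, "userName already exists", "uniqueness")
    user_id = str(uuid.uuid4())
    store[user_id] = map_user(body)
    # Echo the resource back with the server-assigned id and meta, as the IdP expects
    location = f"/orgs/{{orgId}}/api/v1/scim/v2/Users/{user_id}"  # {orgId} left as a placeholder
    response = dict(body, id=user_id, meta={"resourceType": "User", "location": location})
    return 201, response


if __name__ == "__main__":
    # Constructed sample: the token and request body are made up for this example
    TOKEN = "example-scim-token"
    users: Dict = {}
    req = {"schemas": [USER_SCHEMA], "userName": "alice@acme.com",
           "name": {"givenName": "Alice", "familyName": "Smith"},
           "emails": [{"value": "alice@acme.com", "primary": True}],
           "active": True, "externalId": "okta-user-id-123"}
    print(create_user(users, {"Authorization": f"Bearer {TOKEN}"}, req, TOKEN))
    print(create_user(users, {"Authorization": f"Bearer {TOKEN}"}, req, TOKEN)[0])  # second call: 409
```

The uniqueness check matters operationally: IdPs retry failed provisioning, and a 409 with scimType "uniqueness" tells the IdP to reconcile against the existing record instead of creating a duplicate account.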
Group Provisioning
SCIM groups map to LumoAuth groups:
```http
POST /orgs/{orgId}/api/v1/scim/v2/Groups
Authorization: Bearer {scim_token}
Content-Type: application/scim+json

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "displayName": "Engineering",
  "members": [
    {"value": "user-uuid-1"},
    {"value": "user-uuid-2"}
  ]
}
```
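Membership changes after the group exists arrive as PATCH requests carrying an RFC 7644 PatchOp message, and the same message shape is what an IdP sends to deactivate a user (replace active with false). The block below is an added example, not LumoAuth's code, that applies a PatchOp to an in-memory resource; it handles the path forms IdPs commonly send (a bare attribute such as active, and the filter form members[value eq "..."]) and refuses anything else rather than guessing. The group and user resources it runs on are constructed samples.

```python
# Added example (not LumoAuth's own code): apply an RFC 7644 PatchOp message
# to an in-memory SCIM resource, as sent for PATCH .../Groups/{id} (membership)
# and PATCH .../Users/{id} (deactivation). Supported paths are a bare attribute
# name and the filter form attr[sub eq "value"]; anything else raises.
import re
from typing import Any, Dict, Optional, Tuple

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
FILTER_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]$')


def parse_path(path: str) -> Tuple[str, Optional[Tuple[str, str]]]:
    """Return (attribute, (sub_attribute, value)) for a filter path, else (attribute, None)."""
    match = FILTER_PATH.match(path)
    if match:
        return match.group(1), (match.group(2), match.group(3))
    if not re.fullmatch(r"\w+", path):
        raise ValueError(f"unsupported path: {path}")
    return path, None


def _add_attr(result: Dict, attr: str, value: Any) -> None:
    """'add' semantics: append to a multi-valued attribute, otherwise set it."""
    current = result.get(attr)
    if isinstance(current, list):
        new_items = value if isinstance(value, list) else [value]
        existing = {m.get("value") for m in current if isinstance(m, dict)}
        merged = list(current)  # copy so the caller's resource is untouched
        for item in new_items:
            # skip a member that is already present instead of duplicating it
            if isinstance(item, dict) and item.get("value") in existing:
                continue
            merged.append(item)
        result[attr] = merged
    elif isinstance(value, list):
        result[attr] = list(value)
    else:
        result[attr] = value


def apply_patch(resource: Dict, patch: Dict) -> Dict:
    """Apply the Operations in order and return a new resource; raise on unsupported input."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("missing PatchOp schema")
    result = dict(resource)
    for operation in patch.get("Operations", []):
        # some IdPs capitalise the op name, so compare case-insensitively
        kind = str(operation.get("op", "")).lower()
        path = operation.get("path")
        value = operation.get("value")
        if kind == "add":
            if path is None:
                # no path: value is an object whose attributes are merged in (RFC 7644 3.5.2.1)
                for attr, v in value.items():
                    _add_attr(result, attr, v)
            else:
                attr, flt = parse_path(path)
                if flt is not None:
                    raise ValueError("add with a filter path is not supported here")
                _add_attr(result, attr, value)
        elif kind == "replace":
            if path is None:
                result.update(value)
            else:
                attr, flt = parse_path(path)
                if flt is not None:
                    raise ValueError("replace with a filter path is not supported here")
                result[attr] = value
        elif kind == "remove":
            if path is None:
                raise ValueError("remove requires a path")  # RFC 7644 3.5.2.3
            attr, flt = parse_path(path)
            if flt is None:
                result.pop(attr, None)
            else:
                sub, wanted = flt  # keep every member that does not match the filter
                result[attr] = [m for m in result.get(attr, []) if str(m.get(sub)) != wanted]
        else:
            raise ValueError(f"unknown op: {kind}")
    return result


if __name__ == "__main__":
    # Constructed sample: a group with two members, then one member removed by filter
    group = {"schemas": [GROUP_SCHEMA], "id": "group-uuid-1", "displayName": "Engineering",
             "members": [{"value": "user-uuid-1"}, {"value": "user-uuid-2"}]}
    patch = {"schemas": [PATCH_SCHEMA],
             "Operations": [{"op": "remove", "path": 'members[value eq "user-uuid-1"]'}]}
    print(apply_patch(group, patch)["members"])  # [{'value': 'user-uuid-2'}]
```

Returning a new resource rather than mutating the stored one keeps the operation atomic: if a later operation in the same message is rejected, the stored group is unchanged and the IdP receives an error for the whole PATCH, which is what RFC 7644 requires.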
Supported RFCs
| RFC | Description |
|---|---|
| RFC 7643 | SCIM Core Schema — defines the User and Group JSON resources |
| RFC 7644 | SCIM Protocol — defines the HTTP API, filters, and pagination |
| RFC 7642 | SCIM Definitions, Overview, and Concepts |
Related Guides
- User Management - Manual user management
- Groups - Group-based access control
- Enterprise SSO - SAML/OIDC federation