SCIM Provisioning FAQ

Frequently asked questions about SCIM automated user provisioning.

What is SCIM?

SCIM (System for Cross-domain Identity Management) is an open standard protocol for automating the exchange of user identity information between IT systems. It enables automated user provisioning, updating, and deprovisioning across multiple applications.

Why use SCIM with Cliqer?

Benefits

  • Automated User Lifecycle: Automatically create, update, and deactivate users
  • Reduced Administrative Work: No manual user management tasks
  • Improved Security: Immediate account deactivation when employees leave
  • Compliance: Supports regulatory requirements for access management

Use Cases

  • Joiners: New employees automatically get Cliqer accounts
  • Movers: Department/role changes sync automatically
  • Leavers: Accounts deactivated immediately upon termination
  • Profile Updates: Name, email, and attribute changes sync automatically

How do I set up SCIM?

Step 1: Enable SCIM

  1. Go to Admin Console > Security Configuration
  2. Find the "SCIM Provisioning" section
  3. Check "Enable SCIM"
  4. Generate or enter a Bearer Token
  5. Click "Save Configuration"

Step 2: Configure Identity Provider

Okta SCIM Setup

  1. In Okta Admin Console, go to Applications
  2. Find Cliqer application
  3. Go to Provisioning tab
  4. Enable SCIM provisioning
  5. Enter SCIM endpoint: https://your-domain.com/api/scim/v2
  6. Enter Bearer Token from step 1
  7. Configure attribute mappings

Azure AD SCIM Setup

  1. In Azure AD, go to Enterprise Applications
  2. Select Cliqer application
  3. Go to Provisioning section
  4. Set Provisioning Mode to "Automatic"
  5. Enter Tenant URL: https://your-domain.com/api/scim/v2
  6. Enter Secret Token from step 1
  7. Configure attribute mappings

Step 3: Test Configuration

  1. Create a test user in your identity provider
  2. Verify user appears in Cliqer
  3. Test user updates and deactivation
  4. Check audit logs for provisioning events

What SCIM operations are supported?

User Operations

  • CREATE: POST /api/scim/v2/Users
  • READ: GET /api/scim/v2/Users/{id}
  • UPDATE: PUT /api/scim/v2/Users/{id} (full update)
  • PATCH: PATCH /api/scim/v2/Users/{id} (partial update)
  • DELETE: DELETE /api/scim/v2/Users/{id}
  • LIST: GET /api/scim/v2/Users (with filtering)

Group Operations (Future)

  • Group creation and management
  • Group membership updates
  • Nested group support

What user attributes are supported?

Core User Schema

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "user@company.com",
  "name": {
    "givenName": "John",
    "familyName": "Doe",
    "middleName": "William"
  },
  "emails": [{
    "primary": true,
    "value": "user@company.com",
    "type": "work"
  }],
  "active": true,
  "externalId": "employee-123"
}

Enterprise User Extension

{
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "12345",
    "department": "Engineering",
    "manager": {
      "value": "manager-id",
      "displayName": "Jane Smith"
    }
  }
}

How does user matching work?

Matching Criteria

Users are matched using the following priority:

  1. External ID: externalId field from SCIM payload
  2. Email Address: Primary email address
  3. Username: userName field

Conflict Resolution

  • If multiple matches found, operation fails
  • External ID takes precedence over email
  • Manual intervention may be required for conflicts
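The matching order and conflict rule above, worked through as an added example (not Cliqer's own code). The `User` record, the in-memory directory, and case-insensitive comparison of email and userName are assumptions, as is reading "multiple matches" as more than one account matching on the same criterion.

```python
from dataclasses import dataclass
from typing import Optional

class MatchConflict(Exception):
    """One criterion matched more than one existing user."""

@dataclass(frozen=True)
class User:                      # hypothetical stored-account record
    id: str
    external_id: Optional[str]
    email: str
    username: str

def primary_email(payload):
    """Primary email of a SCIM User payload, lower-cased, or None."""
    for entry in payload.get("emails", []):
        if entry.get("primary") and entry.get("value"):
            return entry["value"].lower()
    return None

def match_user(payload, directory):
    """Return (user, criterion), or (None, None) when nothing matches."""
    user_name = payload.get("userName")
    criteria = [  # evaluated in the page's priority order
        ("externalId", payload.get("externalId"), lambda u: u.external_id),
        ("email", primary_email(payload), lambda u: u.email.lower()),
        ("userName", user_name.lower() if user_name else None,
         lambda u: u.username.lower()),
    ]
    for name, wanted, stored in criteria:
        if not wanted:
            continue
        hits = [u for u in directory if stored(u) == wanted]
        if len(hits) > 1:        # ambiguous: fail rather than pick one
            raise MatchConflict(f"{len(hits)} users match on {name}")
        if hits:
            return hits[0], name  # caller can audit-log which rule linked the account
    return None, None

# Constructed directory for the example
DIRECTORY = [
    User("u1", "employee-123", "old.name@company.com", "old.name"),
    User("u2", None, "user@company.com", "user"),
    User("u3", None, "shared@company.com", "first"),
    User("u4", None, "shared@company.com", "second"),
]
```

Returning the criterion alongside the user lets a reviewer see when an account was linked by email or userName fallback instead of by externalId.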

What happens during user deactivation?

Deactivation Process

  1. SCIM Update: active: false sent via SCIM
  2. Account Disabled: User cannot log in
  3. Data Preservation: User data remains but access revoked
  4. Audit Logging: Deactivation event logged

Reactivation

  • Set active: true to reactivate account
  • All previous data and settings restored
  • User can log in immediately

How do I handle bulk operations?

Bulk Operations Support

  • Max Operations: 100 operations per bulk request
  • Max Payload: 1MB per request
  • Transaction Safety: All-or-nothing execution
  • Error Handling: Detailed error responses

Bulk Request Format

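{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],
  "Operations": [
    {
      "method": "POST",
      "path": "/Users",
      "bulkId": "user-1",
      "data": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "user@company.com",
        "externalId": "employee-123",
        "active": true
      }
    }
  ]
}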
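A client-side pre-flight for the limits above, as an added example (not Cliqer's own code): it splits a list of user payloads into bulk requests that stay within 100 operations and 1MB each. Reading 1MB as 1,000,000 bytes of compact UTF-8 JSON and the `user-N` bulkId scheme are assumptions.

```python
import json

MAX_OPS = 100          # page: 100 operations per bulk request
MAX_BYTES = 1_000_000  # page: 1MB; decimal megabyte assumed as the stricter reading
BULK_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"

def _envelope(ops):
    return {"schemas": [BULK_SCHEMA], "Operations": ops}

def _size(ops):
    # Measure with the same serialization that is sent on the wire.
    return len(json.dumps(_envelope(ops), separators=(",", ":")).encode("utf-8"))

def build_bulk_requests(users):
    """Split user payloads into BulkRequest bodies within both limits."""
    batches, current = [], []
    for n, user in enumerate(users, start=1):
        op = {"method": "POST", "path": "/Users",
              "bulkId": f"user-{n}", "data": user}
        if _size([op]) > MAX_BYTES:
            raise ValueError(f"operation user-{n} alone exceeds {MAX_BYTES} bytes")
        # Close the current batch when either limit would be crossed.
        if len(current) == MAX_OPS or _size(current + [op]) > MAX_BYTES:
            batches.append(_envelope(current))
            current = []
        current.append(op)
    if current:
        batches.append(_envelope(current))
    return batches
```

Since execution is all-or-nothing per request, a split set commits or fails one batch at a time, so a failure in a later batch leaves earlier batches applied.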

What are the security considerations?

Authentication

  • Bearer Token: Secure API key authentication
  • HTTPS Only: All SCIM endpoints require HTTPS
  • Rate Limiting: Protected against abuse
  • Audit Logging: All provisioning events logged

Data Protection

  • Encryption: Data encrypted in transit and at rest
  • Access Control: SCIM operations require admin-level permissions
  • Data Validation: Strict schema validation on all inputs

How do I monitor SCIM operations?

Audit Logs

All SCIM operations are logged in the audit system:

  • scim_user_created
  • scim_user_updated
  • scim_user_deleted
  • scim_bulk_operation

Monitoring Dashboard

  • SCIM operation success/failure rates
  • User provisioning statistics
  • Error trends and patterns
  • Integration health status
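One check that can be run over an export of these audit events, as an added example (not part of Cliqer): it flags a tenant when `scim_user_deleted` events cluster inside a short window, which is worth reviewing as a possible misconfigured identity provider or misused bearer token. The JSON-lines layout, the `ts`/`tenant`/`event` field names, the window and the threshold are all assumptions; only the event names come from this page.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

def deletion_bursts(lines, window=timedelta(minutes=10), threshold=3):
    """Return (tenant, ts, count) each time a tenant first reaches the threshold.

    Expects events in time order. Window and threshold are assumed defaults.
    """
    recent = defaultdict(deque)   # tenant -> deletion times inside the window
    alerting = defaultdict(bool)  # tenant -> currently at or over threshold?
    alerts = []
    for line in lines:
        event = json.loads(line)
        if event["event"] != "scim_user_deleted":
            continue
        tenant, ts = event["tenant"], datetime.fromisoformat(event["ts"])
        times = recent[tenant]
        times.append(ts)
        while ts - times[0] > window:   # drop deletions older than the window
            times.popleft()
        over = len(times) >= threshold
        if over and not alerting[tenant]:   # alert once per burst
            alerts.append((tenant, event["ts"], len(times)))
        alerting[tenant] = over
    return alerts

# Constructed audit export (JSON lines); field names are assumptions
SAMPLE = [
    '{"ts": "2026-01-05T09:00:00+00:00", "tenant": "acme", "event": "scim_user_deleted"}',
    '{"ts": "2026-01-05T09:00:00+00:00", "tenant": "beta", "event": "scim_user_deleted"}',
    '{"ts": "2026-01-05T09:01:00+00:00", "tenant": "acme", "event": "scim_user_updated"}',
    '{"ts": "2026-01-05T09:02:00+00:00", "tenant": "acme", "event": "scim_user_deleted"}',
    '{"ts": "2026-01-05T09:03:00+00:00", "tenant": "acme", "event": "scim_user_deleted"}',
    '{"ts": "2026-01-05T09:04:00+00:00", "tenant": "acme", "event": "scim_user_deleted"}',
    '{"ts": "2026-01-05T11:00:00+00:00", "tenant": "beta", "event": "scim_user_deleted"}',
]
```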

What if SCIM provisioning fails?

Common Issues

Authentication Errors

  • Check bearer token is correct
  • Verify token hasn't expired
  • Confirm HTTPS is being used

Schema Validation Errors

  • Validate SCIM payload format
  • Check required fields are present
  • Verify attribute data types

User Matching Errors

  • Check external ID consistency
  • Verify email address format
  • Confirm user exists in both systems

Troubleshooting Steps

  1. Check Audit Logs: Review detailed error messages
  2. Validate Payload: Use SCIM validation tools
  3. Test Connectivity: Verify endpoint accessibility
  4. Check Provider Config: Confirm identity provider settings

Can I customize attribute mappings?

Standard Mappings

Cliqer uses standard SCIM attribute mappings by default. Custom mappings can be configured for:

  • Custom Fields: Map provider-specific attributes
  • Department Codes: Transform department names
  • Role Assignments: Map groups to roles
  • Location Data: Handle office/location fields

Configuration

Custom mappings are configured in the Admin Console under Security > SCIM Configuration.

What are the compliance benefits?

Regulatory Compliance

  • SOX: Automated access provisioning
  • GDPR: Right to erasure through automated deprovisioning
  • HIPAA: Controlled access to protected health information
  • PCI DSS: Automated user lifecycle management

Audit Benefits

  • Complete Audit Trail: Every provisioning event logged
  • Compliance Reporting: Automated compliance reports
  • Access Reviews: Automated user access reviews

Integration with RBAC

Role Assignment

  • SCIM can assign roles based on group memberships
  • Automatic role updates when user groups change
  • Integration with enterprise role management systems

Permission Management

  • Roles control what SCIM operations are allowed
  • Granular permissions for different user types
  • Integration with existing permission systems

Performance Considerations

Rate Limiting

  • 1000 operations per hour per tenant
  • Burst allowance for peak usage
  • Automatic throttling during high load

Batch Processing

  • Efficient bulk operation processing
  • Minimal database impact
  • Asynchronous processing for large operations

Need Help?

Support Resources

  • Documentation: Complete SCIM API reference
  • Troubleshooting Guide: Common issues and solutions
  • Integration Examples: Sample configurations for popular providers
  • Support Portal: Direct access to technical support

Getting Help

  1. Check audit logs for error details
  2. Review provider documentation
  3. Contact support with specific error messages
  4. Provide SCIM payload examples for debugging

Copyright © 2026. All rights reserved.