SCIM Provisioning

Enterprise

SCIM (System for Cross-domain Identity Management) enables automatic user provisioning and deprovisioning synchronized with your identity provider.

Overview

SCIM provides:

  • Automatic user creation on hire
  • Automatic deactivation on termination
  • Group/team synchronization
  • Real-time updates

How SCIM Works

Identity Provider (IdP) → SCIM API → Containment.AI (user created / updated / removed)

  1. User added in IdP → SCIM creates user
  2. User updated in IdP → SCIM updates user
  3. User removed in IdP → SCIM deactivates user

Supported Identity Providers

Native Support

  • Okta
  • Azure AD / Entra ID
  • OneLogin
  • JumpCloud
  • Ping Identity
  • Google Workspace

Generic SCIM 2.0

Any SCIM 2.0 compliant system

Setup Guide

Prerequisites

  • Enterprise plan
  • SSO configured (recommended)
  • IdP admin access
  • Containment.AI admin access

Step 1: Enable SCIM

  1. Go to Settings > Enterprise > SCIM
  2. Click Enable SCIM
  3. Note your:
    • SCIM Base URL: https://app.containment.ai/scim/v2
    • Bearer Token: Generated on enable

Warning: Copy the bearer token immediately; it is only shown once.

Step 2: Configure Your IdP

Okta

  1. Go to your SAML app > Provisioning
  2. Click Configure API Integration
  3. Enter:
    • SCIM connector base URL
    • Bearer token
  4. Click Test API Credentials
  5. Enable provisioning features:
    • Create Users
    • Update User Attributes
    • Deactivate Users

Azure AD / Entra ID

  1. Go to your Enterprise App > Provisioning
  2. Set mode to Automatic
  3. Enter Admin Credentials:
    • Tenant URL: SCIM Base URL
    • Secret Token: Bearer token
  4. Click Test Connection
  5. Configure attribute mappings
  6. Enable provisioning

OneLogin

  1. Go to your SAML app > Provisioning
  2. Enable provisioning
  3. Enter:
    • SCIM Base URL
    • SCIM Bearer Token
  4. Configure user provisioning rules
  5. Save

Step 3: Configure Attribute Mapping

Map IdP attributes to Containment.AI:

SCIM Attribute       Containment.AI     Required
userName             Email              Yes
emails[primary]      Email              Yes
name.givenName       First name         Yes
name.familyName      Last name          Yes
active               Account status     Yes
groups               Team membership    No

Step 4: Configure Groups (Optional)

Sync IdP groups to Containment.AI teams:

  1. Enable group push in IdP
  2. In Containment.AI, map groups to teams
  3. Users automatically inherit team membership

SCIM Operations

User Provisioning

When a user is assigned to the app in the IdP:

  1. IdP sends SCIM POST request
  2. Containment.AI creates user
  3. User receives welcome email
  4. User is active immediately

User Updates

When a user is modified in the IdP:

  1. IdP sends SCIM PATCH/PUT request
  2. Containment.AI updates user
  3. Changes effective immediately

User Deprovisioning

When a user is unassigned from the app or terminated in the IdP:

  1. IdP sends SCIM PATCH (active=false)
  2. Containment.AI deactivates user
  3. User loses access immediately
  4. Data retained per policy

Group Sync

When group membership changes:

  1. IdP sends group update
  2. Containment.AI updates team membership
  3. Policies apply per new teams

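The attribute mapping from Step 3 and the provisioning/deprovisioning flow above, as an added worked example (not Containment.AI's own code): it maps a SCIM user body onto the fields in the mapping table, rejects payloads missing a required attribute, and applies the PATCH that sets active=false. The SCIM sample body is constructed, and the two PATCH shapes handled (a `path` plus scalar value, and a path-less value object) are assumptions about what different IdPs send.

```python
# Added example, not Containment.AI's own code: applies the attribute mapping above
# to SCIM payloads and handles the PATCH shapes IdPs send (those shapes are assumptions).
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# SCIM attribute -> Containment.AI field, per the mapping table; True = required.
MAPPING = {"userName": ("email", True), "name.givenName": ("first_name", True),
           "name.familyName": ("last_name", True), "active": ("active", True),
           "groups": ("teams", False)}
# Constructed sample of the SCIM POST body an IdP sends when a user is assigned.
SAMPLE_POST = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
               "userName": "jdoe@example.com", "active": True,
               "name": {"givenName": "Jane", "familyName": "Doe"},
               "emails": [{"value": "jane.doe@example.com", "primary": True}],
               "groups": [{"value": "grp-1", "display": "Security"}]}

def _get(resource, dotted):
    """Resolve a dotted SCIM path such as 'name.givenName'; None if absent."""
    for part in dotted.split("."):
        resource = resource.get(part) if isinstance(resource, dict) else None
    return resource

def _as_bool(value):
    """Some IdPs send 'active' as the strings "True"/"False"; normalise to bool."""
    return value.strip().lower() == "true" if isinstance(value, str) else bool(value)

def map_user(resource):
    """Map a SCIM POST/PUT body to Containment.AI fields; reject missing required attrs."""
    missing = [a for a, (_, req) in MAPPING.items() if req and _get(resource, a) is None]
    if missing:
        raise ValueError(f"missing required SCIM attributes: {missing}")
    primary = [e["value"] for e in resource.get("emails", []) if e.get("primary")]
    return {"email": primary[0] if primary else resource["userName"],  # emails[primary] wins
            "first_name": resource["name"]["givenName"],
            "last_name": resource["name"]["familyName"],
            "active": _as_bool(resource["active"]),
            "teams": [g["display"] for g in resource.get("groups", [])]}

def apply_patch(user, patch):
    """Apply SCIM PatchOp 'replace' ops, e.g. the active=false deprovisioning call."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp")
    updated = dict(user)
    for op in patch["Operations"]:
        if op["op"].lower() != "replace":
            raise ValueError(f"unsupported op {op['op']!r}")
        # {"path": "active", "value": x} or path-less {"value": {"active": x}}
        changes = {op["path"]: op["value"]} if "path" in op else op["value"]
        for path, value in changes.items():
            if path not in MAPPING or path == "groups":
                raise ValueError(f"unmapped attribute {path!r}")
            updated[MAPPING[path][0]] = _as_bool(value) if path == "active" else value
    return updated
```

A deactivation PATCH must leave `active` as `False` regardless of which shape the IdP used; if it does not, the user keeps access after termination, which is what the "Test deprovisioning works" practice below is meant to catch.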
Token Management

Rotating Tokens

  1. Go to Settings > Enterprise > SCIM
  2. Click Rotate Token
  3. Copy new token
  4. Update in IdP immediately
  5. Old token invalidated

Token Security

  • Tokens are encrypted at rest
  • Transmitted only over HTTPS
  • Audit logged when used
  • Rotate periodically (recommended: quarterly)

Monitoring SCIM

SCIM Logs

View SCIM operations:

  1. Go to Activity
  2. Filter by source: SCIM
  3. See all provisioning events

Status Dashboard

SCIM status shows:

  • Last sync time
  • Users provisioned
  • Errors/failures
  • Pending operations

Alerts

Configure alerts for:

  • SCIM authentication failures
  • Provisioning errors
  • Token near expiration

Troubleshooting

User Not Provisioned

  1. Check IdP assignment
    • User assigned to app?
    • Group assigned if using groups?
  2. Check attribute mapping
    • Email attribute mapped?
    • Required attributes present?
  3. Check SCIM logs
    • Look for error messages
    • Verify request received

Authentication Failed

  1. Verify token
    • Token copied correctly?
    • No extra whitespace?
    • Token not rotated?
  2. Verify URL
    • Base URL correct?
    • No trailing slash issues?

Sync Delays

  1. Check IdP settings
    • Provisioning enabled?
    • Sync interval configured?
  2. Force sync
    • Trigger manual sync in IdP
    • Check for queued operations

Best Practices

Security

  • Rotate tokens quarterly
  • Monitor SCIM logs
  • Use IP allowlisting if available
  • Enable SSO alongside SCIM

Implementation

  • Start with small test group
  • Verify attribute mapping
  • Test deprovisioning works
  • Document configuration

Maintenance

  • Monitor sync status
  • Review logs periodically
  • Update mappings as needed
  • Test after IdP changes