SCIM 2.0 Provisioning
Nauthera implements SCIM 2.0 (RFC 7643/7644), allowing enterprise identity providers and directories to push user and group lifecycle events automatically — no manual user management required.
Available on: Business and Enterprise tiers.
Supported identity providers:
- Okta
- Microsoft Entra ID (Azure AD)
- OneLogin
- Any SCIM 2.0-compatible directory
Supported Operations
| Resource | Create | Read | Update | Delete | List | Filter |
|---|---|---|---|---|---|---|
| Users | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Groups | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Supported SCIM operations: GET, POST, PUT, PATCH, DELETE.
Base URL
All SCIM endpoints are available under /scim/v2/:
https://auth.example.com/scim/v2/Users
https://auth.example.com/scim/v2/Groups
https://auth.example.com/scim/v2/ServiceProviderConfig
https://auth.example.com/scim/v2/ResourceTypes
https://auth.example.com/scim/v2/Schemas
Authentication
SCIM endpoints authenticate via a Bearer JWT. The token must:
- Have the `admin` scope.
- Belong to a user who is a member of the `admins` group.
Obtain a long-lived admin token for your provisioning service account using the standard OAuth2 client_credentials grant, then configure it as the Bearer token in your directory's SCIM settings.
```bash
# Issue an admin token for the SCIM provisioning service account
curl -X POST https://auth.example.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=scim-provisioner&client_secret=$SECRET&scope=admin"
```
Important: The service account user must be in the `admins` group in Nauthera. Tokens without the `admin` scope, or issued to users not in `admins`, receive `403 Forbidden`.
Configuring Okta
- In Okta Admin, navigate to Applications → Your App → Provisioning.
- Enable SCIM provisioning.
- Set:
  - SCIM connector base URL: `https://auth.example.com/scim/v2`
  - Unique identifier field: `userName`
  - Supported provisioning actions: Push New Users, Push Profile Updates, Push Groups, Deactivate Users
  - Authentication mode: HTTP Header
  - Authorization: `Bearer <your-service-account-token>`
- Click Test Connector Configuration to verify.
Configuring Microsoft Entra ID
- In Entra ID, navigate to Enterprise Applications → Your App → Provisioning.
- Set Provisioning Mode to Automatic.
- Under Admin Credentials:
  - Tenant URL: `https://auth.example.com/scim/v2`
  - Secret Token: `<your-service-account-token>`
- Click Test Connection, then Save.
- Under Mappings, verify the attribute mappings match your user schema.
User Attributes
Nauthera maps SCIM user attributes to internal user fields:
| SCIM Attribute | Nauthera Field |
|---|---|
| userName | username |
| emails[primary].value | email |
| name.formatted | name |
| name.givenName | given_name |
| name.familyName | family_name |
| nickName | nickname |
| phoneNumbers[primary].value | phone_number |
| photos[0].value | picture |
| locale | locale |
| active | disabled (inverted) |
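The mapping in the table above, worked through as an added example (not Nauthera's own code): it resolves the `primary`-flagged entry of the multi-valued `emails` and `phoneNumbers` attributes, takes the first photo, and inverts `active` into `disabled`. The fallback rules (first entry when none is flagged primary, a missing `active` treated as true) and the sample user are assumptions.

```python
from typing import Any, Optional

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def _primary_value(entries: Optional[list]) -> Optional[str]:
    # RFC 7643 allows at most one entry with "primary": true; when no entry
    # carries the flag, fall back to the first value (assumption).
    if not entries:
        return None
    for entry in entries:
        if entry.get("primary") is True and entry.get("value"):
            return entry["value"]
    return entries[0].get("value")

def scim_user_to_nauthera(resource: dict) -> dict[str, Any]:
    # Reject payloads that do not declare the core User schema, and require
    # userName since it is the unique identifier the directory matches on.
    if SCIM_USER_SCHEMA not in resource.get("schemas", []):
        raise ValueError("not a SCIM core User resource")
    if not resource.get("userName"):
        raise ValueError("userName is required")
    name = resource.get("name") or {}
    photos = resource.get("photos") or []
    return {
        "username": resource["userName"],
        "email": _primary_value(resource.get("emails")),
        "name": name.get("formatted"),
        "given_name": name.get("givenName"),
        "family_name": name.get("familyName"),
        "nickname": resource.get("nickName"),
        "phone_number": _primary_value(resource.get("phoneNumbers")),
        "picture": photos[0].get("value") if photos else None,
        "locale": resource.get("locale"),
        # SCIM "active" is inverted into "disabled"; absent means active (assumption).
        "disabled": not resource.get("active", True),
    }

# Constructed sample: a deactivated user whose work email is flagged primary.
SAMPLE_USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "jdoe",
    "name": {"formatted": "Jane Doe", "givenName": "Jane", "familyName": "Doe"},
    "emails": [
        {"value": "jane.home@example.com", "type": "home"},
        {"value": "jdoe@example.com", "type": "work", "primary": True},
    ],
    "phoneNumbers": [{"value": "+1-555-0100", "type": "work"}],
    "active": False,
}
```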
Group Sync
Groups created via SCIM are automatically available for use in AuthPolicy claim mappings and RBAC rules. Group membership is kept in sync — when a user is removed from a group in your directory, they are removed from the corresponding Nauthera group within the next provisioning cycle.
Discovery Endpoints
The standard SCIM discovery endpoints are available without authentication:
```bash
# Service provider capabilities
curl https://auth.example.com/scim/v2/ServiceProviderConfig
# Supported resource types
curl https://auth.example.com/scim/v2/ResourceTypes
# Schema definitions
curl https://auth.example.com/scim/v2/Schemas
```
Related
- User Management — manual user management via the admin API
- AuthPolicy reference — use groups in claim mappings and access policies
- Groups & RBAC — manage group membership