{
    "componentChunkName": "component---src-pages-blog-markdown-remark-fields-slug-js",
    "path": "/blog/scim-provisioning-explained",
    "result": {"data":{"markdownRemark":{"html":"<div\n              class=\"gatsby-code-button-container\"\n              data-toaster-id=\"73440783265992660000\"\n              data-toaster-class=\"gatsby-code-button-toaster\"\n              data-toaster-text-class=\"gatsby-code-button-toaster-text\"\n              data-toaster-text=\"Copied!\"\n              data-toaster-duration=\"3500\"\n              onClick=\"copyToClipboard(`tight: true\ntoHeading: 3`, `73440783265992660000`)\"\n            >\n              <div\n                class=\"gatsby-code-button\"\n                data-tooltip=\"\"\n              >\n                <svg class=\"gatsby-code-button-icon\" xmlns=\"http://www.w3.org/2000/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\"><path fill=\"none\" d=\"M0 0h24v24H0V0z\"/><path d=\"M16 1H2v16h2V3h12V1zm-1 4l6 6v12H6V5h9zm-1 7h5.5L14 6.5V12z\"/></svg>\n              </div>\n            </div>\n<div class=\"table-of-contents\">\n<ul>\n<li><a href=\"#what-is-scim-provisioning\">What is SCIM Provisioning?</a></li>\n<li><a href=\"#scim-architecture\">SCIM Architecture</a></li>\n<li><a href=\"#why-scim-provisioning-matters\">Why SCIM Provisioning Matters</a>\n<ul>\n<li><a href=\"#1-eliminates-manual-user-management\">1. Eliminates Manual User Management</a></li>\n<li><a href=\"#2-improves-security-critical-for-saas\">2. Improves Security (Critical for SaaS)</a></li>\n<li><a href=\"#3-required-for-enterprise-sales\">3. Required for Enterprise Sales</a></li>\n</ul>\n</li>\n<li><a href=\"#how-scim-provisioning-works\">How SCIM Provisioning Works</a>\n<ul>\n<li><a href=\"#typical-flow\">Typical Flow</a></li>\n<li><a href=\"#the-flow\">The Flow</a></li>\n<li><a href=\"#core-scim-operations\">Core SCIM Operations</a></li>\n</ul>\n</li>\n<li><a href=\"#scim-schema-overview\">SCIM Schema Overview</a></li>\n<li><a href=\"#scim-vs-sso-whats-the-difference\">SCIM vs SSO: What’s the Difference?</a></li>\n<li><a href=\"#implementing-scim-provisioning-in-your-app\">Implementing SCIM Provisioning in Your App</a>\n<ul>\n<li><a href=\"#step-1-expose-scim-endpoints\">Step 1: Expose SCIM Endpoints</a></li>\n<li><a href=\"#step-2-add-authentication\">Step 2: Add Authentication</a></li>\n<li><a href=\"#step-3-map-scim--internal-user-model\">Step 3: Map SCIM → Internal User Model</a></li>\n<li><a href=\"#step-4-handle-idempotency\">Step 4: Handle Idempotency</a></li>\n<li><a href=\"#step-5-support-filtering\">Step 5: Support Filtering</a></li>\n</ul>\n</li>\n<li><a href=\"#scim-provisioning-with-supertokens\">SCIM Provisioning with SuperTokens</a>\n<ul>\n<li><a href=\"#where-supertokens-fits\">Where SuperTokens Fits</a></li>\n<li><a href=\"#how-youd-build-scim-on-top-of-supertokens\">How You’d Build SCIM on Top of SuperTokens</a></li>\n<li><a href=\"#why-this-approach-works\">Why This Approach Works</a></li>\n</ul>\n</li>\n<li><a href=\"#when-should-you-add-scim\">When Should You Add SCIM?</a></li>\n<li><a href=\"#final-thoughts\">Final Thoughts</a></li>\n<li><a href=\"#faq\">FAQ</a>\n<ul>\n<li><a href=\"#what-is-scim-provisioning-1\">What is SCIM provisioning?</a></li>\n<li><a href=\"#is-scim-required-for-sso\">Is SCIM required for SSO?</a></li>\n<li><a href=\"#which-providers-support-scim\">Which providers support SCIM?</a></li>\n<li><a href=\"#does-supertokens-support-scim\">Does SuperTokens support SCIM?</a></li>\n</ul>\n</li>\n</ul>\n</div>\n<h2 id=\"what-is-scim-provisioning\" style=\"position:relative;\"><a href=\"#what-is-scim-provisioning\" aria-label=\"what is scim provisioning permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>What is SCIM Provisioning?</h2>\n<p>SCIM (System for Cross-domain Identity Management) is an open standard (defined in RFC 7643 and RFC 7644) that enables automated user provisioning and deprovisioning between identity providers and applications. Developed primarily to make identity management in cloud applications and services easier, scim builds apon existing schemas and deployments placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models</p>\n<blockquote>\n<p>In simple terms: <strong>SCIM provisioning ensures that user accounts are automatically created, updated, and deleted across systems—without manual intervention.</strong></p>\n</blockquote>\n<p>For example:</p>\n<ul>\n<li>When a user is added in Okta → SCIM creates the user in your app</li>\n<li>When a user’s role changes → SCIM updates permissions</li>\n<li>When a user leaves the company → SCIM deactivates their account</li>\n</ul>\n<p>The driving force behind SCIM is over traditional provisioning mechanisms is automation and standardization. Traditional provisioning is a slow, manual and error-prone process. SCIM, on the other hand, provides a standardized protocol for real-time provisioning and de-provisioning, ensuring that when an employee joins, changes roles, or leaves the organization, their access rights are updated consistently across all connected systems. This reduces security risks like orphaned accounts while improving operational efficiency.</p>\n<p>Take a large organization with hundreds if not thousands of employees. Manually creating accounts, assigning permissions is fraught with errors and is time-consuming.</p>\n<h2 id=\"scim-architecture\" style=\"position:relative;\"><a href=\"#scim-architecture\" aria-label=\"scim architecture permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>SCIM Architecture</h2>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 630px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3789a7fc1cf5b78adab304cbbcabf7af/0a013/SCIM-flowchart.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 26.58227848101266%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/klEQVQY04WMMU/DMBhEv9hxHNuJ3aRNXdqkSagQC///17BXYoSBiTvUigkJMTzp3Q1P9LiFnDrqeWC57KHPO5hxC3vq4HNE23ukaBGdYnIF+1Ci8xqpLhBrhbbWtFqgRagKuYo0NeeXZ1S7BGkt05jphg3FGxZ1SW01lRJeHheMDxmFCLvU4HjISG2giOCQhxs3v4oYjeXpApciVO1wnCf0+wGqsggxorIOSleYpgk5Z4hoxHaDeT4jxnTf67p+Lcv8EyyEpjJU2tBUjjFGhqZhaSxT6mmtZ1nWDCHQe0+lzP2LsaUxFbW2dC7QWnsLvomIvP/i4w//j08Ref0G3E1tUEmuczcAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <img\n        class=\"gatsby-resp-image-image\"\n        alt=\"SCIM flowchart\"\n        title=\"SCIM flowchart\"\n        src=\"/static/3789a7fc1cf5b78adab304cbbcabf7af/f058b/SCIM-flowchart.png\"\n        srcset=\"/static/3789a7fc1cf5b78adab304cbbcabf7af/c26ae/SCIM-flowchart.png 158w,\n/static/3789a7fc1cf5b78adab304cbbcabf7af/6bdcf/SCIM-flowchart.png 315w,\n/static/3789a7fc1cf5b78adab304cbbcabf7af/f058b/SCIM-flowchart.png 630w,\n/static/3789a7fc1cf5b78adab304cbbcabf7af/40601/SCIM-flowchart.png 945w,\n/static/3789a7fc1cf5b78adab304cbbcabf7af/78612/SCIM-flowchart.png 1260w,\n/static/3789a7fc1cf5b78adab304cbbcabf7af/0a013/SCIM-flowchart.png 1703w\"\n        sizes=\"(max-width: 630px) 100vw, 630px\"\n        style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n        loading=\"lazy\"\n        decoding=\"async\"\n      />\n  </a>\n    </span></p>\n<p>SCIM is an open RESTful specification. This enables it to use common HTTP methods such as POST, GET, PUT, PATCH, and DELETE to perform CRUD operations to provision and synchronize identity resources across multiple independent systems and domains.</p>\n<p>SCIM also speicifies an interoperable JSON-based schema that any SCIM-compliant Client (identity providers) and cloud-based Service Provider (SaaS applications) can use to provision and de-provision user/employee accounts and attributes, ensuring identity data remains consistent and up-to-date across both systems.</p>\n<h2 id=\"why-scim-provisioning-matters\" style=\"position:relative;\"><a href=\"#why-scim-provisioning-matters\" aria-label=\"why scim provisioning matters permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Why SCIM Provisioning Matters</h2>\n<p>SCIM solves one of the most painful problems in SaaS: <strong>identity lifecycle management at scale</strong>.</p>\n<h3 id=\"1-eliminates-manual-user-management\" style=\"position:relative;\"><a href=\"#1-eliminates-manual-user-management\" aria-label=\"1 eliminates manual user management permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>1. Eliminates Manual User Management</h3>\n<p>Without SCIM:</p>\n<ul>\n<li>Admins manually create accounts</li>\n<li>Permissions drift over time</li>\n<li>Offboarding is inconsistent</li>\n</ul>\n<p>With SCIM:</p>\n<ul>\n<li>Everything is automated and consistent</li>\n</ul>\n<h3 id=\"2-improves-security-critical-for-saas\" style=\"position:relative;\"><a href=\"#2-improves-security-critical-for-saas\" aria-label=\"2 improves security critical for saas permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>2. Improves Security (Critical for SaaS)</h3>\n<p>The biggest benefit is <strong>automatic deprovisioning</strong>.</p>\n<p>Without SCIM:</p>\n<ul>\n<li>Ex-employees may retain access for days or weeks</li>\n</ul>\n<p>With SCIM:</p>\n<ul>\n<li>Access is revoked instantly</li>\n</ul>\n<h3 id=\"3-required-for-enterprise-sales\" style=\"position:relative;\"><a href=\"#3-required-for-enterprise-sales\" aria-label=\"3 required for enterprise sales permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>3. Required for Enterprise Sales</h3>\n<p>If you’re building a B2B SaaS product:</p>\n<blockquote>\n<p><strong>SCIM provisioning is often a deal-breaker requirement for enterprise customers.</strong></p>\n</blockquote>\n<p>Most companies using:</p>\n<ul>\n<li>Okta</li>\n<li>Azure AD</li>\n<li>Google Workspace</li>\n</ul>\n<p>…expect SCIM support out of the box.</p>\n<hr>\n<h2 id=\"how-scim-provisioning-works\" style=\"position:relative;\"><a href=\"#how-scim-provisioning-works\" aria-label=\"how scim provisioning works permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>How SCIM Provisioning Works</h2>\n<p>At a high level, SCIM follows a <strong>push-based model</strong>:</p>\n<ol>\n<li>Identity Provider (IdP) acts as the source of truth</li>\n<li>Your application exposes a SCIM API</li>\n<li>The IdP sends HTTP requests to your SCIM endpoints</li>\n</ol>\n<h3 id=\"typical-flow\" style=\"position:relative;\"><a href=\"#typical-flow\" aria-label=\"typical flow permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Typical Flow</h3>\n<p>SCIM operates with two main actors:</p>\n<table>\n<thead>\n<tr>\n<th>Role</th>\n<th>Description</th>\n</tr>\n</thead>\n<tbody>\n<tr>\n<td><strong>SCIM Client (IdP)</strong></td>\n<td>Source of truth (Okta, Azure AD)</td>\n</tr>\n<tr>\n<td><strong>SCIM Server (Your App)</strong></td>\n<td>Receives and applies identity updates</td>\n</tr>\n</tbody>\n</table>\n<h3 id=\"the-flow\" style=\"position:relative;\"><a href=\"#the-flow\" aria-label=\"the flow permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>The Flow</h3>\n<ol>\n<li>Admin creates/updates user in IdP</li>\n<li>IdP sends a SCIM API request</li>\n<li>Your app updates user state</li>\n<li>Changes propagate across all systems</li>\n</ol>\n<p>This includes:</p>\n<ul>\n<li><code class=\"language-text\">POST /Users</code> → Create user</li>\n<li><code class=\"language-text\">PATCH /Users/{id}</code> → Update attributes</li>\n<li><code class=\"language-text\">DELETE /Users/{id}</code> → Deprovision</li>\n</ul>\n<p>SCIM uses <strong>REST + JSON + standardized schemas</strong> to make this interoperable across vendors.</p>\n<hr>\n<h3 id=\"core-scim-operations\" style=\"position:relative;\"><a href=\"#core-scim-operations\" aria-label=\"core scim operations permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Core SCIM Operations</h3>\n<h4 id=\"1-create-user\" style=\"position:relative;\"><a href=\"#1-create-user\" aria-label=\"1 create user permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>1. Create User</h4>\n<p>POST <code class=\"language-text\">/Users</code></p>\n<p>Payload:</p>\n<div\n              class=\"gatsby-code-button-container\"\n              data-toaster-id=\"20732714151713630000\"\n              data-toaster-class=\"gatsby-code-button-toaster\"\n              data-toaster-text-class=\"gatsby-code-button-toaster-text\"\n              data-toaster-text=\"Copied!\"\n              data-toaster-duration=\"3500\"\n              onClick=\"copyToClipboard(`{\n  &quot;userName&quot;: &quot;john@example.com&quot;,\n  &quot;name&quot;: {\n    &quot;givenName&quot;: &quot;John&quot;,\n    &quot;familyName&quot;: &quot;Doe&quot;\n  },\n  &quot;active&quot;: true\n}`, `20732714151713630000`)\"\n            >\n              <div\n                class=\"gatsby-code-button\"\n                data-tooltip=\"\"\n              >\n                <svg class=\"gatsby-code-button-icon\" xmlns=\"http://www.w3.org/2000/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\"><path fill=\"none\" d=\"M0 0h24v24H0V0z\"/><path d=\"M16 1H2v16h2V3h12V1zm-1 4l6 6v12H6V5h9zm-1 7h5.5L14 6.5V12z\"/></svg>\n              </div>\n            </div>\n<div class=\"gatsby-highlight\" data-language=\"json\"><pre class=\"language-json\"><code class=\"language-json\"><span class=\"token punctuation\">{</span>\n  <span class=\"token property\">\"userName\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"john@example.com\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"name\"</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token property\">\"givenName\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"John\"</span><span class=\"token punctuation\">,</span>\n    <span class=\"token property\">\"familyName\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"Doe\"</span>\n  <span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"active\"</span><span class=\"token operator\">:</span> <span class=\"token boolean\">true</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<h4 id=\"2-update-user\" style=\"position:relative;\"><a href=\"#2-update-user\" aria-label=\"2 update user permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>2. Update User</h4>\n<p>PATCH <code class=\"language-text\">/Users/{id}</code></p>\n<p>Used for:</p>\n<ul>\n<li>Role updates</li>\n<li>Email changes</li>\n<li>Profile edits</li>\n</ul>\n<h4 id=\"3-deactivate-user\" style=\"position:relative;\"><a href=\"#3-deactivate-user\" aria-label=\"3 deactivate user permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>3. Deactivate User</h4>\n<p>PATCH <code class=\"language-text\">/Users/{id}</code></p>\n<div\n              class=\"gatsby-code-button-container\"\n              data-toaster-id=\"58599163548668050000\"\n              data-toaster-class=\"gatsby-code-button-toaster\"\n              data-toaster-text-class=\"gatsby-code-button-toaster-text\"\n              data-toaster-text=\"Copied!\"\n              data-toaster-duration=\"3500\"\n              onClick=\"copyToClipboard(`{\n  &quot;active&quot;: false\n}`, `58599163548668050000`)\"\n            >\n              <div\n                class=\"gatsby-code-button\"\n                data-tooltip=\"\"\n              >\n                <svg class=\"gatsby-code-button-icon\" xmlns=\"http://www.w3.org/2000/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\"><path fill=\"none\" d=\"M0 0h24v24H0V0z\"/><path d=\"M16 1H2v16h2V3h12V1zm-1 4l6 6v12H6V5h9zm-1 7h5.5L14 6.5V12z\"/></svg>\n              </div>\n            </div>\n<div class=\"gatsby-highlight\" data-language=\"json\"><pre class=\"language-json\"><code class=\"language-json\"><span class=\"token punctuation\">{</span>\n  <span class=\"token property\">\"active\"</span><span class=\"token operator\">:</span> <span class=\"token boolean\">false</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<blockquote>\n<p>Important: SCIM typically <strong>deactivates</strong>, not deletes users.</p>\n</blockquote>\n<h4 id=\"4-group-management\" style=\"position:relative;\"><a href=\"#4-group-management\" aria-label=\"4 group management permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>4. Group Management</h4>\n<p>POST <code class=\"language-text\">/Groups</code>\nPATCH <code class=\"language-text\">/Groups/{id}</code></p>\n<p>Used to sync:</p>\n<ul>\n<li>Teams</li>\n<li>Roles</li>\n<li>Permissions</li>\n</ul>\n<h2 id=\"scim-schema-overview\" style=\"position:relative;\"><a href=\"#scim-schema-overview\" aria-label=\"scim schema overview permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>SCIM Schema Overview</h2>\n<p>SCIM defines a standardized user schema:</p>\n<div\n              class=\"gatsby-code-button-container\"\n              data-toaster-id=\"85767715820113700000\"\n              data-toaster-class=\"gatsby-code-button-toaster\"\n              data-toaster-text-class=\"gatsby-code-button-toaster-text\"\n              data-toaster-text=\"Copied!\"\n              data-toaster-duration=\"3500\"\n              onClick=\"copyToClipboard(`{\n  &quot;id&quot;: &quot;123&quot;,\n  &quot;userName&quot;: &quot;john@example.com&quot;,\n  &quot;emails&quot;: [\n    {\n      &quot;value&quot;: &quot;john@example.com&quot;,\n      &quot;primary&quot;: true\n    }\n  ],\n  &quot;active&quot;: true\n}`, `85767715820113700000`)\"\n            >\n              <div\n                class=\"gatsby-code-button\"\n                data-tooltip=\"\"\n              >\n                <svg class=\"gatsby-code-button-icon\" xmlns=\"http://www.w3.org/2000/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\"><path fill=\"none\" d=\"M0 0h24v24H0V0z\"/><path d=\"M16 1H2v16h2V3h12V1zm-1 4l6 6v12H6V5h9zm-1 7h5.5L14 6.5V12z\"/></svg>\n              </div>\n            </div>\n<div class=\"gatsby-highlight\" data-language=\"json\"><pre class=\"language-json\"><code class=\"language-json\"><span class=\"token punctuation\">{</span>\n  <span class=\"token property\">\"id\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"123\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"userName\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"john@example.com\"</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"emails\"</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">[</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token property\">\"value\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"john@example.com\"</span><span class=\"token punctuation\">,</span>\n      <span class=\"token property\">\"primary\"</span><span class=\"token operator\">:</span> <span class=\"token boolean\">true</span>\n    <span class=\"token punctuation\">}</span>\n  <span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n  <span class=\"token property\">\"active\"</span><span class=\"token operator\">:</span> <span class=\"token boolean\">true</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Key fields:</p>\n<ul>\n<li><code class=\"language-text\">userName</code> → unique identifier</li>\n<li><code class=\"language-text\">active</code> → provisioning state</li>\n<li><code class=\"language-text\">emails</code> → contact info</li>\n<li><code class=\"language-text\">groups</code> → authorization mapping</li>\n</ul>\n<h2 id=\"scim-vs-sso-whats-the-difference\" style=\"position:relative;\"><a href=\"#scim-vs-sso-whats-the-difference\" aria-label=\"scim vs sso whats the difference permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>SCIM vs SSO: What’s the Difference?</h2>\n<p>This is one of the most common questions</p>\n<table>\n<thead>\n<tr>\n<th>Feature</th>\n<th>SCIM</th>\n<th>SSO</th>\n</tr>\n</thead>\n<tbody>\n<tr>\n<td>Purpose</td>\n<td>User provisioning</td>\n<td>Authentication</td>\n</tr>\n<tr>\n<td>When used</td>\n<td>Before login</td>\n<td>During login</td>\n</tr>\n<tr>\n<td>Handles user lifecycle</td>\n<td>✅ Yes</td>\n<td>❌ No</td>\n</tr>\n<tr>\n<td>Example</td>\n<td>Create user in app</td>\n<td>Log user in</td>\n</tr>\n</tbody>\n</table>\n<blockquote>\n<p><strong>SSO logs users in. SCIM ensures the user exists and is correctly configured.</strong></p>\n</blockquote>\n<p>You almost always need <strong>both together</strong> for enterprise readiness.</p>\n<h2 id=\"implementing-scim-provisioning-in-your-app\" style=\"position:relative;\"><a href=\"#implementing-scim-provisioning-in-your-app\" aria-label=\"implementing scim provisioning in your app permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Implementing SCIM Provisioning in Your App</h2>\n<h3 id=\"step-1-expose-scim-endpoints\" style=\"position:relative;\"><a href=\"#step-1-expose-scim-endpoints\" aria-label=\"step 1 expose scim endpoints permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Step 1: Expose SCIM Endpoints</h3>\n<p>You’ll need to implement:</p>\n<ul>\n<li><code class=\"language-text\">POST /Users</code></li>\n<li><code class=\"language-text\">GET /Users</code></li>\n<li><code class=\"language-text\">PATCH /Users/{id}</code></li>\n<li><code class=\"language-text\">DELETE /Users/{id}</code> (optional)</li>\n<li><code class=\"language-text\">POST /Groups</code></li>\n</ul>\n<h3 id=\"step-2-add-authentication\" style=\"position:relative;\"><a href=\"#step-2-add-authentication\" aria-label=\"step 2 add authentication permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Step 2: Add Authentication</h3>\n<p>SCIM APIs are typically secured using:</p>\n<ul>\n<li>Bearer tokens</li>\n<li>OAuth tokens</li>\n<li>API keys</li>\n</ul>\n<h3 id=\"step-3-map-scim--internal-user-model\" style=\"position:relative;\"><a href=\"#step-3-map-scim--internal-user-model\" aria-label=\"step 3 map scim  internal user model permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Step 3: Map SCIM → Internal User Model</h3>\n<p>Example (Node.js + TypeScript):</p>\n<div\n              class=\"gatsby-code-button-container\"\n              data-toaster-id=\"45543303760554640000\"\n              data-toaster-class=\"gatsby-code-button-toaster\"\n              data-toaster-text-class=\"gatsby-code-button-toaster-text\"\n              data-toaster-text=\"Copied!\"\n              data-toaster-duration=\"3500\"\n              onClick=\"copyToClipboard(`interface SCIMUser {\n  userName: string;\n  active: boolean;\n  name?: {\n    givenName?: string;\n    familyName?: string;\n  };\\\n}\n\nfunction mapToInternalUser(scimUser: SCIMUser) {\n  return {\n    email: scimUser.userName,\n    isActive: scimUser.active,\n    firstName: scimUser.name?.givenName,\n    lastName: scimUser.name?.familyName,\n  };\n}`, `45543303760554640000`)\"\n            >\n              <div\n                class=\"gatsby-code-button\"\n                data-tooltip=\"\"\n              >\n                <svg class=\"gatsby-code-button-icon\" xmlns=\"http://www.w3.org/2000/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\"><path fill=\"none\" d=\"M0 0h24v24H0V0z\"/><path d=\"M16 1H2v16h2V3h12V1zm-1 4l6 6v12H6V5h9zm-1 7h5.5L14 6.5V12z\"/></svg>\n              </div>\n            </div>\n<div class=\"gatsby-highlight\" data-language=\"ts\"><pre class=\"language-ts\"><code class=\"language-ts\"><span class=\"token keyword\">interface</span> <span class=\"token class-name\">SCIMUser</span> <span class=\"token punctuation\">{</span>\n  userName<span class=\"token operator\">:</span> <span class=\"token builtin\">string</span><span class=\"token punctuation\">;</span>\n  active<span class=\"token operator\">:</span> <span class=\"token builtin\">boolean</span><span class=\"token punctuation\">;</span>\n  name<span class=\"token operator\">?</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">{</span>\n    givenName<span class=\"token operator\">?</span><span class=\"token operator\">:</span> <span class=\"token builtin\">string</span><span class=\"token punctuation\">;</span>\n    familyName<span class=\"token operator\">?</span><span class=\"token operator\">:</span> <span class=\"token builtin\">string</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\\\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">function</span> <span class=\"token function\">mapToInternalUser</span><span class=\"token punctuation\">(</span>scimUser<span class=\"token operator\">:</span> SCIMUser<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">return</span> <span class=\"token punctuation\">{</span>\n    email<span class=\"token operator\">:</span> scimUser<span class=\"token punctuation\">.</span>userName<span class=\"token punctuation\">,</span>\n    isActive<span class=\"token operator\">:</span> scimUser<span class=\"token punctuation\">.</span>active<span class=\"token punctuation\">,</span>\n    firstName<span class=\"token operator\">:</span> scimUser<span class=\"token punctuation\">.</span>name<span class=\"token operator\">?.</span>givenName<span class=\"token punctuation\">,</span>\n    lastName<span class=\"token operator\">:</span> scimUser<span class=\"token punctuation\">.</span>name<span class=\"token operator\">?.</span>familyName<span class=\"token punctuation\">,</span>\n  <span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<h3 id=\"step-4-handle-idempotency\" style=\"position:relative;\"><a href=\"#step-4-handle-idempotency\" aria-label=\"step 4 handle idempotency permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Step 4: Handle Idempotency</h3>\n<p>SCIM providers may retry requests.</p>\n<p>You must:</p>\n<ul>\n<li>Avoid duplicate users</li>\n<li>Handle updates safely</li>\n</ul>\n<hr>\n<h3 id=\"step-5-support-filtering\" style=\"position:relative;\"><a href=\"#step-5-support-filtering\" aria-label=\"step 5 support filtering permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Step 5: Support Filtering</h3>\n<p>Example:</p>\n<p>GET <code class=\"language-text\">/Users?filter=userName</code> eq ”<a href=\"mailto:john@example.com\" target=\"_blank\" rel=\"nofollow\">john@example.com</a>”</p>\n<p>This is critical for:</p>\n<ul>\n<li>User lookup</li>\n<li>Sync validation</li>\n</ul>\n<h2 id=\"scim-provisioning-with-supertokens\" style=\"position:relative;\"><a href=\"#scim-provisioning-with-supertokens\" aria-label=\"scim provisioning with supertokens permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>SCIM Provisioning with SuperTokens</h2>\n<p>SuperTokens is primarily an <strong>authentication solution</strong>, but SCIM fits into the broader identity architecture.</p>\n<h3 id=\"where-supertokens-fits\" style=\"position:relative;\"><a href=\"#where-supertokens-fits\" aria-label=\"where supertokens fits permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Where SuperTokens Fits</h3>\n<p>SuperTokens handles:</p>\n<ul>\n<li>Authentication (login, sessions)</li>\n<li>User management</li>\n<li>Multi-tenancy</li>\n</ul>\n<p>SCIM complements this by:</p>\n<ul>\n<li>Syncing users from external IdPs</li>\n<li>Managing lifecycle events</li>\n</ul>\n<h3 id=\"how-youd-build-scim-on-top-of-supertokens\" style=\"position:relative;\"><a href=\"#how-youd-build-scim-on-top-of-supertokens\" aria-label=\"how youd build scim on top of supertokens permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>How You’d Build SCIM on Top of SuperTokens</h3>\n<ol>\n<li>Use SuperTokens for:\n<ul>\n<li>Session management</li>\n<li>User storage</li>\n</ul>\n</li>\n<li>Build a SCIM service layer:\n<ul>\n<li>REST endpoints</li>\n<li>Mapping logic</li>\n</ul>\n</li>\n<li>Sync SCIM users into SuperTokens:</li>\n</ol>\n<div\n              class=\"gatsby-code-button-container\"\n              data-toaster-id=\"21838862865114206000\"\n              data-toaster-class=\"gatsby-code-button-toaster\"\n              data-toaster-text-class=\"gatsby-code-button-toaster-text\"\n              data-toaster-text=\"Copied!\"\n              data-toaster-duration=\"3500\"\n              onClick=\"copyToClipboard(`await createUser({\n  email: scimUser.userName,\n  password: generateRandomPassword(),\n});`, `21838862865114206000`)\"\n            >\n              <div\n                class=\"gatsby-code-button\"\n                data-tooltip=\"\"\n              >\n                <svg class=\"gatsby-code-button-icon\" xmlns=\"http://www.w3.org/2000/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\"><path fill=\"none\" d=\"M0 0h24v24H0V0z\"/><path d=\"M16 1H2v16h2V3h12V1zm-1 4l6 6v12H6V5h9zm-1 7h5.5L14 6.5V12z\"/></svg>\n              </div>\n            </div>\n<div class=\"gatsby-highlight\" data-language=\"ts\"><pre class=\"language-ts\"><code class=\"language-ts\"><span class=\"token keyword\">await</span> <span class=\"token function\">createUser</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span>\n  email<span class=\"token operator\">:</span> scimUser<span class=\"token punctuation\">.</span>userName<span class=\"token punctuation\">,</span>\n  password<span class=\"token operator\">:</span> <span class=\"token function\">generateRandomPassword</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<h3 id=\"why-this-approach-works\" style=\"position:relative;\"><a href=\"#why-this-approach-works\" aria-label=\"why this approach works permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Why This Approach Works</h3>\n<ul>\n<li>Full control over user data</li>\n<li>No vendor lock-in</li>\n<li>Enterprise-ready architecture</li>\n</ul>\n<h2 id=\"when-should-you-add-scim\" style=\"position:relative;\"><a href=\"#when-should-you-add-scim\" aria-label=\"when should you add scim permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>When Should You Add SCIM?</h2>\n<p>You should implement SCIM if:</p>\n<ul>\n<li>You’re selling to <strong>mid-market or enterprise</strong></li>\n<li>Customers ask for <strong>Okta/Azure AD integration</strong></li>\n<li>You support <strong>multi-tenant organizations</strong></li>\n</ul>\n<p>You can delay SCIM if:</p>\n<ul>\n<li>You’re early-stage</li>\n<li>Focused on B2C</li>\n</ul>\n<h2 id=\"final-thoughts\" style=\"position:relative;\"><a href=\"#final-thoughts\" aria-label=\"final thoughts permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Final Thoughts</h2>\n<p>SCIM provisioning is no longer optional for serious SaaS products.</p>\n<p>It transforms identity management from:</p>\n<ul>\n<li>Manual → Automated</li>\n<li>Risky → Secure</li>\n<li>Fragmented → Centralized</li>\n</ul>\n<blockquote>\n<p>If you’re building for enterprise, SCIM + SSO is the baseline---not a differentiator.</p>\n</blockquote>\n<h2 id=\"faq\" style=\"position:relative;\"><a href=\"#faq\" aria-label=\"faq permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>FAQ</h2>\n<h3 id=\"what-is-scim-provisioning-1\" style=\"position:relative;\"><a href=\"#what-is-scim-provisioning-1\" aria-label=\"what is scim provisioning 1 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>What is SCIM provisioning?</h3>\n<p>SCIM provisioning is a standard for automatically creating, updating, and deactivating users across systems using a REST API.</p>\n<h3 id=\"is-scim-required-for-sso\" style=\"position:relative;\"><a href=\"#is-scim-required-for-sso\" aria-label=\"is scim required for sso permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Is SCIM required for SSO?</h3>\n<p>No, but they are complementary. SSO handles login, while SCIM manages user lifecycle.</p>\n<h3 id=\"which-providers-support-scim\" style=\"position:relative;\"><a href=\"#which-providers-support-scim\" aria-label=\"which providers support scim permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Which providers support SCIM?</h3>\n<p>Common providers include:</p>\n<ul>\n<li>Okta</li>\n<li>Azure AD</li>\n<li>Google Workspace</li>\n</ul>\n<h3 id=\"does-supertokens-support-scim\" style=\"position:relative;\"><a href=\"#does-supertokens-support-scim\" aria-label=\"does supertokens support scim permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Does SuperTokens support SCIM?</h3>\n<p>SuperTokens does not provide SCIM out of the box, but you can implement SCIM endpoints on top of it for full control and flexibility.</p>","frontmatter":{"date":"March 21, 2026","title":"SCIM Provisioning Explained: The Definitive Guide for Enterprise SaaS (2026)","cover":"scim-provisioning-explained.png","author":"Joel Coutinho","description":"Learn SCIM provisioning, implementation, edge cases, pricing impact, and how to build it with SuperTokens."},"fields":{"slug":"/scim-provisioning-explained/"}},"site":{"siteMetadata":{"title":"SuperTokens Blog"}}},"pageContext":{"id":"7327cd86-6be9-5e77-b2df-6f65a681312d","fields__slug":"/scim-provisioning-explained/","__params":{"fields__slug":"scim-provisioning-explained"}}},
    "staticQueryHashes": []}