# SCIM Provisioning

### Overview

Veza's SCIM API provides a powerful automation tool to manage user access throughout the identity lifecycle. When an employee joins, changes roles, or leaves your organization, these changes can automatically propagate to Veza, maintaining access control while reducing administrative overhead.

The SCIM (System for Cross-domain Identity Management) protocol is an open standard for automating user provisioning between identity providers and applications. Veza exposes a standards-compliant SCIM 2.0 API at `https://{tenant}.vezacloud.com/scim/v2`.

### Supported identity providers

Veza supports SCIM 2.0 integration with:

* [Okta](/4yItIzMvkpAvMVFAamTf/developers/api/scim/okta.md)
* [Microsoft Entra ID](/4yItIzMvkpAvMVFAamTf/developers/api/scim/entra-id.md) (formerly Azure AD)

### Enabling SCIM provisioning

Before implementing SCIM provisioning, ensure you understand the prerequisites and process flow. This integration requires administrator access to both Veza and your identity provider, as well as a dedicated service account for secure API communication.

The implementation follows these key steps:

1. Create a dedicated admin user in Veza with SCIM Provisioner privileges
2. Generate and securely store an API key for your identity provider to authenticate
3. Enable SCIM provisioning in Veza's administration settings
4. Configure your identity provider with Veza's SCIM endpoint and authentication details
5. Enable push groups to align identity provider groups with Veza teams and roles
6. Validate the integration by testing the full provisioning lifecycle

For identity provider-specific instructions, follow the detailed guide for [Okta](/4yItIzMvkpAvMVFAamTf/developers/api/scim/okta.md) or [Microsoft Entra ID](/4yItIzMvkpAvMVFAamTf/developers/api/scim/entra-id.md).

### Important notes for SCIM Provisioning

When enabling SCIM, there are some critical behaviors to be aware of:

* **SAML and SCIM interaction**: When you enable SCIM provisioning, Veza automatically disables SAML Just-in-Time (JIT) provisioning to prevent conflicting sources of truth. From that point on, user profile updates come exclusively from your identity provider through SCIM.
* **Group-to-role mapping**: Veza maps each identity provider group to one or more team/role assignments in Veza. When a user's group membership changes in your IdP, Veza automatically updates their team/role assignments.
* **Permission persistence**: If a user has the same permission from multiple groups, that permission remains until you remove the user from all groups granting that access. For example, if a user belongs to two groups that both assign Admin roles, removing them from only one group will not revoke their Admin permissions.
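The two notes above describe how group membership turns into team/role assignments and why a permission survives until the last granting group is gone. The following is an added illustration of that rule, not Veza's own code: the group-to-assignment table is a constructed example (real mappings are configured in Veza when push groups are enabled), and the functions simulate one IdP membership push and report what would be granted, revoked and retained.

```python
"""Effective Veza team/role assignments derived from IdP group membership.

Added illustration, not Veza's own code.  The group-to-assignment table is a
constructed example; real mappings are configured in Veza when push groups are
enabled.  It models the persistence rule: an assignment is revoked only when
the user has left every group that grants it.
"""
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Assignment = Tuple[str, str]  # (team, role)

# Constructed mapping (assumption): IdP group -> Veza team/role assignments.
GROUP_TO_ASSIGNMENTS: Dict[str, FrozenSet[Assignment]] = {
    "veza-admins": frozenset({("Default", "Admin")}),
    "veza-platform-owners": frozenset({("Default", "Admin"), ("Platform", "Operator")}),
    "veza-auditors": frozenset({("Default", "Viewer")}),
}


def effective_assignments(groups: Iterable[str],
                          mapping: Dict[str, FrozenSet[Assignment]] = GROUP_TO_ASSIGNMENTS) -> Set[Assignment]:
    """Union of every assignment granted by any of the user's groups.
    Groups with no mapping (an ordinary directory group) grant nothing."""
    result: Set[Assignment] = set()
    for group in groups:
        result |= mapping.get(group, frozenset())
    return result


def grantors(assignment: Assignment, groups: Iterable[str],
             mapping: Dict[str, FrozenSet[Assignment]] = GROUP_TO_ASSIGNMENTS) -> Set[str]:
    """The user's groups that still grant this assignment: the reason it persists."""
    return {g for g in groups if assignment in mapping.get(g, frozenset())}


def apply_membership_change(current: Set[str], removed: Set[str] = frozenset(), added: Set[str] = frozenset(),
                            mapping: Dict[str, FrozenSet[Assignment]] = GROUP_TO_ASSIGNMENTS) -> dict:
    """Simulate one IdP push (groups removed/added) and report what Veza would
    grant, revoke and retain for the user."""
    before = effective_assignments(current, mapping)
    new_groups = (set(current) - set(removed)) | set(added)
    after = effective_assignments(new_groups, mapping)
    return {"groups": new_groups, "granted": after - before,
            "revoked": before - after, "retained": before & after}


if __name__ == "__main__":
    user_groups = {"veza-admins", "veza-platform-owners"}
    # Leaving only one of the two Admin-granting groups: Admin is retained.
    step1 = apply_membership_change(user_groups, removed={"veza-admins"})
    print("after leaving veza-admins:", step1)
    print("Admin still granted by:", grantors(("Default", "Admin"), step1["groups"]))
    # Leaving the second group as well: Admin (and Operator) are revoked.
    step2 = apply_membership_change(step1["groups"], removed={"veza-platform-owners"})
    print("after leaving veza-platform-owners:", step2)
```

When an offboarding or role-change ticket expects a permission to disappear, `grantors` is the question to ask first: it names the group that is still holding the assignment open.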

### SCIM User Lifecycle Automation Flow

```mermaid
%%{init: {'theme': 'neutral' } }%%
sequenceDiagram
    participant IdP as Identity Provider
    participant SCIM as Veza SCIM API
    participant Users as Veza Users
    participant Teams as Veza Teams

    rect rgb(230, 240, 255)
    Note over IdP,Teams: User Provisioning
    IdP->>SCIM: Create User Request
    SCIM->>Users: Create User Account
    end

    rect rgb(230, 240, 255)
    Note over IdP,Teams: Group Assignment
    IdP->>SCIM: Push Group Membership
    SCIM->>Teams: Create/Update Teams
    Teams->>Users: Apply Team/Role Permissions
    end

    rect rgb(230, 240, 255)
    Note over IdP,Teams: Profile Updates
    IdP->>SCIM: Update User Attributes
    SCIM->>Users: Update User Profile
    end

    rect rgb(230, 240, 255)
    Note over IdP,Teams: Deprovisioning
    IdP->>SCIM: Remove User from Groups
    SCIM->>Teams: Update Team Membership
    Teams->>Users: Remove Role Assignments
    IdP->>SCIM: Deactivate User
    SCIM->>Users: Deactivate User Account
    end
```

### Additional resources

* [SCIM API Reference](/4yItIzMvkpAvMVFAamTf/developers/api/scim/scim-api.md) - SCIM API endpoints and schema documentation
* [API Authentication](/4yItIzMvkpAvMVFAamTf/developers/api/authentication.md) - Create and manage API keys
* [Single Sign-On Configuration](/4yItIzMvkpAvMVFAamTf/administration/administration/sign-in-settings.md) - Configure SAML SSO
* [Team Management](/4yItIzMvkpAvMVFAamTf/administration/administration/users/teams.md) - More information about Veza teams and role assignments


