SCIM Provisioning

Automate user lifecycle management from your Identity Provider (IdP) with user and group provisioning through SCIM 2.0.

Overview

Veza's SCIM API provides a powerful automation tool to manage user access throughout the identity lifecycle. When an employee joins, changes roles, or leaves your organization, these changes can automatically propagate to Veza, maintaining access control while reducing administrative overhead.

The SCIM (System for Cross-domain Identity Management) protocol is an open standard for automating user provisioning between identity providers and applications. Veza exposes a standards-compliant SCIM 2.0 API at https://{tenant}.vezacloud.com/scim/v2.

Supported identity providers

Veza supports SCIM 2.0 integration with:

Okta
Microsoft Entra ID (formerly Azure AD)

Enabling SCIM provisioning

Before implementing SCIM provisioning, ensure you understand the prerequisites and process flow. This integration requires administrator access to both Veza and your identity provider, as well as a dedicated service account for secure API communication.

The implementation follows these key steps:

Create a dedicated admin user in Veza with SCIM Provisioner privileges
Generate and securely store an API key for your identity provider to authenticate
Enable SCIM provisioning in Veza's administration settings
Configure your identity provider with Veza's SCIM endpoint and authentication details
Enable push groups to align identity provider groups with Veza teams and roles
Validate the integration by testing the full provisioning lifecycle

For identity provider-specific instructions, follow our detailed guide for Okta.

Important notes for SCIM Provisioning

When enabling SCIM, there are some critical behaviors to be aware of:

SAML and SCIM interaction: When you enable SCIM provisioning, Veza automatically disables SAML Just-in-Time (JIT) provisioning to prevent potential conflicts. User profile updates now come exclusively from your identity provider through SCIM.
Group-to-role mapping: Veza maps each identity provider group to one or more team/role assignments in Veza. When a user's group membership changes in your IdP, Veza automatically updates their team/role assignments.
Permission persistence: If a user has the same permission from multiple groups, that permission remains until you remove the user from all groups granting that access. For example, if a user belongs to two groups that both assign Admin roles, removing them from only one group will not revoke their Admin permissions.

SCIM User Lifecycle Automation Flow

Additional resources

SCIM API Reference - SCIM API endpoints and schema documentation
API Authentication - Create and manage API keys
Single Sign-On Configuration - Configure SAML SSO
Team Management - More information about Veza teams and role assignments

PreviousTeam API Keys NextSCIM API Reference

Last updated 1 month ago

Was this helpful?