SCIM

Configuring SCIM integrations for Veza Lifecycle Management.

Overview

The Veza SCIM integration enables automated user lifecycle management for any application that supports the System for Cross-domain Identity Management (SCIM) protocol. SCIM provides a standardized approach for provisioning, updating, and deprovisioning users and groups across diverse applications including Atlassian products, Egnyte, Sigma Computing, and many others.

Direct SCIM vs. OAA SCIM Integration

This guide covers direct SCIM integrations where Veza connects directly to an application's SCIM endpoints. For custom applications built with the Open Authorization API (OAA) that expose SCIM endpoints, see Custom Application with SCIM (OAA).

Use direct SCIM when connecting to standard SaaS applications with native SCIM support, and you only need user and group provisioning without complex entity modeling.

You can use OAA SCIM for integrating custom or home-grown applications via OAA, and need comprehensive visibility beyond users and groups (permissions, resources, etc.)

Action Type

Description

Supported

SYNC_IDENTITIES

Synchronizes identity attributes between systems, with options to create new identities and update existing ones

✅

MANAGE_RELATIONSHIPS

Controls entitlements such as group memberships and role assignments for identities

✅

DEPROVISION_IDENTITY

Safely removes or disables access for identities

✅

CREATE_ENTITLEMENT

Creates entitlements such as groups

✅

This document includes steps to enable SCIM integrations for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for SCIM

Prerequisites

You will need administrative access in Veza to configure the integration and appropriate permissions in the target SCIM application.
Ensure you have an existing SCIM integration in Veza or add a new one for use with Lifecycle Management.
Verify your SCIM integration has completed at least one successful extraction
The SCIM integration will need the required API permissions:
- Read permissions: scim:read or equivalent for user and group discovery
- Write permissions: scim:write or equivalent for provisioning operations
- Specific endpoints: Access to /Users and /Groups endpoints
- Schema endpoint (optional): Access to /Schemas for extension attribute discovery
For Enterprise Extension attributes: Enable SCIM Extension Schemas in your SCIM integration configuration to extract and synchronize attributes like department, division, employeeNumber, and manager.

Important: SCIM applications have varying permission models. Consult your specific application's documentation for the exact scopes or permissions required for SCIM operations.

Configuration Steps

To enable the integration:

In Veza, go to the Integrations overview
Search for or create a SCIM integration
Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your SCIM data remains current:

Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for your SCIM integration in the Active Overrides section

To verify the health of the Lifecycle Management data source:

Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

SCIM integrations can be targets for identity management actions, receiving provisioning commands from Veza based on changes in external sources of truth or as part of automated workflows.

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

Username (user_name) is required and serves as the unique identifier
Email addresses are managed through the SCIM emails array
User activation/deactivation is controlled via the active attribute
Custom attributes are mapped according to SCIM schema extensions

Veza supports comprehensive SCIM 2.0 user attributes for both read-only data extraction (Access Graph) and bidirectional synchronization (Lifecycle Management). The tables below indicate which attributes support LCM synchronization (✅) versus read-only extraction (📖).

Core User Attributes

Veza supports all standard SCIM 2.0 core user attributes, organized by functional category:

Identity & Authentication

Attribute

Required for LCM

Type

LCM Sync

Description

userName

Yes

String

✅

Primary login identifier, unique across the system

id

String

✅

SCIM system identifier (auto-generated, read-only after creation)

externalId

String

✅

External system identifier for cross-system identity mapping

active

Boolean

✅

User account status (controls activation/deactivation)

Contact Information

Attribute

Required for LCM

Type

LCM Sync

Description

emails

Array

✅

Email addresses (can include multiple with type indicators)

phoneNumbers

Array

✅

Phone numbers (supports multiple with type indicators)

addresses

Array

✅

Physical addresses (supports multiple with type indicators)

ims

Array

✅

Instant messaging addresses

photos

Array

✅

Photo URLs

Personal Information

Attribute

Required for LCM

Type

LCM Sync

Description

displayName

String

✅

User's display name (full name for UI presentation)

name.givenName

String

✅

First name

name.familyName

String

✅

Last name

name.middleName

String

✅

Middle name

name.formatted

String

✅

Formatted full name

nickName

String

✅

User's nickname or informal name

Professional Information

Attribute

Required for LCM

Type

LCM Sync

Description

title

String

✅

Job title or professional role

userType

String

✅

User classification (e.g., Employee, Contractor)

locale

String

✅

User's locale preference (e.g., en-US)

timezone

String

✅

User's timezone (e.g., America/New_York)

preferredLanguage

String

✅

Preferred language code (e.g., en, es)

profileUrl

String

✅

URL to user's profile

System Metadata

Attribute

Required for LCM

Type

LCM Sync

Description

meta.created

DateTime

📖

Account creation timestamp (read-only)

meta.lastModified

DateTime

📖

Last modification timestamp (read-only)

Multi-valued Attributes: Attributes like emails, phoneNumbers, and addresses support multiple values with type indicators (e.g., work, home, other). Veza supports full create, update, and delete operations for these multi-valued fields.

Enterprise Extension Attributes

Veza supports the SCIM Enterprise User Extension schema (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User) for both extraction and LCM synchronization:

Attribute

Type

LCM Sync

Description

employeeNumber

String

✅

Organization's employee identifier

costCenter

String

✅

Cost center assignment

organization

String

✅

Organization name

division

String

✅

Division within the organization

department

String

✅

Department assignment

manager

Complex

✅

Manager reference (contains value, $ref, displayName)

To extract and synchronize Enterprise Extension attributes, you must enable SCIM Extension Schemas in your SCIM integration configuration. This option enables Veza to call the /Schemas endpoint and discover extension attributes.

Custom Extension Attributes

Veza automatically discovers and extracts all custom vendor-specific SCIM extension attributes for read-only purposes:

Extraction Capabilities:

Veza calls the SCIM /Schemas endpoint to discover all available schemas (requires SCIM Extension Schemas enabled in integration configuration)
Custom extension schemas are automatically identified and extracted
Extension attributes appear in the Veza Access Graph for search and analysis
All data types are supported (string, boolean, number, dateTime, complex)

LCM Synchronization:

Custom vendor extensions can be synchronized through LCM workflows when SCIM Extension Schemas is enabled by referencing the normalized attribute name (visible as a custom property in Access Graph).
Veza automatically maps the normalized name back to the proper SCIM extension structure using the reverse index
For example, targeting scim_extension_vendor_customfield in an attribute transformer will transmit the corresponding SCIM extension via the API.

Example Custom Extensions:

Vendor-specific user attributes (e.g., Atlassian organization roles)
Custom application properties
Industry-specific fields (e.g., healthcare credentials, financial certifications)

Custom extension synchronization requires SCIM Extension Schemas to be enabled. This builds an index that maps normalized attribute names to their original SCIM schema structure.

Using Extension Attributes in LCM Workflows

Extension attributes must be referenced by their normalized names in LCM attribute transformers.

Core SCIM attributes use simplified names:

user_name, display_name, email, title, department, division, etc.

Extension attributes require full normalized names:

Example: Enterprise Extension Attributes

{
  "attribute_name": "urn_ietf_params_scim_schemas_extension_enterprise_2_0_user_department",
  "source": "identity_attribute",
  "value": "department"
}

Example: Custom Vendor Extensions

{
  "attribute_name": "urn_scim_schemas_extension_myvendor_1_0_customfield",
  "source": "static_value",
  "value": "Engineering"
}

Manage Relationships

Group membership management with full add/remove capabilities:

Add users to groups for role-based access control
Remove users from groups during role changes or de-provisioning
Support for nested group structures where the SCIM provider allows
Relationship changes are immediate and reflected in target application

Deprovision Identity

When a user is deprovisioned:

User account is deactivated (sets active: false)
Group memberships are automatically removed
Account can be reactivated if needed
User data is preserved for audit purposes

Note: Some SCIM implementations support hard deletion while others only support deactivation. The SCIM integration uses deactivation by default for data preservation.

Create Entitlement

Entity Types: SCIM Groups
Assignee Types: SCIM Users
Supports Relationship Removal: Yes

Within SCIM applications, groups can be associated with:

Application-specific permissions and roles
Resource access controls
Team or organizational structures
Custom entitlements defined by the SCIM provider

SCIM Group Attributes

Veza supports all standard SCIM 2.0 group attributes for both extraction and LCM operations:

Attribute

Required for LCM

Type

LCM Sync

Description

displayName

Yes

String

✅

Group display name (unique identifier)

id

String

✅

SCIM system identifier (auto-generated, read-only after creation)

externalId

String

✅

External system identifier for cross-system group mapping

groupType

String

✅

Group classification or category

description

String

✅

Group purpose or description

members

Array

✅

Group members (contains user references with value and display properties)

Group Membership Management: Veza supports both adding and removing members from groups through the Manage Relationships action. The members attribute contains an array of user references, each with a value (user ID) and optional display (user's display name) property.

Supported SCIM Applications

The following applications are validated to work with Veza's SCIM Lifecycle Management:

Enterprise Applications

Atlassian Products (Jira Cloud, Confluence Cloud, Bitbucket Cloud)
- SCIM Endpoint: https://{domain}.atlassian.net/scim/directory/{directory-id}
- Full user and group provisioning support
Egnyte
- SCIM Endpoint: https://{domain}.egnyte.com/pubapi/scim/v2
- User provisioning and group management
Sigma Computing
- SCIM Endpoint: https://aws-api.sigmacomputing.com/scim/v2
- User lifecycle and team assignment

Development & Collaboration Tools

Fivetran
- SCIM Endpoint: https://api.fivetran.com/scim/v2
- User and group provisioning
Harness
- SCIM Endpoint: https://app.harness.io/gateway/ng/api/scim/account/{accountid}
- User management and role assignment
Zapier
- SCIM Endpoint: https://zapier.com/scim/v2
- User provisioning and team management

Security & Infrastructure

Twingate
- SCIM Endpoint: https://{domain}.twingate.com/api/scim/v2
- User provisioning and group assignment
ThousandEyes
- SCIM Endpoint: https://api.thousandeyes.com/scim
- User management (groups via custom implementation)

Workflow Examples

New Employee Onboarding

When a new employee joins (triggered by HR system changes):

Identity Sync: Create user account in SCIM application with basic attributes
Email Setup: Configure primary email and secondary contacts
Group Assignment: Add user to department and role-based groups automatically
Access Verification: Confirm user can access application and assigned resources

Role Change Management

When an employee changes roles or departments:

Attribute Update: Sync new job title, department, and manager information
Group Reassignment: Remove old role groups, add new role groups
Access Review: Verify appropriate access levels for new position
Notification: Alert managers and IT of completed changes

Employee Offboarding

When an employee leaves the organization:

Account Deactivation: Set user status to inactive in SCIM application
Group Removal: Remove all group memberships and access rights
Data Preservation: Maintain account record for audit and compliance
Manager Notification: Alert appropriate stakeholders of access removal

Bulk User Management

For large-scale provisioning operations:

Batch Processing: Create multiple users efficiently through SCIM bulk operations
Group Pre-creation: Establish organizational groups before user assignment
Validation: Verify all users are created with correct attributes and memberships
Rollback Capability: Support for reversing bulk operations if needed

PreviousSalesforce NextServiceNow

Last updated 24 days ago

Was this helpful?