# SCIM integration

### Overview

Many applications support the System for Cross-domain Identity Management (SCIM) [protocol](https://www.rfc-editor.org/rfc/rfc7644) for provisioning and managing users and groups by API. Veza can often use SCIM APIs to populate the Access Graph with user and group information.

This document explains how to add a SCIM integration to collect user and group entities from compatible applications.

### Supported Applications

The following applications are supported by Veza's SCIM integration:

**Egnyte**

* SCIM Endpoint: `https://<domain>.egnyte.com/pubapi/scim/v2`
* Supported Endpoints: `/Users`, `/Groups`

**Ironclad**

* SCIM Endpoint: `https://ironcladapp.com/scim/v2`
* Supported Endpoints: `/Users`, `/Groups`

**Fivetran**

* SCIM Endpoint: `https://api.fivetran.com/scim/v2`
* Supported Endpoints: `/Users`, `/Groups`

**Celonis**

* SCIM Endpoint: `https://<domain>.<region>.celonis.cloud/scim/v2`
* Supported Endpoints: `/Users`, `/Groups`
* Staging/Live Support: Yes

**Sigma Computing**

* SCIM Endpoint: `https://aws-api.sigmacomputing.com/scim/v2`
* Supported Endpoints: `/Users`, `/Groups`
* Staging/Live Support: Yes

**Zapier**

* SCIM Endpoint: `https://zapier.com/scim/v2`
* Supported Endpoints: `/Users`, `/Groups`

**Envoy**

* SCIM Endpoint: `https://app.envoy.com/scim/v2`
* Supported Endpoints: `/Users`, `/Groups`

**Twingate**

* SCIM Endpoint: `https://<domain>.twingate.com/api/scim/v2`
* Supported Endpoints: `/Users`, `/Groups`

**Harness**

* SCIM Endpoint: `https://app.harness.io/gateway/ng/api/scim/account/<accountid>`
* Supported Endpoints: `/Users`, `/Groups`

**ThousandEyes**

* SCIM Endpoint: `https://api.thousandeyes.com/scim`
* Supported Endpoints: `/Users`

### Application Setup

#### Requirements

* The source application's SCIM API must support listing from at least the `/Users` endpoint, so that Veza can identify supported resources and list users.
* To discover User Groups, the SCIM API must support the `/Groups` endpoint and the response must include the `members` section.

To ingest data, you will need to ensure that the SCIM API in your target system is enabled, and generate appropriate authentication credentials.

Refer to the individual application's documentation to:

1. Configure and activate the application's SCIM API, if it is not already enabled.
2. Obtain authentication credentials (API token, OAuth2 credentials, or username/password) with permission to list users and groups.
3. Take note of the base SCIM URL (such as `https://api.fivetran.com/scim/v2`).
4. Take note of the Users and Groups endpoints (typically `/Users` and `/Groups`).
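A pre-flight check for the two requirements above, run against the base SCIM URL and bearer token before entering them in Veza. This is an added example and not part of Veza's own tooling; the environment variable names `SCIM_URL` and `SCIM_TOKEN` are assumed, and `check_scim_responses` only inspects already-fetched responses, so it can be exercised offline.

```python
import json
import os
import urllib.error
import urllib.request
from typing import Optional


def fetch_scim(base_url: str, path: str, token: str, count: int = 1) -> Optional[dict]:
    """GET one page of {base_url}{path} with a bearer token; None on HTTP/network failure."""
    url = f"{base_url.rstrip('/')}{path}?startIndex=1&count={count}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/scim+json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except (urllib.error.HTTPError, urllib.error.URLError):
        return None


def check_scim_responses(users: Optional[dict], groups: Optional[dict]) -> list:
    """Evaluate the requirements above; returns a list of problems (empty means OK)."""
    problems = []
    # Requirement 1: /Users must be listable (a SCIM ListResponse carries "Resources").
    if not users or "Resources" not in users:
        problems.append("/Users is not listable: extraction cannot proceed")
    elif users.get("totalResults", len(users["Resources"])) == 0:
        problems.append("/Users is listable but returns no users")
    # Requirement 2: /Groups must exist and its resources must carry "members".
    if groups is None:
        problems.append("/Groups is unavailable: groups will not be discovered")
    elif groups.get("Resources") and not any("members" in g for g in groups["Resources"]):
        problems.append("/Groups omits 'members': group memberships will not be discovered")
    return problems


if __name__ == "__main__":
    # Assumed environment variable names; the token is never written into the script.
    base, token = os.environ["SCIM_URL"], os.environ["SCIM_TOKEN"]
    issues = check_scim_responses(fetch_scim(base, "/Users", token),
                                  fetch_scim(base, "/Groups", token))
    print("\n".join(issues) if issues else "SCIM endpoint meets the requirements")
```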

### Veza setup

To enable Veza to gather data from a SCIM-compatible application, go to **Integrations** > **Add New** and pick **SCIM** or **SCIM OAuth2** for the integration type.

Fill out the required fields:

| Field                                 | Description                                                                                                                                                   | Required | Auth Method  |
| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------------ |
| *Name*                                | A unique display name of the Veza Provider to create.                                                                                                         | ✅        | All          |
| *App Name*                            | The name of the application that will be created. If you are discovering multiple instances of the same application, this name should be unique per instance. | ✅        | All          |
| *App Type*                            | The type for the app, users and groups that are created. Typically the application or vendor name.                                                            | ✅        | All          |
| *App Description*                     | Optional description for the application.                                                                                                                     | ⚪        | All          |
| *SCIM URL*                            | The full URL to the SCIM API endpoint, excluding the resource type (such as `https://app.example.com/scim/v2`).                                               | ✅        | All          |
| *Authentication Method*               | Choose between `Bearer Token`, `OAuth2 Client Credentials`, or `Basic Auth`.                                                                                  | ✅        | All          |
| *SCIM Token*                          | Bearer token string, used to call the API.                                                                                                                    | ✅        | Bearer Token |
| *Username*                            | Username for basic authentication.                                                                                                                            | ✅        | Basic Auth   |
| *Password*                            | Password for basic authentication.                                                                                                                            | ✅        | Basic Auth   |
| *Auth URL*                            | OAuth2 token endpoint URL. If not provided, defaults to `{SCIM_URL}/oauth2/token`.                                                                            | ⚪        | OAuth2       |
| *Client ID*                           | OAuth2 client identifier.                                                                                                                                     | ✅        | OAuth2       |
| *Client Secret*                       | OAuth2 client secret.                                                                                                                                         | ✅        | OAuth2       |
| *Users Endpoint*                      | Optional override for the User's listing endpoint, default `/Users`.                                                                                          | ⚪        | All          |
| *Groups Endpoint*                     | Optional override for the Group's listing endpoint, default `/Groups`.                                                                                        | ⚪        | All          |
| *CA Certificate*                      | Optional custom CA certificate for SSL verification (PEM format).                                                                                             | ⚪        | All          |
| *Provider Icon*                       | Optional application icon file to use on Veza. Icons must be PNG or SVG and smaller than 64KB.                                                                | ⚪        | All          |
| *SCIM Extension Schemas*              | When enabled, Veza calls the SCIM `/Schemas` endpoint to discover and extract extension attributes (Enterprise Extension and custom vendor extensions).       | ⚪        | All          |
| *Enable Usage for Lifecycle Management* | Toggle to enable [Lifecycle Management](/4yItIzMvkpAvMVFAamTf/integrations/integrations/scim/provisioning.md) capabilities.                                   | ⚪        | All          |

Click **Create Integration** to save the configuration and queue an extraction.

#### SCIM Extension Schemas

The **SCIM Extension Schemas** option controls whether Veza automatically discovers custom and enterprise extension attributes from your SCIM application.

Enable SCIM Extension Schemas when:

* Your SCIM application supports the `/Schemas` endpoint (SCIM 2.0 standard)
* You need to extract Enterprise Extension attributes like `department`, `division`, `employeeNumber`, `costCenter`, `organization`, or `manager`
* Your application has custom vendor-specific attributes you want to appear in the Veza Access Graph
* You're using Lifecycle Management and need to synchronize Enterprise Extension attributes

You can safely disable this option if the SCIM application does not support the `/Schemas` endpoint, if you only need core SCIM user and group attributes, or to troubleshoot performance issues or errors.

**How It Works:**

When enabled, Veza calls the SCIM `/Schemas` endpoint during extraction to:

1. Discover all available SCIM schemas (core and extensions)
2. Identify Enterprise Extension attributes for organizational data
3. Extract custom vendor-specific extension attributes
4. Map discovered attributes to the Veza Access Graph

All discovered extension attributes appear as custom properties on user and group entities in Veza. This enables you to search and filter in Graph, Query Builder, and Access Reviews, trigger Lifecycle Management workflows, and synchronize discovered extension attributes (Enterprise Extension and custom vendor extensions) for identities.

{% hint style="info" %}
Extension schema discovery is automatic once enabled. Veza normalizes extension attribute names for Access Graph compatibility.

**Normalization rules:**

1. The schema ID and attribute name are combined with a colon (`:`) separator
2. The entire string is converted to lowercase
3. All non-alphanumeric characters are replaced with underscores (`_`)
4. Leading and trailing underscores are removed
5. If the result starts with a number, it's prefixed with `scim_`

**Examples:**
{% endhint %}

| Original Schema + Attribute                                                     | Normalized Name                                                             |
| ------------------------------------------------------------------------------- | --------------------------------------------------------------------------- |
| `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User` + `department`     | `urn_ietf_params_scim_schemas_extension_enterprise_2_0_user_department`     |
| `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User` + `employeeNumber` | `urn_ietf_params_scim_schemas_extension_enterprise_2_0_user_employeenumber` |
| `urn:scim:schemas:extension:MyVendor:1.0` + `customField`                       | `urn_scim_schemas_extension_myvendor_1_0_customfield`                       |

{% hint style="info" %}
These normalized names are used as custom property names in the Access Graph and when referencing attributes in Lifecycle Management transformers.
{% endhint %}
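The five normalization rules, implemented as an added example (not Veza's own code) and applied to the extension sub-objects of a SCIM resource, where extension attributes live under a key equal to the extension schema URN. The sample user below is constructed; treating every non-ASCII character as non-alphanumeric is an assumption of this example.

```python
import re

def normalize_scim_attribute(schema_id: str, attribute: str) -> str:
    """Turn (schema ID, attribute name) into the normalized Access Graph property name."""
    # Rule 1: join the schema ID and the attribute name with a colon
    combined = f"{schema_id}:{attribute}"
    # Rule 2: lowercase the whole string
    combined = combined.lower()
    # Rule 3: replace every non-alphanumeric character (non-ASCII included, by assumption)
    combined = re.sub(r"[^a-z0-9]", "_", combined)
    # Rule 4: drop leading and trailing underscores
    combined = combined.strip("_")
    # Rule 5: a name must not start with a digit, so prefix it with "scim_"
    if combined and combined[0].isdigit():
        combined = "scim_" + combined
    return combined


def extension_properties(resource: dict) -> dict:
    """Flatten every non-core extension object of a SCIM resource into
    {normalized_name: value}, the form in which the attributes appear in Veza."""
    props = {}
    for schema_id in resource.get("schemas", []):
        if ":core:" in schema_id:          # core attributes live at the top level, skip
            continue
        for attr, value in (resource.get(schema_id) or {}).items():
            props[normalize_scim_attribute(schema_id, attr)] = value
    return props


# Constructed sample resource (not from any real tenant).
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE_EXT,
                "urn:scim:schemas:extension:MyVendor:1.0"],
    "id": "2819c223", "userName": "bjensen@example.com",
    ENTERPRISE_EXT: {"department": "Tour Operations", "employeeNumber": "701984",
                     "manager": {"value": "26118915", "displayName": "John Smith"}},
    "urn:scim:schemas:extension:MyVendor:1.0": {"customField": "blue"},
}
```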

### Enable Lifecycle Management

SCIM integrations can be used as targets for Veza [Lifecycle Management](/4yItIzMvkpAvMVFAamTf/features/lifecycle-management.md), enabling automated user provisioning, de-provisioning, and group management across SCIM-compatible applications. This is particularly valuable for applications like Atlassian products, Egnyte, Sigma Computing, and other systems that support the SCIM protocol.

When enabled for Lifecycle Management, SCIM integrations support:

* **User provisioning** with attribute synchronization (create, update, deactivate)
* **Group management** including creation and membership assignment
* **Relationship management** for adding and removing users from groups
* **Deprovisioning** through account deactivation and group removal

The SCIM integration requires both read and write permissions to the target application's SCIM API. Specific permission requirements vary by application, but typically include:

* `scim:read` or equivalent for user and group discovery
* `scim:write` or equivalent for provisioning operations
* Access to `/Users` and `/Groups` endpoints

To enable Lifecycle Management for your SCIM integration, check the **Enable usage for Lifecycle Management** box in the Veza integration configuration. For detailed information about supported capabilities, workflow examples, and application-specific guidance, see the [SCIM Lifecycle Management guide](/4yItIzMvkpAvMVFAamTf/integrations/integrations/scim/provisioning.md).

### Supported Entities

#### Users

These attributes represent how SCIM user data appears in the Veza Access Graph:

| Veza Attribute     | Description                                 | Source Field(s)                                                                    |
| ------------------ | ------------------------------------------- | ---------------------------------------------------------------------------------- |
| `name`             | Display name of the user                    | Derived from first available: `displayName`, `name.formatted`, `userName`, or `id` |
| `id`               | Unique identifier in Veza                   | SCIM `id` field (converted to string)                                              |
| `is_active`        | Boolean indicating if the account is active | SCIM `active` field                                                                |
| `external_id`      | External system identifier                  | SCIM `externalId` field                                                            |
| `email`            | Primary email address                       | First email from SCIM `emails` array                                               |
| `emails`           | All email addresses                         | Complete SCIM `emails` array                                                       |
| `username`         | Login username                              | SCIM `userName` field                                                              |
| `display_name`     | User's display name                         | SCIM `displayName` field                                                           |
| `last_modified_at` | Last modification timestamp                 | SCIM `meta.lastModified` field                                                     |
| `given_name`       | First name                                  | SCIM `name.givenName` field                                                        |
| `family_name`      | Last name                                   | SCIM `name.familyName` field                                                       |
| `title`            | Job title                                   | SCIM `title` field                                                                 |
| `department`       | Department name                             | SCIM enterprise extension `department` field                                       |
| `division`         | Division name                               | SCIM enterprise extension `division` field                                         |

#### Groups

These attributes represent how SCIM group data appears in the Veza Access Graph:

| Veza Attribute     | Description                 | Source Field(s)                        |
| ------------------ | --------------------------- | -------------------------------------- |
| `name`             | Display name of the group   | SCIM `displayName` field               |
| `id`               | Unique identifier in Veza   | SCIM `id` field (converted to string)  |
| `external_id`      | External system identifier  | SCIM `externalId` field                |
| `description`      | Group description           | SCIM `description` or extension fields |
| `group_type`       | Classification of the group | SCIM `groupType` field                 |
| `last_modified_at` | Last modification timestamp | SCIM `meta.lastModified` field         |
| `members`          | List of group members       | SCIM `members` array (user IDs)        |
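The two mapping tables above (Users and Groups) carried through in code, as an added example that is not Veza's implementation: each function takes a SCIM 2.0 resource and returns the Veza attributes with the derivations the tables describe. The sample resources are constructed, modelled on the RFC 7643 examples; leaving `is_active` as `None` when the server omits `active` is this example's choice.

```python
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

def _as_str(value):
    """SCIM ids may be numeric in some applications; Veza ids are strings."""
    return None if value is None else str(value)

def map_scim_user(r: dict) -> dict:
    """Map a SCIM User resource to the Veza user attributes in the table above."""
    name, meta = r.get("name") or {}, r.get("meta") or {}
    emails, ext = r.get("emails") or [], r.get(ENTERPRISE_EXT) or {}
    return {
        # first available of displayName, name.formatted, userName, id
        "name": next((v for v in (r.get("displayName"), name.get("formatted"),
                                  r.get("userName"), r.get("id")) if v), None),
        "id": _as_str(r.get("id")),
        "is_active": r.get("active"),          # None when the server omits the field
        "external_id": r.get("externalId"),
        "email": emails[0].get("value") if emails else None,   # first array entry
        "emails": emails,                      # the complete array
        "username": r.get("userName"),
        "display_name": r.get("displayName"),
        "last_modified_at": meta.get("lastModified"),
        "given_name": name.get("givenName"),
        "family_name": name.get("familyName"),
        "title": r.get("title"),
        "department": ext.get("department"),   # enterprise extension
        "division": ext.get("division"),
    }

def map_scim_group(r: dict) -> dict:
    """Map a SCIM Group resource to the Veza group attributes in the table above."""
    meta = r.get("meta") or {}
    return {
        "name": r.get("displayName"),
        "id": _as_str(r.get("id")),
        "external_id": r.get("externalId"),
        "description": r.get("description"),
        "group_type": r.get("groupType"),
        "last_modified_at": meta.get("lastModified"),
        # keep only the referenced user ids from the members array
        "members": [_as_str(m["value"]) for m in r.get("members") or [] if "value" in m],
    }

# Constructed sample resources (not from any real tenant).
SAMPLE_USER = {"id": 2819, "userName": "bjensen@example.com", "active": True,
               "name": {"givenName": "Barbara", "familyName": "Jensen",
                        "formatted": "Ms. Barbara J Jensen"},
               "emails": [{"value": "bjensen@example.com", "primary": True},
                          {"value": "babs@jensen.org", "type": "home"}],
               "meta": {"lastModified": "2011-05-13T04:42:34Z"},
               ENTERPRISE_EXT: {"department": "Tour Operations", "division": "Theme Park"}}
SAMPLE_GROUP = {"id": "e9e30dba", "displayName": "Tour Guides",
                "members": [{"value": 2819, "display": "Babs Jensen"}, {"value": "902c246b"}]}
```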
