
About SCIM Directory Integration

SCIM, or the System for Cross-domain Identity Management, is a protocol designed to make managing user identities across different systems simpler and more efficient. It’s particularly useful when you’re using multiple cloud-based applications, as it helps automate the process of adding and removing users.

How It Works

SCIM involves two main roles:
  • Client - This is usually an identity provider or identity access management system, like Microsoft Entra ID or Okta, that manages core identity data.
  • Service Provider - A software-as-a-service (SaaS) application, like Iru Endpoint, that uses identity data to manage user access and permissions.
SCIM supports several operations, including provisioning, synchronization, and deprovisioning. This one-way sync allows you to automatically create user accounts in Iru Endpoint, keep user attributes up-to-date between your MDM and IdP, and automatically remove or disable user accounts when they are no longer needed.

Configuring SCIM in Iru Endpoint

To configure a SCIM integration between your Identity Provider (IdP) and Iru Endpoint, you will need to:
  • Create a new SCIM Directory Integration in Iru Endpoint
  • Obtain the SCIM API URL and API token from Iru Endpoint to use with your IdP.
  • Access your IdP to create an app integration, map SCIM attributes, and push desired user groups.

Creating a New SCIM Directory Integration

1. Open Integrations
   In Iru Endpoint, click your name at the bottom of the left navigation, then select Integrations.

2. Discover Integrations
   Click Discover integrations in the upper-right of the Integrations page.

3. Add SCIM Protocol
   On the SCIM protocol tile, click Add and configure.

4. Start Configuration
   Click Get started.

5. Name the Integration
   Enter a unique name for the SCIM integration.

6. Generate Authentication Token
   Click Generate token. The SCIM user directory integration uses an HTTP authorization header with a Bearer Token as the authentication method.

7. Copy the Token
   Click Copy token.

8. Confirm Token Copy
   The token will not be visible again after you click Done. Store it securely before continuing.

9. Complete Setup
   Confirm that you have copied the token by checking the box, then click Done. You will return to the Integrations page.

Obtaining the SCIM API URL

Your SCIM API URL will be in the format of https://subdomain.api.kandji.io/api/v1/scim

1. Access Integration Details
   Click the ellipsis on the SCIM directory integration you just created.

2. View Details
   Select View Details.

3. Copy API URL
   Copy the SCIM API URL; your identity provider will require this.

4. Close Details
   Click Close.

Renaming a SCIM Integration

To change the name of an existing SCIM directory integration:

1. Open the integration menu
   Click the ellipsis on the SCIM directory integration you want to rename.

2. Choose Rename
   Select Rename.

3. Enter the new name
   Enter the new name for the integration and save.

Rotating the SCIM Token

Rotate the SCIM API token when you need to invalidate the current token (for example, after a security concern or when reconfiguring the integration in your IdP). After rotating, update your identity provider with the new token.

1. Open the integration menu
   Click the ellipsis on the SCIM directory integration.

2. Choose Rotate token
   Select Rotate token.

3. Confirm the rotation
   Confirm the rotation in the prompt. The previous token will no longer work.

4. Copy the new token
   Copy the new token and update it in your IdP.

Deleting a SCIM Integration

Removing a SCIM directory integration stops synchronization from your IdP and removes the integration from Iru Endpoint. Update or remove the SCIM app in your IdP to avoid errors.

1. Open the integration menu
   Click the ellipsis on the SCIM directory integration you want to remove.

2. Choose Delete integration
   Select Delete integration.

3. Confirm deletion
   Confirm that you want to delete the integration in the prompt.

SCIM Schema and Supported Attributes

Iru Endpoint supports the following SCIM attributes. Refer to these attributes when mapping your SCIM application in your IdP.
Iru Endpoint does not use any attributes that are not in the list below. To limit the attributes sent, please modify the attributes configured in the SCIM app in your IdP.

User attributes

| Attribute | Description | Required |
| --- | --- | --- |
| userName | Unique identifier for the user, used to authenticate to the service provider | Yes |
| name.formatted | The user’s full name (for example, “John Doe”). This attribute or the displayName attribute is required | No |
| displayName | The user’s full name (for example, “John Doe”). This attribute or the name.formatted attribute is required | Yes |
| title | The user’s title, such as “Vice President.” | No |
| active | The user’s status within the identity provider. This attribute is automatically added by the Identity Provider. | Yes |
| emails.value | The user’s email address as a subattribute of emails. Iru Endpoint only stores the first email in the list. | Yes |
| department | Identifies the name of a department. | No |

Group attributes

| Attribute | Description | Required |
| --- | --- | --- |
| displayName | A human-readable name for the Group. | Yes |
| members | A list of members in the Group. | Yes |

When using SCIM to sync users from a directory, the SCIM app automatically sends new information to Iru Endpoint, so there is no need for a Sync Now button that you would see when using the native Entra ID or Google Workspace directory integrations. Each cloud IdP has its own standard for syncing SCIM data. Please check your identity provider’s documentation to understand how SCIM sync is configured.

Configure SCIM in your identity provider using the article for your IdP. Iru Endpoint’s SCIM implementation follows the SCIMv2 specification.
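
An added example, not part of Iru Endpoint's documentation or code: a pre-flight audit of a SCIM User payload against the attribute table above. It reports required attributes that are missing, attributes the IdP sends that Iru Endpoint does not use, and which email would be stored. The function names, the sample payload and the placement of department in the RFC 7643 enterprise extension are assumptions.

```python
# Added example (not Iru Endpoint code): audit a SCIM 2.0 User payload
# against the supported-attribute table on this page.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SUPPORTED = {"userName", "name.formatted", "displayName", "title",
             "active", "emails.value", "department"}
ENVELOPE = {"schemas", "id", "externalId", "meta"}  # protocol fields, not mapped data

def flatten(resource):
    """Return the dotted attribute paths present in a SCIM User resource."""
    paths = set()
    for key, value in resource.items():
        if key in ENVELOPE:
            continue
        if key == ENTERPRISE:
            # Assumption: department is sent in the RFC 7643 enterprise extension.
            paths.update(value)
        elif isinstance(value, dict):
            paths.update(f"{key}.{sub}" for sub in value)
        elif isinstance(value, list):
            for item in value:
                if isinstance(item, dict):
                    paths.update(f"{key}.{sub}" for sub in item)
                else:
                    paths.add(key)
        else:
            paths.add(key)
    return paths

def audit(resource):
    """Report required attributes that are missing and attributes sent but unused."""
    present = flatten(resource)
    missing = [a for a in ("userName", "active", "emails.value") if a not in present]
    # Per the table's descriptions, either full-name attribute satisfies the requirement.
    if not present & {"displayName", "name.formatted"}:
        missing.append("displayName or name.formatted")
    emails = resource.get("emails") or []
    return {"missing": missing,
            "unused": sorted(present - SUPPORTED),  # candidates to unmap in the IdP
            "stored_email": emails[0].get("value") if emails else None}  # first entry only

# Constructed sample payload, not captured from a real IdP.
SAMPLE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    "userName": "jdoe@example.com",
    "name": {"formatted": "John Doe", "familyName": "Doe"},
    "active": True,
    "emails": [{"value": "john.personal@example.net", "type": "home"},
               {"value": "jdoe@example.com", "type": "work", "primary": True}],
    "phoneNumbers": [{"value": "+1-555-0100", "type": "mobile"}],
    ENTERPRISE: {"department": "Finance", "employeeNumber": "1001"},
}
```

In the constructed sample the personal address is listed first, so it is the one that would be stored; order or filter the emails mapping in the IdP if the work address is intended.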

SCIM Directory Integration with Okta

Connect Okta to Iru Endpoint for automatic user and group provisioning via SCIM

SCIM Directory Integration with Microsoft Entra ID

Connect Microsoft Entra ID (Azure AD) to Iru Endpoint for SCIM-based user and group provisioning

SCIM Directory Integration with OneLogin

Connect OneLogin to Iru Endpoint for automatic user and group provisioning via SCIM