# SCIM Provisioning

SCIM (System for Cross-domain Identity Management) lets you automatically sync users and groups from your identity provider to AccessIQ. When you add, update, or remove a user in your IdP, the change is reflected in AccessIQ automatically.

## How It Works

1. Your identity provider pushes user and group changes to AccessIQ over the SCIM 2.0 protocol.
2. AccessIQ processes the changes and creates, updates, or deactivates users accordingly.
3. Group memberships sync to AccessIQ organizations and roles.

## Supported Identity Providers

| Provider         | SCIM Support         |
| ---------------- | -------------------- |
| Okta             | Supported            |
| Azure Entra ID   | Supported            |
| Google Workspace | Supported            |
| Auth0            | Supported            |
| AWS Cognito      | Manual configuration |

## Setting Up SCIM

### Step 1: Generate a SCIM Token in AccessIQ

1. Go to **Identity > Provisioning**.
2. Click **Enable SCIM Provisioning**.
3. Copy the **SCIM Base URL** and **Bearer Token**. Store the token securely -- it is shown only once.

### Step 2: Configure Your Identity Provider

Enter the SCIM Base URL and Bearer Token into your IdP's provisioning settings. Refer to your IdP's documentation for specific steps:

* **Okta**: Applications > your app > Provisioning > Integration
* **Azure Entra ID**: Enterprise applications > your app > Provisioning
* **Google Workspace**: Apps > SAML apps > User provisioning

### Step 3: Choose What to Sync

In AccessIQ, configure which attributes to sync:

| Attribute    | Description          | Required |
| ------------ | -------------------- | -------- |
| Username     | Primary identifier   | Yes      |
| Email        | User's email address | Yes      |
| First name   | Given name           | Yes      |
| Last name    | Family name          | Yes      |
| Display name | Full display name    | No       |
| Groups       | Group memberships    | No       |

### Step 4: Test the Connection

Most identity providers offer a **Test Connection** button. Use it to verify that your IdP can reach AccessIQ's SCIM endpoint.

## SCIM Operations

| Operation               | What happens in AccessIQ                                     |
| ----------------------- | ------------------------------------------------------------ |
| Create user             | New user is created and assigned to the default organization |
| Update user             | User attributes are updated                                  |
| Deactivate user         | User is deactivated (not deleted)                            |
| Create group            | Group is mapped to an AccessIQ organization                  |
| Update group membership | Organization membership is updated                           |

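As an added example, not AccessIQ's own code, here is a constructed in-memory model of the service side of the operations above: on create it enforces the required attributes from Step 3, and a PATCH setting `active` to false deactivates the user while leaving the record in place, matching the "deactivated (not deleted)" row. The schema URNs are the standard SCIM 2.0 ones; the user data and the `ScimStore` name are constructed for the example.

```python
import uuid
# Constructed in-memory model of the service side of SCIM 2.0 (not AccessIQ's
# implementation): illustrates the create / update / deactivate semantics above.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def missing_attributes(payload: dict) -> list[str]:
    """Required attributes from the 'Choose What to Sync' table, as SCIM paths."""
    name = payload.get("name") or {}
    values = {"userName": payload.get("userName"), "emails": payload.get("emails"),
              "name.givenName": name.get("givenName"), "name.familyName": name.get("familyName")}
    return [attr for attr, value in values.items() if not value]

class ScimStore:
    def __init__(self) -> None:
        self.users: dict[str, dict] = {}

    def create_user(self, payload: dict) -> dict:
        """POST /Users: reject a wrong schema or missing required attributes."""
        if USER_SCHEMA not in payload.get("schemas", []):
            raise ValueError("unsupported schema")
        if missing := missing_attributes(payload):
            raise ValueError(f"missing required attributes: {missing}")
        user = {**payload, "id": str(uuid.uuid4()), "active": payload.get("active", True)}
        self.users[user["id"]] = user
        return user

    def patch_user(self, user_id: str, patch: dict) -> dict:
        """PATCH /Users/{id}: 'replace' ops only; active=false deactivates, never deletes."""
        if PATCH_SCHEMA not in patch.get("schemas", []):
            raise ValueError("unsupported schema")
        user = self.users[user_id]  # a real server answers 404 on an unknown id
        for op in patch["Operations"]:
            if op["op"].lower() != "replace":
                raise ValueError(f"op not handled in this example: {op['op']}")
            if "path" in op:
                user[op["path"]] = op["value"]
            else:  # no path: value is a partial resource (RFC 7644 section 3.5.2.3)
                user.update(op["value"])
        return user

def demo() -> tuple[int, bool]:
    store = ScimStore()  # create one constructed user, then deactivate them
    created = store.create_user({
        "schemas": [USER_SCHEMA], "userName": "jdoe@example.com",
        "name": {"givenName": "Jane", "familyName": "Doe"},
        "emails": [{"value": "jdoe@example.com", "primary": True}]})
    store.patch_user(created["id"], {"schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "value": {"active": False}}]})
    return len(store.users), store.users[created["id"]]["active"]  # (1, False)
```

The same validation is what you would want on the receiving side before trusting an IdP push: a payload with a wrong schema or without the required attributes is rejected rather than creating a half-populated account.
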
## Best Practices

* Always test with a small group of users before enabling full sync.
* Rotate your SCIM token periodically for security.
* Use group-based assignment to control which users are provisioned into AccessIQ.
