SCIM 2.0 User Provisioning

Automatically synchronize users from your identity provider (Azure AD, Okta, Google Workspace) to Exepron using the SCIM 2.0 standard. Streamline onboarding, reduce manual work, and improve security compliance.

Configure SCIM Clients
URL Note: This documentation uses proid.exepron.com as the Identity Server URL. If you have a self-hosted or custom deployment, replace this with your own Identity Server URL.

What is SCIM?

SCIM (System for Cross-domain Identity Management) is an open standard protocol (RFC 7643 and RFC 7644) that enables automatic user provisioning and deprovisioning between identity providers and cloud applications.

┌─────────────────────┐                     ┌─────────────────────┐
│  Identity Provider  │                     │      Exepron        │
│  (Azure AD, Okta)   │                     │   (SCIM Server)     │
│                     │                     │                     │
│  1. User Assigned   │────────────────────>│  2. SCIM Request    │
│     to App          │   POST /Users       │     Received        │
│                     │                     │                     │
│                     │<────────────────────│  3. User Created    │
│                     │   201 Created       │     in Exepron      │
│                     │                     │                     │
│  4. User Updated    │────────────────────>│  5. SCIM Request    │
│     in IdP          │   PUT /Users/{id}   │     Processed       │
│                     │                     │                     │
│  6. User Removed    │────────────────────>│  7. User Deactivated│
│     from App        │   DELETE /Users/{id}│    in Exepron       │
└─────────────────────┘                     └─────────────────────┘
                        

SCIM vs Manual User Management

Aspect             | Manual Management                  | SCIM Provisioning
-------------------|------------------------------------|-------------------------------
User Creation      | Admin creates user manually        | Automatic when assigned in IdP
User Updates       | Admin updates profile manually     | Automatic sync from IdP
User Deactivation  | Admin must remember to deactivate  | Automatic when unassigned
Time Required      | 5-10 minutes per user              | Seconds (automated)
Error Rate         | Higher (manual entry)              | Lower (automated)
Audit Trail        | Limited                            | Complete audit log

Key Benefits

Automated Workflow

Users are automatically created, updated, and deactivated based on your identity provider assignments.

Time Savings

Eliminate manual user creation and updates. IT administrators spend less time on user management tasks.

Improved Security

Deactivated users are immediately removed from access. Enforces centralized authentication policies.

Compliance Ready

Complete audit trail of all provisioning activities. Meet compliance requirements for user lifecycle management.

Data Consistency

User data stays synchronized with your identity provider. Single source of truth for user information.

Scalability

Easily manage hundreds or thousands of users. Bulk provisioning supported through your IdP.

Supported Identity Providers

Exepron SCIM 2.0 works with any SCIM 2.0 compliant identity provider. Detailed integration guides for Microsoft Azure AD / Entra ID and Okta are in the Integration Guides section of this page.

Custom Integration: If your identity provider supports SCIM 2.0 but isn't listed above, you can still integrate using our generic SCIM 2.0 endpoint configuration.

Prerequisites

Account Requirements

  • SCIM Feature Enabled - Contact Exepron sales or support to enable SCIM for your account
  • Account Administrator Access - You need admin rights in Exepron
  • Payment Plan - SCIM is a premium feature (check your plan or contact sales)

Identity Provider Requirements

  • SCIM 2.0 Support - Your IdP must support SCIM 2.0 protocol (RFC 7643/7644)
  • OAuth 2.0 Support - Client Credentials grant type required
  • Admin Access - You can configure applications in your IdP
  • Premium License - Some IdPs require premium licenses for provisioning (e.g., Azure AD P1)

Network Requirements

  • Outbound HTTPS - Your IdP must reach Exepron's SCIM endpoint
  • TLS 1.2+ - Modern encryption protocols required
  • Port 443 - Standard HTTPS port
Check SCIM Availability: Navigate to Profile Settings in Exepron Identity Server. If you see "User Provisioning" in the menu, SCIM is enabled. If not, contact customersupport@exepron.com to activate it.

Quick Start Guide

Follow these steps to set up SCIM provisioning in approximately 40-60 minutes:

1 Create SCIM Client in Exepron

  1. Log into Exepron as an Account Administrator
  2. Navigate to Profile Settings → User Provisioning → SCIM Clients in the Exepron Identity Server
  3. Click "Create New Client"
  4. Enter a display name (e.g., "Azure AD Production")
  5. Click "Create Client"
  6. ⚠️ IMPORTANT: Copy the Client ID and Client Secret immediately (shown only once!)
Save Your Credentials: The client secret is shown only once. Store it securely in a password manager. If lost, you'll need to regenerate it.

2 Configure Provisioning Settings

  1. Go to User Provisioning → Provisioning Settings
  2. Configure default settings for newly provisioned users:
    • Default Role: User (recommended)
    • Auto-activate provisioned users: Enabled
    • Allow external login (SSO): Enabled
    • Allow internal login: Disabled (enforces SSO)
    • Use external username: Enabled
    • Turn off project permissions by default: Enabled (more secure)
  3. Click Save

3 Configure Your Identity Provider

Choose your identity provider and follow its guide in the Integration Guides section (Microsoft Azure AD / Entra ID or Okta), or use the Generic SCIM 2.0 Configuration for any other SCIM 2.0 compliant IdP.

4 Test Provisioning

  1. Assign a test user to the Exepron application in your IdP
  2. Wait for the sync cycle (Azure AD: ~40 min, Okta: seconds, Google: ~10-30 min)
  3. Check Exepron User Management for the new user
  4. Review the Audit Log for the provisioning event
  5. Have the user test logging in via SSO

5 Enable for All Users

  1. Once testing is successful, assign all users in your IdP
  2. Monitor the Audit Log for provisioning events
  3. Assign users to projects in Exepron as needed
Setup Complete! Your users will now be automatically provisioned, updated, and deactivated based on your identity provider assignments.

Self-Service SCIM Client Management

Account administrators can now manage SCIM clients directly through the Identity Server admin interface. This self-service feature allows you to create, edit, and manage SCIM clients without contacting support.

Accessing SCIM Client Management

  1. Log into Exepron as an Account Administrator
  2. Navigate to Profile Settings in the Identity Server
  3. Select "User Provisioning" → "SCIM Clients" from the menu

Creating a SCIM Client

To create a new SCIM client:

  1. Click "Create New Client"
  2. Enter a Display Name (e.g., "Azure AD Production", "Okta Sync")
  3. Optionally select a Linked SSO Provider (more on this below)
  4. Click "Create"
  5. ⚠️ IMPORTANT: Copy the Client ID and Client Secret immediately - the secret is shown only once!
Field               | Required | Description
--------------------|----------|------------------------------------------------------------------------
Display Name        | Yes      | A descriptive name for the SCIM client (e.g., "Azure AD Production")
Linked SSO Provider | No       | Optional link to an SSO provider for user authentication

Editing a SCIM Client

You can edit the following properties of an existing SCIM client:

  • Display Name: Update the descriptive name to better identify the client
  • Linked SSO Provider: Link or unlink an SSO provider

To edit a client:

  1. Find the client in the SCIM Clients list
  2. Click the Edit button (pencil icon)
  3. Modify the Display Name and/or SSO Provider link
  4. Click "Save Changes"

Linking SSO Providers

Linking a SCIM client to an SSO provider enables seamless authentication for users provisioned via SCIM:

Benefits of Linking:

  • Seamless Authentication: Users provisioned via SCIM can immediately log in using SSO
  • Consistent Identity: Same identity provider handles both provisioning and authentication
  • Automated Lifecycle: User deactivation in IdP automatically affects Exepron access

How It Works:

Scenario               | User Login Method
-----------------------|----------------------------------------------------------------------------------------
SSO Provider Linked    | Users authenticate using the linked SSO provider (SAML/OIDC). No password required.
No SSO Provider Linked | Users have "SCIM" as their login provider. Must set up password-based authentication.
Tip: Create your SSO Provider first (via SSO Providers management), then link it when creating or editing the SCIM client.

Regenerating Client Secret

If your SCIM client secret is compromised or needs rotation:

  1. Find the client in the SCIM Clients list
  2. Click the "Regenerate Secret" button
  3. Copy the new secret immediately - it's only shown once
  4. Update your identity provider's SCIM configuration with the new secret
  5. The old secret is immediately invalidated
Important: After regenerating a secret, update your identity provider configuration immediately. The old secret stops working right away.

Deactivating a SCIM Client

Deactivating a SCIM client:

  • Prevents any further SCIM operations using that client
  • Does not affect users already provisioned
  • The client can be identified but cannot authenticate
  • The client can be reactivated later if needed

Reactivating a SCIM Client

To reactivate a deactivated SCIM client:

  1. Find the inactive client in your SCIM Clients list (shown with "Inactive" badge)
  2. Click the Reactivate button (green checkmark icon)
  3. Confirm the reactivation
Note: The client will use its existing credentials. Make sure your identity provider is still configured with the correct Client ID and Secret.

Deleting a SCIM Client Permanently

To permanently delete a SCIM client:

  1. Deactivate the client first (required before deletion)
  2. Click the Delete button (red trash icon) on the inactive client
  3. Confirm the permanent deletion
Warning: Deletion is permanent and cannot be undone. The SCIM client will be removed from the database. Users provisioned by this client are not affected.

SCIM Client Limits

Setting Up SSO with SCIM Provisioning

For the best user experience, configure both SSO (for authentication) and SCIM (for user provisioning) together. This ensures users are automatically created AND can log in seamlessly using your identity provider.

1 Create the SSO Provider First

  1. Navigate to Profile Settings → SSO Providers in the Identity Server
  2. Click "Add SSO Provider"
  3. Configure your identity provider (Azure AD, Okta, Google, etc.):
    • Display Name: e.g., "Azure AD SSO"
    • Authentication Scheme: Unique identifier (e.g., "AzureAD")
    • Authority URL: Your IdP's OIDC discovery URL
    • Client ID: From your IdP app registration
    • Client Secret: From your IdP app registration
  4. Click "Create"
  5. Copy the Callback URL shown and configure it in your identity provider

2 Create the SCIM Client

  1. Navigate to Profile Settings → User Provisioning → SCIM Clients
  2. Click "Create New Client"
  3. Enter a Display Name (e.g., "Azure AD SCIM")
  4. Select the SSO Provider you just created from the dropdown
  5. Click "Create"
  6. Copy the Client ID and Client Secret

3 Configure Provisioning in Your Identity Provider

  1. In your IdP (Azure AD, Okta, etc.), configure SCIM provisioning:
    • SCIM Endpoint: https://proid.exepron.com/scim/v2
    • Client ID: Your SCIM Client ID
    • Client Secret: Your SCIM Client Secret
  2. Configure attribute mappings (see Minimal Required Mappings)
  3. Enable provisioning and assign users/groups

4 Test the Complete Flow

  1. Assign a test user to your application in the IdP
  2. Wait for the SCIM sync to complete (timing varies by IdP)
  3. Verify the user appears in Exepron User Management
  4. Have the user log in using the SSO button on the Exepron login page
  5. The user should be authenticated without needing to set a password
Complete Setup! With SSO linked to SCIM:
  • New users are automatically created when assigned in your IdP
  • Users can immediately log in using SSO (no password setup required)
  • User updates sync automatically from your IdP
  • Removing users from your IdP deactivates them in Exepron
Important: If you create a SCIM client without linking an SSO provider, provisioned users will have "SCIM" as their login provider and must set up password-based authentication. You can link an SSO provider later by editing the SCIM client.

Integration Guides

Minimal Required Attribute Mappings

To provision users from your identity provider, you only need six attribute mappings: four required and two optional.

Source Attribute (IdP)                        | Target Attribute (SCIM)      | Required | Description
----------------------------------------------|------------------------------|----------|-------------------------------------------------
userPrincipalName or mail                     | userName                     | Required | User's login identifier (typically email)
objectId                                      | externalId                   | Required | Must be objectId - SSO uses this to match users
mail                                          | emails[type eq "work"].value | Required | User's email address
Switch([IsSoftDeleted],...) or accountEnabled | active                       | Required | Whether the user is active (true/false)
givenName                                     | name.givenName               | Optional | User's first name
surname                                       | name.familyName              | Optional | User's last name
Critical - objectId Mapping: The externalId attribute must be mapped to objectId (Azure AD) or the equivalent unique, immutable identifier from your identity provider. This is the value that SSO uses to match authenticated users to their Exepron accounts. If you use a different attribute (such as userPrincipalName), SSO login will fail because the identifiers won't match.
Simplify Your Mappings: You can delete or disable all other default mappings in Azure AD. Only the four required mappings (userName, externalId, emails, active) are essential for provisioning to work. The name fields are optional but recommended for better user identification.
Azure AD Specific: In Azure AD, you can remove the mappings for displayName, Switch([IsSoftDeleted],...) → active (if using accountEnabled instead), and any other attributes that show errors. Exepron only requires the minimal set above.
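Added example (not Exepron's or Microsoft's code): a small Python helper that applies the mappings in the table above to an Entra ID / Azure AD user record and checks the result before it is sent. The Azure attribute names are the ones from the table; the input record, the MappingError class and the "@ in externalId" heuristic are constructed for this example.

```python
"""Build a SCIM User body from an Entra ID / Azure AD user record using the
minimal mappings, then check it the way a SCIM server (or you) would."""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


class MappingError(ValueError):
    """A required SCIM attribute cannot be populated from the source record."""


def azure_user_to_scim(az):
    """Mappings: userPrincipalName (or mail) -> userName, objectId -> externalId,
    mail -> emails[type eq "work"].value, accountEnabled -> active,
    givenName / surname -> name (optional)."""
    user_name = az.get("userPrincipalName") or az.get("mail")
    if not user_name:
        raise MappingError("userName: neither userPrincipalName nor mail is set")
    # externalId must be objectId: SSO matches the authenticated user on this value.
    if not az.get("objectId"):
        raise MappingError("externalId: objectId is missing")
    if not az.get("mail"):
        raise MappingError("emails: mail is missing")
    if "accountEnabled" not in az:
        raise MappingError("active: accountEnabled is missing")

    body = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "externalId": az["objectId"],
        "emails": [{"value": az["mail"], "type": "work", "primary": True}],
        "active": bool(az["accountEnabled"]),
    }
    name = {}
    if az.get("givenName"):
        name["givenName"] = az["givenName"]
    if az.get("surname"):
        name["familyName"] = az["surname"]
    if name:
        body["name"] = name
    return body


def check_scim_user(body):
    """Return a list of problems with a SCIM User body; an empty list means OK."""
    problems = []
    if SCIM_USER_SCHEMA not in body.get("schemas", []):
        problems.append("schemas must include " + SCIM_USER_SCHEMA)
    for attr in ("userName", "externalId"):
        if not body.get(attr):
            problems.append("missing required attribute " + attr)
    if not isinstance(body.get("active"), bool):
        problems.append("active must be a boolean")
    if not any(e.get("value") for e in body.get("emails") or []):
        problems.append("emails must carry at least one address")
    # Heuristic (assumption for this example): an objectId is a GUID and never
    # contains '@'. An externalId with '@' almost certainly came from
    # userPrincipalName or mail, which is the misconfiguration that breaks SSO.
    ext = body.get("externalId") or ""
    if "@" in ext:
        problems.append("externalId looks like a UPN/email, not objectId; SSO will not match this user")
    return problems


if __name__ == "__main__":
    # Constructed Entra ID record (attribute names as in the mapping table)
    record = {
        "userPrincipalName": "jane.doe@company.com", "mail": "jane.doe@company.com",
        "objectId": "0a1b2c3d-4e5f-6789-abcd-ef0123456789", "accountEnabled": True,
        "givenName": "Jane", "surname": "Doe",
    }
    body = azure_user_to_scim(record)
    print(json.dumps(body, indent=2))
    print("problems:", check_scim_user(body))
```

Running the same record with externalId swapped for the UPN makes check_scim_user report the objectId problem, which is the case the Critical note above warns about; a disabled account (accountEnabled false) maps to "active": false rather than being dropped, so deprovisioning still reaches Exepron.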

Microsoft Azure AD / Entra ID

Prerequisites: Azure AD Premium P1 or P2 license, Global Administrator or Application Administrator role

Configuration Steps:

  1. Create Enterprise Application
    • Sign in to Azure Portal
    • Navigate to Azure Active Directory → Enterprise Applications
    • Click "+ New application" → "+ Create your own application"
    • Name: "Exepron"
    • Select: "Integrate any other application you don't find in the gallery"
    • Click "Create"
  2. Configure Provisioning
    • Go to Provisioning tab
    • Click "Get started"
    • Provisioning Mode: Automatic
    • Tenant URL: https://proid.exepron.com/scim/v2
    • Secret Token: [Your SCIM Client Secret]
    • Click "Test Connection" (should succeed)
    • Click "Save"
  3. Configure Attribute Mappings
    userPrincipalName → userName
    objectId → externalId
    mail → emails[type eq "work"].value
    givenName → name.givenName
    surname → name.familyName
    accountEnabled → active
  4. Enable Provisioning
    • Provisioning Status: On
    • Scope: Sync only assigned users and groups (recommended)
    • Click "Save"
  5. Assign Users
    • Go to Users and groups tab
    • Click "+ Add user/group"
    • Select users or groups to provision
Sync Timing: Azure AD performs an initial sync in 20-40 minutes, then incremental syncs every 40 minutes. Use "Provision on demand" for immediate testing.

Okta

Prerequisites: Okta account with admin access, SCIM provisioning feature enabled

Configuration Steps:

  1. Create Application
    • Sign in to Okta Admin Console
    • Applications → Applications → "Create App Integration"
    • Sign-in method: SAML 2.0 or OIDC
    • App name: "Exepron"
  2. Enable API Integration
    • Go to Provisioning tab
    • Click "Configure API Integration"
    • Check "Enable API integration"
    • Base URL: https://proid.exepron.com/scim/v2
    • API Token: [Your SCIM Client Secret]
    • Click "Test API Credentials"
    • Click "Save"
  3. Enable Provisioning Features
    • To App tab → Edit
    • Enable: Create Users, Update User Attributes, Deactivate Users
    • Click "Save"
  4. Assign Users
    • Assignments tab → "Assign" → "Assign to People"
    • Select users to provision
Fast Provisioning: Okta provisions users within seconds to minutes, much faster than Azure AD.

Generic SCIM 2.0 Configuration

For any SCIM 2.0 compliant identity provider, use these settings:

# SCIM Configuration
SCIM Version:           2.0
Endpoint URL:           https://proid.exepron.com/scim/v2

# Authentication
Authentication Method:  OAuth 2.0 Password Flow
Grant Type:             password
Token URL:              https://proid.exepron.com/connect/token
Username:               [Your Email]
Password:               [Your Password]
Client ID:              [Your SCIM Client ID]
Client Secret:          [Your SCIM Client Secret]
Scope:                  exepron.scim

# Required Attributes
userName    → User's email/login
emails      → At least one email address
externalId  → Unique ID from IdP
active      → User's active status

# Optional Attributes
name.givenName   → First name
name.familyName  → Last name

Because the password grant sends a user's own credentials together with the client credentials, use a dedicated service account reserved for provisioning rather than a personal login, store both secrets in the IdP's secret store, and rotate the user password and the client secret together.

API Reference

Base URL: https://proid.exepron.com/scim/v2

Authentication: OAuth 2.0 password grant against /connect/token; the resulting access token is sent on every SCIM request in the Authorization header as a Bearer token

Common Endpoints

Endpoint               | Method | Description
-----------------------|--------|----------------------------------------
/ServiceProviderConfig | GET    | Get SCIM capabilities
/ResourceTypes         | GET    | List supported resource types
/Schemas               | GET    | Get SCIM schemas
/Users                 | GET    | List users (with filtering/pagination)
/Users/{id}            | GET    | Get specific user
/Users                 | POST   | Create new user
/Users/{id}            | PUT    | Update user (full replace)
/Users/{id}            | PATCH  | Update user (partial)
/Users/{id}            | DELETE | Deactivate user

Example: Create User

POST /scim/v2/Users
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
Content-Type: application/scim+json

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "john.doe@company.com",
  "externalId": "azure-ad-12345-abcde",
  "name": {
    "givenName": "John",
    "familyName": "Doe",
    "formatted": "John Doe"
  },
  "emails": [
    {
      "value": "john.doe@company.com",
      "type": "work",
      "primary": true
    }
  ],
  "active": true
}
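Added example, not Exepron's client code: the two-step exchange from the Generic SCIM 2.0 Configuration (password-grant token request, then the POST /Users shown above) in Python with only the standard library. The URLs, grant parameters, scope and media types are the ones this page documents. The FakeIdentityServer, its 401/400 responses and the generated ids are a constructed stand-in so the flow can run offline; they are not a description of the real server's behaviour.

```python
"""Obtain a token with the password grant, then create one user over SCIM."""
import json
import urllib.error
import urllib.parse
import urllib.request

IDENTITY_SERVER = "https://proid.exepron.com"
TOKEN_URL = IDENTITY_SERVER + "/connect/token"
SCIM_BASE = IDENTITY_SERVER + "/scim/v2"
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def build_token_request(username, password, client_id, client_secret):
    """OAuth 2.0 password grant (RFC 6749 section 4.3), form-encoded."""
    form = {
        "grant_type": "password", "username": username, "password": password,
        "client_id": client_id, "client_secret": client_secret, "scope": "exepron.scim",
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return "POST", TOKEN_URL, headers, urllib.parse.urlencode(form).encode()


def build_create_user_request(access_token, user):
    """POST /Users with the token as a Bearer credential and the SCIM media type."""
    headers = {
        "Authorization": "Bearer " + access_token,
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
    }
    return "POST", SCIM_BASE + "/Users", headers, json.dumps(user).encode()


def urllib_send(method, url, headers, body):
    """Real transport: returns (status, raw_body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def create_user(user, username, password, client_id, client_secret, send=urllib_send):
    """Run both steps; returns the created resource (with the server-assigned id) on 201."""
    status, raw = send(*build_token_request(username, password, client_id, client_secret))
    if status != 200:
        raise RuntimeError("token request rejected: HTTP %d" % status)
    token = json.loads(raw)["access_token"]
    status, raw = send(*build_create_user_request(token, user))
    if status != 201:
        raise RuntimeError("create user failed: HTTP %d %r" % (status, raw[:200]))
    return json.loads(raw)


class FakeIdentityServer:
    """Constructed stand-in for /connect/token and /Users (offline use only).
    Assumed behaviour for the example: 401 on a wrong client secret or token,
    400 on a body without the core User schema, 201 with an assigned id."""

    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret = client_id, client_secret
        self.issued_token = "tok-" + client_id
        self.users = {}

    def handle(self, method, url, headers, body):
        if url == TOKEN_URL:
            form = urllib.parse.parse_qs(body.decode())
            if (form.get("grant_type") != ["password"]
                    or form.get("client_id") != [self.client_id]
                    or form.get("client_secret") != [self.client_secret]):
                return 401, b'{"error":"invalid_client"}'
            return 200, json.dumps({"access_token": self.issued_token,
                                    "token_type": "Bearer"}).encode()
        if headers.get("Authorization") != "Bearer " + self.issued_token:
            return 401, b'{"detail":"Unauthorized","status":"401"}'
        if method == "POST" and url == SCIM_BASE + "/Users":
            user = json.loads(body)
            if SCIM_USER_SCHEMA not in user.get("schemas", []):
                return 400, b'{"detail":"Invalid schema","status":"400"}'
            user["id"] = "user-%d" % (len(self.users) + 1)
            self.users[user["id"]] = user
            return 201, json.dumps(user).encode()
        return 404, b""


if __name__ == "__main__":
    server = FakeIdentityServer("scim-client-id", "scim-client-secret")
    created = create_user(
        {"schemas": [SCIM_USER_SCHEMA], "userName": "john.doe@company.com",
         "externalId": "azure-ad-12345-abcde", "active": True,
         "emails": [{"value": "john.doe@company.com", "type": "work", "primary": True}]},
        "admin@company.com", "password", "scim-client-id", "scim-client-secret",
        send=server.handle)
    print(created["id"])
```

Against the real service, drop the send= argument so urllib_send is used; the transport returns error statuses instead of raising so the caller sees the SCIM error body (the "detail" and "status" fields) rather than a bare exception.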

Rate Limits

  • 60 requests per minute per SCIM client
  • 1,000 requests per hour per SCIM client
  • Contact support for higher limits if needed
Full API Documentation: For complete API reference including all endpoints, request/response examples, error codes, and advanced features, see the SCIM 2.0 API Technical Specification.

Role Mapping via SCIM Extension

Exepron supports role assignment during SCIM provisioning using a custom extension schema. This allows your identity provider to specify which roles a user should receive, overriding or supplementing the default role.

Available Roles

Role ID | Role Name     | Description
--------|---------------|---------------------------------------------
1       | Administrator | Full administrative access to the account
2       | General User  | Standard user access (recommended default)

Extension Schema

To map roles, include the Exepron extension in your SCIM requests:

# Extension Schema URI
urn:exepron:scim:schemas:extension:1.0:User

# Extension Attributes
roleId:               Single role ID (integer)
roleIds:              Array of role IDs (for multiple roles)
replaceDefaultRoles:  Whether to replace (true) or add to (false) the default role

Example: Create User with Role

POST /scim/v2/Users
Content-Type: application/scim+json

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:exepron:scim:schemas:extension:1.0:User"
  ],
  "userName": "admin@company.com",
  "externalId": "azure-ad-12345",
  "emails": [{"value": "admin@company.com", "primary": true}],
  "active": true,
  "urn:exepron:scim:schemas:extension:1.0:User": {
    "roleId": 1
  }
}

Example: Multiple Roles

"urn:exepron:scim:schemas:extension:1.0:User": { "roleIds": [1, 2], "replaceDefaultRoles": true }

Azure AD Configuration

To map roles from Azure AD:

  1. In your Enterprise Application, go to Provisioning → Attribute Mappings
  2. Click "Add New Mapping" or enable "Show advanced options"
  3. Create a custom attribute mapping:
    • Source attribute: Use an expression or custom attribute that contains the role ID
    • Target attribute: urn:exepron:scim:schemas:extension:1.0:User:roleId
Note: If no role is specified via the extension, the default role configured in Provisioning Settings will be used. If replaceDefaultRoles is false, the SCIM-provided roles will be added to the default role.
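Added example (not Exepron's code) covering both sides of the role extension described in this section: attaching roleId / roleIds / replaceDefaultRoles to a User body, and the resolution rule in the note above (no extension means the default role; replaceDefaultRoles false adds the SCIM roles to the default). Rejecting unknown role IDs and insisting that the extension URI be listed in schemas are assumptions added for the example, not documented server behaviour.

```python
"""Role mapping via the Exepron SCIM extension: build the payload, then compute
the roles a provisioned user ends up with under the documented rules."""
CORE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ROLE_EXTENSION = "urn:exepron:scim:schemas:extension:1.0:User"
ROLE_ADMINISTRATOR = 1   # Administrator
ROLE_GENERAL_USER = 2    # General User (recommended default)
KNOWN_ROLES = {ROLE_ADMINISTRATOR, ROLE_GENERAL_USER}


def add_role_extension(user, role_ids, replace_default=False):
    """Return a copy of a SCIM User body carrying the role extension.
    One role uses roleId, several use roleIds; replaceDefaultRoles is only
    emitted when true, matching the examples on this page."""
    role_ids = list(role_ids)
    if not role_ids:
        raise ValueError("at least one role ID is required")
    body = dict(user)                       # shallow copy; caller's dict untouched
    schemas = list(body.get("schemas", []))
    if ROLE_EXTENSION not in schemas:       # extension URI must be declared
        schemas.append(ROLE_EXTENSION)
    body["schemas"] = schemas
    ext = {"roleId": role_ids[0]} if len(role_ids) == 1 else {"roleIds": role_ids}
    if replace_default:
        ext["replaceDefaultRoles"] = True
    body[ROLE_EXTENSION] = ext
    return body


def resolve_roles(user, default_role=ROLE_GENERAL_USER):
    """Set of role IDs the user receives.
    - no extension, or an extension naming no roles: the default role
    - replaceDefaultRoles false (or absent): SCIM roles plus the default role
    - replaceDefaultRoles true: SCIM roles only
    Assumptions: unknown role IDs are rejected; the extension URI must be in schemas."""
    ext = user.get(ROLE_EXTENSION)
    if ext is None:
        return {default_role}
    if ROLE_EXTENSION not in user.get("schemas", []):
        raise ValueError("extension attributes present but URI not listed in schemas")
    requested = []
    if "roleId" in ext:
        requested.append(ext["roleId"])
    requested.extend(ext.get("roleIds", []))
    if not requested:
        return {default_role}
    unknown = set(requested) - KNOWN_ROLES
    if unknown:
        raise ValueError("unknown role IDs: %s" % sorted(unknown))
    roles = set(requested)
    if not ext.get("replaceDefaultRoles", False):
        roles.add(default_role)
    return roles


if __name__ == "__main__":
    base = {"schemas": [CORE_SCHEMA], "userName": "admin@company.com",
            "externalId": "azure-ad-12345", "active": True}
    print(resolve_roles(base))                                   # default only
    print(resolve_roles(add_role_extension(base, [1])))          # admin + default
    print(resolve_roles(add_role_extension(base, [1], True)))    # admin only
```

The practical point is the replaceDefaultRoles default: an IdP mapping that sends roleId 1 without it makes an administrator who is also a General User, which is usually fine, but a mapping meant to demote someone to General User only works if it replaces the existing default.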

Viewing SCIM Audit Logs

Every SCIM provisioning operation is logged for audit and compliance purposes. You can view these logs to troubleshoot issues or verify successful provisioning.

1 Accessing the Audit Log

  1. Log into Exepron as an Account Administrator
  2. Navigate to Profile Settings in the Identity Server
  3. Select "User Provisioning" → "Audit Log" from the menu

2 Understanding Log Entries

Each log entry contains:

Field           | Description
----------------|---------------------------------------------------------------------
Performed On    | UTC timestamp of the operation
Action          | Created, Updated, Deactivated, Linked, or Failed
External ID     | The user's ID from your identity provider (objectId in Azure AD)
Response Status | HTTP status code (200-299 = success, 400+ = error)
IP Address      | IP address of the provisioning request source
Details         | Click to view full request payload and error messages

3 Filtering and Exporting

  • Filter by Action: Show only Created, Updated, Deactivated, or Linked entries
  • Filter by Date Range: Find logs within a specific time period
  • Filter by External ID: Search for a specific user's provisioning history
  • Export to CSV: Download logs for compliance auditing or external analysis
Data Retention: SCIM audit logs are retained for 90 days by default. Use the Export to CSV feature to archive logs for longer retention if required for compliance.
Empty Logs? If your audit log is empty but you've configured provisioning, ensure:
  • The SCIM endpoint URL in your IdP is correct
  • Test Connection succeeds in your IdP
  • Users are assigned to the application in your IdP
  • The initial sync cycle has completed (Azure AD: 20-40 min)
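Added example, not part of the Exepron product: a Python triage of a CSV export of this Audit Log using the fields listed above. The rows, external IDs and IP allowlist are constructed for the example; replace the allowlist with the egress ranges your IdP publishes for its provisioning service. It flags Failed entries, requests from addresses outside the allowlist (someone other than your IdP holding a working SCIM credential, the case the secret-compromise FAQ asks you to look for), and bursts of deactivations.

```python
"""Triage an exported SCIM audit log: failures, unexpected sources, mass deactivation."""
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export. Column names follow the Audit Log fields described on
# this page; timestamps, external IDs and addresses are made up for the example.
SAMPLE_EXPORT = """Performed On,Action,External ID,Response Status,IP Address
2024-05-06T08:00:12Z,Created,3f2a9c1e-0001,201,20.190.160.10
2024-05-06T08:00:15Z,Created,3f2a9c1e-0002,201,20.190.160.10
2024-05-06T08:41:03Z,Updated,3f2a9c1e-0001,200,20.190.160.10
2024-05-06T09:02:44Z,Failed,3f2a9c1e-0003,400,20.190.160.10
2024-05-06T11:15:00Z,Deactivated,3f2a9c1e-0002,200,198.51.100.7
2024-05-06T11:15:01Z,Deactivated,3f2a9c1e-0001,200,198.51.100.7
2024-05-06T11:15:02Z,Deactivated,3f2a9c1e-0004,200,198.51.100.7
"""

# Placeholder allowlist (assumption for the example): use the ranges your IdP
# publishes for its provisioning service.
EXPECTED_IDP_SOURCES = ["20.190.160.0/24"]


def parse_audit_export(text):
    """Parse the export into typed rows (UTC datetimes, int status, IP objects)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(rec["Performed On"], "%Y-%m-%dT%H:%M:%SZ"),
            "action": rec["Action"],
            "external_id": rec["External ID"],
            "status": int(rec["Response Status"]),
            "ip": ipaddress.ip_address(rec["IP Address"]),
        })
    return rows


def failed_requests(rows):
    """Entries to cross-check against the IdP's own provisioning log."""
    return [r for r in rows if r["action"] == "Failed" or r["status"] >= 400]


def unexpected_sources(rows, allowed_cidrs=EXPECTED_IDP_SOURCES):
    """Entries whose source IP lies outside the networks the IdP is expected to use."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [r for r in rows if not any(r["ip"] in n for n in nets)]


def deactivation_bursts(rows, window=timedelta(minutes=5), threshold=3):
    """(start, count) for each Deactivated event that begins a window holding at
    least `threshold` deactivations. A mis-scoped assignment change or a misused
    client looks like this. Overlapping windows are reported separately."""
    times = sorted(r["ts"] for r in rows if r["action"] == "Deactivated")
    bursts, end = [], 0
    for start_idx, start in enumerate(times):
        while end < len(times) and times[end] - start <= window:
            end += 1
        count = end - start_idx
        if count >= threshold:
            bursts.append((start, count))
    return bursts


def action_summary(rows):
    """Counts per action, to compare with the number of users you assigned."""
    return Counter(r["action"] for r in rows)


if __name__ == "__main__":
    rows = parse_audit_export(SAMPLE_EXPORT)
    print(dict(action_summary(rows)))
    for r in failed_requests(rows):
        print("FAILED", r["ts"], r["external_id"], r["status"])
    for r in unexpected_sources(rows):
        print("UNEXPECTED SOURCE", r["ts"], r["action"], r["ip"])
    for start, count in deactivation_bursts(rows):
        print("DEACTIVATION BURST", start, count)
```

On the constructed data the three deactivations come from an address outside the allowlist within two seconds, so both checks fire together; that combination is the signal to regenerate the client secret first and ask questions afterwards, since the audit log is kept for 90 days and the export is what you will have for the investigation.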

Troubleshooting

Common Issues

Connection Test Fails

Symptoms: "Test connection failed" or "Unable to reach endpoint"

Solutions:

  • Verify URL is exactly: https://proid.exepron.com/scim/v2 (no trailing slash)
  • Check client secret for copy/paste errors
  • Regenerate client secret and try again
  • Verify SCIM client is Active (not deactivated)

Users Not Syncing

Symptoms: Users assigned in IdP but not appearing in Exepron

Solutions:

  • Verify provisioning status is "On" in IdP
  • Check users are assigned to the application
  • Wait for sync cycle (Azure AD: 40 min, Okta: immediate)
  • Check provisioning logs in IdP for errors
  • Review Exepron Audit Log for failed requests

User Can't Login After Provisioning

Symptoms: User created but sees "Access denied"

Solutions:

  • Verify "Auto-activate provisioned users" is enabled in Provisioning Settings
  • Check user status is "Active" in User Management
  • Ensure "Allow External Login" is enabled for the user
  • User must use SSO button (not username/password)
  • Verify SSO is configured for your IdP

Getting Help

If you need assistance:

  • Check Audit Logs: Profile Settings → User Provisioning → Audit Log in the Exepron Identity Server
  • Email Support: customersupport@exepron.com
  • Include: Account ID, SCIM Client ID, error messages, and audit log exports

Frequently Asked Questions

General Questions

Q: Is SCIM included in my plan?

A: SCIM is a premium feature. Check your payment plan or contact support. If you see "User Provisioning" in Profile Settings, it's enabled.

Q: Can I use SCIM without SSO?

A: Yes, but not recommended. Users would be provisioned but must set passwords manually. Best practice is SCIM + SSO together.

Q: What SCIM version is supported?

A: SCIM 2.0 (RFC 7643 and RFC 7644). SCIM 1.1 is not supported.

Technical Questions

Q: Are groups supported?

A: Not yet. Currently only User resource type. Group provisioning may be added in future.

Q: Can I provision roles via SCIM?

A: Yes. You can map roles using the Exepron SCIM extension. See the Role Mapping via SCIM Extension section above for details.

Q: What's the rate limit?

A: 60 requests/minute and 1,000 requests/hour per SCIM client. Contact support for higher limits.

Provisioning Questions

Q: How long does provisioning take?

A: Okta: Seconds to minutes | Azure AD: 20-40 minutes initially, then every 40 minutes | Google: 10-30 minutes

Q: What happens if user already exists?

A: Exepron links the external identity to existing user (by email match). No duplicate created. Logged as "Linked" action.

Q: Are passwords synced?

A: No. SCIM doesn't sync passwords. Users authenticate via SSO (SAML/OIDC) using IdP credentials.

Security Questions

Q: Is SCIM secure?

A: Yes. OAuth 2.0 authentication, HTTPS encryption (TLS 1.2+), rate limiting, audit logging, and hashed secrets.

Q: What if my SCIM secret is compromised?

A: Immediately regenerate the secret in Exepron, update your IdP, and review audit logs for unauthorized access.

Complete User Manual: For the full SCIM 2.0 User Provisioning manual with detailed integration guides, security best practices, and comprehensive troubleshooting, download the SCIM User Manual PDF.