SCIM Provisioning FAQ
SCIM Provisioning FAQ
SCIM automatically creates, updates and deactivates your team's members from your
identity provider. It is part of the Enterprise plan and is configured by your
team at Dashboard → Team → Security (/dash/team/security). You need the
Manage security team permission.
How does it work at a glance?
- Your IdP calls Cliqer's SCIM 2.0 endpoints with a bearer token.
- The token identifies your team - there is no team ID in the URL, so you use the same base URL as everyone else and the token scopes everything to your team.
- Provisioned users become members of your team. Deactivating a user removes them from the team.
How do I set it up?
- Go to Team → Security → SCIM provisioning and click Mint token.
- Copy the token immediately - it is shown only once. Only the last 4 characters are ever visible afterwards.
- In your IdP's provisioning settings, enter:
- Base URL / Tenant URL:
https://<your-cliqer-host>/api/scim/v2 - Bearer token: the token you just minted.
- Base URL / Tenant URL:
- Enable provisioning and (optionally) map attributes.
Rotate or revoke
- Rotate = mint a new token, update your IdP, then revoke the old one.
- Revoke disables a token immediately. Revoked tokens can never be used again.
Which operations are supported?
| Operation | Endpoint |
|---|---|
| Create | POST /api/scim/v2/Users |
| List / filter | GET /api/scim/v2/Users?filter=userName eq "user@co" |
| Read | GET /api/scim/v2/Users/{id} |
| Replace | PUT /api/scim/v2/Users/{id} |
| Patch | PATCH /api/scim/v2/Users/{id} |
| Deactivate / delete | DELETE /api/scim/v2/Users/{id} |
| Capabilities | GET /api/scim/v2/ServiceProviderConfig |
Filtering supports userName eq "..." (used by Okta and Entra ID for de-dup).
Bulk operations and Group provisioning are not supported.
What user attributes are used?
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName": "user@company.com",
"name": { "givenName": "John", "familyName": "Doe" },
"emails": [{ "primary": true, "value": "user@company.com" }],
"active": true,
"externalId": "employee-123"
}
userName (email), name.givenName, name.familyName, active and
externalId are mapped. Other attributes are accepted and ignored.
What happens on deactivation?
Sending active: false (via PATCH) or a DELETE performs a soft
deprovision:
- The user is removed from your team (
team_membersset to removed). - If the account belongs to no other active team, it is suspended so the person can no longer sign in.
- Account data is preserved. Re-sending
active: true(or re-creating) restores membership.
This means deprovisioning a user in one team never locks them out of a different team they belong to.
How do I monitor provisioning?
The Provisioning activity panel on the Security page is a live feed - every create, update, deactivate and delete appears in real time (create, deactivate/delete and errors are colour-coded). This is the SCIM monitoring dashboard; there is nothing extra to enable.
Security
- Tokens are stored only as a SHA-256 hash - Cliqer cannot show you a token again.
- All SCIM endpoints require HTTPS and the bearer token.
- Every operation is scoped to the token's team; a token can never read or change another team's users.
Troubleshooting
- 401 Unauthorized - the token is missing, wrong, or revoked. Mint a new one.
- 404 on a user - that user is not a member of the token's team. SCIM only sees your own team's users.
- User not created - check that
userNameis a valid email.