SCIM 2.0 Provisioning
SCIM (System for Cross-domain Identity Management) enables automated user provisioning and deprovisioning from your identity provider to AxonFlow.
What is SCIM?
SCIM 2.0 is an open standard (RFC 7643/7644) for automating the exchange of user identity information between identity providers and service providers. When a user is added, modified, or removed in your IdP, those changes automatically sync to AxonFlow.
Identity Provider (Okta, Azure AD, OneLogin)
          |
          |  SCIM 2.0 API Calls
          |  (Create, Update, Delete)
          v
+-------------------+
|   AxonFlow SCIM   |
|     Endpoint      |
|    /scim/v2/*     |
+-------------------+
          |
          v
+-------------------+
|   User Accounts   |
|    & Role Sync    |
+-------------------+
Benefits
Automated User Lifecycle
| Action in IdP | Result in AxonFlow |
|---|---|
| Assign user to app | User created with access |
| Update user attributes | User profile updated |
| Unassign user from app | User deactivated |
| Delete user | User removed |
Security & Compliance
- Zero manual provisioning - No shared credentials or manual account creation
- Instant deprovisioning - Users lose access immediately when terminated
- Audit trail - All SCIM operations are logged for compliance
- Single source of truth - IdP remains authoritative for user identity
Supported Identity Providers
AxonFlow's SCIM 2.0 implementation is compatible with:
- Okta
- Azure Active Directory (Entra ID)
- OneLogin
- Ping Identity
- JumpCloud
- Any SCIM 2.0 compliant identity provider
Enterprise Feature
| Capability | Community | Enterprise |
|---|---|---|
| SCIM 2.0 User Provisioning | | ✅ |
| SCIM 2.0 User Deprovisioning | | ✅ |
| SCIM Group Sync | | ✅ |
| Group-to-Role Mapping | | ✅ |
| Token Management UI | | ✅ |
| SCIM Audit Logging | | ✅ |
SCIM provisioning is available exclusively with AxonFlow Enterprise. Contact sales to enable automated user provisioning for your organization.
Group-to-Role Mapping
SCIM group synchronization maps your IdP groups to AxonFlow roles. When a user is assigned to a group in your IdP, they automatically receive the corresponding AxonFlow role.
| IdP Group | AxonFlow Role | Permissions |
|---|---|---|
| axonflow-admins | admin | Full platform access, policy management |
| axonflow-analysts | analyst | Read-only access, audit log queries |
| axonflow-developers | developer | API access, SDK usage, limited policy view |
| axonflow-auditors | auditor | Audit log access, compliance reports |
Example: Okta Group Push Configuration
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "displayName": "axonflow-admins",
  "members": [
    {"value": "user-001", "display": "Jane Smith"},
    {"value": "user-002", "display": "John Doe"}
  ]
}
When this group is pushed via SCIM, both users receive the admin role in AxonFlow. Removing a user from the group in Okta automatically removes the role.
Sync Troubleshooting
Common SCIM synchronization issues and their resolutions:
| Issue | Symptom | Resolution |
|---|---|---|
| 401 Unauthorized | SCIM sync fails with authentication error | Verify the SCIM bearer token in your IdP matches the token generated in AxonFlow. Regenerate if expired. |
| User not created | User assigned in IdP but not visible in AxonFlow | Check that the SCIM application in your IdP includes the required attributes: userName, emails, displayName. |
| Group sync delayed | Group membership changes take time to reflect | Most IdPs sync on a schedule (e.g., every 40 minutes for Okta). Use "Push Now" in your IdP to force immediate sync. |
| Duplicate users | Same user appears twice in AxonFlow | Ensure userName is unique across your IdP. Check for conflicting SCIM and JIT provisioning. |
| Deprovisioning not working | Removed users still have access | Verify your IdP is sending a SCIM PATCH with active: false or a DELETE request. Check AxonFlow SCIM audit logs for incoming requests. |
Verify SCIM connectivity:
# Test SCIM endpoint
curl -X GET https://your-axonflow.example.com/scim/v2/Users \
  -H "Authorization: Bearer YOUR_SCIM_TOKEN" \
  -H "Content-Type: application/scim+json"
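The deprovisioning check from the troubleshooting table, as an added example (not AxonFlow's code): it classifies a SCIM request as a deactivation or a deletion, covering both the path and no-path PatchOp forms plus a capitalised `op` with a string `"False"`, which some IdP connectors send. The request tuples are constructed samples, and the function name `deprovision_action` and its (method, path, body) input shape are assumptions, since this page does not document the AxonFlow audit log format.

```python
import json

def _is_false(v):
    # Accept JSON false and the string form "False"/"false" that some IdP connectors send.
    return v is False or (isinstance(v, str) and v.strip().lower() == "false")

def deprovision_action(method, path, body=None):
    """Return 'delete', 'deactivate' or None for one SCIM request (hypothetical helper)."""
    parts = path.split("?")[0].rstrip("/").split("/")
    if len(parts) < 2 or parts[-2] != "Users":
        return None  # not a single-user resource (e.g. the /Users list or /Groups/{id})
    method = method.upper()
    if method == "DELETE":
        return "delete"
    doc = json.loads(body) if body else {}
    if method == "PUT":  # full replace carrying active=false
        return "deactivate" if _is_false(doc.get("active")) else None
    if method != "PATCH":
        return None
    for op in doc.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("replace", "add"):
            continue
        value = op.get("value")
        if str(op.get("path", "")).lower() == "active" and _is_false(value):
            return "deactivate"  # path form: path names the attribute
        if not op.get("path") and isinstance(value, dict) and _is_false(value.get("active")):
            return "deactivate"  # no-path form: value is a partial resource
    return None

# Constructed sample requests (method, path, body); not captured from a real IdP or from AxonFlow.
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SAMPLES = [
    ("PATCH", "/scim/v2/Users/user-001", json.dumps({"schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "value": {"active": False}}]})),
    ("PATCH", "/scim/v2/Users/user-002", json.dumps({"schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "Replace", "path": "active", "value": "False"}]})),
    ("PATCH", "/scim/v2/Users/user-003", json.dumps({"schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "displayName", "value": "J. Smith"}]})),
    ("DELETE", "/scim/v2/Users/user-004", None),
    ("PATCH", "/scim/v2/Groups/grp-01", json.dumps({"schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "remove", "path": 'members[value eq "user-001"]'}]})),
]

def summarize(samples=SAMPLES):
    return [(p.rsplit("/", 1)[-1], deprovision_action(m, p, b)) for m, p, b in samples]

if __name__ == "__main__":
    for resource, action in summarize():
        print(resource, action or "no deprovisioning")
```

A group membership removal (the last sample) changes role assignment but does not deactivate the account, so it is reported as no deprovisioning.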
Learn More
Enterprise customers can access detailed SCIM documentation including:
- Step-by-step setup guides for Okta, Azure AD, and OneLogin
- Complete API endpoint reference
- Group-to-role mapping configuration
- Troubleshooting guides
Access the Enterprise Documentation Portal for full implementation details.
Related
- Single Sign-On - SSO overview
- SAML 2.0 - SAML-based authentication
- Identity Overview - Identity & Access overview