Skip to main content

SCIM - Advanced

One-Click Least Privilege. Zero Disruption.



© 2026 Sonrai Security. All rights reserved.

Overview

This page covers detailed SCIM 2.0 provisioning setup for Cloud Permissions Firewall (CPF) — identity provider-specific requirements, connection configuration, and attribute mappings. For an overview of what SCIM does and how it fits into your SSO configuration, see SCIM Provisioning on the Single Sign-on (SSO) page.


Before You Begin

Single Sign-on (SSO) must already be configured for your organization before you enable SCIM. The SCIM endpoint URL and bearer token are available in the SSO settings in CPF — see Setting up Self-Service SSO.

Microsoft Entra ID (Azure AD)

Entra ID requires two separate applications — one OpenID Connect app for authentication and a separate non-gallery enterprise application for SCIM provisioning. Assign the same users and groups to both.

Okta Workforce

Okta requires two separate app integrations — one OpenID Connect app for authentication and a separate Governance with SCIM 2.0 (OAuth Bearer Token) app for SCIM provisioning. Assign the same users and groups to both.


Configure SCIM Provisioning

  1. In your identity provider, add SCIM provisioning to your existing SSO application, or create a dedicated provisioning application if your IdP requires it (see the Entra ID and Okta notes above).
  2. Configure the SCIM connection:
    • Tenant/Base URL — the SCIM endpoint URL from CPF.
    • Authentication — Bearer token; paste the token generated in CPF.
    • Provisioning Mode — Automatic, if your IdP supports it.
tip

If you use Microsoft Entra ID, append the ?aadOptscim062020 query parameter to the end of the Tenant URL to avoid known Entra ID SCIM compatibility issues.

  1. Assign the users and groups you want to provision to the application.
  2. Configure the required user attribute mappings:
SCIM attributeMap toNotes
userNameUser's email addressUsed as the user's identity in CPF. Set as the primary matching attribute.
activeAccount enabled/disabled statusControls whether the user can log in to CPF.
displayNameUser's full nameShown in the CPF UI.
emails[type eq "work"].valueWork emailRequired by some IdPs (e.g. Entra ID) as a secondary matching attribute.
  1. Configure the required group attribute mapping:
SCIM attributeMap toNotes
displayNameGroup nameUsed as the group name in CPF.
  1. Enable provisioning. On the first sync, CPF creates user and group records for all assigned users and groups, and provisions group memberships automatically.
  2. After the first sync, assign a role to each newly synced group to grant its members permissions. See Groups.

Additional Notes

  • Deactivating a user through SCIM soft-deletes the user in CPF — it does not permanently delete the user or their associated resources.
  • Group membership in CPF is managed by your IdP once SCIM is enabled. You can still edit membership manually in the CPF UI, but manual changes may be overwritten on the next provisioning sync.
  • To rotate your SCIM token with zero downtime, generate a second token and configure it in your IdP, then delete the old token once the new one is active.

Reference: See Auth0's SCIM configuration documentation for IdP-specific attribute mapping details.