> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.
> Overview of how to configure Inbound SCIM for Enterprise connections
# Configure Inbound SCIM
Your Auth0 plan or custom agreement must include Enterprise Connections to use this feature. To learn more, read [Auth0's Pricing Page](https://auth0.com/pricing).
[Postman](https://www.postman.com/downloads/) must be installed on a local machine to test your Inbound SCIM connections.
[SCIM](/docs/authenticate/protocols/scim) is a [protocol](https://tools.ietf.org/html/rfc7644) and [schema](https://tools.ietf.org/html/rfc7643) standard used by enterprise organizations to provision, de-provision, and manage user identity-related information.
Auth0's Inbound SCIM feature supports B2B SaaS developer integrations with Enterprise identity providers. The following Auth0 connection types are currently supported: [SAML](/docs/authenticate/identity-providers/enterprise-identity-providers/saml), [OpenID Connect](/docs/authenticate/identity-providers/enterprise-identity-providers/oidc), [Okta Workforce Identity](/docs/authenticate/identity-providers/enterprise-identity-providers/okta), and [Microsoft Azure AD / Entra ID](/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2).
Google Workspace user provisioning is supported through Directory Sync. To sync users from Google Workspace to Auth0, read [Sync Google Workspace Users to Auth0 with Directory Sync](/docs/authenticate/identity-providers/enterprise-identity-providers/google-directory-sync).
## Enable Inbound SCIM for an Enterprise Connection
1. Launch the [Auth0 Dashboard](https://manage.auth0.com/#/), then choose the tenant you want to configure.
2. Navigate to [**Authentication > Enterprise**](https://manage.auth0.com/#/connections/enterprise/)**,** then select from **SAML, OpenID Connect, Okta Workforce,** or **Microsoft Azure AD.**
3. Choose an existing connection or create a new one using [Create Connection](/docs/authenticate/database-connections/custom-db/create-db-connection).
4. Under the **Provisioning** tab for your connection, toggle **Sync user profile attributes at each login** to **Off,** then switch **Sync users and groups using SCIM** to **On.**
5. Select the **Setup** tab under **Sync users and groups using SCIM** to get the SCIM endpoint URL and SCIM tokens needed for testing with Postman.
### Test with Postman
You can download the Postman collection below to test your SCIM configuration:
* [SCIM 2.0 Postman Collection](https://cdn.auth0.com/scim/collections/scim_postman_collection_v2.json)
1. Launch Postman, then select **File > Import…** and move the downloaded file into the import dialog box.
2. Select the **SCIM 2.0 Tests** collection, then choose the **Variables** tab.
3. Copy the **SCIM Endpoint URL** value from the Auth0 Dashboard and paste it into the **Current Value** field next to the **SCIM-ENDPOINT-URL** variable.
4. In the Auth0 Dashboard choose **Generate New Token**, then pick **Generate Token** and select **Copy and Close.**
5. Switch back to Postman, select the **Authorization** tab, and paste the token value into the **Token** field.
6. Choose **Save.**
7. Run the tests in the order shown, noting that the **Users - POST** command must be run prior to running the Groups tests to ensure a valid user exists. The result of each user and group operation can be viewed in your Auth0 Dashboard under [**User Management > Users**](https://manage.auth0.com/#/users) and [**User Management > Enterprise Groups**](https://manage.auth0.com/#/enterprise-groups). Details for each SCIM operation can be viewed in the tenant logs under [**Monitoring > Logs**](https://manage.auth0.com/#/logs).
To test with specific identity providers, read [Configure Inbound SCIM for Identity Providers using SAML or OpenID](/docs/authenticate/protocols/scim/configure-inbound-scim-for-identity-providers-using-saml-or-openid).
## Supported SCIM Operations
Auth0 supports the following SCIM 2.0 operations for managing users and groups:
| Resource | Command | Description |
| -------- | -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| User | `POST` | Creates a user in Auth0 with attributes from the SCIM 2.0 core schema and enterprise schema extension, described in [RFC7644 Section 3.3](https://tools.ietf.org/html/rfc7644#section-3.3). |
| User | `GET` | Retrieves a user that has already been created in Auth0, using their user ID value in Auth0 and described in [RFC7644 Section 3.4.1](https://tools.ietf.org/html/rfc7644#section-3.4.1). |
| User | `PUT` | Replaces a user in Auth0 with attributes from the SCIM 2.0 core schema and enterprise schema extension, described in [RFC7644 Section 3.5.1](https://tools.ietf.org/html/rfc7644#section-3.5.1). |
| User | `PATCH` | Updates a user in Auth0 with attributes from the SCIM 2.0 core schema and enterprise schema extension, described in [RFC7644 Section 3.5.2](https://tools.ietf.org/html/rfc7644#section-3.5.2). |
| User | `PUT` (Deactivate) | Replaces a user stored in Auth0 and sets the SCIM active attribute to false, which results in the user being blocked in Auth0. |
| User | `PATCH` (Deactivate) | Updates a user stored in Auth0 and sets the SCIM active attribute to false, which results in the user being blocked in Auth0. |
| User | `SEARCH` | Searches for a user in Auth0 using a SCIM filter, described in [RFC7644 Section 3.4.2](https://tools.ietf.org/html/rfc7644#section-3.4.2). Supported operators are Equals (EQ), and (AND), and or (OR). |
| User | `DELETE` | Deletes a user in Auth0, using their user ID value in Auth0, described in [RFC7644 Section 3.6](https://tools.ietf.org/html/rfc7644#section-3.6). |
| Group | `POST` | Creates a group in Auth0 with attributes from the SCIM 2.0 core schema, described in [RFC7644 Section 3.3](https://tools.ietf.org/html/rfc7644#section-3.3). |
| Group | `GET` | Retrieves a group that has already been created in Auth0, using their group ID value in Auth0 and described in [RFC7644 Section 3.4.1](https://tools.ietf.org/html/rfc7644#section-3.4.1). |
| Group | `PUT` | Replaces a group in Auth0 with attributes from the SCIM 2.0 core schema, described in [RFC7644 Section 3.5.1](https://tools.ietf.org/html/rfc7644#section-3.5.1). |
| Group | `PATCH` | Updates a group in Auth0 with attributes from the SCIM 2.0 core schema, described in [RFC7644 Section 3.5.2](https://tools.ietf.org/html/rfc7644#section-3.5.2). |
| Group | `SEARCH` | Searches for a group in Auth0 using a SCIM filter, described in [RFC7644 Section 3.4.2](https://tools.ietf.org/html/rfc7644#section-3.4.2). Supports the Equals (EQ) operator. |
| Group | `DELETE` | Deletes a group in Auth0 using the group ID value, described in [RFC7644 Section 3.6](https://tools.ietf.org/html/rfc7644#section-3.6). |
Auth0 supports the SCIM 2.0 [core schema](https://tools.ietf.org/html/rfc7643) and [Enterprise schema](https://tools.ietf.org/html/rfc7643) for user resources.
Auth0 supports the SCIM 2.0 [core schema](https://tools.ietf.org/html/rfc7643) for group resources, however only “user” member types are supported. Group “displayName” values must be unique per connection, as required for compatibility with Enterprise identity providers such as Microsoft Entra ID.
### SCIM endpoints and tokens
Each enterprise customer gets a connection-specific SCIM endpoint and token that allows them to securely provision, de-provision, and manage their connection-specific users and groups stored in the Auth0 tenant.
The endpoints and tokens are visible and configurable in the Auth0 Dashboard at **Authentication > Enterprise > \[connecton-type] > \[your-connection] > Provisioning > Sync users and groups using SCIM > Setup**.
The **SCIM Endpoint URL** allows SCIM clients to manage users and groups stored in Auth0 for a given identity provider.
The **Generate New Token** option generates up to two active tokens for this SCIM endpoint, allowing the token used by the SCIM client to be updated without downtime. Tokens may also be revoked on this screen by choosing **Delete**.
The following token generation settings are available:
* **No expiration date:** Select whether the token expires or not.
* **Expiration date in seconds**: if the token has no expiration date, you can choose an expiration time for the token. When the token expires, the SCIM endpoint will return an error response the next time it is used. The minimum allowed expiration time is 900 seconds.
* **List of permissions (scopes):** details which SCIM operations may be performed using this token. The available permissions are:
* **get:users** - Allows users to be retrieved and searched.
* **post:users** - Allows users to be created
* **put:users** - Allows users to be updated using the PUT method.
* **patch:users** - Allows users to be updated using the PATCH method.
* **delete:users** - Allows users to be deleted.
* **get:groups** - Allows groups to be retrieved and searched.
* **post:groups** - Allows groups to be created
* **put:groups** - Allows groups to be updated using the PUT method.
* **patch:groups** - Allows groups to be updated using the PATCH method.
* **delete:groups** - Allows groups to be deleted.
### Session revocation and backchannel logout
When Auth0 receives a SCIM message to deactivate and block a user, it terminates all Auth0 sessions for the user, revokes refresh tokens, and (if configured) triggers [OpenID Connect backchannel logout](/docs/authenticate/login/logout/back-channel-logout/configure-back-channel-logout) for your applications.
### Logs
You can view the full details of all the SCIM requests that Auth0 receives in the [**Monitoring > Logs**](https://manage.auth0.com/#/logs) section of the Auth0 Dashboard. Note that any POST or PUT operation for a Group with over 1,000 members in the request body will not have the members attribute appear in the logs, due to log size limitations.
For information on how to sync SCIM-provisioned users, groups, and group memberships from Auth0 to external systems, read [Sync Users and Groups to External Systems](/docs/authenticate/protocols/scim/configure-inbound-scim#sync-users-and-groups-to-external-systems).
## User Provisioning Options
View the sections below for guidance on how to configure attribute mapping between the SCIM schema and Auth0 user profiles, and how SCIM-provisioned users can be used with other Auth0 features.
### User attribute mapping
Each new connection uses the default attribute map found in the Auth0 Dashboard at **Authentication > Enterprise > \[connecton-type] > \[your-connection] > Provisioning > Sync users and groups using SCIM > Mapping,** where the map can be edited and customized to fit your connection's needs.
Core SCIM user attributes defined in [RFC 7643 sections 3.1, 4.1, and 4.3](https://tools.ietf.org/html/rfc7643) may be used.
| Notes | |
| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| One-to-one mapping | A selected SCIM attribute (or sub-attribute) can only be mapped to one Auth0 attribute. |
| Sub-attribute mapping | Sub-attribute values within multi-value SCIM attributes such as emails and phoneNumbers can be referenced using SCIM filter syntax with the eq operator. See the default attribute maps for examples. |
| Unmappable attributes | The SCIM id and meta attributes cannot be mapped, as they are only sent by Auth0 in the SCIM protocol responses. The id value in SCIM responses is always set to the Auth0 user\_id, and the SCIM password attribute is not usable for Enterprise connections. |
| Omitting SCIM attributes | If a specific SCIM attribute is not configured to be handled in your attribute map, it will be ignored in all SCIM requests and responses. |
These SCIM attributes can be mapped to Auth0 [root](/docs/manage-users/user-accounts/user-profiles/root-attributes) and [metadata](/docs/manage-users/user-accounts/metadata/metadata-fields-data) attributes on the user profile.
| Notes | |
| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| One-to-one mapping | A selected Auth0 attribute can only be mapped to one SCIM attribute. |
| Root attribute mapping | When mapping to [root](/docs/manage-users/user-accounts/user-profiles/root-attributes) attributes, note that only the root attributes listed in [User profile attributes](/docs/manage-users/user-accounts/user-profiles/user-profile-structure#user-profile-attributes) can be searched using a SCIM query. If you need an attribute to be searchable that is not in this list, place it in app\_metadata. |
| Metadata attribute mapping | The use of user\_metadata is allowed, but generally not recommended for synchronized attributes as it is intended to store attributes that can be edited directly by the end user. Use app\_metadata or root attributes instead. |
| Blocked attribute behavior | The mapping to the Auth0 blocked attribute has a special behavior when it is mapped to the SCIM active attribute. When active contains a value of true or false, Auth0 reverses the value and sets Auth0 blocked attribute to false or true, respectively. |
Auth0 also allows you to provision attributes using SCIM in parallel with attributes provisioned during login. For more information, see the next section.
### Sync additional attributes at login
If you are integrating with an identity provider that does not support the same set of user attributes across SAML/OIDC, and SCIM, you can access the additional attributes by enabling **Sync user profile attributes at login** in parallel with SCIM provisioning.
When **Sync user profile attributes at login** is enabled, all [root](/docs/manage-users/user-accounts/user-profiles/root-attributes) attributes on the user profile are overwritten each time a user logs in. To avoid potential conflicts between SCIM and login sync, follow these guidelines:
* Ensure common Auth0 root attributes like `email` and `username` are mapped in your [SAML](/docs/authenticate/protocols/saml/saml-configuration) or [OpenID Connect](/docs/authenticate/identity-providers/enterprise-identity-providers/configure-pkce-claim-mapping-for-oidc) attribute map if they are also present in your SCIM attribute map.
* In your SCIM attribute map, map all of the other SCIM attributes (except the `active` attribute) to values inside the Auth0 `app_metadata` attribute.
### Sync roles as a user attribute
Auth0 supports syncing the SCIM 2.0 `roles` user attribute as defined in [RFC7643](https://datatracker.ietf.org/doc/html/rfc7643). To accept roles, ensure the SCIM attribute map for your connection maps the SCIM `roles` attribute to an Auth0 user attribute like `app_metadata.roles`.
To learn how to sync application-specific roles from Okta Workforce Identity, read [How to Add Multi-value Roles in SCIM Cloud Integration](https://support.okta.com/help/s/article/How-to-add-multivalue-roles-in-SCIM-Cloud-integration). For Microsoft Entra ID roles, read [Customize user provisioning attribute-mappings for SaaS applications in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/customize-application-attributes#provisioning-a-role-to-a-scim-app).
To learn how to assign Auth0 roles to groups provisioned via SCIM, read [Group Provisioning Options](/docs/authenticate/protocols/scim/configure-inbound-scim#group-provisioning-options).
### Organization membership
For SCIM-provisioned users to become members of an Organization, the connection must be configured to **Enable Auto-Membership** as described in [Grant Just-In-Time Membership to an Organization Connection](/docs/manage-users/organizations/configure-organizations/grant-just-in-time-membership).
### User account linking
When using [user account linking](/docs/manage-users/user-accounts/user-account-linking), the SCIM-provisioned user account must be set as the primary user account. Setting as a secondary account will change the SCIM `id` attribute which goes against the [SCIM 2.0 core schema specification](https://datatracker.ietf.org/doc/html/rfc7643#section-3.1). Account linking Enterprise user accounts to social and personal user accounts is not recommended.
## Group Provisioning Options
View the sections below for guidance on how to use SCIM-provisioned groups for authorization, and how SCIM-provisioned groups can be used with Auth0 organizations.
### Use groups with roles
Groups pushed from Enterprise identity providers can be assigned to [core authorization roles](/docs/manage-users/access-control/configure-core-rbac) in Auth0. When assigned, all members of the group inherit the assigned role when they log in. For more information, read [Assign Roles for Enterprise Groups](/docs/manage-users/access-control/configure-core-rbac/rbac-users/assign-roles-to-groups).
Note the tenant-level entity limits for Enterprise groups and core authorization roles in the [Entity Limit Policy](/docs/troubleshoot/customer-support/operational-policies/entity-limit-policy#entity-limit-policy).
### Use groups with organizational roles
Similar to the above, groups pushed from Enterprise identity providers can be [assigned to roles within an organization](/docs/manage-users/organizations/organizations-overview). When an organization member logs in, they inherit any organization roles assigned to the synced groups they are a member of.
If you are looking to represent customers or partners in a B2B or SaaS application, we recommend representing them as [Organizations](/docs/manage-users/organizations/organizations-overview) and using groups and roles within this context.
For SCIM-provisioned users to become members of an Organization, the connection must first be configured to **Enable Auto-Membership** as described in [Grant Just-In-Time Membership to an Organization Connection](/docs/manage-users/organizations/configure-organizations/grant-just-in-time-membership).
Then organizational roles can be assigned to any groups synced from the Enterprise connections associated with the Organization. For more information, read [Assign Roles for Enterprise Groups](/docs/manage-users/access-control/configure-core-rbac/rbac-users/assign-roles-to-groups).
Note the organization-level entity limits for Enterprise groups and core authorization roles in the [Entity Limit Policy](/docs/troubleshoot/customer-support/operational-policies/entity-limit-policy#entity-limit-policy).
### Use groups in a Post-Login Action
You can use group information pushed from Enterprise identity providers in your post-login actions to make custom access control and authorization decisions in Auth0. For more information, see the documentation for the `api.groups.getUserGroups()` and `api.groups.hasGroupMembership()` functions in [Actions Triggers: post-login - API Object](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/post-login-api-object).
## Sync Users and Groups to External Systems
Use Auth0's [Events](/docs/customize/events) feature to sync users, groups, and group memberships outbound from Auth0 into external systems. This allows you to send real-time notifications about changes to users and groups to a custom webhook endpoint, to AWS EventBridge, or to a custom Auth0 Action.
To configure outbound users and group sync:
1. Follow the instructions at [Create an Event Stream](/docs/customize/events/create-an-event-stream) to create an event stream in the Auth0 Dashboard. Choose from using a custom webhook endpoint, AWS EventBridge, or a custom Auth0 Action as the destination for the events.
2. On the configuration page for your event stream, select the desired events to stream for Users and Groups. Selecting all User and Group events is recommended for most cases. To see the information included in each User and Group event, see the [Events Catalog](/docs/events).
3. After your event stream and desired destination is configured, you can generate user and group events for testing by using the Postman collection provided earlier, or by using an Enterprise identity provider to create, update, or delete users and groups using SCIM.
## Deployment Guidelines
### Leverage integration galleries for streamlined setup
To give your customers a tailored experience for setting up both SCIM and SSO, consider listing your application in the [Okta Integration Network](https://www.okta.com/integrations/) and other workforce identity provider integration galleries that you plan to integrate with.
Today Auth0 supports [Express Configuration with Okta](/docs/authenticate/identity-providers/enterprise-identity-providers/okta/express-configuration) which automates the set up of OpenID Connect, SCIM, and Universal Logout for apps published to the [Okta Integration Network](https://www.okta.com/integrations/).
### Use Auth0 Self-Service SSO and User Provisioning
If not using an integration gallery, use [Auth0 Self-Service Enterprise Configuration](/docs/authenticate/enterprise-connections/self-service-enterprise-configuration) to enable your customers or IDP administrators to configure SCIM directly.
### Test SCIM in lower-level environments first
Do not enable SCIM in a production Auth0 tenant before thoroughly testing your integration in a development or staging Auth0 tenant.
### Send SCIM tokens securely
Never send SCIM tokens in plaintext, over email, or via insecure channels. Use a secure communication service like [SendSafely](https://www.sendsafely.com/) or use [Auth0 Self-Service Enterprise Configuration](/docs/authenticate/enterprise-connections/self-service-enterprise-configuration) to issue SCIM tokens directly to your customers.
When using [Express Configuration with Okta](/docs/authenticate/identity-providers/enterprise-identity-providers/okta/express-configuration), the token configuration is automated and not shown.
## Management API
The configuration of SCIM for an Enterprise connection can be automated using the Auth0 management API. For more information, read [Manage an Inbound SCIM Deployment with the Management API](/docs/authenticate/protocols/scim/manage-an-inbound-scim-deployment-with-the-management-api).
All Enterprise users and groups created in your Auth0 tenant via SCIM can also be searched, viewed, or deleted via the Auth0 Management API. The following Management API endpoints are available:
* [GET /api/v2/users](https://auth0.com/docs/api/management/v2/users/get-users)
* [GET /api/v2/users/:id](https://auth0.com/docs/api/management/v2/users/get-users-by-id)
* [GET /api/v2/users/:id/groups](https://auth0.com/docs/api/management/v2/users/get-user-groups)
* [GET /api/v2/groups](https://auth0.com/docs/api/management/v2/groups/get-groups)
* [GET /api/v2/groups/:id](https://auth0.com/docs/api/management/v2/groups/get-group)
* [GET /api/v2/groups/:id/members](https://auth0.com/docs/api/management/v2/groups/get-group-members)
* [DELETE /api/v2/users/:id](https://auth0.com/docs/api/management/v2/users/delete-users-by-id)
* [DELETE /api/v2/groups/:id](https://auth0.com/docs/api/management/v2/groups/delete-group)
## Learn more
* [Configure Inbound SCIM for Identity Providers using SAML or OpenID](/docs/authenticate/protocols/scim/configure-inbound-scim-for-identity-providers-using-saml-or-openid)
* [Inbound SCIM for Okta Workforce Connections](/docs/authenticate/protocols/scim/inbound-scim-for-okta-workforce-connections)
* [Inbound SCIM for Okta Workforce SAML Connections](/docs/authenticate/protocols/scim/inbound-scim-for-okta-workforce-saml-connections)
* [Inbound SCIM for Azure AD SAML Connections](/docs/authenticate/protocols/scim/inbound-scim-for-azure-ad-saml-connections)
* [Inbound SCIM for New Azure AD Connections](/docs/authenticate/protocols/scim/inbound-scim-for-new-azure-ad-connections)
* [Inbound SCIM for Older Azure AD Connections](/docs/authenticate/protocols/scim/inbound-scim-for-older-azure-ad-connections)