SCIM 2.0 Provisioning
SCIM (System for Cross-domain Identity Management) 2.0 enables automated user lifecycle management between your identity provider and SyVault. When you add a user in Okta, Azure AD, or any SCIM-compatible IdP, SyVault automatically creates their account. When you deactivate them, SyVault revokes access and re-wraps shared keys -- no manual intervention required.
SCIM provisioning is available on Business and Enterprise plans and requires SAML SSO to be configured first.
How It Works
Your identity provider sends HTTPS requests to SyVault's SCIM endpoint whenever a user is created, updated, or deactivated. SyVault processes these requests and reflects the changes in your organization's membership.
| IdP Action | SCIM Operation | SyVault Result |
|---|---|---|
| Assign user to app | POST /api/scim/v2/{org_slug}/Users | Member invitation created and sent |
| Unassign / deactivate user | DELETE /api/scim/v2/{org_slug}/Users/:id | Member deactivated, shared keys re-wrapped |
| List users | GET /api/scim/v2/{org_slug}/Users | Returns current organization members |
| Get single user | GET /api/scim/v2/{org_slug}/Users/:id | Returns specific member details |
Enabling SCIM
- Navigate to Admin Console > SSO & SCIM > SCIM Provisioning.
- Click Enable SCIM.
- SyVault generates a SCIM Endpoint URL and a Bearer Token.
- Copy both values immediately -- the token is shown only once.
| Parameter | Value |
|---|---|
| SCIM Endpoint | https://api.syvault.com/api/scim/v2/{org_slug}/Users |
| Authentication | Bearer token (provided during setup) |
| Content-Type | application/scim+json |
The SCIM bearer token is displayed only once at generation time. If you lose it, revoke the current token and generate a new one from the Admin Console. Revoking a token immediately invalidates it, so update your IdP configuration promptly.
SCIM Endpoint Details
All SCIM endpoints are namespaced under the organization slug ({org_slug}), which you receive with the SCIM Endpoint URL during setup.
GET /api/scim/v2/{org_slug}/Users
Returns a paginated list of all members in the organization. Supports the `filter` parameter for searching by `userName` (email):
```
GET /api/scim/v2/{org_slug}/Users?filter=userName eq "alice@acme.com"
```
POST /api/scim/v2/{org_slug}/Users
Creates a new member. The request body must include at minimum:
```json
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "alice@acme.com",
  "name": {
    "givenName": "Alice",
    "familyName": "Chen"
  },
  "active": true
}
```
SyVault sends an invitation email to the user. The user must accept the invitation and set up their master password and encryption keys before they can access their vault.
DELETE /api/scim/v2/{org_slug}/Users/:id
Deactivates the user. SyVault does not permanently delete the user record on SCIM DELETE -- it sets the member to inactive, revokes all sessions, and re-wraps shared folder keys. This allows Owners to review the member's shared data before permanent removal.
SyVault does not currently implement SCIM PUT /Users/:id (full user replacement) or PATCH operations. Updating a user's email or display name must be done through the SyVault Admin Console.
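As an added example (not SyVault's own code or client), the Python below drives the lifecycle from the IdP side using only the operations documented above (GET, POST and DELETE on /Users, no PUT or PATCH): it reconciles an IdP assignment list against the organization's members, creating missing users with the minimum POST body and deactivating users the IdP no longer assigns. The org slug `acme`, the `EXAMPLE_TOKEN` value and the in-memory `FakeSyVault` stand-in are constructed; it also assumes the standard SCIM ListResponse shape (`Resources`) and that the membership fits in one page.

```python
import json
from urllib.request import Request, urlopen

SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def http_send(method, url, headers, body=None):
    """HTTPS transport: returns (status, decoded JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    with urlopen(Request(url, data=data, headers=headers, method=method)) as r:
        raw = r.read()
        return r.status, (json.loads(raw) if raw else None)

def user_body(email, given, family):
    """Minimum attributes required by POST /Users, as documented above."""
    return {"schemas": [SCHEMA], "userName": email,
            "name": {"givenName": given, "familyName": family}, "active": True}

def reconcile(endpoint, token, assigned, send=http_send):
    """assigned = {email: (givenName, familyName)} as assigned in the IdP.
    Creates missing members and DELETEs (deactivates) active members that are
    no longer assigned. Assumes one ListResponse page holds every member."""
    hdrs = {"Authorization": "Bearer " + token,
            "Content-Type": "application/scim+json"}
    _, page = send("GET", endpoint, hdrs)
    current = {u["userName"]: u for u in page.get("Resources", [])}
    created = [e for e in assigned if e not in current]
    for email in created:
        send("POST", endpoint, hdrs, user_body(email, *assigned[email]))
    deactivated = [e for e, u in current.items()
                   if e not in assigned and u.get("active")]
    for email in deactivated:
        send("DELETE", f"{endpoint}/{current[email]['id']}", hdrs)
    return created, deactivated

class FakeSyVault:
    """Constructed in-memory stand-in (not SyVault) with the documented
    semantics: POST creates, DELETE sets inactive rather than deleting."""
    def __init__(self, users):
        self.users = {u["id"]: dict(u) for u in users}
    def __call__(self, method, url, headers, body=None):
        assert headers["Authorization"].startswith("Bearer ")
        if method == "GET":
            res = list(self.users.values())
            return 200, {"totalResults": len(res), "Resources": res}
        if method == "POST":
            uid = "u%d" % (len(self.users) + 1)
            self.users[uid] = {"id": uid, **body}
            return 201, self.users[uid]
        self.users[url.rsplit("/", 1)[1]]["active"] = False  # DELETE
        return 204, None
```

Pass `send=FakeSyVault([...])` to exercise the logic offline; with the default `http_send` the same call talks to the real SCIM Endpoint URL and Bearer Token from the Admin Console.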
Configuring Your IdP
Okta
- Open your SyVault SAML app in Okta Admin.
- Go to Provisioning > Configure API Integration.
- Check Enable API Integration.
- Paste the SCIM Endpoint URL and Bearer Token.
- Click Test API Credentials and then Save.
- Under Provisioning > To App, enable Create Users, Update User Attributes, and Deactivate Users.
Azure AD (Entra ID)
- Open your SyVault Enterprise App in Azure Portal.
- Navigate to Provisioning > Get Started.
- Set Provisioning Mode to Automatic.
- Enter the SCIM Endpoint URL as the Tenant URL and the Bearer Token as the Secret Token.
- Click Test Connection and then Save.
- Under Mappings, ensure `userPrincipalName` maps to `userName` and `displayName` maps to `name.formatted`.
Other IdPs
Any SCIM 2.0-compliant identity provider can integrate with SyVault. Use the SCIM Endpoint URL and Bearer Token in your IdP's SCIM configuration. SyVault implements the SCIM 2.0 Core Schema (urn:ietf:params:scim:schemas:core:2.0:User) and the /Users resource endpoint.