Version: 1.0

SCIM 2.0 Provisioning

SCIM (System for Cross-domain Identity Management) 2.0 enables automated user lifecycle management between your identity provider and SyVault. When you add a user in Okta, Azure AD, or any SCIM-compatible IdP, SyVault automatically creates their account. When you deactivate them, SyVault revokes access and re-wraps shared keys -- no manual intervention required.

info

SCIM provisioning is available on Business and Enterprise plans and requires SAML SSO to be configured first.

How It Works

Your identity provider sends HTTPS requests to SyVault's SCIM endpoint whenever a user is created, updated, or deactivated. SyVault processes these requests and reflects the changes in your organization's membership.

IdP Action                 | SCIM Operation                            | SyVault Result
Assign user to app         | POST /api/scim/v2/{org_slug}/Users        | Member invitation created and sent
Unassign / deactivate user | DELETE /api/scim/v2/{org_slug}/Users/:id  | Member deactivated, shared keys re-wrapped
List users                 | GET /api/scim/v2/{org_slug}/Users         | Returns current organization members
Get single user            | GET /api/scim/v2/{org_slug}/Users/:id     | Returns specific member details

Enabling SCIM

  1. Navigate to Admin Console > SSO & SCIM > SCIM Provisioning.
  2. Click Enable SCIM.
  3. SyVault generates a SCIM Endpoint URL and a Bearer Token.
  4. Copy both values immediately -- the token is shown only once.

Parameter      | Value
SCIM Endpoint  | https://api.syvault.com/api/scim/v2/{org_slug}/Users
Authentication | Bearer token (provided during setup)
Content-Type   | application/scim+json

warning

The SCIM bearer token is displayed only once at generation time. If you lose it, revoke the current token and generate a new one from the Admin Console. Revoking a token immediately invalidates it, so update your IdP configuration promptly.

SCIM Endpoint Details

All SCIM endpoints are namespaced under the organization slug ({org_slug}), which you receive with the SCIM Endpoint URL during setup.

GET /api/scim/v2/{org_slug}/Users

Returns a paginated list of all members in the organization. Supports the filter parameter for searching by userName (the member's email address):

GET /api/scim/v2/{org_slug}/Users?filter=userName eq "alice@acme.com"

POST /api/scim/v2/{org_slug}/Users

Creates a new member. The request body must include at minimum:

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "alice@acme.com",
  "name": {
    "givenName": "Alice",
    "familyName": "Chen"
  },
  "active": true
}

SyVault sends an invitation email to the user. The user must accept the invitation and set up their master password and encryption keys before they can access their vault.

DELETE /api/scim/v2/{org_slug}/Users/:id

Deactivates the user. SyVault does not permanently delete the user record on SCIM DELETE -- it sets the member to inactive, revokes all sessions, and re-wraps shared folder keys. This allows Owners to review the member's shared data before permanent removal.

note

SyVault does not currently implement SCIM PUT /Users/:id (full user replacement) or PATCH operations. Updating a user's email or display name must be done through the SyVault Admin Console.
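The three operations documented above (filtered GET, minimal POST body, and DELETE-as-deactivate) fit together into a small reconciliation loop like the one an IdP runs. The following is an added example, not SyVault's own SDK or server code: a minimal SCIM client plus an in-memory stand-in for the endpoint so it runs offline. The org slug "acme", the token, the sample users and the stand-in's behaviour (deactivated members remain listed with "active": false) are assumptions constructed for the example.

```python
"""Added example (not SyVault's SDK): minimal SCIM 2.0 client for /Users plus an
in-memory stand-in for the server. Slug, token and users are constructed."""
import json
import re
import urllib.parse
import urllib.request

SCIM_JSON = "application/scim+json"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


class SyVaultScimClient:
    """Client for https://api.syvault.com/api/scim/v2/{org_slug}/Users."""

    def __init__(self, base_url, org_slug, token, transport=None):
        self.users_url = f"{base_url.rstrip('/')}/api/scim/v2/{org_slug}/Users"
        self.token = token
        # transport(method, url, body) -> (http_status, parsed_json_or_None)
        self._transport = transport or self._http

    def _http(self, method, url, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self.token}")
        req.add_header("Accept", SCIM_JSON)
        if data is not None:
            req.add_header("Content-Type", SCIM_JSON)
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)

    def list_users(self, email=None):
        url = self.users_url
        if email is not None:
            # RFC 7644 filter: value is a quoted string (escape \ and "), and the
            # whole expression is percent-encoded so the email is never injected raw.
            value = email.replace("\\", "\\\\").replace('"', '\\"')
            url += "?" + urllib.parse.urlencode({"filter": f'userName eq "{value}"'})
        status, body = self._transport("GET", url, None)
        if status != 200:
            raise RuntimeError(f"SCIM list failed: HTTP {status}")
        return body.get("Resources", [])

    def create_user(self, email, given_name, family_name):
        body = {  # the minimum body documented for POST /Users
            "schemas": [USER_SCHEMA],
            "userName": email,
            "name": {"givenName": given_name, "familyName": family_name},
            "active": True,
        }
        status, created = self._transport("POST", self.users_url, body)
        if status != 201:
            raise RuntimeError(f"SCIM create failed: HTTP {status}")
        return created

    def deactivate(self, user_id):
        # The id is server-supplied; percent-encode it before placing it in the path.
        url = f"{self.users_url}/{urllib.parse.quote(user_id, safe='')}"
        status, _ = self._transport("DELETE", url, None)
        return status == 204


def reconcile(client, assigned):
    """assigned: {email: (givenName, familyName)} as held by the IdP.
    Creates missing members, deactivates active members no longer assigned.
    Returns (created_emails, deactivated_emails), each sorted."""
    wanted = {e.lower(): names for e, names in assigned.items()}
    current = {u["userName"].lower(): u for u in client.list_users()}
    created, deactivated = [], []
    for email in sorted(set(wanted) - set(current)):
        client.create_user(email, *wanted[email])
        created.append(email)
    for email, user in sorted(current.items()):
        if email not in wanted and user.get("active"):
            client.deactivate(user["id"])
            deactivated.append(email)
    return created, deactivated


class FakeSyVault:
    """Constructed in-memory stand-in for the SCIM endpoint. DELETE marks the
    member inactive and keeps the record (assumed to still appear in GET)."""

    def __init__(self):
        self.users, self._next = {}, 1

    def handle(self, method, url, body):
        parts = urllib.parse.urlsplit(url)
        path, query = parts.path, urllib.parse.parse_qs(parts.query)
        if method == "GET" and path.endswith("/Users"):
            found = list(self.users.values())
            if "filter" in query:
                m = re.fullmatch(r'userName eq "(.*)"', query["filter"][0])
                if not m:
                    return 400, {"detail": "unsupported filter"}
                target = re.sub(r"\\(.)", r"\1", m.group(1)).lower()  # unescape
                found = [u for u in found if u["userName"].lower() == target]
            return 200, {"totalResults": len(found), "Resources": found}
        if method == "POST" and path.endswith("/Users"):
            user = dict(body, id=f"u{self._next}")
            self._next += 1
            self.users[user["id"]] = user
            return 201, user
        if method == "DELETE":
            uid = urllib.parse.unquote(path.rsplit("/", 1)[1])
            if uid not in self.users:
                return 404, None
            self.users[uid]["active"] = False  # deactivate, do not delete
            return 204, None
        return 404, None
```

Swap `FakeSyVault().handle` for the default transport to talk to the real endpoint; the client never builds a filter by string concatenation of an unencoded email, and it treats a deactivated member (still listed, "active": false) as not needing a second DELETE.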

Configuring Your IdP

Okta

  1. Open your SyVault SAML app in Okta Admin.
  2. Go to Provisioning > Configure API Integration.
  3. Check Enable API Integration.
  4. Paste the SCIM Endpoint URL and Bearer Token.
  5. Click Test API Credentials and then Save.
  6. Under Provisioning > To App, enable Create Users, Update User Attributes, and Deactivate Users.

Azure AD (Entra ID)

  1. Open your SyVault Enterprise App in Azure Portal.
  2. Navigate to Provisioning > Get Started.
  3. Set Provisioning Mode to Automatic.
  4. Enter the SCIM Endpoint URL as the Tenant URL and the Bearer Token as the Secret Token.
  5. Click Test Connection and then Save.
  6. Under Mappings, ensure userPrincipalName maps to userName and displayName maps to name.formatted.

Other IdPs

Any SCIM 2.0-compliant identity provider can integrate with SyVault. Use the SCIM Endpoint URL and Bearer Token in your IdP's SCIM configuration. SyVault implements the SCIM 2.0 Core Schema (urn:ietf:params:scim:schemas:core:2.0:User) and the /Users resource endpoint.