title: Connect a directory over SCIM 2.0
category: Connections
tags: scim, provisioning, connector
priority: Normal
Connect a directory over SCIM 2.0
This guide explains how to connect an identity source to Certification Center using SCIM 2.0, the standard protocol for exchanging user and group data between systems. Use the SCIM connector when your directory or identity provider is not Active Directory, Entra ID, Google Workspace, or AWS IAM, but does speak SCIM. Certification Center is cloud SaaS, so this is a configuration task, not an install.
Like the other connectors, SCIM starts read-only: Certification Center reads users and groups so you can certify them and spot orphaned or duplicate accounts. Optional write-back is off until you enable it.
Is SCIM the right connector?
Use SCIM when your source exposes a SCIM 2.0 endpoint and is one of the following: an HR system, a downstream SaaS application, or an identity provider you want to certify that has no dedicated connector. If your source is Active Directory, Entra ID, Google Workspace, or AWS IAM, use the dedicated connector instead; it is simpler and richer.
| Source | Use this connector |
|---|---|
| On-prem or hybrid AD | Active Directory |
| Microsoft cloud | Entra ID |
| Google Workspace | Google Workspace |
| AWS accounts | AWS (IAM) |
| Anything else with a SCIM 2.0 endpoint | SCIM 2.0 |
Prerequisites
- A Certification Center workspace (see Sign up and connect your first directory in 5 minutes)
- A source system that exposes a SCIM 2.0 service provider endpoint (the /Users and /Groups resources)
- The base URL of that SCIM endpoint
- A bearer token (or the credentials your source uses to authorize SCIM calls)
How the SCIM connector works
Certification Center acts as a SCIM client against your source's SCIM service provider. It authenticates with a bearer token, reads the /Users and /Groups resources, maps the standard SCIM attributes onto Certification Center's identity model, and brings those identities under governance. Because SCIM is a standard, the same connector works across any compliant source; only the endpoint URL and token change.
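The read path described above, as an added illustration written for this guide (it is not Certification Center's own code): a minimal SCIM 2.0 client that sends the bearer token, walks /Users page by page, checks that each reply is a SCIM ListResponse, and projects the RFC 7643 core attributes onto a flat identity record. The identity record fields, the `https_fetch` transport and the sample pages are assumptions; the transport is injected so the block runs offline against a constructed directory of three users.

```python
from __future__ import annotations

import json
import urllib.error
import urllib.request
from typing import Callable, Iterator

SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def https_fetch(url: str, token: str) -> tuple[int, dict]:
    """Real transport: a GET carrying the bearer token (assumed to mirror how the
    connector authenticates). Not exercised offline; pass it as `fetch` for a live source."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/scim+json",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:       # 401/404 arrive as exceptions
        return err.code, {}


def list_resources(base_url: str, token: str, resource: str,
                   fetch: Callable[[str, str], tuple[int, dict]],
                   page_size: int = 100) -> Iterator[dict]:
    """Walk /Users or /Groups page by page; startIndex is 1-based in SCIM."""
    start = 1
    while True:
        url = f"{base_url.rstrip('/')}/{resource}?startIndex={start}&count={page_size}"
        status, body = fetch(url, token)
        if status == 401:
            raise PermissionError("401: token is wrong, expired, or lacks read rights")
        if status == 404:
            raise LookupError(f"404: {url} is not served by a SCIM 2.0 root")
        if SCIM_LIST not in body.get("schemas", []):
            raise ValueError("response is not a SCIM ListResponse")
        page = body.get("Resources", [])
        yield from page
        start += len(page)
        if not page or start > body.get("totalResults", 0):
            break


def map_user(u: dict) -> dict:
    """Project the standard SCIM core attributes onto a flat record
    (a hypothetical identity model; attribute names follow RFC 7643)."""
    emails = u.get("emails") or [{}]
    primary = next((e for e in emails if e.get("primary")), emails[0])
    return {
        "id": u.get("id"),
        "user_name": u.get("userName"),
        "display": u.get("displayName") or u.get("name", {}).get("formatted"),
        "email": primary.get("value"),
        "active": bool(u.get("active", True)),
        "external_id": u.get("externalId"),
    }


# Constructed sample: a SCIM root and two pages of /Users as a provider would return them.
SAMPLE_BASE = "https://hr.example.test/scim/v2"
SAMPLE_PAGES = {
    1: {"schemas": [SCIM_LIST], "totalResults": 3, "startIndex": 1, "itemsPerPage": 2,
        "Resources": [
            {"id": "u1", "userName": "alice@example.test", "active": True,
             "name": {"formatted": "Alice Example"},
             "emails": [{"value": "alice@example.test", "primary": True}]},
            {"id": "u2", "userName": "bob@example.test", "active": False,
             "displayName": "Bob Example", "emails": [{"value": "bob@example.test"}]},
        ]},
    3: {"schemas": [SCIM_LIST], "totalResults": 3, "startIndex": 3, "itemsPerPage": 1,
        "Resources": [{"id": "u3", "userName": "carol@example.test", "active": True}]},
}


def fake_fetch(url: str, token: str) -> tuple[int, dict]:
    """Offline stand-in for https_fetch: enforces the token, serves SAMPLE_PAGES,
    and answers 404 for any URL that is not under the sample root."""
    if token != "constructed-read-token":
        return 401, {}
    if not url.startswith(SAMPLE_BASE + "/Users?"):
        return 404, {}
    start = int(url.split("startIndex=")[1].split("&")[0])
    return 200, SAMPLE_PAGES[start]


def sync_users(base_url: str, token: str, fetch=fake_fetch) -> list[dict]:
    """Read-only sync: every user from the source, mapped to the flat record."""
    return [map_user(u) for u in list_resources(base_url, token, "Users", fetch, page_size=2)]


if __name__ == "__main__":
    for rec in sync_users(SAMPLE_BASE, "constructed-read-token"):
        print(rec)
```

The client never writes: it only issues GETs, and it refuses replies that are not a ListResponse so a misconfigured base URL that happens to return some other JSON is caught before anything is mapped.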
Step 1: Get the SCIM endpoint and token from your source
From the system you want to connect, gather:
| Value | Where it usually lives |
|---|---|
| Base URL | The provisioning or SCIM settings of your source system |
| Bearer token | Generated in the same provisioning settings; treat it like a password |
| Supported resources | Confirm the source exposes /Users (and /Groups if you certify groups) |
Give the token the narrowest rights the source allows, ideally read access to users and groups. You only need write access if you later enable write-back.
Step 2: Create the connection in Certification Center
- Sign in to your Certification Center workspace as an administrator
- Go to Connections and choose to add a connection
- Select SCIM 2.0 as the directory type
- Provide the connection details:
| Field | Value |
|---|---|
| Name | A descriptive name such as HR System (SCIM) |
| Base URL | The SCIM 2.0 endpoint base URL from Step 1 |
| Bearer token | The token from Step 1 |
| Access mode | Read-only for the first sync |
- Save the connection
Step 3: Test and run the first sync
- Use Test connection to confirm Certification Center can reach the endpoint and read a sample of users
- Resolve any errors (see Troubleshooting below) before continuing
- Run the first sync to pull users and groups into your workspace
- Review the results: Certification Center flags orphaned accounts and duplicate identities across all connected directories
Write-back (optional)
If your source supports SCIM writes, Certification Center can push a certification decision back as a SCIM update (for example, deactivating a user via a PATCH to active: false). Write-back is off by default and requires a token with write rights plus switching the connection to allow write-back. Keep it read-only until you need it.
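An added illustration of the write-back gate (example code, not Certification Center's own): the deactivation is expressed as the SCIM 2.0 PatchOp from RFC 7644 that sets `active` to `false`, and it is only planned when the connection has been switched out of read-only and the token was issued with write rights. The `Connection` record and its field names are assumptions; the block builds the request but sends nothing.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


@dataclass(frozen=True)
class Connection:
    """Hypothetical view of a stored connection; mirrors the fields in Step 2."""
    base_url: str
    access_mode: str          # "read-only" (the default) or "read-write"
    token_has_write: bool     # recorded when the token was issued in the source


def deactivate_patch() -> dict:
    """SCIM 2.0 PatchOp body that replaces `active` with false."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def plan_deactivation(conn: Connection, user_id: str) -> dict:
    """Return the PATCH that would be sent, or a refusal with the reason.
    Both gates are checked before a request is even assembled."""
    if conn.access_mode != "read-write":
        return {"send": False, "reason": "connection is read-only; write-back is not enabled"}
    if not conn.token_has_write:
        return {"send": False, "reason": "token lacks write rights; regenerate it in the source"}
    return {
        "send": True,
        "method": "PATCH",
        "url": f"{conn.base_url.rstrip('/')}/Users/{user_id}",
        "headers": {"Content-Type": "application/scim+json"},
        "body": json.dumps(deactivate_patch()),
    }


if __name__ == "__main__":
    # Constructed connections: the default read-only one refuses, the enabled one plans the PATCH.
    for conn in (Connection("https://hr.example.test/scim/v2", "read-only", True),
                 Connection("https://hr.example.test/scim/v2", "read-write", True)):
        print(plan_deactivation(conn, "u2"))
```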
Required permissions at a glance
| Item | Least-privilege setting |
|---|---|
| Protocol | SCIM 2.0 service provider on your source |
| Token rights | Read /Users and /Groups for the first sync |
| Transport | HTTPS endpoint |
| Write-back | Off until explicitly enabled, and only if the source supports SCIM writes |
Troubleshooting
- 401 Unauthorized — The bearer token is wrong, expired, or lacks read rights. Regenerate it in your source system.
- 404 Not Found — The base URL is wrong or missing the SCIM path. Confirm it points at the SCIM 2.0 root that serves /Users.
- Endpoint not reachable — The source's SCIM endpoint must be reachable over the public internet for a cloud connection. Confirm it is publicly resolvable and not restricted to an internal network.
- Attributes look empty — The source may not populate standard SCIM attributes; check what your source's /Users schema actually returns.
- For a broader symptom list, see Troubleshooting cloud directory connections.
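Two pre-flight checks for the symptoms listed above, added here as example code rather than anything Certification Center ships: `check_base_url` catches a base URL that points at the /Users resource instead of the SCIM root, is not HTTPS, or names an internal host (the internal-host test is a heuristic), and `attribute_coverage` measures how many returned users actually populate each core attribute, which is the usual explanation for "attributes look empty". The sample users are constructed.

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

CORE_ATTRS = ("userName", "displayName", "name", "emails", "active", "externalId")


def check_base_url(base_url: str) -> list[str]:
    """Return the problems found with a SCIM base URL; an empty list means it looks usable."""
    problems: list[str] = []
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        problems.append("must use https")
    if not parts.netloc:
        problems.append("missing host")
    if parts.path.rstrip("/").endswith(("/Users", "/Groups")):
        problems.append("should be the SCIM root, not the /Users or /Groups resource")
    if parts.query or parts.fragment:
        problems.append("must not carry a query string or fragment")
    host = parts.hostname or ""
    try:                                    # literal IP: private ranges are not reachable from a cloud service
        internal = ipaddress.ip_address(host).is_private
    except ValueError:                      # hostname: heuristic on common internal suffixes
        internal = host == "localhost" or host.endswith((".local", ".internal"))
    if internal:
        problems.append("host looks internal; a cloud connection needs a publicly resolvable endpoint")
    return problems


def attribute_coverage(users: list[dict]) -> dict[str, float]:
    """Fraction of returned users that populate each core SCIM attribute.
    `active: false` counts as populated; None, empty strings, lists and objects do not."""
    if not users:
        return {a: 0.0 for a in CORE_ATTRS}
    empty = (None, "", [], {})
    return {a: sum(1 for u in users if u.get(a) not in empty) / len(users) for a in CORE_ATTRS}


def sparse_attributes(users: list[dict], threshold: float = 0.5) -> list[str]:
    """Core attributes populated on fewer than `threshold` of the users: the ones to
    raise with the source's administrator before blaming the connector."""
    return [a for a, frac in attribute_coverage(users).items() if frac < threshold]


# Constructed sample: four /Users resources with uneven attribute population.
SAMPLE_USERS = [
    {"id": "u1", "userName": "alice@example.test", "active": True,
     "name": {"formatted": "Alice Example"}, "emails": [{"value": "alice@example.test"}]},
    {"id": "u2", "userName": "bob@example.test", "active": False,
     "emails": [{"value": "bob@example.test"}]},
    {"id": "u3", "userName": "carol@example.test", "active": True},
    {"id": "u4", "userName": "dan@example.test", "displayName": "Dan Example", "emails": []},
]

if __name__ == "__main__":
    print(check_base_url("http://10.0.0.5/scim/v2/Users/"))
    print(attribute_coverage(SAMPLE_USERS))
    print(sparse_attributes(SAMPLE_USERS))
```

Run `check_base_url` on the value you are about to paste into the Base URL field; run the coverage check on the raw /Users page from the source before the first sync, so that a thin schema on the source side is known in advance rather than discovered as blank fields after the sync.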