
Connect a directory over SCIM 2.0


This guide explains how to connect an identity source to Certification Center using SCIM 2.0, the standard protocol for exchanging user and group data between systems. Use the SCIM connector when your directory or identity provider is not Active Directory, Entra ID, Google Workspace, or AWS IAM, but does speak SCIM. Certification Center is cloud SaaS, so this is a configuration task, not an install.

Like the other connectors, SCIM starts read-only: Certification Center reads users and groups so you can certify them and spot orphaned or duplicate accounts. Optional write-back is off until you enable it.

Is SCIM the right connector?

Use SCIM when your source is one of the following and exposes a SCIM 2.0 endpoint: an HR system, a downstream SaaS application, or an identity provider you want to certify that has no dedicated connector. If your source is Active Directory, Entra ID, Google Workspace, or AWS IAM, use the dedicated connector instead; it is simpler and richer.

Source                                    Use this connector
------------------------------------------------------------
On-prem or hybrid AD                      Active Directory
Microsoft cloud                           Entra ID
Google                                    Google Workspace
AWS accounts                              AWS (IAM)
Anything else with a SCIM 2.0 endpoint    SCIM 2.0

Prerequisites

  • A Certification Center workspace (see Sign up and connect your first directory in 5 minutes)
  • A source system that exposes a SCIM 2.0 service provider endpoint (the /Users and /Groups resources)
  • The base URL of that SCIM endpoint
  • A bearer token (or the credentials your source uses to authorize SCIM calls)

How the SCIM connector works

Certification Center acts as a SCIM client against your source's SCIM service provider. It authenticates with a bearer token, reads the /Users and /Groups resources, maps the standard SCIM attributes onto Certification Center's identity model, and brings those identities under governance. Because SCIM is a standard, the same connector works across any compliant source; only the endpoint URL and token change.
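The read-only side of the connector described above, written out as an added example (this is illustrative code, not Certification Center's own implementation): it builds the bearer-token request for one page of /Users, walks the SCIM 2.0 ListResponse pagination (startIndex, itemsPerPage, totalResults), maps the core User attributes onto a small identity record, and then runs the two checks the guide mentions, duplicate identities across connected sources and orphaned accounts. The orphan rule used here (an account whose primary e-mail has no match in the authoritative HR source) and the sample responses are assumptions constructed for the example; the connection names and example.com addresses are likewise made up.

```python
"""Read-only SCIM 2.0 sync: page /Users, map attributes, flag duplicates/orphans.
Added example with constructed data; not Certification Center's own code."""
import json
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urlencode

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


@dataclass
class Identity:
    source: str          # connection name the record came from
    external_id: str     # SCIM "id" assigned by the service provider
    user_name: str
    display_name: str
    email: str           # primary e-mail, lower-cased for cross-source matching
    active: bool
    groups: list = field(default_factory=list)


def auth_headers(token: str) -> dict:
    """Bearer-token headers sent on every SCIM request."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}


def list_users_url(base_url: str, start_index: int = 1, count: int = 100) -> str:
    """GET URL for one page of /Users using the standard startIndex/count parameters."""
    query = urlencode({"startIndex": start_index, "count": count})
    return f"{base_url.rstrip('/')}/Users?{query}"


def parse_list_response(body: str):
    """Return (Resources, totalResults, startIndex) from a SCIM ListResponse body."""
    doc = json.loads(body)
    if LIST_RESPONSE not in doc.get("schemas", []):
        raise ValueError("response is not a SCIM 2.0 ListResponse")
    return doc.get("Resources", []), int(doc.get("totalResults", 0)), int(doc.get("startIndex", 1))


def map_user(source: str, resource: dict) -> Identity:
    """Map a SCIM core User resource onto the simplified identity record above."""
    emails = resource.get("emails") or []
    primary = next((e["value"] for e in emails if e.get("primary")), None)
    if primary is None and emails:          # no primary flag: fall back to the first address
        primary = emails[0]["value"]
    name = resource.get("name") or {}
    display = resource.get("displayName") or " ".join(
        p for p in (name.get("givenName"), name.get("familyName")) if p)
    return Identity(source=source, external_id=resource.get("id", ""),
                    user_name=resource.get("userName", ""), display_name=display,
                    email=(primary or "").lower(), active=bool(resource.get("active", True)),
                    groups=[g.get("display") or g.get("value") for g in resource.get("groups", [])])


def fetch_all_users(source: str, fetch_page: Callable[[int, int], str], page_size: int = 100):
    """Walk /Users page by page until startIndex + page length passes totalResults."""
    identities, start = [], 1
    while True:
        resources, total, start_index = parse_list_response(fetch_page(start, page_size))
        identities.extend(map_user(source, r) for r in resources)
        if not resources or start_index + len(resources) > total:
            return identities
        start = start_index + len(resources)


def find_duplicates(identities):
    """Group identities that share a primary e-mail across all connected sources."""
    by_email = {}
    for ident in identities:
        if ident.email:
            by_email.setdefault(ident.email, []).append(ident)
    return {e: ids for e, ids in by_email.items() if len(ids) > 1}


def find_orphans(identities, authoritative_source: str):
    """Assumed orphan rule: an account with no e-mail match in the authoritative (HR) source."""
    known = {i.email for i in identities if i.source == authoritative_source and i.email}
    return [i for i in identities if i.source != authoritative_source and i.email not in known]


def _page(start, total, users):  # constructed ListResponse body, not from a real server
    return json.dumps({"schemas": [LIST_RESPONSE], "totalResults": total, "startIndex": start,
                       "itemsPerPage": len(users), "Resources": users})


HR_PAGES = {  # constructed: three users served as two pages of size 2
    1: _page(1, 3, [
        {"id": "u1", "userName": "alice@example.com", "active": True,
         "name": {"givenName": "Alice", "familyName": "Liddell"},
         "emails": [{"value": "Alice@example.com", "primary": True}],
         "groups": [{"display": "Finance"}]},
        {"id": "u2", "userName": "bob@example.com", "active": False,
         "displayName": "Bob Baker", "emails": [{"value": "bob@example.com"}]}]),
    3: _page(3, 3, [
        {"id": "u3", "userName": "carol@example.com", "active": True,
         "emails": [{"value": "carol@example.com", "primary": True}]}]),
}
APP_PAGES = {  # constructed: a downstream app that still has a user HR does not know
    1: _page(1, 2, [
        {"id": "a1", "userName": "alice", "active": True,
         "emails": [{"value": "alice@example.com", "primary": True}]},
        {"id": "a2", "userName": "dave@example.com", "active": True,
         "emails": [{"value": "dave@example.com"}]}]),
}


def run_demo() -> dict:
    """Sync both constructed sources read-only and return the review findings."""
    hr = fetch_all_users("HR System (SCIM)", lambda s, c: HR_PAGES[s], page_size=2)
    app = fetch_all_users("Payroll App (SCIM)", lambda s, c: APP_PAGES[s], page_size=2)
    everyone = hr + app
    return {"identities": everyone,
            "duplicates": find_duplicates(everyone),
            "orphans": [i.email for i in find_orphans(everyone, "HR System (SCIM)")],
            "inactive": [i.email for i in everyone if not i.active]}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The pagination loop stops on an empty page as well as on reaching totalResults, which protects against a service provider that reports an inaccurate count; e-mail is lower-cased before matching so that the same person provisioned as Alice@example.com in HR and alice@example.com in an application is still reported as one duplicate pair.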

Step 1: Get the SCIM endpoint and token from your source

From the system you want to connect, gather:

Value                Where it usually lives
---------------------------------------------------------------------------------------
Base URL             The provisioning or SCIM settings of your source system
Bearer token         Generated in the same provisioning settings; treat it like a password
Supported resources  Confirm the source exposes /Users (and /Groups if you certify groups)

Give the token the narrowest rights the source allows, ideally read access to users and groups. You only need write access if you later enable write-back.

Step 2: Create the connection in Certification Center

  1. Sign in to your Certification Center workspace as an administrator
  2. Go to Connections and choose to add a connection
  3. Select SCIM 2.0 as the directory type
  4. Provide the connection details:

     Field         Value
     -------------------------------------------------------------
     Name          A descriptive name such as HR System (SCIM)
     Base URL      The SCIM 2.0 endpoint base URL from Step 1
     Bearer token  The token from Step 1
     Access mode   Read-only for the first sync

  5. Save the connection

Step 3: Test and run the first sync

  1. Use Test connection to confirm Certification Center can reach the endpoint and read a sample of users
  2. Resolve any errors (see Troubleshooting below) before continuing
  3. Run the first sync to pull users and groups into your workspace
  4. Review the results: Certification Center flags orphaned accounts and duplicate identities across all connected directories

Write-back (optional)

If your source supports SCIM writes, Certification Center can push a certification decision back as a SCIM update (for example, deactivating a user with a SCIM PATCH that sets active: false). Write-back is off by default and requires a token with write rights plus switching the connection to allow write-back. Keep it read-only until you need it.
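What a write-back request looks like, as an added example that is not Certification Center's own code: the SCIM 2.0 PatchOp message that sets active to false, guarded so that it is only built when the connection has write-back enabled and the source actually advertises PATCH support in its /ServiceProviderConfig (the patch.supported flag defined by RFC 7643). The function and exception names, the constructed config responses and the example.com URL are assumptions made for the example.

```python
"""Write-back guard and SCIM 2.0 PatchOp construction for deactivating a user.
Added example with assumed names; not Certification Center's own code."""
import json
from urllib.parse import quote

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SPC_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"


class WriteBackDisabled(Exception):
    """Raised when a write is requested on a connection that is still read-only."""


def source_supports_patch(service_provider_config: str) -> bool:
    """A SCIM service provider advertises PATCH support under patch.supported."""
    doc = json.loads(service_provider_config)
    return bool(doc.get("patch", {}).get("supported", False))


def deactivate_patch_body() -> dict:
    """The PatchOp that replaces the User's active attribute with false."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def build_deactivate_request(base_url: str, user_id: str, token: str, *,
                             write_back_enabled: bool, service_provider_config: str) -> dict:
    """Return the PATCH request to send, or refuse when the connection or source disallows writes."""
    if not write_back_enabled:
        raise WriteBackDisabled("connection is read-only; enable write-back on the connection first")
    if not source_supports_patch(service_provider_config):
        raise ValueError("source does not advertise PATCH support in /ServiceProviderConfig")
    return {
        "method": "PATCH",
        "url": f"{base_url.rstrip('/')}/Users/{quote(user_id, safe='')}",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/scim+json",
                    "Accept": "application/scim+json"},
        "body": json.dumps(deactivate_patch_body()),
    }


# Constructed /ServiceProviderConfig responses (not captured from any real server)
CONFIG_WITH_PATCH = json.dumps({"schemas": [SPC_SCHEMA], "patch": {"supported": True}})
CONFIG_WITHOUT_PATCH = json.dumps({"schemas": [SPC_SCHEMA], "patch": {"supported": False}})


def run_demo() -> dict:
    """Show the read-only refusal first, then the request once write-back is enabled."""
    base, user, token = "https://scim.example.com/scim/v2", "u2", "EXAMPLE-TOKEN"
    try:
        build_deactivate_request(base, user, token, write_back_enabled=False,
                                 service_provider_config=CONFIG_WITH_PATCH)
        refused = ""
    except WriteBackDisabled as exc:
        refused = str(exc)
    request = build_deactivate_request(base, user, token, write_back_enabled=True,
                                       service_provider_config=CONFIG_WITH_PATCH)
    return {"refused": refused, "request": request}


if __name__ == "__main__":
    demo = run_demo()
    print("read-only refusal:", demo["refused"])
    print(demo["request"]["method"], demo["request"]["url"])
    print(demo["request"]["body"])
```

Checking /ServiceProviderConfig before attempting a write is what makes the "only if the source supports SCIM writes" condition above verifiable rather than assumed; a source that returns patch.supported as false should keep the connection read-only even if the token happens to carry write rights.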

Required permissions at a glance

Item          Least-privilege setting
------------------------------------------------------------------------------------------
Protocol      SCIM 2.0 service provider on your source
Token rights  Read /Users and /Groups for the first sync
Transport     HTTPS endpoint
Write-back    Off until explicitly enabled, and only if the source supports SCIM writes

Troubleshooting

  • 401 Unauthorized — The bearer token is wrong, expired, or lacks read rights. Regenerate it in your source system.
  • 404 Not Found — The base URL is wrong or missing the SCIM path. Confirm it points at the SCIM 2.0 root that serves /Users.
  • Endpoint not reachable — The source's SCIM endpoint must be reachable over the public internet for a cloud connection. Confirm it is publicly resolvable and not restricted to an internal network.
  • Attributes look empty — The source may not populate standard SCIM attributes; check what your source's /Users schema actually returns.
  • For a broader symptom list, see Troubleshooting cloud directory connections.

Next steps
