SCIM 2.0 Integration

SCIM 2.0 (System for Cross-domain Identity Management) is an open standard protocol designed specifically for automating the exchange of user identity information between systems. Unlike CSV imports or custom REST API integrations, SCIM provides a standardized schema and set of operations that any compliant system can use, eliminating the need for custom field mapping and parsing logic.

What is SCIM 2.0?

SCIM 2.0, defined in RFC 7642, 7643, and 7644, provides:

  • Standardized schema for user and group resources
  • RESTful operations for Create, Read, Update, Delete, and Search
  • Consistent data format across all SCIM-compliant systems
  • Real-time provisioning through push-based updates
  • Bulk operations for efficient large-scale changes

| Aspect | CSV Import | REST API Import | SCIM 2.0 |
|---|---|---|---|
| Data freshness | Batch (hours/days) | Scheduled (minutes/hours) | Real-time (seconds) |
| Setup effort | Low | Medium | Low-Medium |
| Custom mapping | Required | Required | Minimal (standard schema) |
| Error handling | Manual review | Custom logic | Protocol-defined |
| Bidirectional | No | Possible but custom | Yes (standard) |
| Vendor lock-in | High (custom format) | Medium (custom API) | Low (open standard) |

How IdentityCenter Uses SCIM

IdentityCenter can act as a SCIM client, connecting to HR systems that expose a SCIM 2.0 service provider endpoint. In this mode, IdentityCenter:

  1. Queries the HR system's SCIM endpoint for user and group resources
  2. Maps SCIM standard attributes to IdentityCenter identity fields
  3. Detects new, changed, and terminated employees
  4. Triggers lifecycle templates based on detected changes

IdentityCenter can also act as a SCIM service provider, allowing HR systems to push changes directly to IdentityCenter in real time.

Setting Up SCIM Connections

Navigate to Administration > HR Import (/admin/hr-import) and select SCIM 2.0 as the source type.

Step 1: Connection Details

| Setting | Description | Example |
|---|---|---|
| SCIM Endpoint URL | Base URL of the SCIM service | https://hr.corp.com/scim/v2 |
| Authentication Type | How to authenticate with the SCIM service | Bearer Token, OAuth 2.0 |
| Bearer Token | Static token for authentication | scim-token-abc123 |
| OAuth Token URL | OAuth 2.0 token endpoint (if using OAuth) | https://auth.corp.com/oauth/token |
| Client ID | OAuth client identifier | identitycenter-scim |
| Client Secret | OAuth client secret (encrypted) | |
| SSL Verification | Validate TLS certificates | Yes |

Step 2: Resource Configuration

Configure which SCIM resources to synchronize:

| Resource | SCIM Endpoint | Description |
|---|---|---|
| Users | /Users | Employee identity records |
| Groups | /Groups | Organizational groups and teams |
| Enterprise User | /Users (with Enterprise extension) | Extended employee attributes |

Step 3: Schema Discovery

Click Discover Schema to have IdentityCenter query the SCIM service's /Schemas and /ResourceTypes endpoints. This automatically detects:

  • Available resource types
  • Supported attributes per resource
  • Required vs. optional fields
  • Attribute mutability (read-only, read-write)
  • Multi-valued attributes (emails, phone numbers, addresses)

SCIM User Schema

The SCIM Core User schema provides standard attributes that map directly to IdentityCenter fields:

Core Attributes

| SCIM Attribute | IdentityCenter Field | Description |
|---|---|---|
| id | ExternalId | SCIM service-assigned unique ID |
| externalId | EmployeeID | HR system employee identifier |
| userName | Username | Unique login identifier |
| name.givenName | FirstName | First name |
| name.familyName | LastName | Last name |
| name.middleName | MiddleName | Middle name |
| displayName | DisplayName | Full display name |
| emails[primary].value | Email | Primary email address |
| phoneNumbers[work].value | Phone | Work phone number |
| phoneNumbers[mobile].value | MobilePhone | Mobile phone number |
| active | IsActive | Account active status |

Enterprise User Extension

The Enterprise User extension (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User) adds HR-specific attributes:

| SCIM Attribute | IdentityCenter Field | Description |
|---|---|---|
| employeeNumber | EmployeeID | Employee number (alternative to externalId) |
| department | Department | Department name |
| division | Division | Business division |
| organization | Company | Company or legal entity |
| manager.value | ManagerEmployeeID | Manager's SCIM ID |
| manager.displayName | ManagerDisplayName | Manager's display name |

Custom Extensions

If your HR system provides custom SCIM extensions, IdentityCenter can map those as well:

| Setting | Description | Example |
|---|---|---|
| Extension URI | The custom schema namespace | urn:corp:scim:hr:1.0 |
| Attribute Path | Path within the extension | hireDate, terminationDate |
| Target Field | IdentityCenter field to map to | StartDate, TerminationDate |
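The three mapping tables above (core schema, Enterprise extension, custom extension) carried out in code. This is an added example, not IdentityCenter's own mapper; the custom namespace urn:corp:scim:hr:1.0 and the sample resource are taken from the table and constructed here, and multi-valued attributes are resolved by the `primary` flag and `type` sub-attribute as the core table specifies.

```python
# Added example (not IdentityCenter's own code): flatten a SCIM 2.0 User, with
# the Enterprise extension and the custom extension from the table, onto the
# IdentityCenter field names used in this article.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
CUSTOM_EXT = "urn:corp:scim:hr:1.0"  # example namespace from the table above
CUSTOM_MAP = {"hireDate": "StartDate", "terminationDate": "TerminationDate"}

SAMPLE_USER = {  # constructed sample resource, not a real employee record
    "id": "2819c223-7f76-453a-919d-413861904646",
    "externalId": "E10042",
    "userName": "jdoe",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "displayName": "Jane Doe",
    "emails": [{"value": "jdoe@old.example"},
               {"value": "jane.doe@corp.example", "primary": True}],
    "phoneNumbers": [{"value": "+1-555-0100", "type": "work"},
                     {"value": "+1-555-0199", "type": "mobile"}],
    "active": True,
    ENTERPRISE: {"department": "Engineering", "manager": {"value": "E10001"}},
    CUSTOM_EXT: {"hireDate": "2026-01-15"},
}

def pick_multi(values, type_=None):
    """Filter a multi-valued attribute by type (if given), prefer primary, else first."""
    vals = [v for v in values or [] if type_ is None or v.get("type") == type_]
    primary = [v for v in vals if v.get("primary")]
    return ((primary or vals) or [{}])[0].get("value")

def map_scim_user(res):
    """Return a dict keyed by IdentityCenter field name."""
    name, ent = res.get("name", {}), res.get(ENTERPRISE, {})
    fields = {
        "ExternalId": res.get("id"),
        # employeeNumber is the documented alternative to externalId
        "EmployeeID": res.get("externalId") or ent.get("employeeNumber"),
        "Username": res.get("userName"),
        "FirstName": name.get("givenName"),
        "LastName": name.get("familyName"),
        "DisplayName": res.get("displayName"),
        "Email": pick_multi(res.get("emails")),
        "Phone": pick_multi(res.get("phoneNumbers"), "work"),
        "MobilePhone": pick_multi(res.get("phoneNumbers"), "mobile"),
        "IsActive": bool(res.get("active", True)),
        "Department": ent.get("department"),
        "ManagerEmployeeID": (ent.get("manager") or {}).get("value"),
        "ManagerDisplayName": (ent.get("manager") or {}).get("displayName"),
    }
    ext = res.get(CUSTOM_EXT, {})  # custom extension: attribute path -> target field
    fields.update({tgt: ext.get(path) for path, tgt in CUSTOM_MAP.items()})
    return fields
```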

Supported SCIM Operations

Create (POST /Users)

When IdentityCenter detects a new user resource in the SCIM service that does not exist in the identity database, it imports the record and evaluates Joiner templates.

Read (GET /Users/{id})

Retrieve a specific user resource by ID. Used for individual record refresh and validation.

Update (PUT /Users/{id})

When the SCIM service reports attribute changes on an existing user:

| Change Type | Lifecycle Impact |
|---|---|
| Department changed | Mover template evaluation |
| Title changed | Mover template evaluation |
| Manager changed | Mover template evaluation |
| active set to false | Leaver template evaluation |
| Address/phone updated | Attribute update (no lifecycle trigger) |

IdentityCenter supports both full replacement (PUT) and partial update (PATCH) operations.
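The change classification from the table above, written out as an added example rather than IdentityCenter's own code. It compares the stored record with either a PUT body or the result of applying a PATCH operation list, and reports which lifecycle evaluation the change would trigger; the stored record is constructed, and PATCH filter paths (for example emails[type eq "work"].value) are deliberately left out of scope.

```python
# Added example (not IdentityCenter's own code): classify an update to an
# existing SCIM User by the lifecycle impact in the table above, for both a
# PUT (full replacement) body and a simple PATCH operation list.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
MOVER_PATHS = {ENTERPRISE + ":department", "title", ENTERPRISE + ":manager.value"}

OLD_USER = {  # constructed sample of the stored record
    "id": "u-1001", "userName": "jdoe", "active": True, "title": "Engineer",
    "phoneNumbers": [{"value": "+1-555-0100", "type": "work"}],
    ENTERPRISE: {"department": "Engineering", "manager": {"value": "E10001"}},
}

def flatten(res, prefix=""):
    """Flatten nested JSON to {"a.b": v}; extension URIs are joined with ':'."""
    out = {}
    for key, val in res.items():
        if isinstance(val, dict):
            sep = ":" if key.startswith("urn:") else "."
            out.update(flatten(val, prefix + key + sep))
        else:
            out[prefix + key] = val
    return out

def apply_patch_ops(flat, ops):
    """Apply PATCH add/replace/remove ops that use a plain attribute path.
    Filter paths such as emails[type eq "work"].value are not handled here."""
    after = dict(flat)
    for op in ops:
        kind, path = op.get("op", "").lower(), op.get("path")
        if path is None:
            continue
        if kind in ("add", "replace"):
            after[path] = op.get("value")
        elif kind == "remove":
            after.pop(path, None)
    return after

def classify(old, new=None, ops=None):
    """Compare the stored record with a PUT body (`new`) or with the result of
    applying PATCH `ops`; return (changed_paths, impact). Leaver when active
    flips to false, Mover on department/title/manager change, else update."""
    before = flatten(old)
    after = flatten(new) if new is not None else apply_patch_ops(before, ops or [])
    changed = sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))
    if before.get("active", True) and after.get("active", True) is False:
        return changed, "Leaver"
    if MOVER_PATHS & set(changed):
        return changed, "Mover"
    return changed, "Attribute update" if changed else "No change"
```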

Delete (DELETE /Users/{id})

When a user resource is removed from the SCIM service, IdentityCenter:

  • Marks the identity as terminated
  • Evaluates Leaver templates
  • Logs the deletion event

Search (GET /Users?filter=...)

IdentityCenter uses SCIM filtering to query for specific records:

| Filter | Purpose | Example |
|---|---|---|
| All users | Full import | GET /Users |
| Modified since | Delta import | GET /Users?filter=meta.lastModified gt "2026-02-19T00:00:00Z" |
| Active only | Skip terminated | GET /Users?filter=active eq true |
| By department | Scoped import | GET /Users?filter=urn:...:department eq "Engineering" |

SCIM as Service Provider

When IdentityCenter acts as a SCIM service provider, the HR system pushes changes directly:

Endpoint Configuration

IdentityCenter exposes the following SCIM endpoints:

| Endpoint | Method | Description |
|---|---|---|
| /scim/v2/Users | GET | List or search users |
| /scim/v2/Users | POST | Create a new user |
| /scim/v2/Users/{id} | GET | Get a specific user |
| /scim/v2/Users/{id} | PUT | Replace a user |
| /scim/v2/Users/{id} | PATCH | Update user attributes |
| /scim/v2/Users/{id} | DELETE | Delete a user |
| /scim/v2/Groups | GET | List or search groups |
| /scim/v2/Groups | POST | Create a new group |
| /scim/v2/Groups/{id} | PATCH | Update group membership |
| /scim/v2/Schemas | GET | Discover supported schemas |
| /scim/v2/ServiceProviderConfig | GET | Service capabilities |

Authentication for Inbound SCIM

| Method | Description |
|---|---|
| Bearer Token | HR system sends a pre-shared token in the Authorization header |
| OAuth 2.0 | HR system obtains a token from IdentityCenter's token endpoint |
| IP Allowlist | Restrict SCIM endpoint access to specific IP addresses |

Inbound SCIM Processing

When the HR system pushes a change via SCIM:

  1. IdentityCenter validates the request authentication
  2. The SCIM resource is parsed and validated against the schema
  3. The change is applied to the identity database
  4. Lifecycle templates are evaluated against the change
  5. A response is returned with the updated resource representation
  6. The lifecycle event is logged
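Steps 1 and 2 above (request authentication and schema validation), combined with the bearer token and IP allowlist methods from the authentication table, as an added example that is not IdentityCenter's own code. The functions are framework-neutral so they can sit in front of any HTTP handler; the pre-shared token, the allowlisted network (TEST-NET-1) and the error-body shape are assumptions made here, with rejections returned in the SCIM error format so the HR system gets a protocol-defined response.

```python
# Added example (not IdentityCenter's own code): admission checks for an
# inbound SCIM push, written as plain functions so they can be wired into
# any HTTP framework. Token and allowlist values are constructed.
import hmac
import ipaddress

SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed configuration; a deployment would load these from its settings store.
PRESHARED_TOKEN = "example-pre-shared-token"
ALLOWED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # TEST-NET-1, documentation range

def scim_error(status, scim_type=None, detail=None):
    """Build a SCIM error response body (status is carried as a string per the protocol)."""
    body = {"schemas": [SCIM_ERROR], "status": str(status)}
    if scim_type:
        body["scimType"] = scim_type
    if detail:
        body["detail"] = detail
    return status, body

def admit_request(headers, source_ip, body):
    """Return None when the push may proceed, else (status, error_body).
    Order: IP allowlist, bearer token (constant-time compare), schema check."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return scim_error(403, "forbidden", "Unparseable source address")
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return scim_error(403, "forbidden", "Source address not allowlisted")
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    # compare_digest avoids leaking the token through timing differences
    if scheme.lower() != "bearer" or not hmac.compare_digest(token.encode(), PRESHARED_TOKEN.encode()):
        return scim_error(401, "unauthorized", "Invalid or missing bearer token")
    if USER_SCHEMA not in body.get("schemas", []):
        return scim_error(400, "invalidValue", "Missing core User schema")
    if not body.get("userName"):
        return scim_error(400, "invalidValue", "userName is required")
    return None
```

The IP check runs before the token compare so that a request from outside the allowlist is refused without touching the credential at all.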

Group Management via SCIM

SCIM Groups represent organizational units, teams, or access groups from the HR system:

| Operation | Description |
|---|---|
| Create Group | New team or department group imported from HR |
| Add Members | Employees added to a group (e.g., joins a team) |
| Remove Members | Employees removed from a group (e.g., leaves a team) |
| Delete Group | Group dissolved in HR system |

Group membership changes can trigger Mover templates when they indicate organizational reassignment.

Error Handling

SCIM defines standard error responses:

| Status Code | SCIM Error | Description |
|---|---|---|
| 400 | invalidValue | Request contains invalid data |
| 401 | unauthorized | Authentication failed |
| 403 | forbidden | Insufficient permissions |
| 404 | notFound | Resource does not exist |
| 409 | uniqueness | Duplicate resource detected |
| 413 | tooLarge | Request payload exceeds limit |
| 429 | tooMany | Rate limit exceeded |
| 500 | internalError | Server-side processing error |

IdentityCenter logs all SCIM errors and provides diagnostic details in the HR Import history.

Advantages of SCIM Over CSV and REST

| Advantage | Detail |
|---|---|
| Standardized protocol | No custom parsing or mapping logic required |
| Real-time updates | Push-based model delivers changes in seconds |
| Schema discovery | Automatic detection of available attributes |
| Bidirectional | Both systems can initiate changes |
| Vendor-neutral | Works with any SCIM 2.0 compliant system |
| Error standardization | Consistent error codes and messages |
| Bulk support | Efficient handling of large-scale changes |
| Filtering | Server-side filtering reduces data transfer |

Best Practices

  1. Prefer SCIM over custom REST when your HR system supports it -- the standardization reduces maintenance effort
  2. Use SCIM service provider mode when possible for real-time push updates rather than scheduled pulls
  3. Implement IP allowlisting for inbound SCIM endpoints to restrict access to known HR system IPs
  4. Monitor SCIM logs for authentication failures that may indicate misconfiguration or unauthorized access attempts
  5. Test schema discovery after HR system upgrades to detect attribute changes
  6. Use the Enterprise User extension to access HR-specific attributes like department and manager
  7. Configure retry logic for outbound SCIM calls to handle transient network issues
  8. Document custom extensions so future administrators understand non-standard attribute mappings
