SCIM
Automatically sync users from your identity provider.
SCIM provisioning is available on Enterprise plans. Contact us to upgrade.
Overview
SCIM (System for Cross-domain Identity Management) allows you to automatically provision and deprovision users from your identity provider. When configured:
- New users added to your IdP are automatically created in TofuPilot
- Users removed from your IdP are automatically suspended in TofuPilot
- User details are kept in sync
TofuPilot supports SCIM 2.0, compatible with Okta, Azure AD, OneLogin, and other enterprise identity providers.
Configure SCIM
Navigate to Settings > Organization and find the SCIM Provisioning card.
Copy the SCIM Base URL. You'll need this for your IdP configuration.
Click Generate Token to create a bearer token for authentication.
Copy the token immediately. It won't be shown again. If lost, generate a new one.
In your identity provider, create a new SCIM integration using:
- SCIM Base URL: The URL from TofuPilot
- Bearer Token: The token you generated
Okta Configuration
In Okta Admin Console, go to Applications > Browse App Catalog.
Search for and add SCIM 2.0 Test App (Header Auth).
In the app's Provisioning tab, click Configure API Integration.
Enter:
- SCIM 2.0 Base URL: Your TofuPilot SCIM URL
- API Token: Your TofuPilot SCIM token
Enable the provisioning features you need:
- Create Users: Automatically create users in TofuPilot
- Update User Attributes: Keep user details in sync
- Deactivate Users: Suspend users when removed from Okta
Azure AD Configuration
In Azure Portal, go to Enterprise Applications and select your TofuPilot app.
Go to Provisioning and set mode to Automatic.
In Admin Credentials, enter:
- Tenant URL: Your TofuPilot SCIM URL
- Secret Token: Your TofuPilot SCIM token
Click Test Connection to verify, then Save.
Configure attribute mappings and enable provisioning.
Supported Operations
| Operation | Supported |
|---|---|
| Create User | ✓ |
| Update User | ✓ |
| Deactivate User | ✓ |
| Delete User | Soft delete (suspend) |
| Create Group | ✗ |
| Update Group | ✗ |
User Deprovisioning
When a user is deprovisioned via SCIM:
- The user is suspended, not deleted
- Their data (runs, procedures) remains accessible to the organization
- They cannot sign in until reactivated
- Their API keys are disabled
To permanently delete a user and their data, contact support.
Troubleshooting
Users not syncing
- Verify the SCIM token is correct and not expired
- Check your IdP's provisioning logs for errors
- Ensure the user has the required attributes (email, name)
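
The first and third checks above can be run outside the IdP. This is an added example, not TofuPilot's own code: it uses standard SCIM 2.0 (RFC 7643/7644) message shapes. The `/Users` path, the mapping of "email, name" to the `emails` and `name` attributes, the PATCH form of deactivation, and the sample user are assumptions that this page does not confirm.

```python
import json
import urllib.error
import urllib.request

# Assumption: standard RFC 7643/7644 shapes; this page does not list TofuPilot's endpoints.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Constructed sample user, not a real account.
SAMPLE_USER = {"schemas": [USER_SCHEMA], "userName": "ada@example.com",
               "name": {"givenName": "Ada", "familyName": "Lovelace"},
               "emails": [{"value": "ada@example.com", "primary": True}], "active": True}


def scim_request(base_url, token, method, path, body=None):
    """Build (not send) a SCIM request authenticated with the bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Accept", "application/scim+json")
    if data is not None:
        req.add_header("Content-Type", "application/scim+json")
    return req


def missing_required(user):
    """Return which of the required attributes (email, name) a SCIM User lacks."""
    missing = []
    if not any(e.get("value") for e in user.get("emails", [])):
        missing.append("email")
    name = user.get("name", {})
    if not (name.get("givenName") or name.get("familyName") or name.get("formatted")):
        missing.append("name")
    return missing


def deactivate_body():
    """PatchOp an IdP typically sends on deprovisioning: set active to false."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def probe(base_url, token, timeout=10):
    """GET one user: 200 means URL and token work, 401 means the token is rejected."""
    req = scim_request(base_url, token, "GET", "/Users?count=1")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```

When calling `probe`, read the token from an environment variable or secret store so that it does not end up in shell history or source control.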
Token expired or lost
- Generate a new token in Settings > Organization
- Update the token in your identity provider