Implementation of SCIM 2.0 protocol
When you enable System for Cross-domain Identity Management (SCIM) in Application Security, a SCIM 2.0 API client pushes users and groups to Application Security using the SCIM 2.0 protocol for provisioning and managing identity data. This means that you do not have to go through the Application Security Administration view to add users. Instead, you configure users and groups from the SCIM 2.0 API client.
You can integrate with any SCIM 2.0 API client. However, if you do, you must test its interoperability with Application Security independently. Only Microsoft Entra ID integration is officially supported.
Because users provisioned using the SCIM API are externally managed and single sign-on users only, the following apply:
You can only assign roles and application versions to externally managed users from Application Security.
Users can only sign in using SSO.
If a username created locally (Administration > Users > Local Users) already exists in Application Security, a user with the same username cannot be provisioned using SCIM. Users created from the Administration view are read-only for SCIM provisioning.
Supported SCIM resources
Application Security supports the following SCIM resources:
User (urn:ietf:params:scim:schemas:core:2.0:User schema). Application Security accepts all standard attributes of the User schema but stores only a subset of them (see User attribute mappings). It also accepts Enterprise User extension attributes (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User schema) but does not store them.
Group (urn:ietf:params:scim:schemas:core:2.0:Group schema). Application Security accepts all standard attributes of the Group schema but stores only a subset of them (see Group attribute mappings).
Optional features supported:
Resource filtering (RFC 7644, section 3.4.2.2, Filtering)
PATCH operations (RFC 7644, section 3.5.2, Modifying with PATCH)
User attribute mappings
The following table shows how SCIM user attributes map to Application Security user attributes.
| SCIM user attribute | Application Security user attribute | Comment |
|---|---|---|
| meta.created | created | Read-only |
| meta.lastModified | lastModified | Read-only |
| id | N/A | Read-only, Unique, Opaque |
| userName | userName | Unique, Required |
| active | suspended (inverted) | Stored as the inverse: active = false sets the Suspended option in Application Security, active = true clears it. |
| name.givenName | firstName | |
| name.familyName | lastName | |
| emails[type="work"].value |
Group attribute mappings
The following table shows how SCIM group attributes map to Application Security group attributes.
| SCIM group attribute | Application Security group attribute | Comment |
|---|---|---|
| meta.created | created | Read-only |
| meta.lastModified | lastModified | Read-only |
| id | N/A | Read-only, Unique, Opaque |
| displayName | name | Required |
| members | N/A | Must reference existing users and / or groups |
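As an added example (not part of this documentation or of the product's own code), the following Python models the behaviour described on this page: a pushed SCIM User is reduced to the stored attributes from the User attribute mappings table, with active inverted into suspended and the Enterprise extension dropped, and a PatchOp message (RFC 7644, section 3.5.2) is applied before re-mapping. The sample user and PATCH are constructed, the treatment of a missing active attribute is an assumption, and path handling is limited to simple attribute paths.

```python
import copy

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def map_scim_user(resource: dict) -> dict:
    # Keep only the attributes the mapping table lists as stored; other core
    # attributes and the Enterprise extension are accepted but dropped.
    if CORE_USER not in resource.get("schemas", []):
        raise ValueError("missing core User schema")
    if not resource.get("userName"):
        raise ValueError("userName is required")
    name = resource.get("name") or {}
    return {
        "userName": resource["userName"],
        # active is the inverse of suspended; a missing 'active' is treated
        # as active here (assumption, the page does not say).
        "suspended": not resource.get("active", True),
        "firstName": name.get("givenName"),
        "lastName": name.get("familyName"),
    }


def apply_patch(resource: dict, patch: dict) -> dict:
    # RFC 7644 3.5.2 PatchOp: add/replace/remove on a top-level or
    # 'parent.sub' attribute path. Returns a new resource; input is untouched.
    if PATCH_OP not in patch.get("schemas", []):
        raise ValueError("not a PatchOp message")
    out = copy.deepcopy(resource)
    for op in patch["Operations"]:
        parts = op.get("path", "").split(".")
        if parts == [""] or len(parts) > 2:
            raise ValueError(f"unsupported path: {op.get('path')!r}")
        parent = out if len(parts) == 1 else out.setdefault(parts[0], {})
        kind = op["op"].lower()  # accept "Replace" as well as "replace"
        if kind in ("add", "replace"):
            parent[parts[-1]] = op["value"]
        elif kind == "remove":
            parent.pop(parts[-1], None)
        else:
            raise ValueError(f"unknown op: {op['op']}")
    return out


# Constructed sample: a pushed User and a PATCH that deactivates it.
SAMPLE_USER = {"schemas": [CORE_USER, ENTERPRISE_USER], "userName": "jdoe",
               "active": True, "name": {"givenName": "Jane", "familyName": "Doe"},
               ENTERPRISE_USER: {"department": "Engineering"}}
DEACTIVATE = {"schemas": [PATCH_OP], "Operations": [
    {"op": "Replace", "path": "active", "value": False},
    {"op": "replace", "path": "name.familyName", "value": "Smith"}]}
```

Running map_scim_user(apply_patch(SAMPLE_USER, DEACTIVATE)) yields a record with suspended set to True and lastName "Smith", while the department from the Enterprise extension never reaches the stored record.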
See Also
Using SCIM 2.0 and SAML 2.0 to configure a connection to Microsoft Entra ID for user provisioning
Configuring Application Security to work with SAML 2.0-compliant single sign-on