Provision users and groups with SCIM

Automate user and group lifecycle management using SCIM provisioning

Scalekit supports user and group provisioning using the SCIM protocol, allowing your customers to manage access to their organization in your app directly from their directory provider. With SCIM, the directory becomes the source of truth for organization membership, user profile attributes, and access — eliminating manual invites, role drift, and delayed deprovisioning. SCIM ensures that access to your application always reflects the organization’s directory state, from onboarding to offboarding.

Using SCIM, your customers can:

  • Add users to their organization
  • Keep user attributes (like name, email or role) in sync
  • Remove users from their organization
  • Control application roles through directory group membership

SCIM provisioning enables end-to-end lifecycle management, ensuring access is granted, updated, and revoked automatically as users move through the organization.


SCIM provisioning is recommended for:

  • Enterprise customers that require centralized identity management
  • Teams already using a directory provider like Okta, Azure AD (Entra ID), or Google Workspace
  • Customers that need group-based access control and automated deprovisioning

Review the SCIM provisioning flow

[Diagram: SCIM Provisioning Flow. Participants: Admin, Directory Provider, Scalekit, Your App. Steps in order: Configure SCIM integration; SCIM API calls (Users, Groups); Validate and authorize request; Sync users and group memberships; Assign user roles based on groups; Reflect updated users, organization memberships and access.]

  1. Register the email domains owned by the organization. SCIM provisioning only works for users whose email domain matches one of the organization’s registered Organization domains. This ensures that only verified members of the organization can be automatically provisioned.

    Contractors and external users with non-matching domains (e.g., joe@ext.yourapp.com) cannot be automatically provisioned via SCIM. These users must be manually invited to join the organization. This ensures that unauthorized users cannot obtain access automatically.

    Navigate to Dashboard > Organizations and select the target organization > Overview > Organization Domains section to register organization domains.

  2. Enable SCIM provisioning for the organization

    SCIM provisioning should be enabled for the target organization either through the Scalekit Dashboard or the self-service Admin Portal. Follow the detailed setup instructions here.

  3. Provision users and groups from the directory

    Once SCIM provisioning is enabled for the organization, the directory becomes the system of record for that organization in your app. Organization administrators can manage access directly from their IdP by:

    • Assigning users or groups to your application
    • Updating user profile attributes
    • Removing users or groups to revoke access
  4. Scalekit supports assigning roles to users in your app based on directory group membership. This enables consistent, policy-driven access control managed entirely from the directory provider.

    • Map directory groups to application roles in Scalekit
    • Users receive roles automatically when added to mapped groups
    • Roles are revoked when users are removed from those groups
  5. Scalekit automatically maps the following user attributes from the directory to the Scalekit user profile:

    • email
    • preferred_username
    • name
    • given_name
    • family_name
    • picture
    • phone_number
    • locale
    • custom_attributes

    When attributes change in the directory, Scalekit updates the user profile automatically during SCIM synchronization.
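
The group-to-role behaviour from step 4, modelled as an added example (not Scalekit code): it computes which roles a membership change grants or revokes and audits app roles against what the directory groups imply. The mapping, group names, role names and user records are hypothetical.

```python
# Added example: a model of the documented group-to-role behaviour.
# GROUP_ROLE_MAP, the group/role names and USERS are hypothetical.
GROUP_ROLE_MAP = {
    "Engineering": "editor",
    "Platform-Admins": "admin",
    "Contractors-RW": "editor",  # two groups may map to the same role
}

def roles_for(groups, mapping=GROUP_ROLE_MAP):
    """Roles implied by membership in mapped groups; unmapped groups are ignored."""
    return {mapping[g] for g in groups if g in mapping}

def reconcile(old_groups, new_groups, mapping=GROUP_ROLE_MAP):
    """Return (grant, revoke) role sets for one membership change."""
    before = roles_for(old_groups, mapping)
    after = roles_for(new_groups, mapping)
    # A role is revoked only when no remaining mapped group still implies it.
    return after - before, before - after

def audit(users, mapping=GROUP_ROLE_MAP):
    """Flag users whose app roles differ from what their directory groups imply."""
    findings = {}
    for name, rec in users.items():
        expected = roles_for(rec["groups"], mapping)
        actual = set(rec["roles"])
        if expected != actual:
            findings[name] = {
                "extra": sorted(actual - expected),    # held without a mapped group
                "missing": sorted(expected - actual),  # implied but not assigned
            }
    return findings

# Constructed sample state (not real data).
USERS = {
    "alice": {"groups": ["Engineering"], "roles": ["editor"]},
    "bob": {"groups": [], "roles": ["admin"]},
    "carol": {"groups": ["Platform-Admins", "Unmapped"], "roles": []},
}

if __name__ == "__main__":
    print(reconcile({"Engineering", "Contractors-RW"}, {"Contractors-RW"}))
    print(audit(USERS))
```

An "extra" finding is not necessarily an error, since roles can also be set through the APIs or SDKs, but each one is worth reviewing as possible role drift.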


Scalekit supports SCIM provisioning with common enterprise directory providers including Okta, Entra ID (Azure AD), and Google Workspace. See the full list of supported providers here.


Why isn’t a user appearing in Scalekit after SCIM sync?

Check the following:

  • The user is assigned to the Scalekit application in the directory
  • The user has an email address defined in the directory
  • The user’s email domain matches a registered organization domain
  • The SCIM bearer token is valid and active

If a user’s email is changed in the directory, will this be reflected on the user’s email in Scalekit?

No. Scalekit treats email as an immutable, unique identifier. If a directory attempts to update a user’s email, the SCIM update request will be rejected.
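
The email-related checks from the two answers above, as an added example (not Scalekit code) that you could run over a directory export before a sync. Field names follow the SCIM core User schema (RFC 7643); the sample payloads are constructed, and exact, case-insensitive domain matching and use of the primary email are assumptions about how matching is done.

```python
# Added example, not Scalekit code. Field names follow the SCIM core User
# schema (RFC 7643); exact, case-insensitive domain matching is an assumption.

def email_of(scim_user):
    """Primary email from a SCIM User resource, else the first one, else ''."""
    emails = scim_user.get("emails") or []
    chosen = [e for e in emails if e.get("primary")] or emails
    return (chosen[0].get("value") or "").strip() if chosen else ""

def diagnose(scim_user, registered_domains):
    """Return a reason code for why this user would not be provisioned, or 'ok'."""
    email = email_of(scim_user)
    if not email:
        return "no_email"
    local, sep, domain = email.rpartition("@")
    if not (sep and local and domain):
        return "malformed_email"
    allowed = {d.strip().lower().rstrip(".") for d in registered_domains}
    # Compare the whole domain. A suffix test such as endswith("acme.example")
    # would also accept "evilacme.example".
    if domain.lower().rstrip(".") not in allowed:
        return "domain_not_registered"
    return "ok"

def changes_email(current_email, scim_user):
    """True if a SCIM update carries a different email than the stored one."""
    return email_of(scim_user).lower() != current_email.strip().lower()

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "alice": {"userName": "alice", "emails": [{"value": "alice@acme.example", "primary": True}]},
    "joe": {"userName": "joe", "emails": [{"value": "joe@ext.acme.example", "primary": True}]},
    "dana": {"userName": "dana", "emails": [{"value": "dana@evilacme.example"}]},
    "bob": {"userName": "bob", "emails": []},
}

def report(domains=("acme.example",)):
    """Reason code per sample user for the given registered domains."""
    return {name: diagnose(user, domains) for name, user in SAMPLES.items()}

if __name__ == "__main__":
    for name, reason in report().items():
        print(f"{name}: {reason}")
```

Directory assignment and the bearer token's validity are not visible in the user payload, so those two checklist items still have to be verified in the directory provider and in Scalekit.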

Can user lifecycle management happen only via SCIM if a user is provisioned through a SCIM connection?

No. SCIM is not an exclusive control plane. Even if a user is provisioned via a SCIM connection, you can still manage that user using Scalekit APIs or SDKs. Scalekit follows a last-write-wins model. The most recent action — whether it comes from SCIM or from an API/SDK call — will be reflected on the user. This model gives you flexibility to:

  • Perform administrative or break-glass actions from your application
  • Run migrations or bulk updates using APIs
  • Rely on SCIM for ongoing, automated lifecycle management

Can both SSO and SCIM work for an organization?

Yes. SSO handles authentication (how users log in), while SCIM handles lifecycle management (how users are created, updated, and removed). They are complementary and commonly used together.