Getting started with SCIM

Enterprises need to automatically provision and de-provision employee access to applications to ensure security. Scalekit simplifies this process by providing a single interface to your app, abstracting the complexities of various directory providers.

With SCIM Provisioning from Scalekit, you can:

Use webhooks to listen for events from your customers’ directory providers (e.g., user updates, group changes)
Use REST APIs to list users, groups, and directories on demand

Scalekit enables you to sync user accounts with the latest data in the directory provider. This allows you to:

Create accounts for new hires during onboarding
Deactivate accounts when employees depart
Adjust access levels as employees change roles

User provisioning with Scalekit’s directory API
Section titled “User provisioning with Scalekit’s directory API”

Scalekit’s directory API allows you to fetch information about users, groups, and directories associated with an organization on-demand. This is useful for scenarios like running cron jobs to sync user and group data. In this guide, we’ll demonstrate how to use the list users in a directory API to retrieve a list of users in a specific directory.

Before you begin, ensure that your organization has a directory set up in Scalekit.

Before diving in, ensure you have:
1. A Scalekit account
2. An organization with a configured directory
3. Access to the Scalekit dashboard
Setting up the SDK
Section titled “Setting up the SDK”

Scalekit offers language-specific SDKs for fast SSO integration. Use the installation instructions below for your technology stack:
npm install @scalekit-sdk/node
pip install scalekit-sdk-python
go get -u github.com/scalekit-inc/scalekit-sdk-go
/* Gradle users - add the following to your dependencies in build file */ implementation "com.scalekit:scalekit-sdk-java:1.1.3"
 <dependency> <groupId>com.scalekit</groupId> <artifactId>scalekit-sdk-java</artifactId> <version>1.1.3</version> </dependency>
Navigate to the API config tab in the Scalekit dashboard to obtain your credentials. Store your credentials securely in a .env file:
.env
```
1
SCALEKIT_ENVIRONMENT_URL='https://b2b-app-dev.scalekit.com'
2
SCALEKIT_CLIENT_ID='<CLIENT_ID_FROM_SCALEKIT_DASHBOARD>'
3
SCALEKIT_CLIENT_SECRET='<SECRET_FROM_SCALEKIT_DASHBOARD>'
```
Initialize the SDK with your API credentials and make your first API call to list organizations.
Terminal window
1 curl -L 'https://$ENV_URL/api/v1/organizations?page_size=5' \ 2 -H 'Authorization: Bearer <ACCESS_TOKEN>'
1 import { ScalekitClient } from '@scalekit-sdk/node'; 2 3 const scalekit = new ScalekitClient( 4 process.env.SCALEKIT_ENVIRONMENT_URL, 5 process.env.SCALEKIT_CLIENT_ID, 6 process.env.SCALEKIT_CLIENT_SECRET, 7 ); 8 9 const { organizations } = await scalekit.organization.listOrganization({ 10 pageSize: 5, 11 }); 12 13 console.log(`Name of the a organization: ${organizations[0].display_name}`);
1 from scalekit import ScalekitClient 2 3 # Initialize the SDK client 4 scalekit_client = ScalekitClient( 5 '<SCALEKIT_ENVIRONMENT_URL>', 6 '<SCALEKIT_CLIENT_ID>', 7 '<SCALEKIT_CLIENT_SECRET>' 8 ) 9 10 org_list = scalekit_client.organization.list_organizations(page_size='100') 11 12 print(f'Organisation details: {org_list[0]}')
1 sc := scalekit.NewScalekitClient( 2 <SCALEKIT_ENVIRONMENT_URL>, 3 <SCALEKIT_CLIENT_ID>, 4 <SCALEKIT_CLIENT_SECRET> 5 ) 6 7 organization, err := sc.Organization.GetOrganization( 8 ctx, 9 organizationId 10 )
1 import com.scalekit.ScalekitClient; 2 3 ScalekitClient scalekitClient = new ScalekitClient( 4 "<SCALEKIT_ENVIRONMENT_URL>", 5 "<SCALEKIT_CLIENT_ID>", 6 "<SCALEKIT_CLIENT_SECRET>" 7 ); 8 9 ListOrganizationsResponse organizations = scalekitClient.organizations().listOrganizations(5, "");

Working with directories

Retrieving a directory

To begin syncing user and group data, first retrieve the directory associated with your organization:

1
// Get directory using organization ID and directory ID
2
const { directory } = await scalekit.directory.getDirectory('<organization_id>', '<directory_id>');
3

4
// Get directory using organization ID
5
const { directory } =
6
  await scalekit.directory.getPrimaryDirectoryByOrganizationId('<organization_id>');

1
# Get directory using organization ID and directory ID
2
directory = scalekit_client.directory.get_directory(
3
  organization_id='<organization_id>', directory_id='<directory_id>'
4
)
5

6
# Get directory using organization ID
7
primary_directory = scalekit_client.directory.get_primary_directory_by_organization_id(
8
  organization_id='<organization_id>'
9
)

1
// Get directory using organization ID and directory ID
2
directory, err := sc.Directory().GetDirectory(ctx, organizationId, directoryId)
3

4
// Get directory using organization ID
5
directory, err := sc.Directory().GetPrimaryDirectoryByOrganizationId(ctx, organizationId)

1
// Get directory using organization ID and directory ID
2
Directory directory = scalekitClient.directories().getDirectory("<directoryId>", "<organizationId>");
3

4
// Get directory using organization ID
5
Directory directory = scalekitClient.directories().getPrimaryDirectoryByOrganizationId("<organizationId>");

Listing users in a directory

Fetch users within a specific directory:

1
const { users } = await scalekit.directory.listDirectoryUsers('<organization_id>', '<directory_id>');
2
//  users[0].email has the email of the first user in the directory

1
directory_users = scalekit_client.directory.list_directory_users(
2
  organization_id='<organization_id>', directory_id='<directory_id>'
3
)

1
options := &ListDirectoryUsersOptions{
2
    PageSize: 10,
3
    PageToken: "",
4
}
5

6
directoryUsers,err := sc.Directory().ListDirectoryUsers(ctx, organizationId, directoryId, options)

1
var options = ListDirectoryResourceOptions.builder()
2
  .pageSize(10)
3
  .pageToken("")
4
  .includeDetail(true)
5
  .build();
6

7
ListDirectoryUsersResponse usersResponse = scalekitClient
8
  .directories()
9
  .listDirectoryUsers(directory.getId(), organizationId, options);

Example Use Case: When setting up a new customer account, you can use this function to automatically connect to their directory and start syncing user data.

Listing groups

Retrieve groups within a directory:

1
const { groups } = await scalekit.directory.listDirectoryGroups(
2
  '<organization_id>',
3
  '<directory_id>',
4
);

1
directory_groups = scalekit_client.directory.list_directory_groups(
2
  directory_id='<directory_id>', organization_id='<organization_id>'
3
)

1
options := &ListDirectoryGroupsOptions{
2
    PageSize: 10,
3
    PageToken:"",
4
}
5

6
directoryGroups, err := sc.Directory().ListDirectoryGroups(ctx, organizationId, directoryId, options)

1
var options = ListDirectoryResourceOptions.builder()
2
  .pageSize(10)
3
  .pageToken("")
4
  .includeDetail(true)
5
  .build();
6

7
ListDirectoryGroupsResponse groupsResponse = scalekitClient
8
  .directories()
9
  .listDirectoryGroups(directory.getId(), organizationId, options);

Example Use Case: You can use this function to implement role-based access control in your application, assigning permissions based on the groups a user belongs to.

Scalekit’s Directory API provides a simple way to fetch user and group information on-demand. Refer to our API reference and examples to explore more capabilities.

Realtime user provisioning with webhooks

Create a webhook endpoint

To receive realtime events from directory providers, create a webhook endpoint and register it in the Scalekit dashboard. The secret to verify the webhook payload will be available in the Scalekit dashboard (→ Webhooks) after the endpoint is registered.

1
app.post('/webhook', async (req, res) => {
2
  // Parse the JSON body of the request
3
  const event = req.body;
4
  const { email, name } = event.data;
5
  const headers = req.headers;
6
  const secret = process.env.SCALEKIT_WEBHOOK_SECRET;
7

8
  try {
9
    // Verify the webhook payload using the secret, headers, and event data
10
    await scalekit.verifyWebhookPayload(secret, headers, event);
11
  } catch (error) {
12
    // Return a 400 response if the signature is invalid
13
    return res.status(400).json({ error: 'Invalid signature' });
14
  }
15

16
  // Call a function to perform business logic
17
  await createUserAccount(email, name);
18

19
  // Return a JSON response with a status code of 201
20
  res.status(201).json({ message: 'User account created' });
21
});

1
from fastapi import FastAPI, Request
2

3
app = FastAPI()
4

5
@app.post("/webhook")
6
async def api_webhook(request: Request):
7
    headers = request.headers
8
    body = await request.json()
9

10
    print(
11
        scale.verify_webhook_payload(
12
            secret='<secret>', headers=headers, payload=json.dumps(body).encode('utf-8')
13
        )
14
    )
15
    # business logic to create user account
16
    await create_user_account(email, name);
17

18
    response = JSONResponse(status_code=201, content='')
19
    return response

1
@PostMapping("/webhook")
2
public String webhook(@RequestBody String body, @RequestHeader Map<String, String> headers) {
3
  String secret = "<WEBHOOK SECRET>";
4
  boolean valid = scalekit.webhook().verifyWebhookPayload(secret, headers, body.getBytes());
5
  if (!valid) {
6
    return "error";
7
  }
8
  ObjectMapper mapper = new ObjectMapper();
9
  try {
10
    JsonNode node = mapper.readTree(body);
11
    String object = node.get("object").asText();
12
    JsonNode data = node.get("data");
13
    System.out.println("Object: " + object);
14
    System.out.println("Data: " + data);
15
    //business logic on data goes here
16
  } catch (IOException e) {
17
    return "error";
18
  }
19
  return "ok";
20
}

1
webhookSecret := os.Getenv("SCALEKIT_WEBHOOK_SECRET")
2
mux.HandleFunc("POST /webhook", func(w http.ResponseWriter, r *http.Request) {
3
    body, err := io.ReadAll(r.Body)
4
    if err != nil {
5
        http.Error(w, err.Error(), http.StatusBadRequest)
6
        return
7
    }
8
    headers := map[string]string{
9
        "webhook-id":        r.Header.Get("webhook-id"),
10
        "webhook-signature": r.Header.Get("webhook-signature"),
11
        "webhook-timestamp": r.Header.Get("webhook-timestamp"),
12
    }
13
    _, err = sc.VerifyWebhookPayload(webhookSecret, headers, body)
14
    if err != nil {
15
        http.Error(w, err.Error(), http.StatusUnauthorized)
16
        return
17
    }
18
    w.WriteHeader(http.StatusOK)
19
})

In this example, the endpoint URL is https://www.your-app.app/api/webhook/user-access

When the endpoint receives an HTTP POST request with event data, it extracts the name and email from the payload and calls createUserAccount() to perform the necessary business logic — in this case, creating a user account.

Register webhook endpoint

First, navigate to the “Webhooks” tab in the Scalekit Dashboard. Click on the “+Add Endpoint” button and enter the endpoint URL along with a meaningful description. Finally, select the desired event types, for example organization.directory.user_created, to subscribe to the relevant events.

Click “Create” Once registered, the webhook endpoint will start receiving event payloads from the directory providers.

Refer to the API reference for the list of all available event types and setting up webhooks to explore testing webhooks with test endpoints.

Receive event payloads

Scalekit sends event payloads to your app for consumption and standardizes the payload structure across different directory providers your customers may use.Since we subscribed to user events, let’s log an example of a new hire gaining access to your app when Scalekit sends a user creation event.

See Webhook events for the list of all available event types.

You have now successfully created and registered a webhook endpoint, allowing your app to receive real-time events to automate user provisioning.