{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-apis/platform/iam/sidebars.yaml","oas-apis/platform/iam/openapi/iam-openapi.json":"oas-apis/platform/iam/openapi/iam-openapi.json"},"props":{"metadata":{"markdoc":{"tagList":["openapi-code-sample","admonition"]},"type":"markdown"},"seo":{"title":"SCIM Provisioning","keywords":"documentation, api, portal, banking, payment, account information, aritma, psd2, open banking, reconciliation","description":"Developer documentation for Aritma's banking and financial APIs - payments, account information, webhooks, authentication and integrations.","meta":[{"name":"google-site-verification","content":"hplqlK_5O42BZjNnjtVQMEpxv9JkxcD1eH4J1T-NQmI"}],"llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":["openapi"],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"scim-provisioning","__idx":0},"children":["SCIM Provisioning"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["SCIM (System for Cross-domain Identity Management) is an open standard (",{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://www.rfc-editor.org/rfc/rfc7644"},"children":["RFC 7644"]},") for automating user provisioning and deprovisioning between identity providers and service providers. Aritma IAM supports SCIM 2.0."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["With SCIM, your identity provider (such as Microsoft Entra ID or Okta) automatically syncs users and groups to Aritma. When you add a user to a group in your IdP, they are provisioned in Aritma. 
When you remove them, they are deprovisioned."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"how-it-works","__idx":1},"children":["How it works"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["You create a SCIM token in Aritma IAM"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["You configure your identity provider with the Aritma SCIM endpoint and the token"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Your identity provider pushes user and group changes to Aritma automatically"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Aritma creates, updates, or deactivates user subjects based on the incoming SCIM events"]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"scim-endpoint","__idx":2},"children":["SCIM endpoint"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Your Aritma SCIM endpoint is:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"header":{"controls":{"copy":{}}},"source":"https://id.aritma.io/{tenantId}/api/scim/v2\n"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This endpoint implements the SCIM 2.0 protocol. 
Identity providers use standard SCIM operations (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["POST"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["GET"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["PUT"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["PATCH"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["DELETE"]},") on ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/Users"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/Groups"]}," resources at this base URL."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-1-create-a-scim-token","__idx":3},"children":["Step 1: Create a SCIM token"]},{"$$mdtype":"Tag","name":"OpenApiCodeSample","attributes":{"descriptionFile":"oas-apis/platform/iam/openapi/iam-openapi.json","operationId":"CreateScimToken","language":"curl","parameters":{},"environments":{}},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Request 
body:"]}]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Required"},"children":["Required"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["provider"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Yes"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The scheme name of the SSO identity provider to associate with this token"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["providerDisplayName"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Yes"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The human-readable name of the identity provider"]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["provider"]}," must match the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["scheme"]}," of an existing SSO provider on your tenant. 
This links the SCIM token to a specific identity provider configuration."]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning","name":"Save your token"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["token"]}," value is only shown once. Copy it immediately and store it securely - you will need it when configuring your identity provider. It cannot be retrieved again."]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-2-configure-your-identity-provider","__idx":4},"children":["Step 2: Configure your identity provider"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"microsoft-entra-id-azure-ad","__idx":5},"children":["Microsoft Entra ID (Azure AD)"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["In the ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://portal.azure.com"},"children":["Azure portal"]},", go to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Entra ID"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Enterprise applications"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["New application"]}," > ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create your own application"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Name it (e.g. 
",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Aritma SCIM"]},") and select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Integrate any other application you don't find in the gallery"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Go to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Provisioning"]}," tab and set ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Provisioning Mode"]}," to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Automatic"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Admin Credentials"]},", enter:",{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Tenant URL"]},": ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://api.dev.aritma.io/core/iam/v1/scim"]}," (this differs from the base URL given in the SCIM endpoint section above; confirm the correct URL for your tenant and environment before entering the token, because the identity provider sends the token to whatever URL is configured here)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Secret Token"]},": the SCIM token from Step 1"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Test Connection"]}," to verify"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Save"]}]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-3-configure-attribute-mapping","__idx":6},"children":["Step 3: Configure attribute mapping"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Your identity provider maps its user attributes to SCIM attributes that Aritma understands. 
The standard SCIM user attributes Aritma supports include:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"SCIM attribute"},"children":["SCIM attribute"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["userName"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Unique user identifier (typically email)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["displayName"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Full display name"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["emails[primary]"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Primary email address"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["active"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Whether the user is 
active"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["name.givenName"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["First name"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["name.familyName"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Last name"]}]}]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For Microsoft Entra ID, the default attribute mappings are typically sufficient."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-4-assign-users-and-groups","__idx":7},"children":["Step 4: Assign users and groups"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In your identity provider, assign users or groups to the Aritma SCIM application. 
Only assigned users/groups are provisioned to Aritma."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Microsoft Entra ID"]},": In the Enterprise Application, go to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Users and groups"]}," and add the users or groups you want to sync"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Once assigned, provisioning will begin on the next sync cycle (or immediately if you trigger a manual sync)."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"managing-scim-tokens","__idx":8},"children":["Managing SCIM tokens"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"list-tokens","__idx":9},"children":["List tokens"]},{"$$mdtype":"Tag","name":"OpenApiCodeSample","attributes":{"descriptionFile":"oas-apis/platform/iam/openapi/iam-openapi.json","operationId":"ListScimTokens","language":"curl","parameters":{},"environments":{}},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Note that the token value itself is never returned after creation."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"delete-a-token","__idx":10},"children":["Delete a token"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If a token is compromised or no longer needed, delete it immediately:"]},{"$$mdtype":"Tag","name":"OpenApiCodeSample","attributes":{"descriptionFile":"oas-apis/platform/iam/openapi/iam-openapi.json","operationId":"DeleteScimToken","language":"curl","parameters":{},"environments":{}},"children":[]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning","name":"Revocation"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Deleting a token immediately revokes access for any identity provider using it. 
Users keep the state they had when the token was deleted; deleting a token does not by itself deactivate or remove them. If you are rotating a token, create the new token first, update your IdP configuration, then delete the old token to avoid a provisioning gap."]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"scim-and-sso","__idx":11},"children":["SCIM and SSO"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["SCIM handles ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["provisioning"]}," (creating/deactivating accounts). SSO handles ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["authentication"]}," (logging in). They work independently but complement each other:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["SCIM alone: users are pre-created in Aritma, but still log in with Aritma ID credentials"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["SSO alone: users can log in with their corporate credentials, but must be pre-invited or have auto-provisioning enabled"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["SCIM + SSO: users are automatically provisioned from your directory and can log in seamlessly with their corporate credentials - the recommended setup for enterprise deployments"]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Tip"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When using SCIM with Microsoft Entra ID, pair it with the ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"/apis/platform/iam/sso/overview"},"children":["Azure AD SSO provider"]}," for a fully integrated experience. 
Users are provisioned via SCIM and authenticate via Azure AD SSO."]}]}]},"headings":[{"value":"SCIM Provisioning","id":"scim-provisioning","depth":1},{"value":"How it works","id":"how-it-works","depth":2},{"value":"SCIM endpoint","id":"scim-endpoint","depth":2},{"value":"Step 1: Create a SCIM token","id":"step-1-create-a-scim-token","depth":2},{"value":"Step 2: Configure your identity provider","id":"step-2-configure-your-identity-provider","depth":2},{"value":"Microsoft Entra ID (Azure AD)","id":"microsoft-entra-id-azure-ad","depth":3},{"value":"Step 3: Configure attribute mapping","id":"step-3-configure-attribute-mapping","depth":2},{"value":"Step 4: Assign users and groups","id":"step-4-assign-users-and-groups","depth":2},{"value":"Managing SCIM tokens","id":"managing-scim-tokens","depth":2},{"value":"List tokens","id":"list-tokens","depth":3},{"value":"Delete a token","id":"delete-a-token","depth":3},{"value":"SCIM and SSO","id":"scim-and-sso","depth":2}],"frontmatter":{"title":"SCIM Provisioning","seo":{"title":"SCIM Provisioning"}},"lastModified":"2026-05-08T13:38:07.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/apis/platform/iam/scim/overview","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}