SCIM Provisioning
Automate user provisioning with SCIM 2.0.
SCIM provisioning requires a Business plan or higher.
What is SCIM?
SCIM (System for Cross-domain Identity Management) enables:
- Automatic user creation
- User attribute synchronization
- User deprovisioning
- Group management
Supported Identity Providers
SCIM works with:
- Okta
- Azure AD (Microsoft Entra ID)
- OneLogin
- JumpCloud
- Ping Identity
- And other SCIM 2.0 providers
Configuration
Step 1: Enable SCIM
- Go to Organization → Security → SCIM
- Click Enable SCIM
Step 2: Generate API Token
- Click Generate Token
- Copy the token immediately (shown only once)
- Store securely
Step 3: Note SCIM Endpoint
Your SCIM endpoint:
https://penvio.io/api/scim/v2/{org-id}
Step 4: Configure Your IdP
In your identity provider:
- Add Penvio as a SCIM application
- Enter the SCIM endpoint URL
- Enter the API token as the Bearer token
- Configure attribute mapping
- Enable provisioning
Supported Operations
Users
| Operation | Description |
|---|---|
| Create | New user from IdP |
| Update | Sync user attributes |
| Deactivate | Suspend user |
| Delete | Remove user |
Groups
| Operation | Description |
|---|---|
| Create | Create team from IdP group |
| Update | Update team membership |
| Delete | Remove team |
Attribute Mapping
User Attributes
| SCIM Attribute | Penvio Field |
|---|---|
| userName | |
| name.givenName | firstName |
| name.familyName | lastName |
| displayName | displayName |
| active | isActive |
Group Attributes
| SCIM Attribute | Penvio Field |
|---|---|
| displayName | teamName |
| members | teamMembers |
Provisioning Behavior
New Users
When the IdP creates a user:
- User is created in Penvio
- Default role is assigned
- Welcome email sent (optional)
- User can sign in via SSO
Updated Users
When the IdP updates a user:
- Attributes are synchronized
- Changes apply immediately
- Changes are recorded in the audit trail
Deprovisioned Users
When the IdP removes a user:
- User is deactivated in Penvio
- Access is immediately revoked
- Data is retained per policy
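A reconciliation check for the deprovisioning behavior described above, as an added example that is not Penvio's own code: it compares a SCIM 2.0 ListResponse of users with the set of users the IdP has assigned to the app and reports accounts that are still active after they should have been deactivated. It assumes the endpoint returns the standard RFC 7644 ListResponse for users; the function names and all sample data are constructed for illustration.

```python
import json

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample: the body of a SCIM 2.0 user listing (RFC 7644 ListResponse).
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 4,
    "Resources": [
        {"id": "u1", "userName": "alice@example.com", "active": True},
        {"id": "u2", "userName": "Bob@Example.com", "active": True},
        {"id": "u3", "userName": "carol@example.com", "active": False},
        {"id": "u4", "userName": "dave@example.com", "active": True},
    ],
})

# Constructed sample: users the IdP currently has assigned to the app.
SAMPLE_IDP_ASSIGNED = {"alice@example.com", "bob@example.com", "erin@example.com"}


def parse_users(body):
    """Return {lowercased userName: active flag} from a SCIM ListResponse."""
    doc = json.loads(body)
    if LIST_RESPONSE_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    resources = doc.get("Resources", [])
    if doc.get("totalResults", len(resources)) > len(resources):
        raise ValueError("paginated response: fetch remaining pages first")
    # userName is not case-exact in RFC 7643, so normalise before comparing.
    # Assumption: a missing "active" counts as active so the account is reviewed.
    return {r["userName"].lower(): bool(r.get("active", True)) for r in resources}


def reconcile(body, idp_assigned):
    """Compare application state with the IdP's assignment list."""
    app = parse_users(body)
    idp = {u.lower() for u in idp_assigned}
    return {
        # Still active in the app but no longer assigned in the IdP.
        "orphaned_active": sorted(u for u, on in app.items() if on and u not in idp),
        # Assigned in the IdP but missing or deactivated in the app.
        "not_provisioned": sorted(u for u in idp if not app.get(u, False)),
    }


if __name__ == "__main__":
    print(reconcile(SAMPLE_LIST_RESPONSE, SAMPLE_IDP_ASSIGNED))
```

Any entry under orphaned_active is an account that kept access after the IdP stopped managing it and should be reviewed against the audit logs.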
Token Management
Regenerate Token
If the token is compromised:
- Go to SCIM settings
- Click Regenerate Token
- Update token in IdP
- Old token is invalidated
Regenerating a token immediately invalidates the previous token. Update your IdP configuration promptly to avoid provisioning failures.
Token Security
- Tokens never expire (until regenerated)
- Store securely in IdP
- Audit token usage in logs
Troubleshooting
Provisioning Failed
- Verify SCIM endpoint URL
- Check token is valid
- Confirm attribute mapping
- Review IdP logs
Users Not Created
- Ensure email is unique
- Check required attributes
- Verify user is assigned to app in IdP
Groups Not Syncing
- Confirm group is assigned to app
- Check group attribute mapping
- Verify team creation permissions
Next Steps
- SAML SSO - Configure single sign-on
- Roles & Permissions - Configure access control
- Audit Logs - Monitor provisioning activity