Standard · reviewed 2026-05-22

SCIM 2.0 explained — the provisioning protocol that powers JML automation

SCIM 2.0 is the cross-domain user provisioning protocol — it's how your IdP keeps SaaS user accounts in sync.

SCIM 2.0 provisioning flow showing user lifecycle events from identity provider through SCIM endpoint to downstream application

TL;DR

SCIM 2.0 (RFC 7643 + RFC 7644, 2015) defines a REST + JSON protocol for managing users and groups across domains. The IdP is the SCIM client; the SaaS application is the SCIM server. When you hire someone in Workday → Entra creates the user → SCIM provisions accounts in Slack, GitHub, Salesforce, etc. When they leave → SCIM disables those accounts.

Published by

IETF

Spec

RFC 7643 (Schema) + RFC 7644 (Protocol)

Who uses it

Every modern IdP — Okta, Entra, Google, JumpCloud, OneLogin, Auth0. Every SaaS product that supports enterprise SSO almost always also supports SCIM provisioning (often as a higher-tier paid feature).

Reviewed

2026-05-22

When to use

Any time you need to keep user accounts in sync across two systems where one is the authoritative source. JML automation. Group / role membership sync. Cross-domain license management.

When not to use

Synchronous, low-latency provisioning (SCIM is REST + polling). Bidirectional sync (SCIM is one-way IdP → app). Complex transformation logic mid-stream (do that in the IdP's SCIM-client mapping layer, not in the SCIM call itself).

The 5 endpoints you actually use

SCIM 2.0 defines a small REST surface. In practice, almost all traffic hits these:

POST   /Users                # Create a user
GET    /Users/{id}           # Read a user
PUT    /Users/{id}           # Replace a user (full update)
PATCH  /Users/{id}           # Modify a user (partial update)
DELETE /Users/{id}           # Delete a user (often soft via active=false)

GET    /Users?filter=...     # Search (e.g. by userName)

# Same shape for /Groups

The User schema

A minimum-conformant User payload:

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "[email protected]",
  "name": {
    "givenName": "Jane",
    "familyName": "Doe"
  },
  "emails": [
    { "value": "[email protected]", "primary": true, "type": "work" }
  ],
  "active": true
}

The enterprise extension

Almost every workforce-IdP SCIM integration uses the enterprise extension for manager / department / employee number:

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "userName": "[email protected]",
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "department": "Engineering",
    "employeeNumber": "E-12345",
    "manager": { "value": "mgr-123", "displayName": "John Manager" }
  }
}

Common failure modes

The recurring debugging surface for SCIM integrations:

Missing `schemas` field. Often produces a 400 even when the payload otherwise looks valid. The `schemas` array must list every namespace used in the payload.
Multiple `primary: true` emails. Only one of any multi-valued attribute (emails, phones, addresses) can be primary. Silent corruption otherwise.
Enterprise extension without URN declared in `schemas`. Servers ignore the extension data silently.
PATCH semantics confusion. RFC 7644 § 3.5.2 defines a specific operation language (`op`, `path`, `value`). Many implementations vary from spec; test against your specific server.
Pagination filter mismatch. `startIndex` is 1-based per spec but some servers 0-index.

Implementation patterns for the SCIM server side

If you're building SCIM into a SaaS product:

Pick a SCIM library, don't hand-roll. WSO2 Charon, sso/scimphp, scim-sdk-server (Java), node-scim-server. The spec is small but the edge cases are many.
Implement `/ServiceProviderConfig`, `/Schemas`, `/ResourceTypes` — IdPs query these to discover capabilities.
Soft-delete via `active=false` is overwhelmingly preferred over hard DELETE. Most IdPs configure that pattern by default.
Idempotency on PATCH. A retry must not produce a different result.
Authenticate via bearer token scoped to the SCIM integration, not the customer-facing API token.

FAQ

Questions we get on this standard.

What is SCIM?
SCIM (System for Cross-domain Identity Management) is an open standard for automating user provisioning — creating, updating, and deactivating user accounts across systems via a common REST + JSON API. When HR or an IdP adds, changes, or offboards a user, SCIM pushes that change to every connected app so accounts stay in sync without manual work. It is the protocol that powers joiner/mover/leaver (JML) automation; SCIM 2.0 (RFC 7643/7644) is the current version.
Is SCIM 2.0 the same as SCIM 1.0?
No. SCIM 1.0 was a different draft from 2011 that never reached IETF standardization. SCIM 2.0 is the published RFC-based standard. Anyone shipping SCIM today means SCIM 2.0.
Can SCIM do real-time provisioning?
It can in principle — SCIM is just HTTP REST. In practice, most IdP-side SCIM clients poll on a 5-15 minute interval rather than push. Some IdPs (Okta, Entra) do near-real-time on lifecycle events.
How does SCIM handle group membership sync?
Two equivalent patterns: managing members from the User side (`groups` attribute in the User resource) or from the Group side (`members` attribute in the Group resource). Pick one consistently — mixing both creates merge conflicts.

Use the tool

SCIM Payload Validator

Understanding the spec is the easy part.

We implement SCIM 2.0 integrations across regulated enterprises — workforce SSO, B2B SaaS federation, customer identity. Same-day reply.

Talk to a practice leadMore explainers

The 5 endpoints you actually use

SCIM 2.0 defines a small REST surface. In practice, almost all traffic hits these:

POST /Users # Create a user GET /Users/{id} # Read a user PUT /Users/{id} # Replace a user (full update) PATCH /Users/{id} # Modify a user (partial update) DELETE /Users/{id} # Delete a user (often soft via active=false) GET /Users?filter=... # Search (e.g. by userName) # Same shape for /Groups

The User schema

A minimum-conformant User payload:

{ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "userName": "[email protected]", "name": { "givenName": "Jane", "familyName": "Doe" }, "emails": [ { "value": "[email protected]", "primary": true, "type": "work" } ], "active": true }

The enterprise extension

Almost every workforce-IdP SCIM integration uses the enterprise extension for manager / department / employee number:

{ "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" ], "userName": "[email protected]", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { "department": "Engineering", "employeeNumber": "E-12345", "manager": { "value": "mgr-123", "displayName": "John Manager" } } }

Common failure modes

The recurring debugging surface for SCIM integrations:

Missing `schemas` field. Often produces a 400 even when the payload otherwise looks valid. The `schemas` array must list every namespace used in the payload.

Multiple `primary: true` emails. Only one of any multi-valued attribute (emails, phones, addresses) can be primary. Silent corruption otherwise.

Enterprise extension without URN declared in `schemas`. Servers ignore the extension data silently.

PATCH semantics confusion. RFC 7644 § 3.5.2 defines a specific operation language (`op`, `path`, `value`). Many implementations vary from spec; test against your specific server.

Pagination filter mismatch. `startIndex` is 1-based per spec but some servers 0-index.

Implementation patterns for the SCIM server side

If you're building SCIM into a SaaS product:

Pick a SCIM library, don't hand-roll. WSO2 Charon, sso/scimphp, scim-sdk-server (Java), node-scim-server. The spec is small but the edge cases are many.

Implement `/ServiceProviderConfig`, `/Schemas`, `/ResourceTypes` — IdPs query these to discover capabilities.

Soft-delete via `active=false` is overwhelmingly preferred over hard DELETE. Most IdPs configure that pattern by default.

Idempotency on PATCH. A retry must not produce a different result.

Authenticate via bearer token scoped to the SCIM integration, not the customer-facing API token.

Questions we get on this standard.

What is SCIM?

SCIM (System for Cross-domain Identity Management) is an open standard for automating user provisioning — creating, updating, and deactivating user accounts across systems via a common REST + JSON API. When HR or an IdP adds, changes, or offboards a user, SCIM pushes that change to every connected app so accounts stay in sync without manual work. It is the protocol that powers joiner/mover/leaver (JML) automation; SCIM 2.0 (RFC 7643/7644) is the current version.

Is SCIM 2.0 the same as SCIM 1.0?

No. SCIM 1.0 was a different draft from 2011 that never reached IETF standardization. SCIM 2.0 is the published RFC-based standard. Anyone shipping SCIM today means SCIM 2.0.

Can SCIM do real-time provisioning?

It can in principle — SCIM is just HTTP REST. In practice, most IdP-side SCIM clients poll on a 5-15 minute interval rather than push. Some IdPs (Okta, Entra) do near-real-time on lifecycle events.

How does SCIM handle group membership sync?

Two equivalent patterns: managing members from the User side (`groups` attribute in the User resource) or from the Group side (`members` attribute in the Group resource). Pick one consistently — mixing both creates merge conflicts.