# SCIM (Beta)

# Preamble

The EE server support user and group management with SCIM, in combination with SAML. SCIM allows external services to create / delete / update users and groups. Psono doesn't implement the full SCIM specification and instead currently supports the subset required by Azure. This guide here will explain how to configure SCIM. We assume that your webclient is running on https://example.com, the server is reachable with https://example.com/server (e.g. https://example.com/server/info/ shows you some nice json output).

TIP

This feature is only available in the Enterprise Edition.

# Enable SCIM

Lookup the provider id of your SAML configuration. If your configuration looks like this:

SAML_CONFIGURATIONS:
    1:
        idp:
            entityId: ...
            ...

Then your provider id is 1. So create a SCIM configuration that looks like this:

SCIM_CONFIGURATIONS:
    1:
        TOKEN: 'Replace me with a secure long random string'
        AUTHENTICATION_METHOD: 'SAML'
        PROVIDER_ID: 1

Change TOKEN parameter and replace it with a secure random string. This will later be used by the SCIM provider as authentication.
Change PROVIDER_ID parameter to match your SAML configuration's provider id

Restart the server afterwards

The SCIM endpoint is now: https://example.com/server/scim/2.0/1, so e.g.

https://example.com/server/scim/2.0/1/Schema
https://example.com/server/scim/2.0/1/Users
https://example.com/server/scim/2.0/1/Groups

Users and groups should now automatically provision.

← OIDC - Zitadel SAML - Group Mapping →