SCIM 2.0 Provisioning
SCIM (System for Cross-domain Identity Management) enables automated user provisioning and deprovisioning from your identity provider to AxonFlow.
What is SCIM?
SCIM 2.0 is an open standard (RFC 7643/7644) for automating the exchange of user identity information between identity providers and service providers. When a user is added, modified, or removed in your IdP, those changes automatically sync to AxonFlow.
Identity Provider (Okta, Azure AD, OneLogin)
          |
          | SCIM 2.0 API Calls
          | (Create, Update, Delete)
          v
+-------------------+
|   AxonFlow SCIM   |
|     Endpoint      |
|    /scim/v2/*     |
+-------------------+
          |
          v
+-------------------+
|   User Accounts   |
|    & Role Sync    |
+-------------------+
Benefits
Automated User Lifecycle
| Action in IdP | Result in AxonFlow |
|---|---|
| Assign user to app | User created with access |
| Update user attributes | User profile updated |
| Unassign user from app | User deactivated |
| Delete user | User removed |
Security & Compliance
- Zero manual provisioning - No shared credentials or manual account creation
- Instant deprovisioning - Users lose access immediately when terminated
- Audit trail - All SCIM operations are logged for compliance
- Single source of truth - IdP remains authoritative for user identity
Supported Identity Providers
AxonFlow's SCIM 2.0 implementation is compatible with:
- Okta
- Azure Active Directory (Entra ID)
- OneLogin
- Ping Identity
- JumpCloud
- Any SCIM 2.0 compliant identity provider
How It Works
1. Create a SCIM Token
Generate a bearer token in the AxonFlow Customer Portal:
Settings > SCIM Provisioning > Create Token
2. Configure Your IdP
Point your identity provider to AxonFlow's SCIM endpoint:
Base URL: https://customer.getaxonflow.com/scim/v2
3. Enable Provisioning
Enable user provisioning in your IdP and assign users/groups to the AxonFlow application.
SCIM Operations
User Management
| Endpoint | Method | Description |
|---|---|---|
| /scim/v2/Users | GET | List users with filtering |
| /scim/v2/Users | POST | Create new user |
| /scim/v2/Users/{id} | GET | Get user by ID |
| /scim/v2/Users/{id} | PUT | Replace user |
| /scim/v2/Users/{id} | PATCH | Update user attributes |
| /scim/v2/Users/{id} | DELETE | Delete user |
Group Management
| Endpoint | Method | Description |
|---|---|---|
| /scim/v2/Groups | GET | List groups |
| /scim/v2/Groups | POST | Create group |
| /scim/v2/Groups/{id} | GET | Get group by ID |
| /scim/v2/Groups/{id} | PUT | Replace group |
| /scim/v2/Groups/{id} | PATCH | Update group members |
| /scim/v2/Groups/{id} | DELETE | Delete group |
Discovery Endpoints
These endpoints provide SCIM service information (no authentication required per RFC 7644):
| Endpoint | Description |
|---|---|
| /scim/v2/ServiceProviderConfig | SCIM capabilities |
| /scim/v2/Schemas | Supported schemas |
| /scim/v2/ResourceTypes | Available resource types |
User Schema
AxonFlow supports the SCIM 2.0 Core User schema:
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "jsmith@example.com",
  "name": {
    "givenName": "John",
    "familyName": "Smith"
  },
  "emails": [
    {
      "value": "jsmith@example.com",
      "type": "work",
      "primary": true
    }
  ],
  "active": true,
  "externalId": "12345"
}
Filtering
SCIM filter syntax is supported for querying users and groups:
GET /scim/v2/Users?filter=userName eq "john@example.com"
GET /scim/v2/Users?filter=name.familyName co "Smith"
GET /scim/v2/Users?filter=active eq true
Supported operators: eq, ne, co, sw, ew, pr, gt, ge, lt, le
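As an added example (not AxonFlow's own code), the script below builds the filter queries shown above with JSON-quoted, percent-encoded values, then uses an `active eq true` result to list accounts that are still active but no longer assigned in the IdP. The function names, the sample ListResponse and the IdP roster are constructed for illustration.

```python
import json
import re
from urllib.parse import quote

BASE_URL = "https://customer.getaxonflow.com/scim/v2"  # base URL from this page
OPERATORS = {"eq", "ne", "co", "sw", "ew", "pr", "gt", "ge", "lt", "le"}
# attrName, optionally followed by one sub-attribute (RFC 7644 ABNF, no URN prefix).
ATTR_PATH = re.compile(r"[A-Za-z][A-Za-z0-9_-]*(\.[A-Za-z][A-Za-z0-9_-]*)?")

def build_filter(attr, op, value=None):
    """Return one SCIM filter clause with the comparison value JSON-quoted."""
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator: {op!r}")
    if not ATTR_PATH.fullmatch(attr):
        raise ValueError(f"invalid attribute path: {attr!r}")
    if op == "pr":  # "present" takes no comparison value
        return f"{attr} pr"
    # json.dumps escapes embedded quotes and backslashes, so caller-supplied
    # text stays inside a single string literal and cannot append clauses.
    return f"{attr} {op} {json.dumps(value)}"

def filter_url(resource, attr, op, value=None):
    """Percent-encode the clause so spaces, quotes and '@' survive the query string."""
    return f"{BASE_URL}/{resource}?filter={quote(build_filter(attr, op, value), safe='')}"

def still_active(list_response, idp_assigned):
    """userNames marked active in a SCIM ListResponse but not assigned in the IdP."""
    # userName is case-insensitive in the core schema, so compare lowercased.
    assigned = {name.lower() for name in idp_assigned}
    return sorted(
        user["userName"]
        for user in list_response.get("Resources", [])
        if user.get("active") and user["userName"].lower() not in assigned
    )

# Constructed sample in the RFC 7644 ListResponse shape (not real AxonFlow output).
SAMPLE_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [
        {"userName": "jsmith@example.com", "active": True, "externalId": "12345"},
        {"userName": "former.employee@example.com", "active": True, "externalId": "67890"},
    ],
}

if __name__ == "__main__":
    print(filter_url("Users", "userName", "eq", "john@example.com"))
    print(still_active(SAMPLE_RESPONSE, ["JSmith@example.com"]))
```

Any userName returned by `still_active` is an account to review against the SCIM audit log.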
Community vs Enterprise
| Feature | Community | Enterprise |
|---|---|---|
| Basic SCIM 2.0 support | ✅ | |
| User provisioning | ✅ | |
| User deprovisioning | ✅ | |
| Group sync | ✅ | |
| Group-to-role mapping | ✅ | |
| Token management UI | ✅ | |
| SCIM audit logging | ✅ | |
SCIM provisioning is available exclusively with AxonFlow Enterprise. Contact sales to enable automated user provisioning for your organization.
Related Documentation
- Audit Logging - Track all SCIM operations
- Enterprise Overview - Enterprise features