
How does SCIM provisioning work?

SCIM 2.0 lets your identity provider create, update, and deactivate oakallow users directly, without waiting for the user to sign in. It complements SSO: SSO authenticates users, SCIM provisions them.

What SCIM does
  • Your IdP (Entra, Okta, Ping, JumpCloud, OneLogin, others) calls oakallow's SCIM endpoints with a bearer token
  • When you add someone to the oakallow application assignment in your IdP, the IdP POSTs a Users resource to oakallow and the user appears in the Members list ready to sign in
  • When you remove someone, the IdP DELETEs or PATCHes them and oakallow deactivates the row. Their next API request returns 401
  • Group memberships sync the same way and feed into approver-group routing
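
The calls in the list above, modeled as an added example that is not oakallow's code: a minimal in-memory SCIM 2.0 service provider that handles the create and deactivate requests an IdP sends, including both common shapes of the deactivation PATCH. The token, paths, user values and the `api_status` helper are assumptions made for illustration.

```python
# Added illustration: in-memory model of a SCIM 2.0 service provider.
# Not oakallow's code; the token, paths and user values are constructed.
import uuid

USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_TOKEN = "example-scim-token"   # placeholder for the token shown once
users = {}                          # id -> stored User resource

def as_bool(v):
    # Tolerate "False"/"true" strings as well as JSON booleans.
    return v.strip().lower() == "true" if isinstance(v, str) else bool(v)

def scim(method, path, token, body=None):
    """Handle one IdP call; returns (HTTP status, resource or None)."""
    if token != SCIM_TOKEN:
        return 401, None
    parts = path.strip("/").split("/")
    if method == "POST" and parts == ["Users"]:
        if USER not in body.get("schemas", []):
            return 400, None
        if any(u["userName"] == body["userName"] for u in users.values()):
            return 409, None        # userName must be unique
        user = {**body, "id": str(uuid.uuid4())}
        user["active"] = as_bool(body.get("active", True))
        users[user["id"]] = user
        return 201, user
    if len(parts) != 2 or parts[0] != "Users" or parts[1] not in users:
        return 404, None
    user = users[parts[1]]
    if method == "DELETE":          # the page says removal deactivates the row
        user["active"] = False
        return 204, None
    if method == "PATCH" and PATCH_OP in body.get("schemas", []):
        for op in body["Operations"]:
            if op["op"].lower() != "replace":
                return 400, None    # this model only handles replace
            # With a path the value is the attribute; without, a dict of attributes.
            changes = {op["path"]: op["value"]} if "path" in op else dict(op["value"])
            if "active" in changes:
                changes["active"] = as_bool(changes["active"])
            user.update(changes)
        return 200, user
    return 400, None

def api_status(user_name):
    """Model of a member's own API request: 200 if active, else 401."""
    ok = any(u["userName"] == user_name and u["active"] for u in users.values())
    return 200 if ok else 401
```

A handler that stores the string "False" without coercing it would leave the account truthy and active, which is why the model normalizes the value before applying it.
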

Why SCIM matters
  • Provisioning is decoupled from sign-in. A new hire shows up on Monday and oakallow already knows about them, without waiting for them to click through SSO
  • Deprovisioning is decoupled from sign-out. A departing employee is removed from oakallow the moment HR removes them from your IdP, regardless of whether they had an active session
  • Audit. Every provisioning event is logged on both sides

How to set it up

1. The team owner opens Account, then SCIM, in the dashboard
2. Generate a SCIM bearer token. The token is shown once. Store it in your IdP's credential store
3. Copy the SCIM base URL shown on the page
4. In your IdP, create or configure the oakallow application with provisioning enabled. Paste the base URL and bearer token
5. Assign users and groups to the application. The first provisioning cycle creates the rows

SCIM configuration is owner-only. SSO and SCIM use independent credentials, so you can adopt them separately or together.
