SCIM provisioning for user management

Created by Certorix Online, Modified on Mon, 4 May at 9:28 PM by Certorix Online

SCIM provisioning (Enterprise)

System for Cross‑domain Identity Management (SCIM) allows automatic user provisioning and de‑provisioning from your identity provider to Certorix.

Supported SCIM features

  • Create users when assigned in IdP (e.g., Okta, Azure AD)
  • Update user attributes (name, email)
  • Deactivate users when removed from IdP (revokes access)
  • Group mapping (assign roles based on IdP groups)

Enabling SCIM

  1. Go to Company Settings → SCIM tab.
  2. Click Enable SCIM.
  3. Copy the SCIM base URL: https://certorix.com/api/scim/v2
  4. Copy the Bearer token (generated automatically). This token is the SCIM secret.
  5. In your IdP (Okta, Azure AD), create a new SCIM app using the base URL and bearer token.
  6. Configure attribute mapping (see below).
  7. Test connection.
  8. Save.
Attribute mappings

Map these SCIM attributes to Certorix fields:

  • userName → email (used for login)
  • emails[0].value → email (alternate)
  • name.givenName → firstName
  • name.familyName → lastName
  • active → status (true = active, false = deactivated)

Group mapping (role assignment)

In Certorix SCIM settings, define group mappings, for example:

  • IdP group 'Certorix Admins' → Certorix role 'Admin'
  • IdP group 'Certorix Editors' → Certorix role 'Editor'

Up to 10 group mappings are allowed.

When a user is assigned to a group in the IdP, Certorix automatically assigns the corresponding role. If a user belongs to multiple mapped groups, the highest privilege role is assigned (Admin > Editor > Viewer > custom).
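The following is an added illustration, not Certorix's own provisioning code: it applies the attribute mapping and group-to-role rules above to a constructed SCIM 2.0 User payload, so you can check what your IdP's payload would turn into before testing the connection. It assumes the IdP includes the user's group display names in the `groups` attribute and that `status` values are written as `active` / `deactivated`.

```python
from typing import Optional

# Role precedence stated in the article: Admin > Editor > Viewer > custom roles.
ROLE_RANK = {"Admin": 3, "Editor": 2, "Viewer": 1}
MAX_GROUP_MAPPINGS = 10  # limit stated in the article


def pick_highest_role(roles: list) -> Optional[str]:
    """Highest-privilege role wins; any custom role ranks below Viewer."""
    if not roles:
        return None
    return max(roles, key=lambda r: ROLE_RANK.get(r, 0))


def map_scim_user(resource: dict, group_mappings: dict) -> dict:
    """Translate a SCIM User resource into the Certorix fields listed above.

    group_mappings is {IdP group display name: Certorix role}. Illustrative only.
    """
    if len(group_mappings) > MAX_GROUP_MAPPINGS:
        raise ValueError("at most 10 group mappings are allowed")
    # userName is the login email; emails[0].value is the documented alternate.
    email = resource.get("userName")
    if not email:
        emails = resource.get("emails") or []
        email = emails[0].get("value") if emails else None
    if not email:
        raise ValueError("SCIM user has neither userName nor emails[0].value")
    name = resource.get("name") or {}
    # active=true -> active, active=false -> deactivated (treated as active if omitted).
    status = "active" if resource.get("active", True) else "deactivated"
    # Only groups that have a mapping contribute a role; unmapped groups are ignored.
    roles = [group_mappings[g.get("display")] for g in resource.get("groups", [])
             if g.get("display") in group_mappings]
    return {"email": email, "firstName": name.get("givenName"),
            "lastName": name.get("familyName"), "status": status,
            "role": pick_highest_role(roles)}


# Constructed sample payload, in the shape an IdP would POST to /Users.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jane.doe@example.com", "primary": True}],
    "active": True,
    "groups": [{"display": "Certorix Editors"}, {"display": "Certorix Admins"}],
}
SAMPLE_MAPPINGS = {"Certorix Admins": "Admin", "Certorix Editors": "Editor"}

if __name__ == "__main__":
    print(map_scim_user(SAMPLE_USER, SAMPLE_MAPPINGS))
```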

De‑provisioning behavior

When a user is deactivated in the IdP (removed from app assignment or account disabled):

  • Certorix sets the user status to 'Inactive' within 1 hour.
  • Inactive users cannot log in.
  • Their API tokens are revoked.
  • Their audit log entries remain.
  • Their created trees/facts remain (ownership unchanged).
  • Admins can manually reactivate a SCIM‑managed user if needed.

SCIM logs

All SCIM operations are recorded in the audit log with one of the action types 'scim.user.created', 'scim.user.updated' or 'scim.user.deactivated'.
