About SCIM provisioning

Updated July 17, 2025 16:56

Overview

SCIM provisioning allows you to automatically manage users in your Incydr environment. Once enabled, Incydr creates new users, deactivates users, and updates user roles and permissions based on syncs with your provisioning provider. This article gives an overview of provisioning as well as some tutorials for configuring provisioning in the Incydr console.

Definitions

authentication: The process of identifying and verifying users in a system. Methods for authentication include:

Local Incydr directory
Single sign-on (SSO)
Multi-factor authentication (MFA)

authentication provider: Allows access to Incydr. When enabled, users sign in using the authentication provider instead of Incydr. Examples of authentication providers include Okta, Google SSO, Ping, Entra ID (Azure AD), OneLogin, and Microsoft AD FS.

Incydr User Directory Sync Tool: Uses LDAP to automate user management between your directory service and your Incydr environment. This differs from other provisioning providers because it uses LDAP rather than SCIM.

identity management: An IT administrative area or market that deals with users in a IT system and gives them access to the right resources within the system.

identity provider (IdP): A general term to refer to a system that contains user identities. Identity provider can refer to a system performing authentication, provisioning, or both. Examples of identity providers include Okta, Google SSO, Ping, Entra ID (Azure AD), and OneLogin.

SCIM provisioning: An open standard protocol for automating user management.

provisioning provider: Automates user management. Applications like Incydr sync with a provisioning provider and then create, update, or deactivate users based on the provisioning provider's user profile. Examples of provisioning providers include Okta, Ping, and Entra ID (Azure AD).

single sign-on (SSO): SSO is one type of authentication method. It allows a user to use the same credentials to sign in to multiple applications.

What is SCIM provisioning?

SCIM provisioning is one way to manage users in your company. There are multiple ways to manage users in an IT system or application. For example:

Manually: You can manually create, update, and deactivate users in every application each time a change happens. This method is time consuming, and it is difficult to scale in larger environments.
Active Directory, OpenDirectory, or LDAP: Directory services where one user directory acts as a source of truth. Administrators make updates to one directory and the changes are synced to other systems and applications. This automates user management, which saves you time, and can scale to large environments. However, these directory services have firewall rules that may make it difficult to integrate with cloud applications.
SCIM provisioning: SCIM provisioning relies on a provisioning provider as a source of truth. The provisioning provider may even connect to Active Directory, OpenDirectory, or LDAP on the back end. However, SCIM provisioning leverages REST and JSON to communicate, which makes it easier to integrate with cloud apps. It is also able to scale in large environments.

How does SCIM provisioning work?

What it does

Performs actions to your Incydr environment based on the provisioning provider information:
- Adds or deactivates users
- Moves users to appropriate organizations based on the organization mapping method
- Applies roles to users based on the role mapping
- Provides groups for adding to watchlists
Performs sync when a change occurs on the provisioning provider side. This means you must make a change on the provisioning provider to apply any updates to Incydr.

What it doesn't do

Incydr does not make any changes to your provisioning provider. Therefore, Incydr does not add, modify, or deactivate users in the provisioning provider.
Use LDAP. If your directory service requires LDAP to connect to Incydr, use the Incydr User Directory Sync Tool. To configure the tool in your Incydr environment, contact your Customer Success Manager (CSM).

Requirements

The Incydr provisioning feature requires you to connect a third-party provisioning provider to Incydr. The following are the basic requirements that your provider and your Incydr environment need to integrate correctly:

SCIM 2.0: Incydr requires a provisioning provider to use the SCIM 2.0 protocol.
SCIM groups: The Custom SCIM mapping and role mapping require that your provider uses SCIM groups. Other provisioning features are available without SCIM groups.

Configuration articles

See the following articles to learn how to configure provisioning providers:

External resources

Okta: What is SCIM?