SCIM Settings for User Provisioning
SCIM Settings for User Provisioning
This guide outlines the steps to generate a REST API v2 token to integrate with OKTA and Microsoft Entra.
* There will be no impact for the existing User/Group info as they change the Base URL. When migrating to the new SCIM Base URL or Reverting the change back due to unforeseen issues.
* Full sync is not required as part of this migration.
Netskope currently supports OKTA and Microsoft Entra ID for the provisioning of users and groups.
-
Log in to your tenant admin console and go to Settings > Tools > REST API v2.
-
New Token – Click the New Token button and in the Create REST API Token pop-up screen, enter a token name and the desired expiration interval.
-
Select Endpoint – Click the Add Endpoint dropdown and search for SCIM.
Select the
api/v2/scim/Users
and theapi/v2/scim/Groups
endpoints one after the other and click Save. -
Endpoint Permissions – Adjust permissions of the two endpoints that were just selected to support the ability to manage users and groups.
-
Click Save.
Important
If your Netskope tenant is hardened using IP Allowlist (Settings > Administration > IP Allowlist), then ensure that you add the respective source IP addresses of your integrated REST API V2 services to the Custom IP list.
-
Collect Token – When the Success window opens, copy the token to a safe place.
Important
This token can not be retrieved in the future. If you lose the token, you must reissue the token again.
-
In your IdP SCIM client, use the new URL for SCIM and the generated Token.
-
URL format:
https://<tenant-name>.goskope.com/api/v2/scim
Note
The earlier URL format
https://addon-<tenant-name>.goskope.com/api/v2/scim
is deprecated. -
Token obtained in the Collect Token step.
-
Follow the instructions specified for the respective applications to provision users. Once complete, test the connection. If the test succeeds, the SCIM integration process is complete.
For app-specific details refer to the following: