SCIM Settings for User Provisioning

This guide outlines the steps to generate a REST API v2 token to integrate with OKTA and Microsoft Entra.

* The previous method of using the Directory Tool and OAuth token to authenticate SCIM has been deprecated. Use the REST API v2 token to integrate SCIM. Refer to Netskope Product EOL Announcements for more information.
* Existing user and group information is not affected when you change the Base URL, whether you are migrating to the new SCIM Base URL or reverting the change due to unforeseen issues.
* Full sync is not required as part of this migration.

Netskope currently supports OKTA and Microsoft Entra ID for the provisioning of users and groups.

  1. Log in to your tenant admin console and go to Settings > Tools > REST API v2.

  2. New Token – Click the New Token button and in the Create REST API Token pop-up screen, enter a token name and the desired expiration interval.

  3. Select Endpoint – Click the Add Endpoint dropdown and search for SCIM.

    Select the api/v2/scim/Users and the api/v2/scim/Groups endpoints one after the other and click Save.

  4. Endpoint Permissions – Adjust permissions of the two endpoints that were just selected to support the ability to manage users and groups.

  5. Click Save.

    Important

    If your Netskope tenant is hardened using IP Allowlist (Settings > Administration > IP Allowlist), then ensure that you add the respective source IP addresses of your integrated REST API V2 services to the Custom IP list.

  6. Collect Token – When the Success window opens, copy the token to a safe place.

    Important

    This token cannot be retrieved in the future. If you lose the token, you must reissue it.

  7. In your IdP SCIM client, use the new URL for SCIM and the generated Token.

    • URL format: https://<tenant-name>.goskope.com/api/v2/scim

      Note

      The earlier URL format https://addon-<tenant-name>.goskope.com/api/v2/scim is deprecated.

    • Token obtained in the Collect Token step.

Follow the instructions specified for the respective applications to provision users. Once complete, test the connection. If the test succeeds, the SCIM integration process is complete.
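
A check for the SCIM Base URL entered in the IdP SCIM client in step 7, as an added example that is not part of the Netskope documentation: it flags the deprecated addon- host format and returns the URL in the current format. The function name, the placeholder tenant name `example`, and the rule that a tenant name consists of one or more DNS labels are assumptions.

```python
from urllib.parse import urlsplit

SCIM_PATH = "/api/v2/scim"      # path from the URL format in step 7
DOMAIN_SUFFIX = ".goskope.com"  # tenant domain from the URL format in step 7
DEPRECATED_PREFIX = "addon-"    # host prefix of the deprecated URL format


def check_scim_base_url(url):
    """Classify a SCIM Base URL as configured in an IdP SCIM client.

    Returns (status, base_url): status is "current", "deprecated" or
    "invalid"; base_url is the URL in the current format, or None if invalid.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    # The token is sent with every request, so only HTTPS is accepted.
    if parts.scheme != "https" or not host.endswith(DOMAIN_SUFFIX):
        return "invalid", None
    # netloc differs from the bare host when userinfo or a port is present.
    if parts.netloc.lower() != host or parts.query or parts.fragment:
        return "invalid", None
    if parts.path.rstrip("/") != SCIM_PATH:
        return "invalid", None
    tenant = host[: -len(DOMAIN_SUFFIX)]
    deprecated = tenant.startswith(DEPRECATED_PREFIX)
    if deprecated:
        tenant = tenant[len(DEPRECATED_PREFIX):]
    # Assumption: a tenant name is one or more DNS labels
    # (ASCII letters, digits and inner hyphens).
    for label in tenant.split("."):
        if not (label.isascii() and label.replace("-", "").isalnum()):
            return "invalid", None
        if label[0] == "-" or label[-1] == "-":
            return "invalid", None
    base_url = f"https://{tenant}{DOMAIN_SUFFIX}{SCIM_PATH}"
    return ("deprecated" if deprecated else "current"), base_url


# Constructed sample values; "example" is a placeholder tenant name.
SAMPLE_URLS = [
    "https://example.goskope.com/api/v2/scim",
    "https://addon-example.goskope.com/api/v2/scim/",
    "http://example.goskope.com/api/v2/scim",
    "https://example.goskope.com.example.net/api/v2/scim",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(check_scim_base_url(sample), sample)
```

A "deprecated" result carries the replacement Base URL to enter in the IdP; an "invalid" result means the value does not match either URL format given in step 7.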

For app-specific details refer to the following:
