SCIM-based User Provisioning

System for Cross-domain Identity Management (SCIM) defines a standard for exchanging identity information across different cloud app vendors. The objects exchanged using SCIM are called resources (for example, user resources and group resources). The purpose of SCIM is to automate the exchange of user identity information across apps for user provisioning.

A SCIM-enabled directory server (like Microsoft Entra ID or Okta) can send user information directly to the SCIM server in the Netskope cloud. This service is currently available for Microsoft Entra ID and Okta via REST API v2 token authentication.

The previous method of using the Directory Tool and OAuth token to authenticate SCIM has been deprecated. Refer to Netskope Product EOL Announcements for more information. Use the REST API v2 token to integrate SCIM.

For specific integration instructions, go to Microsoft Entra SCIM Integration.

Follow the instructions specified for the respective application to configure the app and provision users. Once complete, test the connection. If the test succeeds, the SCIM integration process is complete. For more details about SCIM integrations with Microsoft Entra and Okta, go to:

Microsoft Entra Support

Netskope currently supports the following:

  • Provisioning of users.
  • Provisioning of groups.

Okta Support

Netskope currently supports the following:

  • Provisioning of users and user groups.

Using APIv2 with SCIM

  1. Navigate to Settings → Tools → REST API v2

  2. Click the New Token button.

  3. Enter a token name and the desired expiration interval.

  4. Click the ADD ENDPOINT dropdown and search for SCIM.

  5. Select the api/v2/scim/Users endpoint

  6. Repeat Step 4, and select the api/v2/scim/Groups endpoint

  7. Adjust permissions of the two endpoints that were just selected to support the ability to manage users and groups.

  8. Click Save

  9. When the Success window appears, copy the token to a safe place.
    NOTE: This token cannot be retrieved in the future. If you lose the token, you must reissue it.

  10. In your IdP SCIM client, use the new SCIM URL and the token that was generated:

    a. https://<tenant>

    b. token obtained in step 9
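
A check for the "test the connection" step, added here as an example and not Netskope's own tooling: it requests one record from each of the two endpoints scoped in steps 5 and 6 and reports whether the token is accepted on each. Assumptions: the token is sent as a Bearer credential, SCIM_BASE_URL and SCIM_TOKEN are hypothetical environment variable names, the endpoint paths are relative to the tenant URL from step 10, and the 401/403 readings follow general HTTP semantics rather than documented tenant behaviour.

```python
import json
import os
import urllib.error
import urllib.request

SCIM_ENDPOINTS = ("api/v2/scim/Users", "api/v2/scim/Groups")  # steps 5 and 6
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"  # RFC 7644


def http_get(url, token):
    """GET url and return (status, body). Bearer auth is an assumption."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """Map a response to a verdict using generic HTTP semantics (assumed)."""
    if status == 401:
        return "token rejected (wrong, expired or revoked)"
    if status == 403:
        return "token accepted but endpoint not in its scope"
    if status != 200:
        return f"unexpected HTTP {status}"
    try:
        ok = LIST_SCHEMA in json.loads(body).get("schemas", [])
    except (ValueError, AttributeError, TypeError):
        return "HTTP 200 but body is not a SCIM JSON object"
    return "ok" if ok else "HTTP 200 but not a SCIM ListResponse"


def check_token(base_url, token, get=http_get):
    """Query one record from each endpoint; `get` is injectable for offline tests."""
    results = {}
    for path in SCIM_ENDPOINTS:
        url = f"{base_url.rstrip('/')}/{path}?count=1"
        results[path] = classify(*get(url, token))
    return results


if __name__ == "__main__":
    # Read both values from the environment so the token stays out of the source file.
    for path, verdict in check_token(os.environ["SCIM_BASE_URL"], os.environ["SCIM_TOKEN"]).items():
        print(f"{path}: {verdict}")
```

A 403 on only one of the two paths points at a token saved without that endpoint, which is fixed by reissuing the token with both endpoints selected.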
