SCIM provisioning
AxisSynapse implements the SCIM 2.0 standard so your identity provider can push user lifecycle events — additions, role changes, deactivations — directly into your workspace. Once SCIM is live, your directory becomes the source of truth: a new hire who lands in the directory shows up in AxisSynapse within seconds, and a departing employee loses access the moment they're disabled upstream.
TL;DR — Generate a bearer token in Settings → Identity → SCIM, paste it (with the workspace's SCIM endpoint URL) into your IdP's connector, pick the groups to scope, run a pilot user, then open the sync to the rest of the directory. Round trip on the pilot takes about thirty minutes.
Before you start
- You must be a Workspace admin.
- Your identity provider must support SCIM 2.0. The major enterprise IdPs — Microsoft Entra ID, Okta, OneLogin, JumpCloud, Ping — all do.
- Have SSO already configured for the same workspace. SCIM provisions accounts; SSO authenticates them. The two work together.
- Pick a pilot scope: a single security group of 5-10 users you can validate end-to-end before opening the sync to everyone.
Token handling
The SCIM bearer token is shown once, immediately after generation. AxisSynapse never displays it again. Copy it straight into your IdP connector; if you lose it, revoke and regenerate.
Wire up the SCIM connector
Generate the bearer token
From Settings → Identity → SCIM, click Generate token. A dialog reveals the workspace's SCIM endpoint URL (e.g.
https://<your-workspace>.axissynapse.com/scim/v2) and the bearer token. Copy both — the token disappears on close.Open your IdP's provisioning configuration
The exact path varies. Microsoft Entra ID → Enterprise application → Provisioning. Okta → Applications → SCIM Provisioning. OneLogin → Applications → Configuration → API Connection.
Paste the endpoint URL and token
Paste the SCIM endpoint URL into the Tenant URL (Entra ID) / Base URL (Okta) field. Paste the bearer token into Secret Token / Bearer Token.
Click Test connection
Your IdP exchanges a
/ServiceProviderConfigprobe. Expect a green check; if it fails, double-check the URL and the token.Configure attribute mappings
The preset mappings work for most workspaces. Confirm that
userName,name.givenName,name.familyName,emails[primary]andactiveare mapped. Custom attributes can be added later.Scope the sync to your pilot group
Add a single group to the connector's Assignments / Scope. The sync starts on save.
Verify the pilot users land
Within a few minutes, the pilot users appear in Settings → Members with a SCIM badge. Provisioning events appear in Security Console.
Open the scope to the rest of the directory
When the pilot is clean, add the remaining groups. AxisSynapse de-duplicates by email; any existing local accounts merge with the inbound SCIM record on first sync.
Provider walkthroughs
Microsoft Entra ID
Open the AxisSynapse enterprise application
Azure portal → Microsoft Entra ID → Enterprise applications → AxisSynapse → Provisioning.
Switch Provisioning Mode to "Automatic"
Paste the SCIM endpoint URL into Tenant URL and the bearer token into Secret Token.
Click "Test Connection"
A success notification appears at the top of the page. Save.
Confirm the attribute mappings
Expand Mappings. The defaults work; keep them unless your directory needs custom claims.
Assign users and groups
Under Users and groups, add the pilot group. Then on the Provisioning page set Provisioning Status to On.
Okta
Open the AxisSynapse application's Provisioning tab
Okta admin → Applications → AxisSynapse → Provisioning.
Configure the API integration
Paste the SCIM endpoint URL into Base URL, the bearer token into API Token, and ensure the username format is Email. Click Test API Credentials.
Enable "Create Users", "Update User Attributes", "Deactivate Users"
These three drive the full lifecycle — without all three, lifecycle events drift between Okta and AxisSynapse.
Assign the pilot group
Okta admin → Applications → AxisSynapse → Assignments → add a group. Provisioning starts immediately.
Every field, explained
| Field | What it does | Accepted values / default |
|---|---|---|
| SCIM endpoint URL | The base URL your IdP POSTs SCIM operations to. | Workspace-scoped — every workspace has its own. Shown in Settings → Identity → SCIM. |
| Bearer token | Authenticates your IdP's SCIM connector. | Shown ONCE on generation. Copy immediately. Revoke and regenerate if compromised. |
| userName | Required SCIM attribute. Identifies the user. | Defaults to the user's email at all major IdPs. |
| name.givenName / name.familyName | Standard SCIM attributes for first / last name. | Required for new-user creation. |
| emails[primary] | The user's primary email — the identifier AxisSynapse de-duplicates against. | Required. Must be unique across the workspace. |
| active | SCIM boolean controlling whether the user can sign in. | false → user is deactivated and their sessions are invalidated. true → re-enabled. |
| externalId | The IdP's stable identifier for the user. | Stored so AxisSynapse can correlate updates after an email change. |
| Pilot group | Scope the initial sync to a small group for validation. | Single group; 5-10 users. Expand after the round trip is verified. |
What appears in the audit log
Every SCIM operation surfaces both in Security Console and in any
webhook subscription that includes platform.scim.*.
TENANT_SCIM_TOKEN_CREATED/..._REVOKED— every token issuance and revocation, with the admin who acted on it.ACCOUNT_SCIM_USER_CREATED— new user provisioned. Always carries theexternalIdso you can trace the source.ACCOUNT_SCIM_USER_UPDATED— attribute changes (name, email, attribute mapping updates).ACCOUNT_SCIM_USER_DEACTIVATED— user disabled upstream. Their active sessions are revoked immediately.ACCOUNT_SCIM_USER_REACTIVATED— user re-enabled upstream.
Common gotchas
- "My pilot user is in the directory but doesn't appear in
AxisSynapse." Check the connector's last-sync timestamp. If the
IdP hasn't pushed yet, force a manual sync from its admin
interface. If it has pushed and the user isn't here, look in
Security Console for the rejected operation — most often the
email doesn't match the group's
userNamemapping. - "A user was deactivated in the directory but still has active
AxisSynapse sessions." SCIM deactivation revokes new sessions and
active ones; if sessions persist, the IdP may not have sent the
active: falsePATCH. Verify in the connector logs. - "SCIM is updating a user's email and breaking sign-in
bookmarks." AxisSynapse honors the IdP's email change but keeps
the user's audit-log identity stable via
externalId. Coordinate with the user on the new sign-in email. - "Two users with the same email exist." Almost always means one was provisioned locally before SCIM was wired up. Merge from Settings → Members.
- "The bearer token leaked into a shared screenshot during setup." Revoke it immediately from Settings → Identity → SCIM and re-generate. The audit log records both events.
Troubleshooting
| Error code | What it means | Fix |
|---|---|---|
| SCIM_UNAUTHORIZED | Missing or invalid bearer token. | Generate a new token, update the IdP. |
| SCIM_USER_CONFLICT | Incoming user has the same email as an existing local account. | Merge the duplicate in Settings → Members. |
| SCIM_INVALID_FILTER | The IdP issued a SCIM filter we don't support. | Reduce the connector's filter complexity — userName eq is always supported. |
| SCIM_SCHEMA_MISMATCH | The IdP's schemas array doesn't include the SCIM 2.0 user schema. | Update the connector to SCIM 2.0; SCIM 1.1 is not supported. |
| SCIM_RATE_LIMITED | Burst exceeded the per-workspace quota. | Pace the initial bulk-import; the connector should retry after the documented backoff. |
Related