🔒 Identity Provisioning Automation

SCIM Provisioning Done Carefully

Automate user lifecycle management with a SCIM 2.0 connector designed for tenant-scoped operation and a detailed audit history. See the capability matrix on the features page for what is supported today.

How provisioning flows · illustrative

  • Your IdP: Okta, Microsoft Entra ID, Google, OneLogin, Ping, or custom. Pushes SCIM changes.
  • LabsNinja SCIM: Validates, leases the work, and applies create / update / deactivate.
  • Your apps: Users and groups provisioned into your workspace.

Illustrative diagram — not a live feed; no customer data shown.

Access your area

Platform Administrator

Admin Console

Full platform control. Manage tenants, configure SCIM clients, monitor jobs, and review audit events across the entire deployment.

  • Tenant provisioning & lifecycle
  • SCIM client credential management
  • Job scheduling & execution logs
  • Platform-wide audit trail

Tenant Operator

Operator Dashboard

Manage your tenant identity synchronization. Configure attribute mappings, trigger sync jobs, and monitor connector health in real time.

  • Identity connector configuration
  • Attribute mapping & transforms
  • Sync job monitoring
  • Per-tenant audit trail

End Customer

Customer Portal

Access your provisioning status, manage your account, and view users and groups synced to your organization via SCIM.

  • Provisioning status overview
  • User & group visibility
  • Account & credential settings
  • Self-service onboarding

Built for Identity Teams That Read the Specs

A focused SCIM 2.0 connector with a published capability matrix, designed for any SCIM 2.0-capable identity provider: Okta, Microsoft Entra ID, Google, OneLogin, Ping, or custom/in-house. See the capability scope for the current supported subset.

Token-Based SCIM Auth

Bearer-token authentication, hashed at rest, scoped per tenant. Rotate and revoke at any time. No SAML or OIDC sign-in today — see capability matrix.

Audit Event History

Structured, tenant-scoped audit events for every SCIM operation and operator action. Supports security reviews and customer audits with detailed provisioning logs.

Tenant Isolation

Strict tenant isolation at the data and runtime layers. Tokens, queries, and audit streams scoped per tenant. Operator and customer surfaces use separate auth stacks.

SCIM 2.0 Foundation

Standards-aligned SCIM 2.0 endpoints (Users, Groups, ServiceProviderConfig, Schemas, ResourceTypes). Narrow filter subset and PATCH-based updates — see capability matrix for the current scope.

Separated Auth Surfaces

Distinct authentication stacks for platform operators, customer portal users, and SCIM clients. Coarse scim:read and scim:write scopes for the data plane today; finer-grained authorization is on the backlog.

Push-Driven Provisioning

Your identity provider pushes SCIM requests to LabsNinja as users are created, updated, or deactivated. Provisioning state is visible in the customer portal and the audit log.

SCIM 2.0 Endpoints

The implemented SCIM 2.0 surface. Point any SCIM 2.0-capable IdP (Okta, Microsoft Entra ID, Google, OneLogin, Ping, or custom) at the base URL with a tenant bearer token. See the capability matrix for the supported filter and PATCH subset.

Methods                 Endpoint
GET POST                /scim/v2/Users
GET PUT PATCH DELETE    /scim/v2/Users/{id}
GET POST                /scim/v2/Groups
GET PUT PATCH DELETE    /scim/v2/Groups/{id}
GET                     /scim/v2/ServiceProviderConfig
GET                     /scim/v2/Schemas
GET                     /scim/v2/ResourceTypes

curl -H "Authorization: Bearer <tenant-token>" \
  -H "Content-Type: application/scim+json" \
  https://scim.labsninja.com/scim/v2/Users

Simple, Transparent Pricing

Start free. Scale as you grow. No per-seat surprises.
