Capabilities

SCIM 2.0 Connector

A SCIM 2.0 connector for any SCIM 2.0-capable identity provider: Okta, Microsoft Entra ID, Google, OneLogin, Ping, or custom/in-house. It comes with operator tooling, customer self-service, and a security-focused architecture. The capability matrix below reflects the current supported scope.

SCIM Protocol

👤 User Provisioning

Full user lifecycle: create, read, update, deactivate. Attribute mapping, external ID tracking, and idempotent operations.

👥 Group Sync

Group create, update, membership add/remove, and delete. Handles large membership sets with robust filtering.

🔍 Filtering & Pagination

SCIM filter support (userName eq, externalId eq, displayName eq), sorted paginated responses.

🔄 Reconciliation

Background consistency checks detect drift between IdP state and connector state. Dry-run preview before applying fixes.

📊 Audit Events

Every SCIM operation emits a structured audit event with actor, tenant, resource, outcome, and timestamp.

⚙ ServiceProviderConfig

Standards-compliant capability discovery endpoint for automated IdP configuration.

Operator Tooling

🏢 Multi-Tenant

Full tenant isolation per customer. Separate credentials, data scoping, and audit streams per tenant.

🔐 Token Management

Generate, rotate, and revoke SCIM bearer tokens per tenant from the operator dashboard.
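
An added example (not LabsNinja's code) of per-tenant bearer tokens stored only as salted PBKDF2-SHA256 hashes, the scheme the capability matrix names, with generate, rotate and revoke. The `<token_id>.<secret>` token layout, the iteration count and the in-memory table are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor; the page does not state one


class TenantTokenStore:
    """In-memory stand-in for a token table; the plaintext secret is never kept."""

    def __init__(self):
        self._rows = {}  # token_id -> (tenant_id, salt, derived_key)

    def _derive(self, secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

    def generate(self, tenant_id):
        token_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._rows[token_id] = (tenant_id, salt, self._derive(secret, salt))
        return f"{token_id}.{secret}"  # returned once to the operator

    def verify(self, bearer):
        """Return the tenant the token is scoped to, or None if it is invalid."""
        token_id, _, secret = bearer.partition(".")
        row = self._rows.get(token_id)
        if row is None or not secret:
            return None
        tenant_id, salt, expected = row
        # constant-time comparison of the derived keys
        ok = hmac.compare_digest(self._derive(secret, salt), expected)
        return tenant_id if ok else None

    def revoke(self, tenant_id):
        """Delete every token of one tenant; returns how many were removed."""
        doomed = [k for k, row in self._rows.items() if row[0] == tenant_id]
        for k in doomed:
            del self._rows[k]
        return len(doomed)

    def rotate(self, tenant_id):
        """Invalidate the tenant's old tokens and issue a fresh one."""
        self.revoke(tenant_id)
        return self.generate(tenant_id)
```

The tenant comes from the verified token row, never from a request parameter, so a valid token for one tenant cannot be pointed at another tenant's data.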

📅 Job Scheduling

Schedule background sync jobs, reconciliation runs, and health checks on configurable intervals.

Capability matrix (current scope)

This matrix is the source of truth for what LabsNinja SCIM supports today. We update it as scope changes. Items marked as not supported or planned are tracked on our internal backlog; talk to us if any of them are blockers.

| Capability | Status | Notes |
| --- | --- | --- |
| SCIM /Users endpoint | Available | list, create, get, patch, delete |
| SCIM /Groups endpoint | Available | list, create, get, patch, delete; membership add/remove |
| ServiceProviderConfig | Available | Advertises supported subset honestly |
| Schemas / ResourceTypes | Available | User and Group schemas only |
| Token-based SCIM authentication | Available | Bearer tokens, hashed at rest (PBKDF2-SHA256), per-tenant scope |
| Tenant isolation | Available | Row-level scoping on every SCIM endpoint |
| Audit event history | Available | Tenant-scoped, structured, queryable from operator dashboard |
| Okta provisioning compatibility | Partial | PATCH-based attribute updates; configure Okta to use PATCH instead of PUT |
| Microsoft Entra (Azure AD) provisioning compatibility | Partial | Standard SCIM 2.0 flow; EnterpriseUser extension fields not yet stored |
| SCIM PATCH | Available | Narrow op subset, normalized error responses |
| SCIM PUT (full-resource replace) | Not yet supported | On the backlog |
| EnterpriseUser extension | Not yet supported | On the backlog |
| SCIM filter operators beyond eq | Not yet supported | Today: eq on a whitelisted attribute subset only |
| SCIM bulk operations | Not yet supported | On the backlog |
| SAML / OIDC sign-in (customer portal) | Available | Customer portal SSO via Google & Microsoft (OIDC) and Okta (SAML), enabled per workspace. The SCIM API uses bearer-token auth; the admin console uses an operator UI session. |
| Formal uptime SLA | Not offered today | Best-effort operation; no contractual SLA |
| SOC 2 / ISO 27001 certification | Not certified | We do not claim SOC 2, ISO 27001, or any other certification at this time |
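
An added example (not LabsNinja's code) of a strict parser for the filter scope stated above: a single `eq` comparison on `userName`, `externalId` or `displayName`, everything else rejected with a SCIM `invalidFilter` error, and the result bound into a tenant-scoped parameterised query. The table name `scim_users`, the column names and the length limit are hypothetical.

```python
import json
import re

# lower-cased SCIM attribute -> (canonical name, column); columns are hypothetical
ALLOWED = {"username": ("userName", "user_name"),
           "externalid": ("externalId", "external_id"),
           "displayname": ("displayName", "display_name")}

# Exactly: <attribute> <operator> "<JSON string>" with nothing after it.
_FILTER = re.compile(r'\s*([A-Za-z][\w.:$-]*)\s+([A-Za-z]+)\s+"((?:[^"\\]|\\.)*)"\s*\Z')


class InvalidFilter(ValueError):
    def to_scim_error(self):
        """RFC 7644 error body for an HTTP 400 response."""
        return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                "status": "400", "scimType": "invalidFilter", "detail": str(self)}


def parse_filter(expr, max_len=256):
    """Return (canonical_attribute, value) or raise InvalidFilter."""
    if len(expr) > max_len:
        raise InvalidFilter("filter too long")
    m = _FILTER.match(expr)
    if m is None:  # also rejects and/or/not, grouping and trailing text
        raise InvalidFilter('expected: <attribute> eq "<value>"')
    attr, op, raw = m.groups()
    if op.lower() != "eq":  # SCIM operators are case-insensitive
        raise InvalidFilter(f"operator {op!r} is not supported")
    if attr.lower() not in ALLOWED:
        raise InvalidFilter(f"attribute {attr!r} is not filterable")
    try:
        value = json.loads(f'"{raw}"')  # decode \" and \uXXXX escapes
    except ValueError:
        raise InvalidFilter("malformed string value") from None
    return ALLOWED[attr.lower()][0], value


def to_query(tenant_id, expr):
    """Tenant-scoped lookup: only allowlisted column names reach the SQL text."""
    attr, value = parse_filter(expr)
    column = ALLOWED[attr.lower()][1]
    sql = f"SELECT id FROM scim_users WHERE tenant_id = ? AND {column} = ?"
    return sql, (tenant_id, value)
```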

Worker automation

Provisioning runs on leased background workers. Your identity provider pushes SCIM changes to the control plane, which dispatches work to a worker pool that applies changes to target apps.

IdP (SCIM push) → Control plane (queue + lease) → Worker pool (leased workers) → Target apps (provisioned)

Work is leased with a configurable lease TTL; stale leases are detected and recovered (exported as the scim_job_stale_lease_total signal). Worker concurrency is configured per deployment. We do not publish fixed latency or failover SLAs.
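
An added example (not LabsNinja's code) of the lease behaviour described above: jobs are leased for a TTL, expired leases are returned to the queue and counted, and a fencing token stops a worker whose lease went stale from completing a job that has since been re-leased. The class, the fencing token and the in-memory queue are assumptions; only the `scim_job_stale_lease_total` name comes from the page.

```python
import itertools


class LeaseQueue:
    def __init__(self, lease_ttl, clock):
        self.lease_ttl = lease_ttl
        self.clock = clock            # injected so behaviour is deterministic
        self.pending = []             # job ids waiting for a worker
        self.leases = {}              # job_id -> (worker_id, token, expires_at)
        self.stale_lease_total = 0    # mirrors scim_job_stale_lease_total
        self._fence = itertools.count(1)

    def enqueue(self, job_id):
        self.pending.append(job_id)

    def recover_stale(self):
        """Requeue every job whose lease has expired and count each one."""
        now = self.clock()
        stale = [j for j, (_, _, exp) in self.leases.items() if exp <= now]
        for job_id in stale:
            del self.leases[job_id]
            self.pending.append(job_id)
            self.stale_lease_total += 1
        return stale

    def lease(self, worker_id):
        """Hand the next job to a worker, or return None if nothing is waiting."""
        self.recover_stale()
        if not self.pending:
            return None
        job_id = self.pending.pop(0)
        token = next(self._fence)     # strictly increasing per lease
        self.leases[job_id] = (worker_id, token, self.clock() + self.lease_ttl)
        return job_id, token

    def complete(self, job_id, token):
        """Accept a result only from the holder of the current, unexpired lease."""
        held = self.leases.get(job_id)
        if held is None or held[1] != token or held[2] <= self.clock():
            return False
        del self.leases[job_id]
        return True
```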

Observability

Exported metrics for internal Prometheus scrape. These are operational signals, not public live values. Operator alerting is configured against them per our operator runbook.

| Metric | Meaning |
| --- | --- |
| scim_admin_failure_total | Admin / control-plane operation failures, by endpoint and error type. |
| scim_auth_failure_total | SCIM bearer-token authentication failures, per tenant. |
| scim_job_stale_lease_total | Stale worker-lease detections — spikes indicate crashed workers or network issues. |

SCIM 2.0 endpoints

The implemented SCIM 2.0 surface. Point any SCIM 2.0-capable IdP (Okta, Microsoft Entra ID, Google, OneLogin, Ping, or custom) at the base URL with a tenant bearer token. The capability matrix above is the source of truth for the supported filter and PATCH subset.

| Methods | Endpoint |
| --- | --- |
| GET POST | /scim/v2/Users |
| GET PUT PATCH DELETE | /scim/v2/Users/{id} |
| GET POST | /scim/v2/Groups |
| GET PUT PATCH DELETE | /scim/v2/Groups/{id} |
| GET | /scim/v2/ServiceProviderConfig |
| GET | /scim/v2/Schemas |
| GET | /scim/v2/ResourceTypes |

curl -H "Authorization: Bearer <tenant-token>" \
  -H "Content-Type: application/scim+json" \
  https://scim.labsninja.com/scim/v2/Users