Configure SCIM Provisioning

Purpose

Guide administrators through configuring SCIM provisioning to automatically sync user accounts and groups from an Identity Provider into Cantara. If your Identity Provider supports SCIM, you can enable automatic provisioning so that user accounts and group memberships are managed in the IdP and synced into Cantara. SCIM is optional and does not affect user authentication.

Before you begin
  • You have access to the Cantara Administration Console.

  • You have permission to manage tenants and provisioning tokens.

  • You have access to your IdP administration console.

  • An IdP is configured for your tenant.

Procedure

Step 1: Generate a SCIM Provisioning Token in Cantara



To generate a SCIM provisioning token:

  1. In Cantara, navigate to Tenants.

    The Tenant Management screen displays a list of all existing Tenants.

  2. Select the tenant you want to edit.

  3. Scroll to the Provisioning Tokens section at the bottom of the Tenant Management screen.

  4. Click + Generate Provisioning Token.

  5. In the dialog box, select an expiry date.

    Note: By default, tokens expire after 30 days. This can be adjusted using the date selector. Tokens function like passwords and expire after a configurable period. Once expired or deleted, a new token must be generated.

  6. Click Generate.

  7. Copy the token.

    Note: Store the newly generated token securely right away; it cannot be retrieved later.


Step 2: SCIM Setup Information in Your Identity Provider

  1. Configure SCIM provisioning using the following details:

Tenant URL:

https://cip7.cantara.cloud/scim/v2/<TenantID>

Authentication Method:

  • Bearer Token (use the token generated above)

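| Attribute                            | Required |
|--------------------------------------|----------|
| userName                             | Yes      |
| active                               | Yes      |
| displayName                          | Yes      |
| emails[type eq "work"].value         | Yes      |
| name.givenName                       | Yes      |
| name.familyName                      | Yes      |
| name.formatted                       | Yes      |
| phoneNumbers[type eq "mobile"].value | Yes      |
| externalID                           | Optional |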

Note: Some IdPs provide extra attributes by default. Remove any unnecessary fields to keep provisioning focused and efficient.

  2. Enable provisioning in your IdP.

    User accounts and group memberships will be automatically provisioned into Cantara from the Identity Provider.
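
A pre-flight check for the attribute mapping in Step 2, as an added example (not Cantara's or any IdP's own code): it resolves each required path from the table, including the [type eq "..."] filters, against a SCIM user payload exported from the IdP and lists the paths that have no value. The sample user is constructed, and the function names are hypothetical.

```python
import re

# Required attribute paths, copied from the mapping table on this page.
REQUIRED = [
    "userName", "active", "displayName",
    'emails[type eq "work"].value',
    "name.givenName", "name.familyName", "name.formatted",
    'phoneNumbers[type eq "mobile"].value',
]

# One path segment: attrName, optionally followed by [subAttr eq "value"].
_SEGMENT = re.compile(r'^(\w+)(?:\[(\w+) eq "([^"]*)"\])?$')

def _get(obj, name):
    # SCIM attribute names are case-insensitive (RFC 7643, section 2.1).
    return next((v for k, v in obj.items() if k.lower() == name.lower()), None)

def resolve(resource, path):
    """Return the value at a SCIM path, or None if it is absent or empty."""
    node = resource
    for segment in path.split("."):
        match = _SEGMENT.match(segment)
        if match is None or not isinstance(node, dict):
            return None
        attr, key, wanted = match.groups()
        node = _get(node, attr)
        if key is not None:
            # Multi-valued attribute: take the first entry matching the filter.
            entries = node if isinstance(node, list) else []
            node = next((e for e in entries
                         if isinstance(e, dict) and _get(e, key) == wanted), None)
    return None if node is None or node == "" else node

def missing_required(resource):
    """List required paths with no value; active=False counts as present."""
    return [p for p in REQUIRED if resolve(resource, p) is None]

# Constructed sample payload (not real data): has a work phone but no mobile.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jdoe@example.com", "active": False,
    "displayName": "Jane Doe",
    "name": {"givenName": "Jane", "familyName": "Doe", "formatted": "Jane Doe"},
    "emails": [{"type": "work", "value": "jdoe@example.com", "primary": True}],
    "phoneNumbers": [{"type": "work", "value": "+1 555 0100"}],
}

if __name__ == "__main__":
    print(missing_required(SAMPLE_USER))
```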

What to Expect

Once SCIM provisioning is enabled, accounts provisioned from the IdP will appear in Cantara with the following behaviour:

  • Account Source — Displays as SCIM (rather than Local).

  • Account fields — Read-only in Cantara. Changes must be made in the IdP.

  • User updates — Changes made in the IdP (e.g., name, email, phone) are automatically synced to Cantara.

  • Deactivation — When a user is deactivated or removed in the IdP, the account is automatically deactivated in Cantara.

  • Groups — Group memberships configured in the IdP are synced and reflected in Cantara Security Groups.


What’s next

With user access and provisioning set up, the next step is to understand how to assign Security Topics. See Setting Up User Permissions.