Set Up SCIM Provisioning

Purpose

Set up SCIM provisioning to automatically sync users and groups from your identity provider (IdP) to Cantara. This end-to-end procedure covers generating a provisioning token in Cantara and configuring SCIM in your IdP.

Note: Use this procedure when you are setting up SCIM provisioning for the first time. If you have already configured SCIM provisioning and need to replace an expired token, see Generate a Provisioning Token.

Before you begin

  • You have access to the Cantara Administration Console.

  • You have permission to manage tenants and provisioning tokens.

  • You have access to your IdP administration console.

  • An IdP is configured for your tenant.

Procedure

Step 1: Generate a SCIM provisioning token in Cantara

Generate a provisioning token for the tenant you want to connect to your IdP. You need this token to authenticate SCIM requests from your IdP to Cantara.

To generate a SCIM provisioning token:

  1. In Cantara, navigate to Tenants.

     The Tenant Management screen displays a list of all existing Tenants.

  2. Select the tenant you want to edit.

  3. Scroll to the Provisioning Tokens section at the bottom of the Tenant Management screen.

  4. Click + Generate Provisioning Token.

  5. In the dialog box, select an expiry date.

     Note: By default, tokens expire after 30 days. This can be adjusted using the date selector. Tokens function like passwords and expire after a configurable period. Once a token has expired or been deleted, a new token must be generated.

  6. Click Generate.

  7. Copy the token.

Note: Securely store the newly generated token immediately; it cannot be retrieved later.

Step 2: Configure SCIM in your identity provider

  1. Configure SCIM provisioning using the following details:

Tenant URL:

https://cip7.cantara.cloud/scim/v2/<TenantID>

Authentication method:

  • Bearer Token (use the token generated above)

Recommended user attributes:

Attribute                               Required
userName                                Yes
active                                  Yes
displayName                             Yes
emails[type eq "work"].value            Yes
name.givenName                          Yes
name.familyName                         Yes
name.formatted                          Yes
phoneNumbers[type eq "mobile"].value    Yes
externalID                              Optional

Note: Some IdPs provide extra attributes by default. Remove any unnecessary fields to keep provisioning focused and efficient.

  2. Enable provisioning in your IdP.

    User accounts and group memberships will be automatically provisioned into Cantara from the Identity Provider.
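
Before enabling provisioning, the attribute mapping can be checked against a sample user from your IdP. The following Python is an added example, not Cantara's or any IdP's own code: it resolves the attribute paths from the table above, including the filtered `emails` and `phoneNumbers` paths, and reports required values that are missing. The function names and the sample user are assumptions made for illustration.

```python
import re

# Required attribute paths from the table above (externalID is optional there).
REQUIRED_PATHS = [
    "userName", "active", "displayName",
    'emails[type eq "work"].value',
    "name.givenName", "name.familyName", "name.formatted",
    'phoneNumbers[type eq "mobile"].value',
]

# Matches the filtered paths used in the table: attr[key eq "value"].sub
_FILTER = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')

# Constructed sample user (not real data): has a home number but no mobile.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jdoe@example.com",
    "active": True,
    "displayName": "Jane Doe",
    "name": {"givenName": "Jane", "familyName": "Doe", "formatted": "Jane Doe"},
    "emails": [{"type": "work", "value": "jdoe@example.com", "primary": True}],
    "phoneNumbers": [{"type": "home", "value": "+1 555 0100"}],
}

def resolve(user, path):
    """Return the value at a SCIM attribute path, or None if it is absent."""
    m = _FILTER.match(path)
    if m:
        attr, key, wanted, sub = m.groups()
        for item in user.get(attr) or []:
            # "type" is not case-exact in SCIM, so compare case-insensitively.
            if isinstance(item, dict) and str(item.get(key, "")).lower() == wanted.lower():
                return item.get(sub)
        return None
    node = user
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def missing_required(user):
    """List required paths that are absent or empty in a SCIM User resource."""
    # active=False is a valid value, so only None and "" count as missing.
    return [p for p in REQUIRED_PATHS if resolve(user, p) in (None, "")]

if __name__ == "__main__":
    print(missing_required(SAMPLE_USER))
```

A user whose only phone number is typed `home` fails the `phoneNumbers[type eq "mobile"].value` mapping even though a phone number is present, which is the kind of gap worth finding before the first sync.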

What to expect

Once SCIM provisioning is enabled, accounts provisioned from the IdP will appear in Cantara with the following behaviour:

  • Account Source — Displays as SCIM (rather than Local).

  • Account fields — Read-only in Cantara. Changes must be made in the IdP.

  • User updates — Changes made in the IdP (e.g., name, email, phone) are automatically synced to Cantara.

  • Deactivation — When a user is deactivated or removed in the IdP, the account is automatically deactivated in Cantara.