
How to manage users with SCIM

System for Cross-domain Identity Management (SCIM) is a standard protocol for exchanging user identity and authorization data between an Identity Provider (IdP) and a Service Provider.

Combined with SAML, it allows IAM managers to fully manage user authentication, lifecycle, and personal data through their Identity Provider:

  • SAML is used for members to log in by authenticating on their Identity Provider with the IdP-defined authentication policies
  • SCIM is used to automatically create, update, lock, unlock, and delete Scaleway users based on actions performed on the user directory of the Identity Provider
Important

This feature is in the Early Access phase and is only available to some Organizations.

Important

Only SCIM user-related actions are currently supported by Scaleway. Group auto-provisioning is planned for availability in the coming months.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization

How to enable SCIM

  1. Click the Settings button in the upper-right corner of the Organization Dashboard. The Organization Settings page displays. Alternatively, click the avatar icon in the upper-right corner of the header navigation, then select Settings on the drop-down menu.
  2. Click Automatic user provisioning (SCIM), under Organization security, on the left navigation menu. The SCIM section displays.
  3. Click the Enable button. A pop-up displays, informing you that a token must be created to enable SCIM.
  4. Click the Enable SCIM and create token button. SCIM is now enabled for the Organization, and two fields are displayed and must be copied:
  • A SCIM token, which is used by the Identity Provider to authenticate to Scaleway and perform the necessary actions. This token is sensitive and should not be shared with anyone.
  • A base URL, which is used by the Identity Provider to locate the Scaleway account to connect to.
Important

Both the SCIM token and the base URL are important pieces of information that are only displayed once. Copy and safely store them before closing the pop-up. You will need them to set up SCIM with your Identity Provider.

  5. Click Close. The configuration is complete on the Scaleway side, but you now need to carry out the SCIM setup on your Identity Provider.
Note

To check that SCIM is configured correctly, you can perform actions such as changing a name or creating a user directly on your Identity Provider. You should then see:

Important

By default, SCIM manages users only if their usernames match between the Identity Provider and Scaleway. The federation compares users from both sources, and users not found in the Identity Provider are not impacted by SCIM configuration. If you wish to manage not-found users via SCIM, you must re-create them on the Identity Provider or change settings on the Identity Provider side.

Depending on the provider, changes might take from a few seconds to up to 30 minutes to be synchronized. This delay cannot be modified by Scaleway.
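
The username matching rule above can be audited before enabling SCIM. The following is an added example, not Scaleway code: given a username export from each side, it lists which Scaleway users SCIM would manage and which would stay outside Identity Provider lifecycle control. The `reconcile` function, the exports, and the exact-string comparison are assumptions, and the sample usernames are constructed.

```python
# Added example: audit which Scaleway users SCIM will not manage.
# In practice, export both lists from the Identity Provider directory
# and from the Scaleway Organization; the data below is constructed.

def reconcile(idp_usernames, scaleway_usernames):
    """Classify Scaleway users by whether the IdP has a matching username.

    Assumption: matching is an exact string comparison. Usernames that
    differ only by case or surrounding whitespace are reported separately
    as near matches, since they likely belong to the same person.
    """
    idp_exact = set(idp_usernames)
    # Map normalized form -> IdP spellings, to spot near matches.
    idp_normalized = {}
    for name in idp_usernames:
        idp_normalized.setdefault(name.strip().casefold(), []).append(name)

    report = {"managed": [], "near_match": [], "unmanaged": []}
    for name in sorted(set(scaleway_usernames)):
        key = name.strip().casefold()
        if name in idp_exact:
            report["managed"].append(name)
        elif key in idp_normalized:
            # Same person in all likelihood, but not an exact match.
            report["near_match"].append((name, sorted(idp_normalized[key])))
        else:
            # Not in the IdP: SCIM will never lock or delete this account.
            report["unmanaged"].append(name)
    # IdP users without an exactly matching Scaleway username.
    report["idp_only"] = sorted(idp_exact - set(scaleway_usernames))
    return report


# Constructed sample data.
IDP_USERS = ["alice@example.com", "bob@example.com", "carol@example.com"]
SCALEWAY_USERS = ["alice@example.com", "Bob@example.com",
                  "dave@example.com", "ops-breakglass@example.com"]

if __name__ == "__main__":
    for category, entries in reconcile(IDP_USERS, SCALEWAY_USERS).items():
        print(f"{category}: {entries}")
```

Accounts reported as `unmanaged` or `near_match` are the ones to review: they keep working after the corresponding person is removed from the Identity Provider unless they are re-created there or handled manually.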

How to rotate a SCIM token

You can have up to two active SCIM tokens at a time. To create a second token:

  1. Click the Settings button in the upper-right corner of the Organization Dashboard. The Organization Settings page displays.
  2. Click Automatic user provisioning (SCIM), under Organization security, on the left navigation menu. The SCIM section displays.
  3. Click Generate token. A pop-up displays.
  4. Follow the same steps as when first enabling SCIM.
Important

Make sure to replace the previous SCIM token with the new one on your Identity Provider.

  5. Check that the SCIM configuration is still working.

    Optionally, you can delete the previous token if it is no longer necessary.

Note

SCIM tokens have a time-to-live of 1 year. When a token expires, it can no longer be used to provision users, and a new token must be created to keep SCIM synchronization working.

How to disable SCIM

  1. Click the Settings button in the upper-right corner of the Organization Dashboard. The Organization Settings page displays.
  2. Click Automatic user provisioning (SCIM), under Organization security, on the left navigation menu. The SCIM section displays.
  3. Click the Disable button.
  4. Type Disable to confirm.
    Important

    If SCIM is disabled on Scaleway, your Identity Provider will no longer be able to perform any actions on users, even if the configuration is correct on the Identity Provider side.
