A comprehensive guide to the System for Cross-domain Identity Management โ from core concepts to enterprise deployment with Delinea Secret Server.
SCIM (System for Cross-domain Identity Management) is an open standard protocol that automates the exchange of user identity information between identity providers and cloud applications, eliminating manual provisioning.
Defined by RFCs 7642, 7643, and 7644. SCIM 2.0 is the current industry standard adopted by major cloud platforms worldwide.
Operates over HTTPS using standard REST methods (GET, POST, PUT, PATCH, DELETE) with JSON payloads for all operations.
The Identity Provider acts as the SCIM Client, pushing changes to the SCIM Server (service provider like Secret Server).
Secured via OAuth 2.0 Bearer tokens. All communications encrypted via TLS/HTTPS with defined authorization scopes.
| Term | Definition | In Context |
|---|---|---|
| SCIM Client | The initiating party that sends provisioning requests | Okta, Azure AD, Ping Identity |
| SCIM Server | The receiving application that processes provisioning requests | Delinea Secret Server |
| Resource | An entity managed by SCIM โ typically a User or Group | User accounts, AD groups, roles |
| Schema | Defines the attributes and structure for a resource type | Core User schema, Enterprise User extension |
| Provisioning | Creating/updating/deactivating accounts in a target system | Onboarding employees into Secret Server |
| Deprovisioning | Disabling or removing accounts when users leave | Revoking PAM access on termination |
| Bearer Token | Authentication credential passed in HTTP Authorization header | Token generated in Secret Server for IdP |
SCIM operates as a real-time synchronization bridge between your Identity Provider and downstream applications. When a change occurs in the IdP, SCIM instantly propagates that change.
SCIM defines two primary resource types that map to users and groups in Delinea Secret Server.
Represents individual user accounts. Contains attributes like userName, emails, displayName, active status, and enterprise extensions for department, manager, and employee number.
Represents groups or teams that map to Secret Server roles. Contains displayName and a members array linking to user IDs. Used for bulk role assignment.
Describes the SCIM capabilities supported by Secret Server โ including supported operations, authentication schemes, and pagination settings. Used by IdPs to auto-configure.
Returns the complete schema definitions for all resource types. Tells the IdP exactly which attributes are supported, required, or read-only in the target system.
Delinea Secret Server exposes a SCIM 2.0-compatible REST API at /api/v1/scim. When integrated with an IdP, Secret Server acts as the SCIM Server (Service Provider). User accounts provisioned via SCIM become local Secret Server users assigned to configurable roles. Group memberships from the IdP map directly to Secret Server groups, enabling automated role-based access control for privileged accounts.
SCIM leverages standard HTTP methods to perform create, read, update, and delete operations on identity resources. Each method serves a specific provisioning purpose.
// HTTP Request POST https://secretserver.example.com/api/v1/scim/Users Authorization: Bearer <scim_token> Content-Type: application/scim+json { "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" ], "userName": "jane.doe@example.com", "name": { "givenName": "Jane", "familyName": "Doe" }, "emails": [{ "value": "jane.doe@example.com", "primary": true }], "active": true, "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { "department": "Engineering", "manager": { "value": "john.smith" } } } // Response: 201 Created { "id": "8a3f2b1c-4d5e-6f7a-8b9c-0d1e2f3a4b5c", "userName": "jane.doe@example.com", "active": true, "meta": { "resourceType": "User", "created": "2025-03-01T10:00:00Z" } }
// Retrieve a specific user by ID GET /api/v1/scim/Users/8a3f2b1c-4d5e-6f7a-8b9c-0d1e2f3a4b5c Authorization: Bearer <scim_token> // Filter users by email (used by IdP to check if user exists) GET /api/v1/scim/Users?filter=userName+eq+"jane.doe@example.com" // List users with pagination GET /api/v1/scim/Users?startIndex=1&count=50 // Response: 200 OK (ListResponse) { "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], "totalResults": 142, "startIndex": 1, "itemsPerPage": 50, "Resources": [ /* user objects */ ] }
// PUT replaces the ENTIRE resource โ include all attributes PUT /api/v1/scim/Users/8a3f2b1c-4d5e-6f7a-8b9c-0d1e2f3a4b5c Authorization: Bearer <scim_token> Content-Type: application/scim+json { "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "id": "8a3f2b1c-4d5e-6f7a-8b9c-0d1e2f3a4b5c", "userName": "jane.doe@example.com", "displayName": "Jane Doe (Senior)", "active": true, "emails": [{ "value": "jane.doe@example.com", "primary": true }] } // โ ๏ธ Omitting any attribute may clear it. Use PATCH for partial updates.
// Most common SCIM operation โ set active: false to deprovision PATCH /api/v1/scim/Users/8a3f2b1c-4d5e-6f7a-8b9c-0d1e2f3a4b5c Authorization: Bearer <scim_token> Content-Type: application/scim+json { "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations": [ { "op": "Replace", "path": "active", "value": false // Disables user in Secret Server }, { "op": "Replace", "path": "displayName", "value": "Jane Doe (Deprovisioned)" } ] } // Response: 200 OK with updated user object
// Permanently delete โ most implementations prefer PATCH active:false DELETE /api/v1/scim/Users/8a3f2b1c-4d5e-6f7a-8b9c-0d1e2f3a4b5c Authorization: Bearer <scim_token> // Response: 204 No Content (success, no body) // โ ๏ธ Best Practice: Use PATCH to set active=false instead of DELETE. // This preserves audit trails and session history in Secret Server. // DELETE is permanent and may violate compliance requirements.
Follow these steps to configure SCIM between your Identity Provider and Delinea Secret Server. Click each step to expand detailed instructions.
Before configuring your IdP, you must enable SCIM within Secret Server and generate a bearer token for authentication.
https://[your-server]/api/v1/scimIn your Identity Provider, create a new SCIM-enabled application or use the generic SCIM connector template.
Attribute mapping ensures user data from your IdP correctly populates fields in Secret Server.
userName โ Secret Server username (typically email)name.givenName + name.familyName โ display nameemails[primary eq true].value โ email addressactive โ account enabled/disabled statusdepartment for departmental filteringGroup synchronization allows IdP groups to automatically assign Secret Server roles and folder permissions.
Select which lifecycle events the IdP should automatically push to Secret Server.
active=false on termination (triggers immediately)Testing ensures your SCIM integration works correctly under all lifecycle scenarios.
The full base URL format is: https://[server-address]/SecretServer/api/v1/scim (on-prem) or https://[tenant].secretservercloud.com/api/v1/scim (cloud). The ServiceProviderConfig discovery endpoint at /api/v1/scim/ServiceProviderConfig returns supported capabilities and can be used to auto-configure compliant IdPs.
SCIM delivers transformative improvements to how organizations manage identity lifecycles โ especially in privileged access environments like Delinea Secret Server.
User accounts are created in Secret Server automatically when added to the IdP โ no manual tickets, no waiting. New hires have PAM access within minutes of onboarding.
When an employee is terminated or changes roles, SCIM immediately disables their Secret Server account. This closes a critical security gap โ eliminating orphaned privileged accounts.
The Identity Provider becomes the authoritative system. No duplicate user management across PAM, AD, and other tools. One change in the IdP propagates everywhere.
Automated provisioning creates consistent, auditable trails. Every user change is logged with timestamps and source. Supports SOC 2, ISO 27001, and PCI-DSS access controls.
Eliminates manual IT helpdesk work for user provisioning. Studies show SCIM reduces identity administration time by 60โ80% for enterprises with 1,000+ users.
Group memberships automatically assign the correct Secret Server roles and folder permissions. Eliminates permission drift and ensures least-privilege principles are maintained.
Handles provisioning for thousands of users without performance degradation. Supports bulk operations and pagination for large enterprise directories.
SCIM 2.0 is supported by Okta, Azure AD, OneLogin, Ping Identity, and more. No vendor lock-in โ switch IdPs without reconfiguring Secret Server.
SCIM with Delinea Secret Server addresses critical identity lifecycle scenarios across the enterprise, from onboarding to offboarding and everything in between.
When HR creates a new hire in Workday or the IdP, SCIM automatically provisions a Secret Server account with the correct role based on their job title group. Day-one PAM access without a single IT ticket.
When an employee is terminated, the IdP disables their account and SCIM sets active: false in Secret Server within seconds. No manual process โ no lingering privileged access.
When a developer moves to a DevOps role, their IdP group changes. SCIM updates group membership in Secret Server, automatically granting infrastructure access while removing developer-only permissions.
During company mergers, thousands of acquired employees need PAM access. SCIM can bulk-provision entire acquired directories into Secret Server by integrating the acquired company's IdP within hours.
External contractors are provisioned in the IdP with a defined end date. When their contract expires, the IdP automatically deactivates them and SCIM removes their Secret Server access โ no manual tracking required.
Organizations with multiple Secret Server instances (on-prem + cloud tenants) use SCIM to synchronize users from a central IdP across all environments, maintaining consistent access controls enterprise-wide.
SCIM ensures all access changes are automatically logged with source attribution. Auditors receive clean, machine-generated evidence of provisioning events for access reviews and certifications.
SCIM's GET operations allow periodic sweeps to identify accounts in Secret Server that no longer exist in the IdP โ enabling automated cleanup of stale accounts discovered during access certification cycles.
In Privileged Access Management, speed of deprovisioning is critical. A disgruntled employee with active PAM access represents a high-severity risk. SCIM eliminates the gap between HR termination and PAM access revocation โ reducing the window of unauthorized privileged access from hours (manual) to seconds (automated). This is often cited as the single highest-ROI justification for SCIM in PAM environments.
Answer these questions to validate your understanding of SCIM and its integration with Delinea Secret Server.