SCIM Provisioning
AuthFI supports both inbound SCIM (IdPs push users to AuthFI) and outbound SCIM (AuthFI pushes users to downstream systems).
Inbound SCIM
Your identity provider (Okta, Azure AD, etc.) pushes user create/update/delete to AuthFI.
Base URL
https://api.authfi.app/scim/v2/{tenant}/
Authentication
Bearer token — create a SCIM token in the console or via API.
Supported Operations
| Method | Endpoint | Description |
|---|---|---|
| GET | /Users | List users (paginated, filtered) |
| POST | /Users | Create user |
| GET | /Users/{id} | Get user |
| PUT | /Users/{id} | Replace user |
| PATCH | /Users/{id} | Update user (RFC 7644) |
| DELETE | /Users/{id} | Deactivate user |
User Schema
{
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName": "alice@acme.com",
"name": { "givenName": "Alice", "familyName": "Chen" },
"emails": [{ "value": "alice@acme.com", "primary": true }],
"active": true,
"externalId": "okta-user-id-123"
}
The externalId links the IdP user to the AuthFI user for future updates.
Outbound SCIM
AuthFI pushes user changes to downstream systems (Epic, Salesforce, custom apps).
Configure a Target
POST /manage/v1/acme/scim-targets
{
"name": "Salesforce",
"endpoint_url": "https://salesforce.com/scim/v2",
"auth_type": "bearer",
"auth_token": "sf-token-...",
"sync_users": true,
"sync_groups": true
}
Event-Driven Sync
When a user is created, updated, deleted, or blocked in AuthFI:
- Event triggers sync to all active SCIM targets
- AuthFI calls the target’s SCIM endpoint (POST/PUT/PATCH/DELETE)
- Success/failure is logged in scim_sync_log
- Failed pushes are retried with exponential backoff
Sync Log
GET /manage/v1/acme/scim-targets/{targetId}/logs
{
"data": [
{ "action": "create_user", "user_id": "...", "status": "success", "timestamp": "..." },
{ "action": "update_user", "user_id": "...", "status": "failed", "error": "timeout", "retry_count": 2 }
]
}
Test Connection
POST /manage/v1/acme/scim-targets/{targetId}/test
Verifies the endpoint is reachable and credentials are valid.
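A check to run over the Sync Log response shown earlier, as an added example that is not AuthFI's own code: it reports users whose most recent delete or block push to a target has not succeeded, which means the downstream account may still be usable. The action names `delete_user` and `block_user`, the ISO 8601 timestamps and the sample entries are assumptions; the page itself only shows `create_user` and `update_user`.

```python
import json

# Constructed sample in the shape of the Sync Log response.
# "delete_user"/"block_user" and the timestamp format are assumptions.
SAMPLE_LOG = json.loads("""
{"data": [
 {"action": "create_user", "user_id": "u-1", "status": "success", "timestamp": "2024-05-01T10:00:00Z"},
 {"action": "delete_user", "user_id": "u-2", "status": "failed", "error": "timeout", "retry_count": 1, "timestamp": "2024-05-01T10:05:00Z"},
 {"action": "delete_user", "user_id": "u-2", "status": "failed", "error": "timeout", "retry_count": 2, "timestamp": "2024-05-01T10:09:00Z"},
 {"action": "block_user", "user_id": "u-3", "status": "failed", "error": "401", "retry_count": 0, "timestamp": "2024-05-01T10:10:00Z"},
 {"action": "block_user", "user_id": "u-3", "status": "success", "timestamp": "2024-05-01T10:11:00Z"},
 {"action": "update_user", "user_id": "u-4", "status": "failed", "error": "timeout", "retry_count": 2, "timestamp": "2024-05-01T10:12:00Z"}
]}
""")

DEPROVISION_ACTIONS = {"delete_user", "block_user"}  # assumed action names


def pending_deprovisions(log, actions=DEPROVISION_ACTIONS):
    """Return {user_id: details} for users whose latest removal push did not succeed."""
    latest = {}
    # ISO 8601 UTC strings sort chronologically; sorted() is stable for ties.
    entries = sorted(log.get("data", []), key=lambda e: e.get("timestamp", ""))
    for entry in entries:
        if entry.get("action") in actions and "user_id" in entry:
            latest[entry["user_id"]] = entry  # a later retry overwrites an earlier one
    return {
        uid: {
            "action": e["action"],
            "error": e.get("error"),
            "retry_count": e.get("retry_count", 0),
        }
        for uid, e in latest.items()
        if e.get("status") != "success"
    }


if __name__ == "__main__":
    for uid, info in pending_deprovisions(SAMPLE_LOG).items():
        print(f"{uid}: {info['action']} not applied downstream "
              f"(error={info['error']}, retries={info['retry_count']})")
```

Run it per target against the `/logs` response; a user that stays in the result across retries needs manual removal in the downstream system.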
Plan Availability
| Feature | Build | Ship | Scale | Enterprise |
|---|---|---|---|---|
| SCIM inbound | — | Add-on | Yes | Yes |
| SCIM outbound | — | — | Yes | Yes |