Inbound SCIM for Okta Customer Identity Cloud is now Generally Available

We’re excited to announce that Inbound SCIM for Okta Customer Identity Cloud, is now Generally Available. This release marks the culmination of years of research and insights into how to build a vendor-neutral inbound System for Cross-domain Identity Management (SCIM) solution that enables B2B SaaS customers to solve real-world user provisioning and de-provisioning problems.

What is SCIM?

SCIM is a protocol and schema used to provision, de-provision, and manage SaaS user accounts in a standardized way. SaaS application providers face increasing pressure to implement standards like SCIM because of the increasing amount of user data modern enterprise organizations store in SaaS.

If you’re a SaaS developer selling to large enterprises, your customers may have already asked you to implement SCIM endpoints that can integrate with the Workforce Identity providers and SaaS user management tooling they use. To address this need, Okta Customer Identity Cloud provides an inbound SCIM service that eliminates the need for your business to build and self-host SCIM endpoints. 

SCIM is secure and enterprise-ready

SCIM provides numerous benefits to SaaS developers and their customers.

• Automate and enable secure end-user access: SCIM helps automate user account provisioning and de-provisioning across multiple systems and applications, allowing for consistent and up-to-date data.
• Improve security posture: According to the FBI, non-de-provisioned account access is one of the leading causes of data breaches and insider threat attacks. Automate user provisioning using SCIM to support timely access revocation and reduce reliance on manual de-provisioning processes.
• Become enterprise-ready: Unlock larger deployments that require automated user lifecycle management and improve compliance with flexible deployment options.

Inbound SCIM for Okta Customer Identity Cloud

We tailored the initial release of Customer Identity Cloud inbound SCIM for B2B SaaS application developers who need to integrate with enterprise Identity providers that use SCIM 2.0 to manage user accounts in SaaS applications. 

This includes integrations with Okta Workforce Identity Cloud, Microsoft Entra ID, and others. These enterprise Identity providers use SAML or OpenID Connect for user authentication, in addition to supporting SCIM for user management. Auth0 supports inbound SCIM for these connection types:

• SAML
• OpenID Connect
• Okta Workforce Identity Cloud (OpenID Connect)
• Microsoft Entra ID (OpenID Connect)

This release also includes features that allow B2B SaaS developers to offer SCIM-based user provisioning to their enterprise customers in a secure, flexible, and broadly compatible manner.

• Multi-tenant support: Each enterprise customer gets a dedicated SCIM endpoint and credential that allows them to provision, de-provision, and manage ONLY their user accounts stored inside the Auth0 tenant.
• Flexible attribute mapping: SaaS developers can configure attribute mapping between the SCIM user schema and the Auth0 user schema on a per-connection basis. This enables developers to add SCIM functionality to their existing enterprise connection deployments without resetting their Auth0 user data.
• Session revocation and logout: When Auth0 receives a SCIM message to deactivate a user, it terminates all their Auth0 sessions, revokes refresh tokens, and triggers OpenID Connect back-channel logout for your applications (if configured).
• Webhooks: Do you need to notify another system when a user is created or deactivated? All SCIM operations in Okta Customer Identity Cloud can be streamed to external systems using log streaming.

Since SCIM is a standard protocol for user management, you’re not limited to integrating with specific enterprise Identity providers. You’re free to use your own tooling and build custom solutions that read and write user data to Okta Customer Identity Cloud’s SCIM endpoints.

What customers are saying

“It was fairly straightforward. It all made sense from the get-go.” — J. Tonee, INX Software

“The integration in terms of setting it up was excellent. The ways the console immediately presents the credentials … it’s super intuitive to find the information.” — J. Fox, OnFrontiers

Inbound SCIM is part of SaaS Enterprise, B2B Professional, and B2B Essentials SKUs and is available globally for new and existing Customer Identity Cloud customers. What’s more, inbound SCIM is available free of charge to all customers using Okta Workforce Identity Cloud connections.

Get started in minutes

Developers can follow our configuration guide to see SCIM working in a matter of minutes. You can discover more by reading our inbound SCIM documentation here:

• Configure Inbound SCIM

Want to launch a B2B SaaS application quickly? Check out our newest SaaS reference application, SaaStart, to learn by example how Auth0 by Okta can help you onboard business customers and let them manage themselves. You can also gain hands-on experience on Inbound SCIM and other essential CIAM features.  Learn about CIAM within the frame of a modern B2B SaaS application. You can quickly deploy a sample Auth0 template directly within the SaaStart repo or from our new integration in the Vercel marketplace.