Identity Provisioning (SCIM)
Netgraph can provision administrator accounts and groups automatically from your identity provider using SCIM 2.0 (System for Cross-domain Identity Management), the open standard identity providers use to push identity data. Provisioning sits alongside manual invitation and SAML single sign-on: when someone is added to the relevant group in your IdP they become an administrator in Netgraph, and the IdP group becomes a Netgraph Team; when they are removed or deactivated in the IdP, their access is withdrawn.
At a glance
- Standard
- SCIM 2.0 (Users and Groups)
- Identity providers
- Okta, Microsoft Entra ID, and other SCIM 2.0 providers
- Provisions
- Administrator accounts and groups (groups become Teams)
- Scope
- Organization and MSP partner
- Authentication
- A bearer API key, issued once per scope
Your identity provider pushes users and groups over SCIM. Users become administrators; groups become Teams. Roles are never sent over SCIM: an administrator maps each Team to roles in Netgraph.
What SCIM provisions
Section titled “What SCIM provisions”SCIM provisions administrators and groups, not end users or devices (those authenticate through the individual services). Two things are synchronized:
- A SCIM user becomes an administrator account in the organization or MSP partner, with the default role configured for the integration.
- A SCIM group becomes a Netgraph Team. Membership of the group in the IdP determines the Team’s members.
SCIM synchronizes membership and naming only. It never assigns roles: an administrator maps each Team to roles once in Netgraph, and that mapping stays under your control regardless of what changes in the IdP. This keeps provisioning (who exists) separate from authorization (what they can do).
SCIM provisioning is available at Organization and MSP partner scope. Each scope has a single SCIM registration.
SCIM is configured under Provisioning in the Administration Portal:
- Enable SAML single sign-on first, so provisioned administrators can sign in. See Identity and Authentication.
- Copy the SCIM endpoint URL shown in Netgraph into your IdP’s SCIM configuration.
- Generate an API key and paste it into your IdP as the bearer token. The key is shown once. It can be regenerated, which immediately invalidates the previous key, or removed.
Lifecycle and deprovisioning
Section titled “Lifecycle and deprovisioning”Provisioning is continuous. When a user is deactivated or removed in the IdP, their administrator access is withdrawn and they are removed from every Team in that scope, so no team-derived access remains. When an IdP group is deleted, the corresponding Team is removed.
Related sections
Section titled “Related sections”- Teams: how provisioned groups grant access.
- Identity and Authentication: the SAML single sign-on that provisioned administrators sign in with.
- Roles and Administration Levels: the roles a Team can hold.