Skip to content
Platform

Identity Provisioning (SCIM)

Netgraph can provision administrator accounts and groups automatically from your identity provider using SCIM 2.0 (System for Cross-domain Identity Management), the open standard identity providers use to push identity data. Provisioning sits alongside manual invitation and SAML single sign-on: when someone is added to the relevant group in your IdP they become an administrator in Netgraph, and the IdP group becomes a Netgraph Team; when they are removed or deactivated in the IdP, their access is withdrawn.

At a glance

Standard
SCIM 2.0 (Users and Groups)
Identity providers
Okta, Microsoft Entra ID, and other SCIM 2.0 providers
Provisions
Administrator accounts and groups (groups become Teams)
Scope
Organization and MSP partner
Authentication
A bearer API key, issued once per scope
Okta
Microsoft Entra ID
Other SCIM 2.0 provider
Netgraph Administrators · Teams

Your identity provider pushes users and groups over SCIM. Users become administrators; groups become Teams. Roles are never sent over SCIM: an administrator maps each Team to roles in Netgraph.

SCIM provisions administrators and groups, not end users or devices (those authenticate through the individual services). Two things are synchronized:

  • A SCIM user becomes an administrator account in the organization or MSP partner, with the default role configured for the integration.
  • A SCIM group becomes a Netgraph Team. Membership of the group in the IdP determines the Team’s members.

SCIM synchronizes membership and naming only. It never assigns roles: an administrator maps each Team to roles once in Netgraph, and that mapping stays under your control regardless of what changes in the IdP. This keeps provisioning (who exists) separate from authorization (what they can do).

SCIM provisioning is available at Organization and MSP partner scope. Each scope has a single SCIM registration.

SCIM is configured under Provisioning in the Administration Portal:

  1. Enable SAML single sign-on first, so provisioned administrators can sign in. See Identity and Authentication.
  2. Copy the SCIM endpoint URL shown in Netgraph into your IdP’s SCIM configuration.
  3. Generate an API key and paste it into your IdP as the bearer token. The key is shown once. It can be regenerated, which immediately invalidates the previous key, or removed.

Provisioning is continuous. When a user is deactivated or removed in the IdP, their administrator access is withdrawn and they are removed from every Team in that scope, so no team-derived access remains. When an IdP group is deleted, the corresponding Team is removed.

Next