
SCIM Provisioning

Mandaitor implements SCIM 2.0 (System for Cross-domain Identity Management) endpoints for automated user lifecycle management. When integrated with Okta or Microsoft Entra ID, user provisioning and deprovisioning are handled automatically.

Why SCIM?

When an employee leaves an organization, their delegations must be revoked immediately. SCIM ensures this happens automatically:

  • User provisioned → Created in Mandaitor with delegation authority from their groups
  • User deactivated → All active mandates frozen
  • User deprovisioned → All active mandates permanently revoked
  • Group membership changed → Delegation authority re-evaluated

Endpoints

Method   Endpoint               Description
GET      /scim/v2/Users         List provisioned users
POST     /scim/v2/Users         Create a new user
GET      /scim/v2/Users/{id}    Get user details
PUT      /scim/v2/Users/{id}    Replace user (full update)
PATCH    /scim/v2/Users/{id}    Partial update
DELETE   /scim/v2/Users/{id}    Delete user (revokes all mandates)

All endpoints require API key authentication: the key is sent as a Bearer token in the Authorization header (the setup sections below show the exact value format).

User Schema

Mandaitor supports the core SCIM User schema plus a custom extension:

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", "urn:mandaitor:scim:1.0:User"],
  "id": "scim_abc123",
  "userName": "jane.doe@company.com",
  "name": {
    "givenName": "Jane",
    "familyName": "Doe"
  },
  "emails": [{ "value": "jane.doe@company.com", "primary": true }],
  "active": true,
  "displayName": "Jane Doe",
  "urn:mandaitor:scim:1.0:User": {
    "identityProvider": "OKTA",
    "providerUid": "00u1234abcdef",
    "delegationAuthority": ["finance:approve", "construction:validate"]
  }
}

Automatic Mandate Revocation

When a user is deactivated (active: false) or deleted via SCIM:

  1. Mandaitor queries all active mandates where the user is the principal
  2. Each mandate is set to REVOKED status
  3. An audit event MANDATE_REVOKED is emitted for each with reason "User deprovisioned via SCIM"
  4. Webhook notifications are sent for each revocation

This ensures zero orphaned delegations when employees leave.
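The revocation flow above, as an added example that is not Mandaitor's own code: an in-memory model that applies an RFC 7644 PatchOp body to a user record and runs steps 1-4 whenever `active` becomes false (a DELETE handler would call the same `revoke_user_mandates`). The mandate fields, the store, and the audit and webhook payload shapes are assumptions; the event name and reason string come from the page.

```python
from dataclasses import dataclass, field

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
REVOKE_REASON = "User deprovisioned via SCIM"

@dataclass
class Mandate:
    id: str
    principal: str           # SCIM user id of the delegating user (assumed field name)
    status: str = "ACTIVE"

@dataclass
class Store:
    mandates: list = field(default_factory=list)
    audit: list = field(default_factory=list)      # emitted audit events (assumed shape)
    webhooks: list = field(default_factory=list)   # queued webhook notifications (assumed shape)

def revoke_user_mandates(store, user_id):
    """Steps 1-4 of the revocation flow: find every ACTIVE mandate whose principal
    is user_id, set it to REVOKED, audit it and queue a webhook. Idempotent."""
    revoked = []
    for m in store.mandates:
        if m.principal == user_id and m.status == "ACTIVE":            # step 1
            m.status = "REVOKED"                                        # step 2
            store.audit.append({"event": "MANDATE_REVOKED", "mandateId": m.id,
                                "principal": user_id, "reason": REVOKE_REASON})  # step 3
            store.webhooks.append({"type": "mandate.revoked", "mandateId": m.id})  # step 4
            revoked.append(m.id)
    return revoked

def apply_scim_patch(store, user, patch):
    """Apply a SCIM PatchOp body to the user dict. A replace that sets
    'active' to false triggers revocation; returns the revoked mandate ids."""
    if PATCH_OP not in patch.get("schemas", []):
        raise ValueError("body is not a SCIM PatchOp")
    revoked = []
    for op in patch.get("Operations", []):
        if op.get("op", "").lower() != "replace":
            continue
        # Both {"path": "active", "value": false} and {"value": {"active": false}} occur.
        changes = {op["path"]: op["value"]} if "path" in op else dict(op["value"])
        for attr, value in changes.items():
            if attr == "active" and isinstance(value, str):  # some IdPs send "True"/"False"
                value = value.lower() == "true"
            user[attr] = value
            if attr == "active" and not value:
                revoked += revoke_user_mandates(store, user["id"])
    return revoked
```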

Setup with Okta

  1. In Okta Admin Console: Applications > Mandaitor > Provisioning > Configure API Integration
  2. SCIM Base URL: https://api.mandaitor.io/v1/scim/v2
  3. Authentication Mode: HTTP Header
  4. Authorization: Bearer tnt_your_tenant:mk_live_your_key
  5. Enable: Create Users, Update User Attributes, Deactivate Users

Setup with Entra ID

  1. In Azure Portal: Enterprise Applications > Mandaitor > Provisioning
  2. Provisioning Mode: Automatic
  3. Tenant URL: https://api.mandaitor.io/v1/scim/v2
  4. Secret Token: tnt_your_tenant:mk_live_your_key
  5. Map attributes and start provisioning