SCIM provisioning

Sync user and group changes from your identity provider to TridentStack Control automatically. Disable a user in your IdP and they lose TridentStack Control access immediately, with no manual offboarding. Group memberships sync too, which keeps role assignments aligned with your IdP.

Before you begin

You will need:

  • SAML SSO configured first (see Single sign-on (SAML)). SCIM and SSO work together: SSO authenticates users, SCIM keeps the user list in sync.
  • A TridentStack Control admin account.
  • Permission in your IdP to configure SCIM provisioning.

Setup overview

  1. Generate a SCIM token in TridentStack Control (shown once, save it).
  2. Configure SCIM in your IdP using the SCIM base URL and the token.
  3. Map IdP attributes to TridentStack Control fields.
  4. Push your IdP groups (use the same group names you mapped in the SSO setup).
  5. Test by deactivating a test user in the IdP and confirming they appear inactive in Control.

Step 1: Generate a SCIM token

In TridentStack Control, go to Settings -> Authentication -> SCIM Provisioning. Click Generate token, give it a descriptive name (e.g. "Okta SCIM"), and click Generate.

The token is shown once. Copy it now and save it somewhere safe (your IdP's secret manager or a password manager). For security, TridentStack Control never displays the full token again. If you lose it, revoke the token and generate a new one.

The same panel shows the SCIM Base URL you will need: https://control.tridentstack.com/scim/v2.

Step 2: Configure SCIM in your IdP

Okta

  1. Open your TridentStack Control app in Okta admin.
  2. Provisioning -> Configure API Integration. Check "Enable API integration".
  3. Paste the SCIM Base URL into "Base URL".
  4. Paste the SCIM token into "API Token".
  5. Click Test API Credentials then Save.
  6. Provisioning -> To App. Enable "Create Users", "Update User Attributes", and "Deactivate Users".
  7. Under Push Groups, add the groups you want synced (typically the same ones you map to roles in TridentStack Control).

Microsoft Entra ID

  1. In your TridentStack Control enterprise application, Provisioning -> Get started.
  2. Set Provisioning Mode to Automatic.
  3. Tenant URL: paste the SCIM Base URL.
  4. Secret Token: paste the SCIM token.
  5. Click Test Connection, then Save.
  6. Under Mappings, configure the User and Group attribute mappings (the defaults work for most setups).
  7. Set provisioning scope to "Sync only assigned users and groups" (recommended) and turn provisioning On.

JumpCloud

  1. Open your TridentStack Control SSO app in JumpCloud admin.
  2. Identity Management -> Set up Identity Management, choose SCIM Version 2.0.
  3. Paste the SCIM Base URL as the API URL.
  4. Paste the SCIM token as the bearer token.
  5. Save and enable user/group provisioning.

Step 3: Map attributes

The default attribute mappings work for most setups:

  • userName maps to email.
  • externalId maps to your IdP's stable user ID (used to detect renames).
  • active maps to your IdP's user-status flag.
  • displayName maps to the user's full name.
  • groups maps to group memberships.

The most important mapping is groups: the group names your IdP pushes must match the IdP group names you configured in the SSO group-to-role mapping.

Step 4: Push groups

Push the groups your team uses in TridentStack Control. When a user joins or leaves an IdP group:

  • Their TridentStack Control role updates automatically (per the SSO group-to-role mapping).
  • Manual role assignments (granted directly in TridentStack Control, not via the mapping) are preserved.

Step 5: Test deactivation

The most important sync to verify is offboarding:

  1. In your IdP, mark a test user as inactive (or unassign them from the TridentStack Control app).
  2. Wait up to 60 seconds for your IdP to push the change.
  3. In TridentStack Control, go to Settings -> User Management and confirm the test user shows inactive.
  4. The user's existing browser sessions are invalidated; their next request returns to the sign-in page.
  5. Reactivate them in your IdP and confirm they reactivate in TridentStack Control.

What gets synced

  • Users: created, updated, deactivated, reactivated.
  • Group memberships: drive role assignments via the SSO group-to-role mapping.
  • Display name and email: kept in sync from your IdP.

What does NOT sync:

  • Passwords: TridentStack Control does not store passwords. Authentication is via SAML SSO.
  • Tenant settings, agent configurations, policies, deployment rings: managed in TridentStack Control.

What happens during deactivation

When your IdP marks a user inactive (via SCIM active=false or by removing them from the app):

  • The user is marked inactive in TridentStack Control.
  • Their active browser sessions end immediately.
  • IdP-mapped roles are removed.
  • Manual role assignments are preserved in case you reactivate them later.
  • The user's audit history is preserved.

Token rotation and revocation

To rotate a token:

  1. Generate a new token in TridentStack Control.
  2. Paste the new token into your IdP's SCIM configuration. Save and test.
  3. Once your IdP is using the new token, revoke the old one in TridentStack Control.

To revoke without rotation:

  • Click Revoke next to the token. The token stops working immediately. Any IdP using it will need a new token to resume sync.

Limits and troubleshooting

Rate limit: 60 requests per minute per token (with a small burst allowance). This is well above what any standard IdP needs for normal sync.

Common errors:

  • 401 Invalid or revoked token: your IdP is using a stale or revoked token. Generate a new one and update the IdP.
  • 400 invalidFilter: your IdP sent a SCIM filter that uses an unsupported attribute. Most IdPs work fine; if you hit this with a specific provider, contact support with the filter string.
  • Sync stops working without errors: check the Last Used column in the SCIM Provisioning panel; if it has not updated recently, your IdP is not pushing. Re-test the connection in your IdP's admin console.
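A small checker, added here as an example rather than TridentStack tooling, that you can run from an admin workstation to confirm the deactivation test in Step 5 took effect and to map a failing call to the errors above. It assumes TridentStack Control answers standard SCIM 2.0 /Users filter lookups (RFC 7644) and that the SCIM token is in the SCIM_TOKEN environment variable; the response-parsing functions are pure, so only lookup_user touches the network.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Base URL from the SCIM Provisioning panel. The token is read from the
# SCIM_TOKEN environment variable so it is never written into the script.
SCIM_BASE = "https://control.tridentstack.com/scim/v2"

def scim_string(value):
    """Quote a filter value, escaping backslashes and double quotes so an
    odd userName cannot change the meaning of the filter expression."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def user_state(list_response):
    """Read a SCIM ListResponse (RFC 7644): 'active', 'inactive' or 'missing'."""
    doc = json.loads(list_response)
    if doc.get("totalResults", 0) == 0 or not doc.get("Resources"):
        return "missing"
    return "active" if doc["Resources"][0].get("active", False) else "inactive"

def classify_error(status, body):
    """Map a failed SCIM call to the troubleshooting cases listed above."""
    try:
        scim_type = json.loads(body).get("scimType")
    except (ValueError, AttributeError):
        scim_type = None
    if status == 401:
        return "stale or revoked token: generate a new token and update the IdP"
    if status == 400 and scim_type == "invalidFilter":
        return "unsupported filter attribute: send the filter string to support"
    return f"unexpected HTTP {status}: check Last Used in the SCIM panel"

def lookup_user(token, email):
    """GET /Users filtered on userName (the email, per the default mapping).
    Returns (status, body). This is the only function that touches the network."""
    query = urllib.parse.urlencode(
        {"filter": f"userName eq {scim_string(email)}", "count": 1})
    req = urllib.request.Request(f"{SCIM_BASE}/Users?{query}", headers={
        "Authorization": f"Bearer {token}", "Accept": "application/scim+json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

if __name__ == "__main__":  # usage: SCIM_TOKEN=... python scim_check.py test.user@example.com
    import os, sys
    status, body = lookup_user(os.environ["SCIM_TOKEN"], sys.argv[1])
    print(user_state(body) if status == 200 else classify_error(status, body))
```

Run it once against the test user before and after deactivating them in the IdP; a single call per check keeps you far below the 60 requests per minute limit.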

For anything not covered here, contact TridentStack support at tridentstack.com/dashboard/support.