SCIM provisioning

Connect Deloc to Okta, Microsoft Entra ID, or any SCIM 2.0 identity provider so users are created, updated, and — most importantly — deactivated automatically. When IT offboards someone in your IdP, their Deloc access is revoked the same moment.

Enterprise feature
SCIM provisioning is available on the Enterprise plan. It pairs with SSO: your IdP becomes the single source of truth for who can sign in. See pricing or reach out to enable it.

Why SCIM

The first question every IT team asks before adopting a tool is "what happens when we offboard someone?" Without SCIM, the answer is "an admin removes them by hand" — which leaves orphaned access after a termination. SCIM closes that gap: deprovisioning is driven by your directory, not a manual checklist.

Deloc's SCIM connector handles three things:

  • Provision — assign a user to the Deloc app in your IdP and a Deloc account is created automatically.
  • Update — name and status changes in your directory flow through.
  • Deprovision — unassign or deactivate a user and Deloc immediately locks them out and revokes every active session and token.

Step 1 — Enable SCIM in Deloc

In the dashboard, go to Settings → User Provisioning (SCIM) and click Enable SCIM & Generate Token. You'll get two values to copy into your IdP:

  • SCIM Base URL — the endpoint your IdP talks to. In production this is:
text
https://api.deloc.dev/api/scim/v2
  • Bearer token — a per-organization secret prefixed dlscim_. Your IdP sends it as Authorization: Bearer dlscim_… on every request.
The token is shown once
Deloc stores only a hash of the token — the raw value is displayed exactly once at generation. Copy it straight into your IdP. If you lose it, click Regenerate Token (which rotates and invalidates the old one) and update the IdP with the new value.

Copy the exact Base URL shown in your dashboard rather than hard-coding the one above — it reflects the environment your org is on.


Step 2 — Connect your IdP

Point your provider's SCIM connector at the Base URL and token from Step 1. The exact clicks differ per IdP:

Add the Deloc app from the Okta Integration Network. It bundles SSO and SCIM, so a single app integration carries both the Sign On and Provisioning tabs.

  1. Go to Applications → Browse App Catalog, search Deloc, and click Add Integration.
  2. On the Sign On tab, complete the OIDC sign-on setup — Okta issues a client ID and secret; add them to your Deloc SSO config.
  3. Open the Provisioning tab → Configure API Integration → check Enable API integration.
  4. Set Base URL to your Deloc SCIM Base URL and API Token to the dlscim_ bearer token.
  5. Click Test API Credentials — Okta probes the endpoint and confirms the token works — then Save.
  6. Under Provisioning → To App, enable Create Users, Update User Attributes, and Deactivate Users.
  7. On the Assignments tab, assign the people or groups who should have Deloc access — they provision immediately and deprovision the moment they're unassigned.

What gets provisioned

Deloc maps SCIM Users to Deloc accounts in your organization.

  • userName must be the user's email and is the unique key.
  • displayName (or name.givenName + familyName) becomes the Deloc display name.
  • externalId is stored so your IdP can match users on subsequent syncs.
  • New users are created with the viewer role by default — viewers are free, so provisioning never creates a surprise publisher seat. Promote someone to publisher or admin from the members screen in the dashboard.
Email is globally unique
If you provision a userName that already exists as a Deloc account, the API returns 409 Conflict. A well-behaved IdP will then locate the user with a filtered GET and reconcile via PATCH — this is expected, not an error to chase.

Deprovisioning & offboarding

This is the reason SCIM matters. When a user is unassigned or set inactive in your IdP, Deloc receives a PATCH (or DELETE) and performs a soft deprovision:

  • The user is marked deactivated and is locked out everywhere immediately.
  • All of their API tokens, dashboard sessions, and refresh tokens are revoked — any CLI, MCP, or browser session stops working on the next request.
  • They can no longer load domain-restricted apps behind the edge auth proxy.
  • The account record and org membership are kept, so re-activating the user in your IdP (active: true) restores their access cleanly — no re-invite needed.
Re-hire / re-enable just works
Because deprovision is soft, a returning employee re-assigned to the app in your IdP is reactivated in place. Their prior role is preserved; only the revoked credentials need to be re-established by signing in again.

Supported operations

Deloc exposes a standard SCIM 2.0 surface under /scim/v2:

  • DiscoveryGET /ServiceProviderConfig, /ResourceTypes, /Schemas
  • List / filterGET /Users with startIndex + count pagination (max 200)
  • ReadGET /Users/{id}
  • CreatePOST /Users
  • ReplacePUT /Users/{id}
  • PatchPATCH /Users/{id} (the primary path Okta and Entra use to toggle active)
  • DeleteDELETE /Users/{id} (soft-deprovision, same as active: false)

Filtering

GET /Users supports equality filters your IdP uses to locate existing users:

text
userName eq "[email protected]"
externalId eq "00u1a2b3c4"
emails[value eq "[email protected]"]

Capabilities

Reported via /ServiceProviderConfig: PATCH supported, filtering supported (max 200 results), bearer-token auth. Bulk, sort, ETag, and password-change are not supported (Deloc doesn't store passwords for SSO users — the IdP owns credentials).


Audit trail

Every provisioning action is written to the Enterprise audit log with source IP and user-agent, so IT can prove who was provisioned and when:

  • scim.enabled / scim.token_rotated / scim.disabled — token lifecycle (admin actions)
  • scim.user.provisioned — a user was created via SCIM
  • scim.user.deactivated — a user was deprovisioned (the offboarding event)
  • scim.user.reactivated — a previously deactivated user was restored

These flow to your SIEM too if you've configured the audit webhook under Settings → Audit Log Streaming.


Rotating & disabling

  • Rotate — click Regenerate Token in Settings. The old token stops working immediately; paste the new one into your IdP's connector.
  • Disable — click Disable to turn off provisioning and revoke the token. Existing Deloc users are unaffected (no one is deprovisioned), but your IdP can no longer reach the SCIM endpoints until you re-enable.

Troubleshooting

  • 401 from Test Connection — the token is wrong, was rotated, or SCIM is disabled. Regenerate in Settings and re-paste. The header must be Authorization: Bearer dlscim_….
  • 409 on create — the email already exists as a Deloc account. Expected; your IdP should match the user via a filtered GET and PATCH instead of recreating.
  • New users can't publish — provisioned users default to the viewer role. Promote them to publisher or admin from the members screen.
  • "SCIM provisioning is an Enterprise feature." — the org isn't on the Enterprise plan. The panel shows an upgrade prompt until it is.