SCIM provisioning
Connect Deloc to Okta, Microsoft Entra ID, or any SCIM 2.0 identity provider so users are created, updated, and — most importantly — deactivated automatically. When IT offboards someone in your IdP, their Deloc access is revoked the same moment.
Why SCIM
The first question every IT team asks before adopting a tool is "what happens when we offboard someone?" Without SCIM, the answer is "an admin removes them by hand" — which leaves orphaned access after a termination. SCIM closes that gap: deprovisioning is driven by your directory, not a manual checklist.
Deloc's SCIM connector handles three things:
- Provision — assign a user to the Deloc app in your IdP and a Deloc account is created automatically.
- Update — name and status changes in your directory flow through.
- Deprovision — unassign or deactivate a user and Deloc immediately locks them out and revokes every active session and token.
Step 1 — Enable SCIM in Deloc
In the dashboard, go to Settings → User Provisioning (SCIM) and click Enable SCIM & Generate Token. You'll get two values to copy into your IdP:
- SCIM Base URL — the endpoint your IdP talks to. In production this is:
- Bearer token — a per-organization secret prefixed
dlscim_. Your IdP sends it asAuthorization: Bearer dlscim_…on every request.
Copy the exact Base URL shown in your dashboard rather than hard-coding the one above — it reflects the environment your org is on.
Step 2 — Connect your IdP
Point your provider's SCIM connector at the Base URL and token from Step 1. The exact clicks differ per IdP:
Add the Deloc app from the Okta Integration Network. It bundles SSO and SCIM, so a single app integration carries both the Sign On and Provisioning tabs.
- Go to Applications → Browse App Catalog, search Deloc, and click Add Integration.
- On the Sign On tab, complete the OIDC sign-on setup — Okta issues a client ID and secret; add them to your Deloc SSO config.
- Open the Provisioning tab → Configure API Integration → check Enable API integration.
- Set Base URL to your Deloc SCIM Base URL and API Token to the
dlscim_bearer token. - Click Test API Credentials — Okta probes the endpoint and confirms the token works — then Save.
- Under Provisioning → To App, enable Create Users, Update User Attributes, and Deactivate Users.
- On the Assignments tab, assign the people or groups who should have Deloc access — they provision immediately and deprovision the moment they're unassigned.
What gets provisioned
Deloc maps SCIM Users to Deloc accounts in your organization.
userNamemust be the user's email and is the unique key.displayName(orname.givenName+familyName) becomes the Deloc display name.externalIdis stored so your IdP can match users on subsequent syncs.- New users are created with the viewer role by default — viewers are free, so provisioning never creates a surprise publisher seat. Promote someone to publisher or admin from the members screen in the dashboard.
userName that already exists as a Deloc account, the API returns 409 Conflict. A well-behaved IdP will then locate the user with a filtered GET and reconcile via PATCH — this is expected, not an error to chase.Deprovisioning & offboarding
This is the reason SCIM matters. When a user is unassigned or set inactive in your IdP, Deloc receives a PATCH (or DELETE) and performs a soft deprovision:
- The user is marked deactivated and is locked out everywhere immediately.
- All of their API tokens, dashboard sessions, and refresh tokens are revoked — any CLI, MCP, or browser session stops working on the next request.
- They can no longer load domain-restricted apps behind the edge auth proxy.
- The account record and org membership are kept, so re-activating the user in your IdP (
active: true) restores their access cleanly — no re-invite needed.
Supported operations
Deloc exposes a standard SCIM 2.0 surface under /scim/v2:
- Discovery —
GET /ServiceProviderConfig,/ResourceTypes,/Schemas - List / filter —
GET /UserswithstartIndex+countpagination (max 200) - Read —
GET /Users/{id} - Create —
POST /Users - Replace —
PUT /Users/{id} - Patch —
PATCH /Users/{id}(the primary path Okta and Entra use to toggleactive) - Delete —
DELETE /Users/{id}(soft-deprovision, same asactive: false)
Filtering
GET /Users supports equality filters your IdP uses to locate existing users:
Capabilities
Reported via /ServiceProviderConfig: PATCH supported, filtering supported (max 200 results), bearer-token auth. Bulk, sort, ETag, and password-change are not supported (Deloc doesn't store passwords for SSO users — the IdP owns credentials).
Audit trail
Every provisioning action is written to the Enterprise audit log with source IP and user-agent, so IT can prove who was provisioned and when:
scim.enabled/scim.token_rotated/scim.disabled— token lifecycle (admin actions)scim.user.provisioned— a user was created via SCIMscim.user.deactivated— a user was deprovisioned (the offboarding event)scim.user.reactivated— a previously deactivated user was restored
These flow to your SIEM too if you've configured the audit webhook under Settings → Audit Log Streaming.
Rotating & disabling
- Rotate — click Regenerate Token in Settings. The old token stops working immediately; paste the new one into your IdP's connector.
- Disable — click Disable to turn off provisioning and revoke the token. Existing Deloc users are unaffected (no one is deprovisioned), but your IdP can no longer reach the SCIM endpoints until you re-enable.
Troubleshooting
- 401 from Test Connection — the token is wrong, was rotated, or SCIM is disabled. Regenerate in Settings and re-paste. The header must be
Authorization: Bearer dlscim_…. - 409 on create — the email already exists as a Deloc account. Expected; your IdP should match the user via a filtered GET and PATCH instead of recreating.
- New users can't publish — provisioned users default to the viewer role. Promote them to publisher or admin from the members screen.
- "SCIM provisioning is an Enterprise feature." — the org isn't on the Enterprise plan. The panel shows an upgrade prompt until it is.