2 min read 416 words Updated Jun 08, 2026 Created Jun 08, 2026

SCIM Provisioning

SCIM (System for Cross-domain Identity Management) lets Permiso automatically provision users into the apps your team uses. When you add someone to Permiso, their account gets created in the connected app. When you disable them, their account there is deactivated too. No manual work in each app required.

SCIM provisioning is configured per application. Each OIDC client can have its own SCIM connection.

How it works

Permiso is the source of truth for your users. When SCIM is enabled for an application, Permiso pushes user changes to that app's SCIM endpoint. The app receives those changes and keeps its own user records in sync.

This means you manage users in one place — Permiso — and the connected apps stay up to date automatically.

Set up SCIM for an application

You'll need the SCIM endpoint URL and a bearer token from the application you want to provision into. Most SCIM-compatible apps provide these in their directory sync, provisioning, or user management settings.

  1. In your application, find the SCIM configuration and note down:
    • The SCIM endpoint URL
    • A bearer token (sometimes called an API token or secret token)
  2. In Permiso, go to Settings → Administration → OIDC Clients and open the client for that application
  3. Find the SCIM Provisioning section and click Add SCIM provider
  4. Enter the endpoint URL and bearer token from step 1

Once saved, Permiso will begin syncing users to the application.

Triggering a sync

After setting up SCIM, you can trigger a manual sync from the SCIM provider card to push the current state of your users to the application. After that, changes are pushed automatically as they happen in Permiso.

What gets synced

When SCIM is active, Permiso pushes the following events to the connected app:

EventWhat Permiso does
User createdCreates the user in the app
User details updatedUpdates name, email, and other profile fields
User added to groupAdds the user to the corresponding group in the app (if the app supports group provisioning)
User disabledDeactivates the user in the app

Compatible applications

Any application that supports SCIM 2.0 can receive provisioning from Permiso. Look for "SCIM provisioning", "directory sync", or "automatic provisioning" in the application's settings to find the endpoint URL and token.

If you run into issues with a specific application, check the Troubleshooting guide.