SCIM 2.0 Provisioning
Fudo Enterprise can act as a SCIM 2.0 Service Provider. It exposes a SCIM endpoint that an external identity provider (IdP) uses to provision and manage user identities and group membership in Fudo Enterprise. Fudo Enterprise only receives provisioning requests from the IdP - it never initiates them.
SCIM automates the user identity lifecycle (creating, updating, disabling, and re-enabling users) and group membership. It does not manage other Fudo Enterprise objects, such as servers, accounts, safes, password vaults, session policies, or authentication flows. Those remain configured locally in Fudo Enterprise.
Note
When OpenID Connect (OIDC) login is also used for SCIM-provisioned users, SCIM and OIDC must be configured on the same IdP application. At login, the user identity is matched against the SCIM-provisioned record, so both integrations have to refer to the same set of users.
Creating a Role and Service User for SCIM
Create a dedicated Fudo Enterprise service user for the identity provider and assign it a role that includes the SCIM privileges. SCIM operations are performed and audited under this service user, which keeps them distinguishable from local administrator actions.
Create Role
Select > and click .
Enter a unique name for the role.
On the GLOBAL PRIVILEGES tab, use the Permissions Navigation panel to open the User Sources section. Enable both SCIM read (scim-read) and SCIM modify (scim-modify). These privileges allow the user to view and manage the SCIM provisioning configuration, including enabling or disabling provisioning and rotating the API key.
Grant the management privileges required for SCIM provisioning, such as Users and Groups, so the identity provider can create, update, and delete users and manage group membership.
Click .
Create the Service User
Select > and click .
Enter a user name.
From the Role drop-down list, select the role created above.
Click to create the user.
Add at least one authentication method for the user (from the Add authentication method drop-down list), for example Password or API key, then click .
Note
Above all, the role must have the SCIM privileges from the User Sources group enabled - at least scim-modify - otherwise SCIM provisioning cannot be configured. The other management privileges are selected at the administrator’s discretion, depending on what the service user needs to manage. For full instructions, see Creating Role and Creating a User.
Configuring SCIM Provisioning
To connect an identity provider to Fudo Enterprise, provide the IdP with the Fudo Enterprise SCIM Base URL and the API key that serves as the SCIM bearer token.
Select > .
Go to the SCIM Provisioning tab.
Click . Fudo Enterprise generates the Base URL and the API key.
Copy the Base URL - it is the SCIM endpoint address of this Fudo Enterprise instance (for example, https://<fudo-address>/scim/v2).
Copy the API key.
Warning
The API key is shown only once, at the moment it is generated. Copy it immediately and store it securely. If the key is lost, rotate it to generate a new one.
Configure your identity provider with these values, as described in Configuring the identity provider. No separate OAuth flow is required.
Configuring the Identity Provider
Note
The exact steps depend on the identity provider. The following procedure provides general guidance typical for SCIM 2.0-compliant identity providers.
In the identity provider, add or create an application that supports SCIM 2.0 provisioning.
In the application’s provisioning settings, set the SCIM endpoint (named SCIM connector base URL, Tenant URL, or similar) to the Fudo Enterprise Base URL.
Set the authentication method to a bearer token (HTTP header) and paste the Fudo Enterprise API key as the token (also called the Secret Token). Use the provider’s Test connection function to verify the setup.
Review the attribute mappings so that the provider sends at least userName, name, displayName, the primary emails value, phoneNumbers, active, and externalId. The externalId is the correlation key (see Attribute mapping).
Set the provisioning scope to the assigned users and groups, and enable provisioning.
Assign users and groups to the application to provision them in Fudo Enterprise. Some providers require an explicit step to provision groups (for example, the Okta Push Groups feature).
Note
In Okta, assigned users are provisioned automatically, while groups must be pushed explicitly with Push Groups.
Microsoft Entra ID requires an Entra ID P1 (or higher) license. Changes are applied with Provision on demand or on the automatic (approximately 40-minute) cycle; deletions are applied only on the automatic cycle.
Field names and navigation differ between providers and may change over time. Always follow the current SCIM 2.0 setup documentation of your identity provider (Okta or Microsoft Entra ID).
Rotating the API Key
You can rotate the API key at any time, for example as part of credential hygiene or if the key may have been exposed.
Select > > SCIM Provisioning.
Click and confirm.
Warning
Rotating the API key immediately invalidates the current key. Update the SCIM configuration in your identity provider with the new key to continue provisioning users and groups in Fudo Enterprise.
Disabling SCIM Provisioning
To stop accepting SCIM requests, click on the SCIM Provisioning tab. After disabling:
the API key stops working and the IdP can no longer provision changes;
existing SCIM-managed users and groups remain in Fudo Enterprise but become locally managed and can be edited by an administrator.
SCIM-Managed Account Behavior
After SCIM provisioning is enabled, the identity provider manages selected user accounts in Fudo Enterprise. Users assigned to the application on the IdP side are automatically created in Fudo Enterprise and marked as managed by SCIM.
During synchronization, Fudo Enterprise updates mapped user attributes, such as the login, email address, or display name. Fields managed by SCIM are treated as data coming from the IdP and should not be edited locally in Fudo Enterprise.
If a user is deactivated in the IdP or removed from the provisioning scope, Fudo Enterprise blocks the user account. Any active user sessions are terminated, while session history, audit data, and previous associations are preserved.
If the same user is synchronized again with the same externalId, Fudo Enterprise recognizes the user as an existing account and reactivates it instead of creating a duplicate.
Attribute Mapping
The identity provider is authoritative for all mapped identity attributes. In Fudo Enterprise, these fields are read-only for SCIM-managed users and are updated only through SCIM.
| SCIM attribute (from IdP) | Fudo Enterprise user field | Notes |
|---|---|---|
| externalId | Internal correlation key | Primary correlation key. Not displayed and not editable. Used to match the same identity across creation, update, blocking, and re-enabling. |
| userName | Login / username | Read-only. |
| name | Name components | Read-only. |
| displayName | Full name | Read-only. |
| emails | Email | Only the primary email is stored; a secondary email is not shown. Read-only. |
| phoneNumbers | Phone | Read-only. |
| active | Account state | Drives blocking and unblocking (see Blocking model). |
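The mapping in the table, and the attribute set the IdP is expected to send (see Configuring the Identity Provider), as an added Python example that is not part of the Fudo Enterprise documentation or product code: it projects a constructed SCIM 2.0 User resource onto the Fudo user fields, keeps only the primary email, and refuses a resource without externalId. The key names on the Fudo side and all sample values are assumptions made for the example.

```python
import json

# Constructed sample: a SCIM 2.0 User resource as an IdP might POST it to
# <Base URL>/Users. All values are placeholders, not from any real tenant.
SAMPLE_USER = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "externalId": "idp-user-0001",
  "userName": "jdoe@example.com",
  "name": {"givenName": "Jane", "familyName": "Doe"},
  "displayName": "Jane Doe",
  "emails": [
    {"value": "jane.personal@example.org", "type": "home", "primary": false},
    {"value": "jdoe@example.com", "type": "work", "primary": true}
  ],
  "phoneNumbers": [{"value": "+1 555 0100", "type": "work"}],
  "active": true
}""")


def map_scim_user(resource: dict) -> dict:
    """Project a SCIM User onto the Fudo user fields of the mapping table.

    Key names on the Fudo side are assumed for this example. externalId is
    the correlation key, so a resource without it is rejected: later updates,
    blocks, and re-enables could not be matched to the same account.
    """
    external_id = resource.get("externalId")
    if not external_id:
        raise ValueError("externalId missing: cannot correlate this identity")
    name = resource.get("name") or {}
    emails = resource.get("emails") or []
    # Only the primary address is stored; fall back to the first one if the
    # IdP flags none as primary. Secondary addresses are dropped.
    primary = next((e for e in emails if e.get("primary")), emails[0] if emails else None)
    phones = resource.get("phoneNumbers") or []
    return {
        "correlation_key": external_id,
        "login": resource["userName"],
        "given_name": name.get("givenName"),
        "family_name": name.get("familyName"),
        "full_name": resource.get("displayName"),
        "email": primary["value"] if primary else None,
        "phone": phones[0]["value"] if phones else None,
        # active=false is what drives "Blocked by SCIM".
        "active": bool(resource.get("active", True)),
    }
```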
Restrictions on SCIM-Managed Objects
Once a user or group is managed by SCIM, the identity provider is its source of truth. In Fudo Enterprise you therefore cannot:
edit the identity data of a SCIM-managed user or group (name, email, phone, or the group name);
change a SCIM-managed group’s membership - the assign/remove user controls are disabled, and local Fudo Enterprise users cannot be added to it;
create or delete SCIM-managed users and groups manually.
You can still configure the following locally, because SCIM does not touch it:
safe access, account access, and object rights;
group-to-role, group-to-safe, and group-to-account mappings.
Local mappings are preserved when the identity provider updates a group, for example after a rename or a membership change. Roles are granted to SCIM users through these group mappings, not by assigning a role to each user.
Note
When a group is deleted in the identity provider, Fudo Enterprise removes the group and its members lose the access that the group granted. Access granted by other means is not affected.
Blocking Model
Fudo Enterprise tracks two independent block states for a SCIM-managed user; clearing one does not clear the other:
Blocked by SCIM - applied when the identity provider deactivates (active=false) or deletes the user.
Blocked locally - applied when an administrator blocks the user manually in Fudo Enterprise. A local block requires a reason and is audited; an emergency local block of a SCIM-managed user is allowed.
The Managed by column shows the source of each object: SCIM, Fudo (local), or User directory. A SCIM-managed user also displays a Managed externally (SCIM) indicator on its details view.
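The account behavior described under SCIM-Managed Account Behavior and the two independent block states above, as an added Python model that is not Fudo Enterprise code: provisioning is keyed by externalId so a re-sent identity reactivates the existing record instead of creating a duplicate, and an IdP sync that sets active=true clears only the SCIM block, never a local one. The class and method names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class ScimUser:
    external_id: str  # correlation key sent by the IdP
    login: str
    blocked_by_scim: bool = False
    blocked_locally: bool = False

    def can_sign_in(self) -> bool:
        # Either block alone is enough to refuse the login (OIDC included).
        return not (self.blocked_by_scim or self.blocked_locally)


class ScimDirectory:
    """Toy service-provider model: users keyed by externalId, plus an audit trail."""

    def __init__(self) -> None:
        self.users: dict[str, ScimUser] = {}
        self.audit: list[str] = []

    def provision(self, external_id: str, login: str, active: bool) -> ScimUser:
        """Create/update from the IdP. A known externalId is updated and
        reactivated in place; a duplicate account is never created."""
        user = self.users.get(external_id)
        if user is None:
            user = self.users[external_id] = ScimUser(external_id, login)
            self.audit.append(f"scim-service-user created {external_id}")
        else:
            user.login = login
            self.audit.append(f"scim-service-user updated {external_id}")
        # active=false sets the SCIM block and active=true clears only that
        # block; a block an administrator applied locally is left untouched.
        user.blocked_by_scim = not active
        return user

    def deprovision(self, external_id: str) -> None:
        """DELETE from the IdP: the account is blocked, its history is kept."""
        self.users[external_id].blocked_by_scim = True
        self.audit.append(f"scim-service-user deleted {external_id}")

    def local_block(self, external_id: str, admin: str, reason: str) -> None:
        """Emergency block by an administrator: a reason is mandatory and audited."""
        if not reason.strip():
            raise ValueError("a local block requires a reason")
        self.users[external_id].blocked_locally = True
        self.audit.append(f"{admin} blocked {external_id}: {reason}")
```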
Authentication with OIDC
SCIM-provisioned users sign in through OIDC, while SCIM stays authoritative for identity: OIDC only authenticates the user and never overwrites SCIM-managed attributes.
A user must be provisioned by SCIM before they can sign in. Fudo Enterprise rejects the login - and creates no account - when:
the user has never been provisioned through SCIM, or
the user has been deactivated by SCIM.
Auditing
Fudo Enterprise records every SCIM operation in the events log, capturing who performed it (the SCIM service user), what changed, and when. This keeps SCIM activity clearly distinguishable from local administrator actions. The events log can be exported to a SIEM over syslog.