Hadrian is experimental alpha software. Do not use in production.

SCIM Provisioning

Automatic user and group provisioning with SCIM 2.0 for real-time identity sync

SCIM (System for Cross-domain Identity Management) enables real-time user provisioning and deprovisioning from your identity provider. When users are added, modified, or removed in your IdP, changes sync to Hadrian immediately.

Why SCIM?

JIT (Just-in-Time) provisioning creates users only when they first log in, which leaves a critical security gap:

Scenario | JIT Behavior | SCIM Behavior
User joins company | Created on first login | Created immediately
User terminated | Remains active until next login attempt | Deactivated immediately
Group membership changes | Updated on next login | Updated immediately
API keys on termination | Remain valid | Revoked immediately

Security Risk with JIT: When an employee is terminated, their API keys remain active until they next try to log in, which may take days or weeks, or never happen. SCIM ensures immediate deprovisioning, meeting SOC 2, HIPAA, and FedRAMP requirements.

Supported Identity Providers

SCIM 2.0 is an open standard supported by major identity providers:

Provider | SCIM Support | Notes
Okta | Full | Native SCIM 2.0 application integration
Azure AD / Entra ID | Full | Enterprise Application provisioning
Google Workspace | Full | Requires Cloud Identity or Workspace admin
OneLogin | Full | Native SCIM connector
Keycloak | Partial | Requires SCIM plugin (keycloak-scim)
Auth0 | Partial | Via Actions or third-party integration
JumpCloud | Full | Native SCIM 2.0 support

Prerequisites

Before configuring SCIM:

  1. Organization exists - Your organization must be created in Hadrian
  2. Admin access - You need the organization admin role
  3. IdP SCIM support - Your identity provider must support SCIM 2.0

Configuring SCIM

Navigate to Admin → Organizations → [Your Org] → SCIM to access the SCIM configuration page.

Creating a SCIM Configuration

Click Configure SCIM to open the configuration form.

User Provisioning Settings

Setting | Description | Default
Enable SCIM | Activate SCIM endpoint for this organization | Off
Create Users | Create Hadrian users when provisioned via SCIM | On
Sync Display Name | Update user display name from IdP on each sync | On
Default Team | Team to add new users to | None
Default Org Role | Role in the organization (member, admin) | member
Default Team Role | Role in the default team | member

Deprovisioning Settings

Setting | Description | Default
Revoke API Keys on Deactivate | Immediately revoke all API keys when user is deactivated | On
Delete User on Deactivate | Permanently delete user record (vs. deactivate) | Off

Recommended: Keep "Revoke API Keys on Deactivate" enabled. This ensures terminated employees lose API access immediately, not just UI access.

Bearer Token

After creating the configuration, Hadrian generates a bearer token for authenticating SCIM requests.

Copy the token now. This is the only time it will be displayed. The token is hashed before storage and cannot be retrieved later. If lost, rotate the token to generate a new one.

The token format is scim_ followed by random characters. Store it securely in your IdP's SCIM configuration.

SCIM Endpoint URL

Configure your IdP with this endpoint URL:

https://your-gateway.example.com/scim/v2

The endpoint requires Bearer token authentication:

Authorization: Bearer scim_abc123...

Identity Provider Setup

Okta

  1. Go to Applications → Applications → Add Application
  2. Search for "SCIM 2.0 Test App (OAuth Bearer Token)"
  3. Click Add and configure:
    • SCIM connector base URL: https://your-gateway.example.com/scim/v2
    • Unique identifier field for users: userName
    • Authentication Mode: HTTP Header
    • Authorization: Bearer <your-scim-token>
  4. Under Provisioning → To App, enable:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  5. Assign users/groups to the application

Azure AD / Entra ID

  1. Go to Enterprise Applications → New application
  2. Click Create your own application → Non-gallery application
  3. Under Provisioning, set:
    • Provisioning Mode: Automatic
    • Tenant URL: https://your-gateway.example.com/scim/v2
    • Secret Token: Your SCIM bearer token
  4. Click Test Connection to verify
  5. Configure attribute mappings:
    • userPrincipalName → userName
    • mail → emails[type eq "work"].value
    • displayName → displayName
    • givenName → name.givenName
    • surname → name.familyName
  6. Start provisioning

Google Workspace

  1. Go to Admin Console → Apps → SAML apps
  2. Add a custom SAML app or use an existing one
  3. Under Auto-provisioning, configure:
    • SCIM endpoint: https://your-gateway.example.com/scim/v2
    • Authorization header: Bearer <your-scim-token>
  4. Enable user provisioning and deprovisioning
  5. Select organizational units to sync

User Provisioning Flow

When your IdP provisions a user via SCIM:

  1. POST /scim/v2/Users - IdP sends user data (email, name, attributes)
  2. User created - Hadrian creates user with mapped attributes
  3. Organization added - User added to the org with default role
  4. Team added - If configured, user added to default team
  5. Response - SCIM resource returned with Hadrian user ID

Attribute Mapping

SCIM Attribute | Hadrian Attribute
userName | email (primary identifier)
emails[primary].value | email
displayName | display_name
name.givenName | first_name
name.familyName | last_name
active | User active status
externalId | external_id (IdP reference)

Group Provisioning

SCIM groups map to Hadrian teams. When you provision groups:

  1. POST /scim/v2/Groups - IdP creates group
  2. Team created or mapped - Group links to existing or new team
  3. Members synced - Group members added to team with configured role

Group-to-Team Mapping

SCIM Attribute | Hadrian Attribute
displayName | Team name
externalId | Team external reference
members | Team membership

Groups provision users as team members with the default team role. For more granular role assignment, use SSO Group Mappings in combination with SCIM.

Deprovisioning

When a user is deactivated or deleted in your IdP:

  1. PATCH /scim/v2/Users/{id} - IdP sends active: false
  2. User deactivated - Hadrian marks user as inactive
  3. API keys revoked - If enabled, all API keys immediately revoked
  4. Sessions invalidated - Active sessions terminated
  5. Optional deletion - If configured, user record permanently deleted

Deprovisioning Timeline

Event | JIT | SCIM
IdP disables user | No effect | User deactivated immediately
API key validity | Valid indefinitely | Revoked immediately
UI access | Valid until next login attempt | Denied immediately

Token Rotation

Rotate the SCIM bearer token periodically or if compromised:

  1. Navigate to Admin → Organizations → [Your Org] → SCIM
  2. Click Rotate Token
  3. Copy the new token immediately
  4. Update your IdP configuration with the new token

After rotation, the old token is immediately invalidated. Update your IdP configuration promptly to avoid provisioning failures.

API Reference

SCIM Endpoints

Endpoint | Method | Description
/scim/v2/ServiceProviderConfig | GET | SCIM capabilities and configuration
/scim/v2/ResourceTypes | GET | Supported resource types (User, Group)
/scim/v2/Schemas | GET | SCIM schema definitions
/scim/v2/Users | GET | List users with filtering and pagination
/scim/v2/Users | POST | Create a new user
/scim/v2/Users/{id} | GET | Get user by ID
/scim/v2/Users/{id} | PUT | Replace user
/scim/v2/Users/{id} | PATCH | Update user attributes
/scim/v2/Users/{id} | DELETE | Delete user
/scim/v2/Groups | GET | List groups with filtering
/scim/v2/Groups | POST | Create a new group
/scim/v2/Groups/{id} | GET | Get group by ID
/scim/v2/Groups/{id} | PUT | Replace group
/scim/v2/Groups/{id} | PATCH | Update group attributes
/scim/v2/Groups/{id} | DELETE | Delete group

Admin API

Endpoint | Method | Description
/admin/v1/organizations/{slug}/scim-configs | GET | Get SCIM configuration
/admin/v1/organizations/{slug}/scim-configs | POST | Create SCIM configuration
/admin/v1/organizations/{slug}/scim-configs | PUT | Update SCIM configuration
/admin/v1/organizations/{slug}/scim-configs | DELETE | Delete SCIM configuration
/admin/v1/organizations/{slug}/scim-configs/rotate-token | POST | Rotate bearer token

Troubleshooting

SCIM Requests Failing with 401

  • Verify the bearer token is correct and not rotated
  • Check the Authorization header format: Bearer <token>
  • Ensure the token was copied correctly (no trailing spaces)

Users Not Being Created

  • Verify "Create Users" is enabled in SCIM settings
  • Check that the userName attribute is being sent (required)
  • Review IdP attribute mappings

API Keys Not Revoked on Deactivation

  • Ensure "Revoke API Keys on Deactivate" is enabled
  • Verify the IdP is sending active: false (not deleting)
  • Check audit logs for deprovisioning events

Groups Not Syncing

  • Verify group provisioning is enabled in your IdP
  • Check that group displayName is unique within the org
  • Review IdP group assignment to the SCIM application

Duplicate User Errors

  • Ensure userName (email) is unique across your organization
  • Check for existing users with the same email
  • Use SCIM filter to query existing users before creation
