SCIM 2.0 Configuration
SCIM (System for Cross-domain Identity Management) is an open standard used for automating user and group provisioning across systems.
SCIM 2.0 is the current version of the standard and defines REST-based APIs for identity provisioning and lifecycle management.
SCIM 2.0 Support in Kyvos
To meet enterprise identity management and security requirements, Kyvos supports SCIM 2.0 for automated user and group provisioning.
With SCIM 2.0 enabled, Kyvos integrates with external Identity Providers (IdPs), including:
Microsoft Azure Entra ID, formerly Azure Active Directory (supported from Kyvos 2026.2.1 onwards)
This automatically creates, updates, deactivates, and manages users and groups in Kyvos.
Benefits
Eliminates manual user administration
Reduces operational overhead
Improves security through centralized identity control
Ensures compliance with enterprise IAM (Identity and Access Management) best practices
Important to know
Kyvos supports Okta SCIM provisioning only for Kyvos Web Portal. It is not applicable to Kyvos Manager.
The Kyvos environment must be publicly accessible to use it for SCIM provisioning.
To configure SCIM in an already created SAML app, refer to Add SCIM provisioning to app integrations | Okta Identity Engine.
Kyvos supports the following authentication modes for the Okta SCIM app:
Basic Auth
OAuth2 with client credentials
Note
The SCIM protocol does not support role mapping.
As a result, a default role must be assigned to all users provisioned through SCIM.
The User Onboarding configuration will not be applied if the user already exists in Kyvos.
To configure a default role for SCIM users, perform the following steps.
For this, click the cluster name > Security > Kyvos Authentication on the navigation pane.
Click the Actions menu (…) > User Onboarding Configurations. The User Onboarding - Advanced Configurations dialog is displayed.
In the First Login Actions text box, enter the following configuration to define a default user role.
```json
{
  "roleName": "Business User",
  "sendWelcomeMailToUser": false,
  "updatePreferences": false,
  "defaultEntities": { }
}
```
Click Save to apply the configuration.
Okta SCIM 2.0 / SAML Application Configuration with Kyvos
This section describes how to configure SCIM 2.0 provisioning between Okta and Kyvos. You can configure provisioning using either of the following:
Create a SCIM 2.0 Test Application directly in Okta, or
Create a SAML application for Single Sign-On (SSO) and then enable SCIM provisioning on top of the SAML application.
1. Create an Application in Okta
Log in to the Okta Admin Console.
Navigate to Applications > Applications.
Click Create App Integration.
Select one of the following application types:
SCIM 2.0 Test App (Basic Auth)
SCIM 2.0 Test App (OAuth Bearer Token)
SAML 2.0 (if SAML-based SSO is required)
Complete the application creation process and save the application.
Note:
If a SAML application is created, SCIM provisioning must be enabled separately in the next steps.
2. Enable SCIM Provisioning
Open the created application in Okta.
Navigate to the General tab.
Click Edit under App Settings.
Under Provisioning, select SCIM.
Save the configuration.
3. Configure SCIM Settings in the Provisioning Tab
Navigate to the Provisioning tab.
Open the Integration section and click Edit.
Configure the SCIM connector details as follows:
Field | Value |
|---|---|
SCIM Connector Base URL | <KYVOS_URL>/rest/scim/v2 (the Kyvos SCIM endpoint) |
Unique Identifier Field for Users | |
Select the required Supported Provisioning Actions, such as:
Import New Users and Profile Updates
Push New Users
Push Profile Updates
Push Groups
Import Groups
Save the configuration.
4. Choose the Authentication Mode
Okta supports Basic Authentication and OAuth 2.0 for SCIM provisioning.
Option A – Basic Authentication
If Basic Authentication is selected:
Set Authentication Mode to Basic Auth.
Provide the following credentials:
Field | Value |
|---|---|
Username | Kyvos username |
Password | Kyvos password or Personal Access Token (PAT) |
Save the configuration.
Option B – OAuth 2.0 (Client Credentials)
If OAuth 2.0 is selected:
Set Authentication Mode to OAuth 2.0.
Set Grant Type to Client Credentials.
Provide the following details:
Field | Description |
|---|---|
Access Token Endpoint URI | OAuth token endpoint of Kyvos |
Client ID | Client ID of the Confidential OIDC application in Kyvos |
Client Secret | Client Secret of the Confidential OIDC application in Kyvos |
Save the configuration.
5. Additional Requirement – Default Scope Configuration in Okta
When using OAuth 2.0 authentication, a default scope must be configured in Okta.
To configure default scope:
Navigate to Security > API > Authorization Servers in the Okta Admin Console.
Select the Authorization Server used for SCIM (for example, Default or a custom server).
Open the Scopes tab.
Click Add Scope.
Configure the following:
Field | Value |
|---|---|
Name | |
Default Scope | Enabled |
Save the configuration.
Ensure that the SCIM OAuth client is allowed to use this scope under Access Policies.
6. Enable Provisioning to Application
After the SCIM integration is successfully configured, Okta exposes two provisioning sections:
To App
To Okta
Configure Provisioning > To App
Navigate to Provisioning > To App.
Click Edit under Provisioning to App.
Enable the following options:
Option | Description |
|---|---|
Create Users | Creates or links a Kyvos user when the application is assigned in Okta |
Update User Attributes | Automatically pushes attribute updates from Okta to Kyvos |
Deactivate Users | Deactivates the Kyvos user when the application is unassigned or the Okta user is deactivated |
Important
Do not enable "Sync Password". Password synchronization is not required and is not supported by Kyvos.
7. Kyvos OIDC Configuration Requirements
When using OAuth 2.0 authentication, the following configurations must be completed in Kyvos:
Configure a Confidential OIDC Application in Kyvos.
Enable the client_credentials grant type for the application.
Update the Kyvos OIDC configuration with:
Client Credentials Token Identifier
Mapped Kyvos Username associated with the token
Okta will obtain an access token using the client_credentials flow and include this token in the SCIM provisioning requests sent to Kyvos.
8. Final Validation
Use Test API Credentials in Okta to verify connectivity.
Assign users or groups to the application.
Verify that user creation, updates, and deactivation are correctly reflected in Kyvos.
Points to know
Okta can integrate with Kyvos using SCIM 2.0 directly or SAML + SCIM provisioning.
SCIM endpoint:
<KYVOS_URL>/rest/scim/v2
Supported authentication methods:
Basic Authentication (Kyvos user name and password): SCIM-provisioned users (with basic authentication configured in the IdP) can log in to Kyvos using SAML or OAuth, provided that the corresponding authentication configurations are properly set up in Kyvos.
OAuth 2.0 Client Credentials (recommended for enterprise deployments): SCIM-provisioned users (with OAuth 2.0 Client Credentials configured in the IdP) can log in to Kyvos only through OAuth configured in Kyvos.
OAuth configuration requires:
A Confidential OIDC application configured in Kyvos.
A default scope configured on the Okta Authorization Server.
Once these configurations are completed, Okta–Kyvos SCIM provisioning will be successfully enabled.
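The two authentication modes and the SCIM endpoint listed above, as an added example that is not Kyvos or Okta code: it builds the Authorization header used in Basic Auth mode, the client_credentials token request for OAuth 2.0 mode, a GET against <KYVOS_URL>/rest/scim/v2, and reads a SCIM ListResponse to report which provisioned users are still active. It assumes a standard OAuth 2.0 token endpoint that accepts the client id and secret in the form body, and uses a constructed sample response; the same endpoint and OAuth 2.0 flow apply to the Azure Entra ID configuration in the next section.

```python
"""Added example (not Kyvos or Okta code): requests against the Kyvos SCIM
endpoint <KYVOS_URL>/rest/scim/v2 in the two supported authentication modes."""
import base64
import json
import urllib.parse
import urllib.request

SCIM_PATH = "/rest/scim/v2"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def basic_auth_header(username: str, secret: str) -> str:
    """Basic Auth mode: the secret is the Kyvos password or a PAT."""
    return "Basic " + base64.b64encode(f"{username}:{secret}".encode()).decode()

def token_request(token_endpoint: str, client_id: str, client_secret: str,
                  scope: str) -> urllib.request.Request:
    """OAuth 2.0 mode: client_credentials grant; scope is the default scope
    configured on the Okta authorization server (Step 5). Sending the client
    id/secret in the form body is an assumption about the token endpoint."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": scope}).encode()
    req = urllib.request.Request(token_endpoint, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req

def scim_request(kyvos_url: str, auth_header: str,
                 resource: str = "ServiceProviderConfig") -> urllib.request.Request:
    """GET on the SCIM endpoint; auth_header is 'Basic ...' or 'Bearer <token>'."""
    req = urllib.request.Request(f"{kyvos_url.rstrip('/')}{SCIM_PATH}/{resource}")
    req.add_header("Authorization", auth_header)
    req.add_header("Accept", "application/scim+json")
    return req

def active_users(list_response: str) -> dict:
    """userName -> active from a SCIM ListResponse (e.g. GET /Users); False
    means the IdP's Deactivate Users action has reached Kyvos."""
    data = json.loads(list_response)
    if LIST_SCHEMA not in data.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    return {u["userName"]: bool(u.get("active", True)) for u in data.get("Resources", [])}

# Constructed sample shaped like a SCIM /Users reply (not captured from Kyvos)
SAMPLE_USERS = json.dumps({"schemas": [LIST_SCHEMA], "totalResults": 2, "Resources": [
    {"id": "u1", "userName": "alice@example.com", "active": True},
    {"id": "u2", "userName": "bob@example.com", "active": False}]})
```

To run the check live, send a prepared request with urllib.request.urlopen(req) and pass the body of GET /Users to active_users.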
Kyvos SCIM Provisioning with Microsoft Azure Entra ID (OAuth 2.0)
Note
This is applicable from Kyvos 2026.2.1 onwards.
Group provisioning is not yet certified with Microsoft Azure Entra ID.
This section describes the step-by-step process to configure SCIM provisioning between Microsoft Azure Entra ID (formerly Azure Active Directory) and Kyvos using OAuth 2.0 authentication.
Prerequisites
Ensure the following prerequisites are completed before starting the configuration:
Administrator access to the Microsoft Azure Entra ID portal.
Public URL of the Kyvos environment
SCIM endpoint:
<KYVOS_URL>/rest/scim/v2
OAuth Client ID and Client Secret generated from the Azure Entra ID application
OAuth token endpoint from the Azure Entra ID application
Kyvos Configuration Requirements
Before configuring provisioning in Azure, ensure the following configurations are completed in Kyvos:
A Confidential OIDC configuration must be created in Kyvos. The user must first create an application in the same tenant in which the enterprise application for SCIM will be created. For more information, refer to the Kyvos documentation.
The same configuration used for Confidential OIDC in Kyvos must also be used in the Provisioning Configuration screen.
Configure the Client Credentials Token Identifier and mapped Kyvos Username associated with the token while creating the Confidential OIDC configuration.
Configure User Onboarding settings in Kyvos to assign a default role for provisioned users.
Step 1: Create an Enterprise Application in Azure Entra ID
Log in to the Azure Portal.
Navigate to Microsoft Entra ID.
Go to Enterprise Applications.
Click New Application.
Select Create your own application.
Enter the application name. For example: Kyvos SCIM Provisioning.
Select Integrate any other application you don't find in the gallery (Non-gallery).
Click Create.
Step 2: Configure Provisioning
Open the newly created Enterprise Application.
Navigate to Provisioning from the left panel.
Click New Configuration.
On the New Provisioning Configuration screen, configure the following fields.
Field | Value |
|---|---|
Authentication Method | OAuth2 client credentials grant |
Tenant URL | <KYVOS_URL>/rest/scim/v2 (the Kyvos SCIM endpoint) |
Token Endpoint | Kyvos OAuth Token Endpoint. Example: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token |
Client Identifier | Client ID from the Azure Entra ID application |
Client Secret | Client Secret from the Azure Entra ID application |
Click Test Connection. If the credentials are correct, Azure will display Connection Successful.
Click Create. After successful configuration, you will be redirected to the Provisioning Overview page.
Step 3: Provisioning Overview
Navigate to the Provisioning Overview page.
The Provisioning Status will be Off by default.
Verify the Scope from the Properties tab:
Sync only assigned users and groups
Step 4: Attribute Mapping (Mappings Tab)
Navigate to Provisioning > Mappings.
Verify the attribute mappings between Azure Entra ID and Kyvos. Ensure the attributes required for SCIM provisioning are correctly mapped.
Step 5: Assign Users and Groups
Navigate to Users and Groups.
Click Add User/Group.
Select the required users or groups.
Click Assign.
Step 6: Start Provisioning
Navigate to Provisioning > Overview.
Set Provisioning Status to On.
Click Save.
Azure will start the SCIM provisioning process.
Provisioning typically runs automatically every ~40 minutes. However, you can test provisioning immediately using Provision on Demand.
Step 7: Provision on Demand
Navigate to the Provision on Demand tab.
Search for the user you want to provision.
Select the user.
Click Provision. Azure will immediately provision the selected user.
Once provisioning is complete:
The user account will be automatically created in Kyvos with the configured default role.
Provisioned users can log in to Kyvos only through the OAuth configuration configured in Kyvos.