Overview

Use SCIM 2.0 to automate user provisioning and deprovisioning from an external identity provider such as Okta, Azure AD, or Google Workspace. SCIM keeps users, attributes, and access in sync with your identity system and reduces manual administration.

How it works

When you use SCIM provisioning:
  • Poolside creates users automatically when you add them in your identity provider
  • Poolside keeps user attributes in sync
  • Poolside can assign users to a default team
  • Removing or disabling a user in your identity provider revokes access in Poolside
Poolside isolates provisioned users to your organization. When you remove a user, Poolside does not delete their resources.

Notes and limitations

  • SCIM provisioning manages users, not roles. You assign roles to teams separately
  • The SCIM team assignment setting controls team membership
  • Poolside logs SCIM operations for audit and troubleshooting purposes

Set up automatic provisioning

Prerequisites
  • You belong to a team with the tenant-admin role.
  • You can configure SCIM in your identity provider.
Steps
1

Create a SCIM provisioning role

SCIM requests require a role that grants the Provision Users with SCIM action at the tenant level.
You cannot assign roles directly to API keys. Instead, API keys inherit permissions from the team they are associated with.
  1. In the Poolside Console, navigate to Organization > Roles.
  2. Click New Role.
  3. Enter a Role Name, for example provisioner.
  4. Click Add Permission.
  5. Set Scope to Tenant and select Provision Users with SCIM.
  6. Click Create Role.
2

Create a team and assign the role

Create a team and assign the SCIM provisioning role to it.
  1. In the Poolside Console, navigate to Organization > Teams.
  2. Click New Team.
  3. Enter a Team Name, for example SCIM.
  4. For Role, select the SCIM provisioning role you created.
  5. Click Create.
3

Create an API key for SCIM

Create an API key and select the team you created for SCIM provisioning.
  1. In the Poolside Console, navigate to Settings > API Keys.
  2. Click New API Key.
  3. For Team, select the team with the SCIM provisioning role you created.
  4. For Name, enter an API key name.
  5. Click Create.
The API key inherits the permissions of the selected team. Store the key securely. Your identity provider uses this key as a bearer token. The authorization header should be Authorization: Bearer <api-key>.
4

Optional: Configure team assignment

Optionally assign users provisioned via SCIM to a specific team. When enabled, all users created via SCIM are added to the selected team and inherit that team’s roles and permissions.
To configure team assignment:
  1. In the Poolside Console, navigate to Settings > User Provisioning.
  2. Enable Team Assignment and select a team.
  3. Click Save Assignment.
5

Configure your identity provider

  1. In the Poolside Console, navigate to Settings > User Provisioning.
  2. In the SCIM Integration section, copy the provided URL Endpoint. For example: https://api.poolside.example.com/scim
  3. Using the copied URL and the API key as the bearer token, configure SCIM provisioning in your identity provider. For more information, see the documentation for your identity provider.
After configuration, your identity provider begins synchronizing users.
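
The requests an identity provider sends once step 5 is configured, shown as an added example that is not Poolside's code: it builds, without sending, the standard SCIM 2.0 create and deactivate calls from RFC 7644 with the Authorization: Bearer header described above. The /Users paths, payload fields, user id, and the SCIM_API_KEY variable are assumptions taken from the SCIM standard or constructed for illustration; this page documents only the endpoint URL and the bearer header.

```python
import json
import os
import urllib.request

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_request(base_url, api_key, method, path, payload):
    """Build (but do not send) a SCIM 2.0 request carrying the bearer token."""
    if not base_url.lower().startswith("https://"):
        # A bearer token sent over plain HTTP is readable by anyone on the path.
        raise ValueError("SCIM endpoint must use https")
    if not api_key or api_key != api_key.strip():
        raise ValueError("API key is empty or has stray whitespace")
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(payload).encode("utf-8"),
        method=method,
        headers={
            "Authorization": "Bearer " + api_key,
            "Content-Type": "application/scim+json",
            "Accept": "application/scim+json",
        },
    )


def create_user(base_url, api_key, user_name, given, family):
    """RFC 7644 section 3.3: create a user with POST /Users."""
    body = {"schemas": [SCIM_USER], "userName": user_name, "active": True,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": user_name, "primary": True}]}
    return scim_request(base_url, api_key, "POST", "/Users", body)


def deactivate_user(base_url, api_key, user_id):
    """RFC 7644 section 3.5.2: disable a user with PATCH, setting active to false."""
    body = {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return scim_request(base_url, api_key, "PATCH", "/Users/" + user_id, body)


if __name__ == "__main__":
    # Example endpoint from the page; the key comes from the environment, never from source.
    endpoint = "https://api.poolside.example.com/scim"
    key = os.environ.get("SCIM_API_KEY", "constructed-placeholder-key")
    for req in (create_user(endpoint, key, "alice@example.com", "Alice", "Doe"),
                deactivate_user(endpoint, key, "constructed-id-123")):
        print(req.get_method(), req.full_url, req.data.decode())
```

Identity providers differ in the exact PATCH body they emit for deactivation, so compare these shapes against the SCIM operations Poolside logs when troubleshooting.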