From 860d75a3362bdc3f8ba5effa2e5e320ae02fa60e Mon Sep 17 00:00:00 2001
From: Cyril PETEL
Date: Thu, 22 Jan 2026 15:32:21 +0100
Subject: [PATCH 1/9] first draft for scim doc
---
pages/iam/how-to/manage-users-with-scim | 76 +++++++++++++++++++++++++
pages/iam/menu.ts | 6 +-
2 files changed, 81 insertions(+), 1 deletion(-)
create mode 100644 pages/iam/how-to/manage-users-with-scim
diff --git a/pages/iam/how-to/manage-users-with-scim b/pages/iam/how-to/manage-users-with-scim
new file mode 100644
index 0000000000..f8aac322f7
--- /dev/null
+++ b/pages/iam/how-to/manage-users-with-scim
@@ -0,0 +1,76 @@ +--- +title: How to manage users with SCIM +description: Learn how to automatically provision and edit users from your Identity Provider using SCIM +dates: + validation: 2025-02-01 + posted: 2025-02-01 +--- +import Requirements from '@macros/iam/requirements.mdx' + +**S**ystem for **C**ross-domain **I**dentity **Management** - also known as **SCIM**, is a standard protocol for exchanging user identity and authorization data between an Identity Provider and a Service Provider. + +Combined with [SAML](/iam/how-to/set-up-identity-federation), it allows IAM managers to fully manager User management through the Identity Provider: +- SAML is used for members to log in, by authentication on their Identity Provider with the related authentication policies +- SCIM is used to automatically create, update, (un)lock and delete users on Scaleway based on the actions performed on the user directory on the Identity Provider side + + + Only SCIM user-related actions are currently supported by Scaleway. Group auto-provisioning is planned to be available in the coming months. + + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization + +## How to access the SCIM configuration section + +1. Click **Settings** on the top-right of the Organization Dashboard. The [Organization settings](https://console.scaleway.com/settings) display. Alternatively, click **Settings** on the top-right drop-down menu of the Scaleway console +2. Click the **Automatic user provisioning (SCIM)** button. The SCIM-related section displays + + +## How to activate SCIM + +From the SCIM Configuration section, you can enable SCIM for the Organization. + + +1. Click on **Enable**. A pop-up displays to inform you that a token creation is needed to activate SCIM. + +2. Click the **Enable SCIM and create token** button. 
SCIM is now enabled for the Organization and two fields are displayed: +- **A SCIM token**, to be used by the Identity Provider to authenticate to Scaleway to perform the needed actions. This token is **sensitive** and should not be shared to anyone. It will only be displayed once by the console. +- **A base URL**, for the Identity Provider to connect to Scaleway. + +3. Click on **Close**. The configuration is complete on Scaleway side, but you need now to configure SCIM on your Identity provider. + +Both base URL and SCIM token need to be communicated to your Identity Provider using their SCIM configuration interface. Make sure both fields are used during the configuration as any provider will need it to provision users on Scaleway. Depending on the provider, you may be benefit from a test interface to make sure that the configuration is correct. + + + To ensure the correct configuration of SCIM, you can perform an action on your Identity Provider (changing a name, creating a new user). You should then see: + - The impacts reflected on [your users](https://console.scaleway.com/iam/users) + - The update events appearing on your [Audit Trail in the Paris region](https://console.scaleway.com/audit-trail/fr-par/events) + + + + All users created prior to the SCIM configuration, and not present in the Identity Provider directory, will not be impacted by the SCIM configuration and cannot be updated or deleted. If these users must be managed by SCIM, they must be re-created on the Identity Provider side. + + + + +## How to rotate the SCIM token + +At any moment, your SCIM configuration can have up to two active tokens. From the SCIM Configuration section, you can create a second token. + +1. Click on **Generate token** to create a second token +2. Follow the same steps as during the [first SCIM activation](/iam/how-to/manage-users-with-scim/#how-to-activate-scim) - don't forget to replace the former SCIM token by the new one on your Identity provider +3. 
Make sure the SCIM configuration is still working + + + SCIM tokens have a time-to-live of 1 year. When a token is expired, it cannot be used to provision users, and a new token must be created. + + +## How to deactivate SCIM + +1. Click the **Disable** button on top of the Automatic user provisioning (SCIM) section +2. Type **Disable** to confirm. + + - If automatic user provisioning with SCIM is disabled on Scaleway, your Identity Provider will not be able to perform any actions on Users, even if the configuration is correctly done on this side. + diff --git a/pages/iam/menu.ts b/pages/iam/menu.ts index 23feb647c2..60f5920ca8 100644 --- a/pages/iam/menu.ts +++ b/pages/iam/menu.ts @@ -50,7 +50,11 @@ export const iamMenu = { label: 'Set up SSO with Authentik', slug: 'set-up-sso-with-authentik' }, - { + { + label: 'Set up automatic user provisioning with SCIM', + slug: 'manage-users-with-scim' + }, + { label: 'Set and manage credential maximum duration', slug: 'set-credentials-maximum-duration' }, From db5fcd551465a1bb932785322786f39f5aaf50c2 Mon Sep 17 00:00:00 2001 From: Cyril PETEL Date: Fri, 23 Jan 2026 11:26:52 +0100 Subject: [PATCH 2/9] fixing typo and inconsistencies and adding audit trail mention --- macros/audit-trail/iam-endpoints.mdx | 2 ++ ...s-with-scim => manage-users-with-scim.mdx} | 26 +++++++++++-------- 2 files changed, 17 insertions(+), 11 deletions(-) rename pages/iam/how-to/{manage-users-with-scim => manage-users-with-scim.mdx} (65%) diff --git a/macros/audit-trail/iam-endpoints.mdx b/macros/audit-trail/iam-endpoints.mdx index f52d6b8352..6dd5a57e39 100644 --- a/macros/audit-trail/iam-endpoints.mdx +++ b/macros/audit-trail/iam-endpoints.mdx 
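Review bot: The new entry in the `pages/iam/menu.ts` hunk is labelled `'Set up automatic user provisioning with SCIM'`, but its slug is `manage-users-with-scim` and the page it points to is titled "How to manage users with SCIM". The page also covers rotating tokens and disabling SCIM, so a label that matches the title would be easier to find from the menu, for example `label: 'Manage users with SCIM',`. The `{` that is removed and re-added after the new entry appears to differ only in whitespace. Keeping the file's existing indentation there would limit the change to the four added lines. The `iamMenu` object starts and ends outside this hunk, so the ordering of the neighbouring entries cannot be checked from here.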
@@ -40,4 +40,6 @@ macro: adt-iam-endpoints - DeletePolicy (`DELETE /iam/v1alpha1/policies/{policy_id}`) - ClonePolicy (`POST /iam/v1alpha1/policies/{policy_id}/clone`) - SetRules (`PUT /iam/v1alpha1/rules`) + + If SCIM is activated on your Organization, all calls performed by the Identity Provider will also appear on Audit Trail, using the same APIs as regular actions. \ No newline at end of file diff --git a/pages/iam/how-to/manage-users-with-scim b/pages/iam/how-to/manage-users-with-scim.mdx similarity index 65% rename from pages/iam/how-to/manage-users-with-scim rename to pages/iam/how-to/manage-users-with-scim.mdx index f8aac322f7..ff34fe8758 100644 --- a/pages/iam/how-to/manage-users-with-scim +++ b/pages/iam/how-to/manage-users-with-scim.mdx 
@@ -7,10 +7,10 @@ dates: --- import Requirements from '@macros/iam/requirements.mdx' -**S**ystem for **C**ross-domain **I**dentity **Management** - also known as **SCIM**, is a standard protocol for exchanging user identity and authorization data between an Identity Provider and a Service Provider. +**S**ystem for **C**ross-domain **I**dentity **Management** - also known as **SCIM** - is a standard protocol for exchanging user identity and authorization data between an Identity Provider (or "IdP") and a Service Provider. -Combined with [SAML](/iam/how-to/set-up-identity-federation), it allows IAM managers to fully manager User management through the Identity Provider: -- SAML is used for members to log in, by authentication on their Identity Provider with the related authentication policies +Combined with [SAML](/iam/how-to/set-up-identity-federation), it allows IAM managers to fully manage user authentication, lifecycle and personal data through the Identity Provider: +- SAML is used for members to log in, by authenticating on their Identity Provider with the IdP-defined authentication policies - SCIM is used to automatically create, update, (un)lock and delete users on Scaleway based on the actions performed on the user directory on the Identity Provider side 
@@ -24,8 +24,8 @@ Combined with [SAML](/iam/how-to/set-up-identity-federation), it allows IAM mana ## How to access the SCIM configuration section -1. Click **Settings** on the top-right of the Organization Dashboard. The [Organization settings](https://console.scaleway.com/settings) display. Alternatively, click **Settings** on the top-right drop-down menu of the Scaleway console -2. Click the **Automatic user provisioning (SCIM)** button. The SCIM-related section displays +1. Click **Settings** on the top-right of the Organization Dashboard. The [Organization settings](https://console.scaleway.com/settings) display. Alternatively, click **Settings** on the top-right drop-down menu of the Scaleway console +2. Click the **Automatic user provisioning (SCIM)** button. The SCIM-related section displays. ## How to activate SCIM 
@@ -35,13 +35,13 @@ From the SCIM Configuration section, you can enable SCIM for the Organization. 1. Click on **Enable**. A pop-up displays to inform you that a token creation is needed to activate SCIM. -2. Click the **Enable SCIM and create token** button. SCIM is now enabled for the Organization and two fields are displayed: +2. Click the **Enable SCIM and create token** button. SCIM is now enabled for the Organization and two fields must be copied: - **A SCIM token**, to be used by the Identity Provider to authenticate to Scaleway to perform the needed actions. This token is **sensitive** and should not be shared to anyone. It will only be displayed once by the console. -- **A base URL**, for the Identity Provider to connect to Scaleway. +- **A base URL**, for the Identity Provider to know where to connect to Scaleway. 3. Click on **Close**. The configuration is complete on Scaleway side, but you need now to configure SCIM on your Identity provider. -Both base URL and SCIM token need to be communicated to your Identity Provider using their SCIM configuration interface. Make sure both fields are used during the configuration as any provider will need it to provision users on Scaleway. Depending on the provider, you may be benefit from a test interface to make sure that the configuration is correct. +Both base URL and SCIM token need to be communicated to your Identity Provider using their SCIM configuration interface. Make sure both fields are used during the configuration as any provider will need both to provision users on Scaleway. Depending on the provider, you may benefit from a test interface to make sure that the configuration is correct. To ensure the correct configuration of SCIM, you can perform an action on your Identity Provider (changing a name, creating a new user). You should then see: 
@@ -50,21 +50,25 @@ Both base URL and SCIM token need to be communicated to your Identity Provider u - All users created prior to the SCIM configuration, and not present in the Identity Provider directory, will not be impacted by the SCIM configuration and cannot be updated or deleted. If these users must be managed by SCIM, they must be re-created on the Identity Provider side. + By default, SCIM will only manage users with a common username between the Identity Provider and Scaleway. The federation will **compare users from Identity Provider and from Scaleway on the username**, and all users who do not exist on the Identity provider sid, will not be impacted by the SCIM configuration. + + If these users must be managed through SCIM, they must be re-created on the Identity Provider side, or settings must be changed on the Identity Provider side. +Depending on the providers, the delay between a change on Identity Provider side and the reflected impact on Scaleway will vary from a few seconds to 30 minutes. This duration cannot be edited on Scaleway side. ## How to rotate the SCIM token -At any moment, your SCIM configuration can have up to two active tokens. From the SCIM Configuration section, you can create a second token. +At any moment, your SCIM configuration can have up to two active tokens. When your token is about to expire, from the SCIM Configuration section, you can create a second token. 1. Click on **Generate token** to create a second token 2. Follow the same steps as during the [first SCIM activation](/iam/how-to/manage-users-with-scim/#how-to-activate-scim) - don't forget to replace the former SCIM token by the new one on your Identity provider 3. Make sure the SCIM configuration is still working +4. Optionally, you can delete the previous token - SCIM tokens have a time-to-live of 1 year. When a token is expired, it cannot be used to provision users, and a new token must be created. + SCIM tokens have a time-to-live of 1 year. 
When a token is expired, it cannot be used to provision users, and a new token must be created to keep SCIM synchronization working. ## How to deactivate SCIM From 51a74c3f6d5e3222105a0e8c307c2e1dc126a55b Mon Sep 17 00:00:00 2001 From: Jessica <113192637+jcirinosclwy@users.noreply.github.com> Date: Fri, 23 Jan 2026 17:13:09 +0100 Subject: [PATCH 3/9] first-review-jess --- pages/iam/how-to/manage-users-with-scim.mdx | 26 ++++++++------------- 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/pages/iam/how-to/manage-users-with-scim.mdx b/pages/iam/how-to/manage-users-with-scim.mdx index ff34fe8758..10f87b4440 100644 --- a/pages/iam/how-to/manage-users-with-scim.mdx +++ b/pages/iam/how-to/manage-users-with-scim.mdx 
@@ -2,16 +2,16 @@ title: How to manage users with SCIM description: Learn how to automatically provision and edit users from your Identity Provider using SCIM dates: - validation: 2025-02-01 - posted: 2025-02-01 + validation: 2026-02-01 + posted: 2026-02-01 --- import Requirements from '@macros/iam/requirements.mdx' -**S**ystem for **C**ross-domain **I**dentity **Management** - also known as **SCIM** - is a standard protocol for exchanging user identity and authorization data between an Identity Provider (or "IdP") and a Service Provider. +**S**ystem for **C**ross-domain **I**dentity **M**anagement (SCIM) is a standard protocol for exchanging user identity and authorization data between an Identity Provider (IdP) and a Service Provider. -Combined with [SAML](/iam/how-to/set-up-identity-federation), it allows IAM managers to fully manage user authentication, lifecycle and personal data through the Identity Provider: +Combined with [SAML](/iam/how-to/set-up-identity-federation), it allows IAM managers to fully manage user authentication, lifecycle, and personal data through their Identity Provider: - SAML is used for members to log in, by authenticating on their Identity Provider with the IdP-defined authentication policies -- SCIM is used to automatically create, update, (un)lock and delete users on Scaleway based on the actions performed on the user directory on the Identity Provider side +- SCIM is used to automatically create, update, lock, unlock, and delete Scaleway users based on actions performed on the user directory of the Identity Provider Only SCIM user-related actions are currently supported by Scaleway. Group auto-provisioning is planned to be available in the coming months. 
@@ -22,18 +22,12 @@ Combined with [SAML](/iam/how-to/set-up-identity-federation), it allows IAM mana - A Scaleway account logged into the [console](https://console.scaleway.com) - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization -## How to access the SCIM configuration section +## How to enable SCIM -1. Click **Settings** on the top-right of the Organization Dashboard. The [Organization settings](https://console.scaleway.com/settings) display. Alternatively, click **Settings** on the top-right drop-down menu of the Scaleway console -2. Click the **Automatic user provisioning (SCIM)** button. The SCIM-related section displays. - - -## How to activate SCIM - -From the SCIM Configuration section, you can enable SCIM for the Organization. - - -1. Click on **Enable**. A pop-up displays to inform you that a token creation is needed to activate SCIM. +1. Click the **Settings** button in the upper-right corner of the Organization Dashboard. The [Organization Settings](https://console.scaleway.com/settings) page displays. + Alternatively, click the avatar icon on the upper-right corner of the header navigation, and select **Settings** on the drop-down menu. +2. Click **Automatic user provisioning (SCIM)**, under **Organization security**, on the left navigation menu. The SCIM section displays. +3. Click the **Enable** button. A pop-up displays to inform you that a token creation is required to enable SCIM. 2. Click the **Enable SCIM and create token** button. SCIM is now enabled for the Organization and two fields must be copied: - **A SCIM token**, to be used by the Identity Provider to authenticate to Scaleway to perform the needed actions. This token is **sensitive** and should not be shared to anyone. It will only be displayed once by the console. From 5dfcf3ffe6f4b3d80ae77357239f5818e259aeac Mon Sep 17 00:00:00 2001 
From: Jessica <113192637+jcirinosclwy@users.noreply.github.com> Date: Fri, 23 Jan 2026 18:01:47 +0100 Subject: [PATCH 4/9] review-jess-2 --- macros/audit-trail/iam-endpoints.mdx | 2 +- pages/iam/how-to/manage-users-with-scim.mdx | 65 ++++++++++++--------- 2 files changed, 39 insertions(+), 28 deletions(-) diff --git a/macros/audit-trail/iam-endpoints.mdx b/macros/audit-trail/iam-endpoints.mdx index 6dd5a57e39..505d183fa4 100644 --- a/macros/audit-trail/iam-endpoints.mdx +++ b/macros/audit-trail/iam-endpoints.mdx @@ -41,5 +41,5 @@ macro: adt-iam-endpoints - ClonePolicy (`POST /iam/v1alpha1/policies/{policy_id}/clone`) - SetRules (`PUT /iam/v1alpha1/rules`) - If SCIM is activated on your Organization, all calls performed by the Identity Provider will also appear on Audit Trail, using the same APIs as regular actions. + If SCIM is enabled in your Organization, all calls performed by the Identity Provider will also appear on Audit Trail, using the same APIs as regular actions. \ No newline at end of file diff --git a/pages/iam/how-to/manage-users-with-scim.mdx b/pages/iam/how-to/manage-users-with-scim.mdx index 10f87b4440..ca14b82da9 100644 --- a/pages/iam/how-to/manage-users-with-scim.mdx +++ b/pages/iam/how-to/manage-users-with-scim.mdx 
@@ -27,48 +27,59 @@ Combined with [SAML](/iam/how-to/set-up-identity-federation), it allows IAM mana 1. Click the **Settings** button in the upper-right corner of the Organization Dashboard. The [Organization Settings](https://console.scaleway.com/settings) page displays. Alternatively, click the avatar icon on the upper-right corner of the header navigation, and select **Settings** on the drop-down menu. 2. Click **Automatic user provisioning (SCIM)**, under **Organization security**, on the left navigation menu. The SCIM section displays. -3. Click the **Enable** button. A pop-up displays to inform you that a token creation is required to enable SCIM. +3. Click the **Enable** button. A pop-up displays, informing you that a token creation is required to enable SCIM. -2. Click the **Enable SCIM and create token** button. SCIM is now enabled for the Organization and two fields must be copied: -- **A SCIM token**, to be used by the Identity Provider to authenticate to Scaleway to perform the needed actions. This token is **sensitive** and should not be shared to anyone. It will only be displayed once by the console. -- **A base URL**, for the Identity Provider to know where to connect to Scaleway. +4. Click the **Enable SCIM and create token** button. SCIM is now enabled for the Organization, and two fields are displayed and must be copied: +- A **SCIM token**, which is used by the Identity Provider to authenticate to Scaleway and perform the necessary actions. This token is **sensitive** and should not be shared with anyone. +- A **base URL**, which is used by the Identity Provider to locate the Scaleway account to which connect. -3. Click on **Close**. The configuration is complete on Scaleway side, but you need now to configure SCIM on your Identity provider. - -Both base URL and SCIM token need to be communicated to your Identity Provider using their SCIM configuration interface. 
Make sure both fields are used during the configuration as any provider will need both to provision users on Scaleway. Depending on the provider, you may benefit from a test interface to make sure that the configuration is correct. + + Both the SCIM token and the base URL are important pieces of information that are only displayed once. Copy and safely store them before closing the pop-up. **You will need them to set up SCIM with your Identity Provider.** + +5. Click **Close**. + The configuration is complete on the Scaleway side, but you must now carry out the SCIM setup on your Identity provider. + - To ensure the correct configuration of SCIM, you can perform an action on your Identity Provider (changing a name, creating a new user). You should then see: - - The impacts reflected on [your users](https://console.scaleway.com/iam/users) - - The update events appearing on your [Audit Trail in the Paris region](https://console.scaleway.com/audit-trail/fr-par/events) - + To ensure the correct configuration of SCIM, you can perform actions such as changing a name or creating a user directly on your Identity Provider. You should then see: + - The impacts reflected on your Scaleway [users](https://console.scaleway.com/iam/users) + - The update events listed in the Paris region of your [Audit Trail dashboard](https://console.scaleway.com/audit-trail/fr-par/events) + - By default, SCIM will only manage users with a common username between the Identity Provider and Scaleway. The federation will **compare users from Identity Provider and from Scaleway on the username**, and all users who do not exist on the Identity provider sid, will not be impacted by the SCIM configuration. + By default, SCIM manages users only if their usernames match between the Identity Provider and Scaleway. The federation **compares users from both sources**, and users not found on the Identity Provider are not impacted by SCIM configuration. 
+ If you wish to manage not-found users via SCIM, you must re-create them on the Identity Provider or change settings on the Identity Provider side. + - If these users must be managed through SCIM, they must be re-created on the Identity Provider side, or settings must be changed on the Identity Provider side. - +Depending on the provider, changes might take from a few seconds to up to 30 minutes to be synchronized. This delay cannot be modified by Scaleway. + +## How to rotate a SCIM token -Depending on the providers, the delay between a change on Identity Provider side and the reflected impact on Scaleway will vary from a few seconds to 30 minutes. This duration cannot be edited on Scaleway side. +You can have up to two active SCIM tokens at a time. To create a second token: +1. Click the **Settings** button in the upper-right corner of the Organization Dashboard. The [Organization Settings](https://console.scaleway.com/settings) page displays. +2. Click **Automatic user provisioning (SCIM)**, under **Organization security**, on the left navigation menu. The SCIM section displays. +3. Click **Generate token**. A pop-up displays. +4. Follow the same steps for [first enabling SCIM](/iam/how-to/manage-users-with-scim/#how-to-enable-scim). -## How to rotate the SCIM token + + Ensure to replace the previous SCIM token with the new one on your Identity Provider. + -At any moment, your SCIM configuration can have up to two active tokens. When your token is about to expire, from the SCIM Configuration section, you can create a second token. +5. Check if the SCIM configuration is still working. -1. Click on **Generate token** to create a second token -2. Follow the same steps as during the [first SCIM activation](/iam/how-to/manage-users-with-scim/#how-to-activate-scim) - don't forget to replace the former SCIM token by the new one on your Identity provider -3. Make sure the SCIM configuration is still working -4. 
Optionally, you can delete the previous token + Optionally, you can delete the previous token if no longer necessary. - SCIM tokens have a time-to-live of 1 year. When a token is expired, it cannot be used to provision users, and a new token must be created to keep SCIM synchronization working. - + SCIM tokens have a time-to-live of 1 year. When a token expires, it can no longer be used to provision users, and a new token must be created to keep SCIM synchronization working. + -## How to deactivate SCIM +## How to disable SCIM -1. Click the **Disable** button on top of the Automatic user provisioning (SCIM) section -2. Type **Disable** to confirm. +1. Click the **Settings** button in the upper-right corner of the Organization Dashboard. The [Organization Settings](https://console.scaleway.com/settings) page displays. +2. Click **Automatic user provisioning (SCIM)**, under **Organization security**, on the left navigation menu. The SCIM section displays. +3. Click the **Disable** button. +4. Type **Disable** to confirm. - - If automatic user provisioning with SCIM is disabled on Scaleway, your Identity Provider will not be able to perform any actions on Users, even if the configuration is correctly done on this side. + If SCIM is disabled on Scaleway, your Identity Provider will no longer be able to perform any actions on users, even if the configuration is correctly done on this side. From 040facd70dcc17d396d116efeb52163b416e7fb7 Mon Sep 17 00:00:00 2001 From: Jessica <113192637+jcirinosclwy@users.noreply.github.com> Date: Fri, 23 Jan 2026 18:02:24 +0100 Subject: [PATCH 5/9] Apply suggestion from @jcirinosclwy --- pages/iam/how-to/manage-users-with-scim.mdx | 1 - 1 file changed, 1 deletion(-) diff --git a/pages/iam/how-to/manage-users-with-scim.mdx b/pages/iam/how-to/manage-users-with-scim.mdx index ca14b82da9..81234d7376 100644 --- a/pages/iam/how-to/manage-users-with-scim.mdx +++ b/pages/iam/how-to/manage-users-with-scim.mdx 
@@ -28,7 +28,6 @@ Combined with [SAML](/iam/how-to/set-up-identity-federation), it allows IAM mana Alternatively, click the avatar icon on the upper-right corner of the header navigation, and select **Settings** on the drop-down menu. 2. Click **Automatic user provisioning (SCIM)**, under **Organization security**, on the left navigation menu. The SCIM section displays. 3. Click the **Enable** button. A pop-up displays, informing you that a token creation is required to enable SCIM. - 4. Click the **Enable SCIM and create token** button. SCIM is now enabled for the Organization, and two fields are displayed and must be copied: - A **SCIM token**, which is used by the Identity Provider to authenticate to Scaleway and perform the necessary actions. This token is **sensitive** and should not be shared with anyone. - A **base URL**, which is used by the Identity Provider to locate the Scaleway account to which connect. From dd9887db69fac554119a82482af1caab96555a95 Mon Sep 17 00:00:00 2001 From: Cyril Petel <100215794+crlptl@users.noreply.github.com> Date: Wed, 4 Feb 2026 16:20:57 +0100 Subject: [PATCH 6/9] Update manage-users-with-scim.mdx --- pages/iam/how-to/manage-users-with-scim.mdx | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pages/iam/how-to/manage-users-with-scim.mdx b/pages/iam/how-to/manage-users-with-scim.mdx index 81234d7376..8cddccb94e 100644 --- a/pages/iam/how-to/manage-users-with-scim.mdx +++ b/pages/iam/how-to/manage-users-with-scim.mdx 
@@ -13,6 +13,10 @@ Combined with [SAML](/iam/how-to/set-up-identity-federation), it allows IAM mana - SAML is used for members to log in, by authenticating on their Identity Provider with the IdP-defined authentication policies - SCIM is used to automatically create, update, lock, unlock, and delete Scaleway users based on actions performed on the user directory of the Identity Provider + + This feature is on Early Access phase and obly available for some Organizations + + Only SCIM user-related actions are currently supported by Scaleway. Group auto-provisioning is planned to be available in the coming months. From 27b0795c769fbc5e3afe6a47e516d29c5d530ea8 Mon Sep 17 00:00:00 2001 From: Jessica <113192637+jcirinosclwy@users.noreply.github.com> Date: Wed, 4 Feb 2026 16:36:45 +0100 Subject: [PATCH 7/9] Apply suggestions from code review --- pages/iam/how-to/manage-users-with-scim.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pages/iam/how-to/manage-users-with-scim.mdx b/pages/iam/how-to/manage-users-with-scim.mdx index 8cddccb94e..8bf8da0dc0 100644 --- a/pages/iam/how-to/manage-users-with-scim.mdx +++ b/pages/iam/how-to/manage-users-with-scim.mdx 
@@ -10,11 +10,11 @@ import Requirements from '@macros/iam/requirements.mdx' **S**ystem for **C**ross-domain **I**dentity **M**anagement (SCIM) is a standard protocol for exchanging user identity and authorization data between an Identity Provider (IdP) and a Service Provider. Combined with [SAML](/iam/how-to/set-up-identity-federation), it allows IAM managers to fully manage user authentication, lifecycle, and personal data through their Identity Provider: -- SAML is used for members to log in, by authenticating on their Identity Provider with the IdP-defined authentication policies +- SAML is used for members to log in by authenticating on their Identity Provider with the IdP-defined authentication policies - SCIM is used to automatically create, update, lock, unlock, and delete Scaleway users based on actions performed on the user directory of the Identity Provider - This feature is on Early Access phase and obly available for some Organizations + This feature is in the **Early Access** phase and is only available to some Organizations. From 6eadb9baac895b4aaf45df08af45f9447e06cdd5 Mon Sep 17 00:00:00 2001 From: Jessica <113192637+jcirinosclwy@users.noreply.github.com> Date: Wed, 4 Feb 2026 16:39:51 +0100 Subject: [PATCH 8/9] last-review --- pages/iam/how-to/manage-users-with-scim.mdx | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pages/iam/how-to/manage-users-with-scim.mdx b/pages/iam/how-to/manage-users-with-scim.mdx index 8bf8da0dc0..597251497d 100644 --- a/pages/iam/how-to/manage-users-with-scim.mdx +++ b/pages/iam/how-to/manage-users-with-scim.mdx @@ -18,7 +18,7 @@ Combined with [SAML](/iam/how-to/set-up-identity-federation), it allows IAM mana - Only SCIM user-related actions are currently supported by Scaleway. Group auto-provisioning is planned to be available in the coming months. + Only SCIM user-related actions are currently supported by Scaleway. Group auto-provisioning is planned for availability in the coming months. 
@@ -29,7 +29,7 @@ Combined with [SAML](/iam/how-to/set-up-identity-federation), it allows IAM mana ## How to enable SCIM 1. Click the **Settings** button in the upper-right corner of the Organization Dashboard. The [Organization Settings](https://console.scaleway.com/settings) page displays. - Alternatively, click the avatar icon on the upper-right corner of the header navigation, and select **Settings** on the drop-down menu. + Alternatively, click the avatar icon in the upper-right corner of the header navigation, then select **Settings** on the drop-down menu. 2. Click **Automatic user provisioning (SCIM)**, under **Organization security**, on the left navigation menu. The SCIM section displays. 3. Click the **Enable** button. A pop-up displays, informing you that a token creation is required to enable SCIM. 4. Click the **Enable SCIM and create token** button. SCIM is now enabled for the Organization, and two fields are displayed and must be copied: 
@@ -41,16 +41,16 @@ Combined with [SAML](/iam/how-to/set-up-identity-federation), it allows IAM mana 5. Click **Close**. - The configuration is complete on the Scaleway side, but you must now carry out the SCIM setup on your Identity provider. + The configuration is complete on the Scaleway side, but you now need to carry out the SCIM setup on your Identity provider. - To ensure the correct configuration of SCIM, you can perform actions such as changing a name or creating a user directly on your Identity Provider. You should then see: + To ensure the correct SCIM configuration, you can perform actions such as changing a name or creating a user directly on your Identity Provider. You should then see: - The impacts reflected on your Scaleway [users](https://console.scaleway.com/iam/users) - The update events listed in the Paris region of your [Audit Trail dashboard](https://console.scaleway.com/audit-trail/fr-par/events) - By default, SCIM manages users only if their usernames match between the Identity Provider and Scaleway. The federation **compares users from both sources**, and users not found on the Identity Provider are not impacted by SCIM configuration. + By default, SCIM manages users only if their usernames match between the Identity Provider and Scaleway. The federation **compares users from both sources**, and users not found in the Identity Provider are not impacted by SCIM configuration. If you wish to manage not-found users via SCIM, you must re-create them on the Identity Provider or change settings on the Identity Provider side. From 0e8e6ed8db77c314ce2baafaf4daa6a30b806d3d Mon Sep 17 00:00:00 2001 From: Jessica <113192637+jcirinosclwy@users.noreply.github.com> Date: Wed, 4 Feb 2026 16:40:14 +0100 Subject: [PATCH 9/9] Apply suggestions from code review --- pages/iam/how-to/manage-users-with-scim.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pages/iam/how-to/manage-users-with-scim.mdx b/pages/iam/how-to/manage-users-with-scim.mdx index 597251497d..3bfb3f33e6 100644 --- a/pages/iam/how-to/manage-users-with-scim.mdx +++ b/pages/iam/how-to/manage-users-with-scim.mdx @@ -2,8 +2,8 @@ title: How to manage users with SCIM description: Learn how to automatically provision and edit users from your Identity Provider using SCIM dates: - validation: 2026-02-01 - posted: 2026-02-01 + validation: 2026-02-05 + posted: 2026-02-05 --- import Requirements from '@macros/iam/requirements.mdx'