Merged
2 changes: 2 additions & 0 deletions macros/audit-trail/iam-endpoints.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -40,4 +40,6 @@ macro: adt-iam-endpoints
- DeletePolicy (`DELETE /iam/v1alpha1/policies/{policy_id}`)
- ClonePolicy (`POST /iam/v1alpha1/policies/{policy_id}/clone`)
- SetRules (`PUT /iam/v1alpha1/rules`)

If SCIM is enabled in your Organization, all calls performed by the Identity Provider will also appear on Audit Trail, using the same APIs as regular actions.
</Accordion>
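Review bot: The added sentence after the SetRules entry says SCIM calls appear "using the same APIs as regular actions", which does not tell the reader how to distinguish calls made by the Identity Provider from calls made by a person. This accordion is what someone reads while reviewing Audit Trail events, so state explicitly that SCIM calls are recorded under the same method names listed above, and name the event field that identifies the SCIM token as the caller, if there is one. "in Audit Trail" also reads more naturally than "on Audit Trail".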
88 changes: 88 additions & 0 deletions pages/iam/how-to/manage-users-with-scim.mdx
@@ -0,0 +1,88 @@
---
title: How to manage users with SCIM
description: Learn how to automatically provision and edit users from your Identity Provider using SCIM
dates:
validation: 2026-02-05
posted: 2026-02-05
---
import Requirements from '@macros/iam/requirements.mdx'

**S**ystem for **C**ross-domain **I**dentity **M**anagement (SCIM) is a standard protocol for exchanging user identity and authorization data between an Identity Provider (IdP) and a Service Provider.

Combined with [SAML](/iam/how-to/set-up-identity-federation), it allows IAM managers to fully manage user authentication, lifecycle, and personal data through their Identity Provider:
- SAML is used for members to log in by authenticating on their Identity Provider with the IdP-defined authentication policies
- SCIM is used to automatically create, update, lock, unlock, and delete Scaleway users based on actions performed on the user directory of the Identity Provider

<Message type="important">
This feature is in the **Early Access** phase and is only available to some Organizations.
</Message>

<Message type="important">
Only SCIM user-related actions are currently supported by Scaleway. Group auto-provisioning is planned for availability in the coming months.
</Message>

<Requirements />

- A Scaleway account logged into the [console](https://console.scaleway.com)
- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization

## How to enable SCIM

1. Click the **Settings** button in the upper-right corner of the Organization Dashboard. The [Organization Settings](https://console.scaleway.com/settings) page displays.
Alternatively, click the avatar icon in the upper-right corner of the header navigation, then select **Settings** on the drop-down menu.
2. Click **Automatic user provisioning (SCIM)**, under **Organization security**, on the left navigation menu. The SCIM section displays.
3. Click the **Enable** button. A pop-up displays, informing you that a token creation is required to enable SCIM.
4. Click the **Enable SCIM and create token** button. SCIM is now enabled for the Organization, and two fields are displayed and must be copied:
- A **SCIM token**, which is used by the Identity Provider to authenticate to Scaleway and perform the necessary actions. This token is **sensitive** and should not be shared with anyone.
- A **base URL**, which is used by the Identity Provider to locate the Scaleway account to which connect.

<Message type="important">
Both the SCIM token and the base URL are important pieces of information that are only displayed once. Copy and safely store them before closing the pop-up. **You will need them to set up SCIM with your Identity Provider.**
</Message>

5. Click **Close**.
The configuration is complete on the Scaleway side, but you now need to carry out the SCIM setup on your Identity provider.

<Message type="note">
To ensure the correct SCIM configuration, you can perform actions such as changing a name or creating a user directly on your Identity Provider. You should then see:
- The impacts reflected on your Scaleway [users](https://console.scaleway.com/iam/users)
- The update events listed in the Paris region of your [Audit Trail dashboard](https://console.scaleway.com/audit-trail/fr-par/events)
</Message>

<Message type="important">
By default, SCIM manages users only if their usernames match between the Identity Provider and Scaleway. The federation **compares users from both sources**, and users not found in the Identity Provider are not impacted by SCIM configuration.
If you wish to manage not-found users via SCIM, you must re-create them on the Identity Provider or change settings on the Identity Provider side.
</Message>

Depending on the provider, changes might take from a few seconds to up to 30 minutes to be synchronized. This delay cannot be modified by Scaleway.

## How to rotate a SCIM token

You can have up to two active SCIM tokens at a time. To create a second token:

1. Click the **Settings** button in the upper-right corner of the Organization Dashboard. The [Organization Settings](https://console.scaleway.com/settings) page displays.
2. Click **Automatic user provisioning (SCIM)**, under **Organization security**, on the left navigation menu. The SCIM section displays.
3. Click **Generate token**. A pop-up displays.
4. Follow the same steps for [first enabling SCIM](/iam/how-to/manage-users-with-scim/#how-to-enable-scim).

<Message type="important">
Ensure to replace the previous SCIM token with the new one on your Identity Provider.
</Message>

5. Check if the SCIM configuration is still working.

Optionally, you can delete the previous token if no longer necessary.

<Message type="note">
SCIM tokens have a time-to-live of 1 year. When a token expires, it can no longer be used to provision users, and a new token must be created to keep SCIM synchronization working.
</Message>

## How to disable SCIM

1. Click the **Settings** button in the upper-right corner of the Organization Dashboard. The [Organization Settings](https://console.scaleway.com/settings) page displays.
2. Click **Automatic user provisioning (SCIM)**, under **Organization security**, on the left navigation menu. The SCIM section displays.
3. Click the **Disable** button.
4. Type **Disable** to confirm.
<Message type="important">
If SCIM is disabled on Scaleway, your Identity Provider will no longer be able to perform any actions on users, even if the configuration is correctly done on this side.
</Message>
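Review bot: In "How to rotate a SCIM token", the line "Optionally, you can delete the previous token if no longer necessary." leaves the old credential in place after rotation; with up to two active tokens and a one-year time-to-live, the replaced token stays active until someone deletes it or it expires. Make deletion a numbered step after step 5 rather than an optional remark, and say where the delete action is found. Step 4 of the same section points back to the enable procedure, whose steps start with the **Enable** button, so spell out which of those steps apply after **Generate token**. Smaller points: "to which connect" in step 4 of the enable section should read "to connect to", "Ensure to replace" should be "Make sure to replace", "Identity provider" is lowercase once in the paragraph after step 5 of the enable section, and the disable section does not say whether existing tokens are revoked or whether users already provisioned are kept.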
6 changes: 5 additions & 1 deletion pages/iam/menu.ts
Expand Up @@ -50,7 +50,11 @@ export const iamMenu = {
label: 'Set up SSO with Authentik',
slug: 'set-up-sso-with-authentik'
},
{
{
label: 'Set up automatic user provisioning with SCIM',
slug: 'manage-users-with-scim'
},
{
label: 'Set and manage credential maximum duration',
slug: 'set-credentials-maximum-duration'
},
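Review bot: The new menu label 'Set up automatic user provisioning with SCIM' does not match the page title "How to manage users with SCIM" added in this PR, nor its slug `manage-users-with-scim`; pick one wording so the menu entry and the page agree. The file header reports one deletion, and the two consecutive `{` lines before the new entry look like a whitespace-only rewrite of the existing brace; drop that change if it is not intentional so the diff contains only the new entry.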