SCIM Provisioning

Table of Contents

  • Overview

  • Why use SCIM

  • What SCIM keeps in sync

  • Prerequisites

  • What you'll need from Ghost Inspector

  • Setting up SCIM

  • How SCIM and SSO work together

  • Troubleshooting

  • Related

Overview

SCIM (System for Cross-domain Identity Management) lets your identity provider (IdP) automatically manage Ghost Inspector membership. When you add someone to the Ghost Inspector application in your IdP, they are provisioned in Ghost Inspector; when you remove them, their access is revoked — without anyone manually inviting or removing members.

SCIM works alongside single sign-on. SSO governs how members log in; SCIM governs who exists in your organization and keeps that list in sync with your IdP automatically.

SCIM provisioning is an enterprise feature and is set up together with SSO. Contact your Ghost Inspector account representative or support to enable it.

Why use SCIM

Without SCIM, members are still created automatically the first time they sign in through SSO (just-in-time provisioning). SCIM adds two important capabilities on top of that:

  • Provision in advance — members appear in your organization as soon as you assign them in your IdP, before they ever log in.
  • Automatic deprovisioning — when you remove or deactivate a user in your IdP, their Ghost Inspector access is revoked automatically. This is the key benefit for security and offboarding: access is removed the moment HR or IT disables the account upstream.

What SCIM keeps in sync

Ghost Inspector supports the standard SCIM 2.0 protocol. Depending on your IdP's configuration, the following operations are supported:

  • Create user — adds a member to your organization.
  • Update user — keeps profile details (such as name and email) in sync.
  • Deactivate / delete user — removes the member's access to your organization.

Prerequisites

  • An enterprise plan with SSO and SCIM enabled for your organization.
  • An identity provider that supports SCIM 2.0 provisioning (for example, Okta or Microsoft Entra ID).
  • Administrator access to your IdP.
  • The verified email domain(s) for your organization.

What you'll need from Ghost Inspector

To connect your IdP, Ghost Inspector provides two values:

  • A SCIM Base URL — the endpoint your IdP sends provisioning requests to.
  • A bearer token — a secret used to authenticate those requests.
The SCIM bearer token grants the ability to manage your organization's membership. Treat it like a password: store it securely in your IdP's provisioning configuration and never share it. If it is ever exposed, contact Ghost Inspector to have it regenerated.

Setting up SCIM

The general flow is the same across providers:

  1. Make sure SSO is already configured for your organization.
  2. Obtain the SCIM Base URL and bearer token from Ghost Inspector.
  3. In your IdP's Ghost Inspector application, enable provisioning and enter the base URL and token.
  4. Map the user attributes (email and name) your IdP will send.
  5. Assign users or groups and let your IdP perform the initial sync.

Okta

Okta only shows the Provisioning tab after SCIM provisioning is turned on for the application, so enable it first.

  1. In the Okta Admin Console, go to Applications → Applications and select your Ghost Inspector application.
  2. On the General tab, find the Provisioning section and change Provisioning Mode from None to SCIM, then save.
  3. Open the now-available Provisioning tab and select Integration.
  4. Click Configure API Integration and check Enable API integration.
  5. Enter the SCIM Base URL as the Base URL and the bearer token as the API token.
  6. Set the Unique identifier field for users to userName and the Authentication Mode to HTTP Header.
  7. Click Test Connector Configuration, then Save once the test passes.
  8. Under To App, click Edit and enable Create Users, Update User Attributes, and Deactivate Users.
  9. Confirm the attribute mappings (at minimum, the user's email).
  10. Assign people or groups; Okta will provision them to Ghost Inspector.

Microsoft Entra ID (Azure AD)

  1. Open your Ghost Inspector enterprise application and go to Provisioning.
  2. Set Provisioning Mode to Automatic.
  3. Under Admin Credentials, enter the SCIM Base URL as the Tenant URL and the bearer token as the Secret Token, then test the connection.
  4. Review the Mappings for users to confirm email and name attributes are sent.
  5. Set provisioning Scope and turn Provisioning Status On.
  6. Assign users and groups; Entra ID will sync them on its provisioning cycle.

How SCIM and SSO work together

  • SCIM decides who is a member of your organization.
  • SSO decides how those members authenticate when they log in.
  • Just-in-time provisioning still applies: even with SCIM, a member who logs in via SSO is created if they don't already exist. SCIM simply lets you manage that list proactively and remove access automatically.
For a smooth offboarding process, deactivate users in your identity provider. SCIM will revoke their Ghost Inspector access, and SSO will prevent them from logging back in.

Troubleshooting

  • Users aren't being created — confirm the bearer token is correct and that provisioning (Create Users) is enabled and assigned to the right users or groups in your IdP.
  • Deactivations aren't taking effect — ensure Deactivate Users (Okta) or the equivalent sync action (Entra ID) is enabled, and that the user is unassigned or disabled in your IdP.
  • Attribute errors — verify the email attribute is mapped and matches the address used for SSO login.

If issues persist, contact support.