SCIM Provisioning
Table of Contents
Overview
SCIM (System for Cross-domain Identity Management) lets your identity provider (IdP) automatically manage Ghost Inspector membership. When you add someone to the Ghost Inspector application in your IdP, they are provisioned in Ghost Inspector; when you remove them, their access is revoked — without anyone manually inviting or removing members.
SCIM works alongside single sign-on. SSO governs how members log in; SCIM governs who exists in your organization and keeps that list in sync with your IdP automatically.
Why use SCIM
Without SCIM, members are still created automatically the first time they sign in through SSO (just-in-time provisioning). SCIM adds two important capabilities on top of that:
- Provision in advance — members appear in your organization as soon as you assign them in your IdP, before they ever log in.
- Automatic deprovisioning — when you remove or deactivate a user in your IdP, their Ghost Inspector access is revoked automatically. This is the key benefit for security and offboarding: access is removed the moment HR or IT disables the account upstream.
What SCIM keeps in sync
Ghost Inspector supports the standard SCIM 2.0 protocol. Depending on your IdP's configuration, the following operations are supported:
- Create user — adds a member to your organization.
- Update user — keeps profile details (such as name and email) in sync.
- Deactivate / delete user — removes the member's access to your organization.
Prerequisites
- An enterprise plan with SSO and SCIM enabled for your organization.
- An identity provider that supports SCIM 2.0 provisioning (for example, Okta or Microsoft Entra ID).
- Administrator access to your IdP.
- The verified email domain(s) for your organization.
What you'll need from Ghost Inspector
To connect your IdP, Ghost Inspector provides two values:
- A SCIM Base URL — the endpoint your IdP sends provisioning requests to.
- A bearer token — a secret used to authenticate those requests.
Setting up SCIM
The general flow is the same across providers:
- Make sure SSO is already configured for your organization.
- Obtain the SCIM Base URL and bearer token from Ghost Inspector.
- In your IdP's Ghost Inspector application, enable provisioning and enter the base URL and token.
- Map the user attributes (email and name) your IdP will send.
- Assign users or groups and let your IdP perform the initial sync.
Okta
Okta only shows the Provisioning tab after SCIM provisioning is turned on for the application, so enable it first.
- In the Okta Admin Console, go to Applications → Applications and select your Ghost Inspector application.
- On the General tab, find the Provisioning section and change Provisioning Mode from None to SCIM, then save.
- Open the now-available Provisioning tab and select Integration.
- Click Configure API Integration and check Enable API integration.
- Enter the SCIM Base URL as the Base URL and the bearer token as the API token.
- Set the Unique identifier field for users to
userNameand the Authentication Mode toHTTP Header. - Click Test Connector Configuration, then Save once the test passes.
- Under To App, click Edit and enable Create Users, Update User Attributes, and Deactivate Users.
- Confirm the attribute mappings (at minimum, the user's email).
- Assign people or groups; Okta will provision them to Ghost Inspector.
Microsoft Entra ID (Azure AD)
- Open your Ghost Inspector enterprise application and go to Provisioning.
- Set Provisioning Mode to Automatic.
- Under Admin Credentials, enter the SCIM Base URL as the Tenant URL and the bearer token as the Secret Token, then test the connection.
- Review the Mappings for users to confirm email and name attributes are sent.
- Set provisioning Scope and turn Provisioning Status On.
- Assign users and groups; Entra ID will sync them on its provisioning cycle.
How SCIM and SSO work together
- SCIM decides who is a member of your organization.
- SSO decides how those members authenticate when they log in.
- Just-in-time provisioning still applies: even with SCIM, a member who logs in via SSO is created if they don't already exist. SCIM simply lets you manage that list proactively and remove access automatically.
Troubleshooting
- Users aren't being created — confirm the bearer token is correct and that provisioning (Create Users) is enabled and assigned to the right users or groups in your IdP.
- Deactivations aren't taking effect — ensure Deactivate Users (Okta) or the equivalent sync action (Entra ID) is enabled, and that the user is unassigned or disabled in your IdP.
- Attribute errors — verify the email attribute is mapped and matches the address used for SSO login.
If issues persist, contact support.
Related
- Single sign-on (SSO) — how members authenticate through your IdP.
- Login IP allowlist — restrict access to trusted networks.
- Access events (audit log) — review provisioning and sign-in activity.
- Organizations — how organizations and membership work.