---
title: SCIM Provisioner
description: The SCIM Provisioner allows PingFederate to integrate with a wide range of services that support the System for Cross-domain Identity Management (SCIM) for user provisioning and single sign-on (SSO).
component: scim
page_id: scim::pf_scim_connector
canonical_url: https://docs.pingidentity.com/integrations/scim/pf_scim_connector.html
revdate: June 25, 2024
section_ids:
  features: Features
  specifications: Specifications
  components: Components
  intended-audience: Intended audience
  system-requirements: System requirements
---

# SCIM Provisioner

The SCIM Provisioner allows PingFederate to integrate with a wide range of services that support the System for Cross-domain Identity Management (SCIM) for user provisioning and single sign-on (SSO).

## Features

* Manages users in the target service based on changes in an external datastore that is attached to PingFederate:

  * Creates, updates, disables, and deletes users

  * Allows you to enable the create, update, disable, and delete capabilities independently

  * Allows you to choose whether to disable or delete users when deprovisioning

  * Allows you to provision disabled users

* Manages groups in the target service based on changes in an external datastore that is attached to PingFederate:

  * Creates, updates, and deletes groups

  * Updates group memberships

* Enables browser-based SSO initiated by the service provider (SP) or identity provider (IdP).

## Specifications

The SCIM Connector implements the official specifications provided by [simplecloud.info](http://www.simplecloud.info/).

The following table provides a brief summary:

| Feature | Outbound provisioning |
| ------------------------------ | ------------------------------ |
| SCIM specification | 1.1, 2.0 |
| Data format | JavaScript Object Notation (JSON) |
| User and group CRUD operations | Yes |
| Custom schema support | Users: Yes. Groups: No. |
| Filtering support | Users: Yes. Groups: The connector allows group filtering by retrieving all groups and finding a match. |
| PATCH | Users: No. Groups: Yes. Learn more in the [SCIM provisioner settings reference](setup/pf_scim_connector_scim_connector_settings_reference.html). |
| Authentication method | HTTP Basic Authentication, OAuth bearer token and OAuth client credentials |
| Source data stores | Active Directory and other LDAPv3-compliant directory servers |
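
The group filtering entry in the table describes retrieving all groups and finding a match. The following Python example is added here to illustrate that approach against SCIM 2.0 paged list responses and is not Ping Identity's connector code; `fetch_page`, the sample groups, the exact `displayName` comparison, and the handling of duplicate names are assumptions made for the example.

```python
# Added illustration: client-side group filtering over SCIM 2.0 pagination.
# fetch_page is a hypothetical stand-in for GET /Groups?startIndex=N&count=M.

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample data: groups held by an imaginary SCIM service.
SAMPLE_GROUPS = [
    {"id": "g-001", "displayName": "Engineering"},
    {"id": "g-002", "displayName": "Finance"},
    {"id": "g-003", "displayName": "Finance-Auditors"},
    {"id": "g-004", "displayName": "Sales"},
    {"id": "g-005", "displayName": "Support"},
]

def fetch_page(start_index, count, server_max=2):
    """Simulate a paged response; a server may return fewer items than asked."""
    first = start_index - 1  # SCIM startIndex is 1-based
    resources = SAMPLE_GROUPS[first:first + min(count, server_max)]
    return {
        "schemas": [LIST_SCHEMA],
        "totalResults": len(SAMPLE_GROUPS),
        "startIndex": start_index,
        "itemsPerPage": len(resources),
        "Resources": resources,
    }

def find_group(display_name, fetch=fetch_page, count=100):
    """Walk every page and return the groups whose displayName matches exactly."""
    matches, start, total = [], 1, None
    while total is None or start <= total:
        page = fetch(start, count)
        if LIST_SCHEMA not in page.get("schemas", []):
            raise ValueError("unexpected response schema")
        total = page["totalResults"]
        resources = page.get("Resources", [])
        if not resources:
            break  # stop rather than loop forever on an empty page
        matches += [g for g in resources if g.get("displayName") == display_name]
        start += len(resources)  # advance by what was returned, not requested
    return matches

def resolve_group_id(display_name, fetch=fetch_page):
    """Return the single matching id, None if absent, or fail on ambiguity."""
    matches = find_group(display_name, fetch)
    if len(matches) > 1:
        raise LookupError(f"ambiguous group name: {display_name!r}")
    return matches[0]["id"] if matches else None
```

Stopping at the first page or matching on a prefix would either miss an existing group or bind to the wrong one, so the example reads every page and compares the full name.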

## Components

The SCIM provisioning and SSO connector:

* Allows PingFederate to manage users in the service based on changes in an external user data store

* (Optional configuration) Allows PingFederate to create an SSO connection to the service

* Includes a quick-connection template that pre-populates some configuration settings

## Intended audience

This document is intended for PingFederate administrators. If you need help during the setup process, see the following resources:

* PingFederate documentation:

  * [SP connection management](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_sp_connect_management.html)

  * [Identity provider SSO configuration](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_ident_provid_sso_config.html)

  * [Managing digital signing certificates and decryption keys](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_certmanagementtasklet_dsigsigningcert_certmanagementstate.html)

  * [Datastores](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_datastores.html)

  * [Configuring outbound provisioning](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_spconnectionconfigtasklet_saasprovisioningstate.html)

  * [Configuring outbound provisioning settings](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_protocolsettingstasklet_saasglobalprovisioningsettingsstate.html)

* [The SCIM 1.1 Developer Guide](https://www.pingidentity.com/developer/en/resources/scim-1-1-developers-guide.html#overview) on the Ping Identity Developer site

* [The SCIM specification](http://www.simplecloud.info/#Specification) on simplecloud.info

## System requirements

* PingFederate 9.0 or later.

* To allow PingFederate to make outbound connections, you might need to allow SCIM endpoints in your firewall.
