Setting Up SCIM Provisioning
Phaset supports SCIM 2.0 (System for Cross-domain Identity Management) for automated user provisioning and deprovisioning from your identity provider. This eliminates manual user management and ensures users are automatically created, updated, and removed as changes occur in your identity provider.
What is SCIM?
SCIM automates user lifecycle management:
- New user assigned → Automatically created in Phaset
- User details updated → Changes sync to Phaset
- User disabled or unassigned → User deactivated in Phaset
- User deleted → User removed from Phaset
This ensures your Phaset user directory stays in sync with your identity provider without manual intervention.
Supported Identity Providers
Phaset’s SCIM implementation follows the SCIM 2.0 specification and should work with any compliant provider. However, it has been primarily validated with:
- Microsoft Azure Entra ID (formerly Azure Active Directory)
Other SCIM 2.0 providers should work but haven’t been officially validated. If you encounter issues with your provider, please contact support.
Prerequisites
Before setting up SCIM, ensure you have:
- Admin access to your identity provider
- A Phaset organization ID (visible in the Phaset UI)
- HTTPS enabled on your Phaset domain (required for secure token transmission)
SCIM Token Management
SCIM tokens authenticate your identity provider when it syncs users to Phaset. You manage these tokens in the Phaset application UI.
Creating a SCIM Token
1. Log in to Phaset as an administrator.
2. Navigate to Organization Settings → SCIM Tokens.
3. Click “Create New Token” and configure:
   - Description: `Azure AD SCIM` or a similar identifier
   - Expiration: choose a validity period (recommended: 365 days)
4. Copy the token immediately. The token format is:
   SCIM#{organizationId}#{token}
Managing SCIM Tokens
You can manage tokens in Organization Settings → SCIM Tokens:
- Create tokens - Create a new token and update your identity provider before revoking the old one
- View active tokens - See all tokens with their descriptions and expiration dates
- Revoke tokens - Immediately invalidate a token (stops provisioning)
Azure Entra ID Setup
1. Create SCIM Token in Phaset
Follow the SCIM Token Management section above to create a token. Keep it ready for step 4.
2. Find Your Phaset Enterprise Application
Go to the Azure Portal.
Navigate to Azure Active Directory → Enterprise Applications.
Find and select your Phaset application (the one you created for SSO).
3. Enable Provisioning
In your Phaset application, go to Provisioning in the left sidebar.
Click Get started.
4. Configure Provisioning Settings
Set Provisioning Mode to Automatic.
Under Admin Credentials, enter:
- Tenant URL: https://your-phaset-domain.com/scim/v2
- Secret Token: your SCIM token from step 1
Click Test Connection.
Click Save.
5. Configure Attribute Mappings
Go to Mappings → Provision Azure Active Directory Users.
Verify these mappings exist (they should be present by default):

| Azure AD Attribute | Phaset SCIM Attribute | Required |
|---|---|---|
| userPrincipalName | userName | Yes |
| mail | emails[type eq "work"].value | Yes |
| Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | Yes |
| displayName | displayName | No |
| givenName | name.givenName | No |
| surname | name.familyName | No |

Click Save.
6. Assign Users or Groups
Go back to your Phaset application overview.
Click Users and groups in the left sidebar.
Click Add user/group and select users or groups to provision to Phaset.
Click Assign.
7. Start Provisioning
Return to Provisioning settings.
Change Provisioning Status to On.
Click Save.
Initial sync starts automatically and typically completes within 20-40 minutes.
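The following script applies the step 5 attribute mappings to a sample user so you can see exactly which SCIM User resource Azure ends up sending to Phaset, including how the Switch expression on IsSoftDeleted becomes the `active` flag. It is an added example, not Phaset or Microsoft code; the input record is constructed, and treating a missing IsSoftDeleted as "not deleted" is an assumption (the real Switch expression has an empty default).

```python
"""Apply the step 5 attribute mappings to a sample Azure user.

Added example, not Phaset or Microsoft code. The input dict is a constructed
stand-in for the attributes Azure reads from a directory user; the output is
the SCIM 2.0 User resource the mapping table produces. Treating a missing
IsSoftDeleted as "not deleted" is an assumption; the real Switch expression
has an empty default.
"""
import json
from typing import Optional


def azure_to_scim_user(az: dict) -> dict:
    """Translate one Azure AD user record into the SCIM User the provisioning job would send."""
    # Switch([IsSoftDeleted], , "False", "True", "True", "False"): a soft-deleted
    # account maps to active=false, a live account to active=true.
    active = str(az.get("IsSoftDeleted", "False")).lower() != "true"
    user = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": az["userPrincipalName"],                                  # required
        "emails": [{"type": "work", "value": az["mail"], "primary": True}],  # required
        "active": active,                                                     # required
    }
    # Optional mappings are only emitted when Azure actually has a value.
    if az.get("displayName"):
        user["displayName"] = az["displayName"]
    name = {}
    if az.get("givenName"):
        name["givenName"] = az["givenName"]
    if az.get("surname"):
        name["familyName"] = az["surname"]
    if name:
        user["name"] = name
    return user


def work_email(scim_user: dict) -> Optional[str]:
    """Resolve the path emails[type eq "work"].value, as the mapping table writes it.
    Handy when checking for an email mismatch between the identity provider and Phaset."""
    for entry in scim_user.get("emails", []):
        if entry.get("type") == "work":
            return entry.get("value")
    return None


if __name__ == "__main__":
    # Constructed sample user; values are placeholders, not real directory data.
    sample = {"userPrincipalName": "jane.doe@example.com", "mail": "jane.doe@example.com",
              "IsSoftDeleted": "False", "displayName": "Jane Doe",
              "givenName": "Jane", "surname": "Doe"}
    print(json.dumps(azure_to_scim_user(sample), indent=2))
```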
Monitoring Provisioning
You can monitor SCIM provisioning in Azure:
View Provisioning Status:
- Go to Provisioning → View provisioning logs
- See users being created, updated, or deactivated in real-time
Trigger Manual Sync:
- Go to Provisioning → Click Start provisioning (if stopped)
- Or click Restart provisioning to force an immediate sync
Provisioning Cycle:
- Azure syncs automatically every 40 minutes
- Initial sync processes all assigned users
- Incremental syncs only process changes
Combining SCIM with SSO
SCIM and SSO work best together but can be used independently:
SCIM + SSO
Benefits:
- Fully automated user management
- Streamlined login experience
- Users automatically provisioned before first login
Setup order:
1. Configure SSO first
2. Set up SCIM provisioning
3. Assign users in identity provider
4. Users can immediately sign in via SSO
SCIM only
Benefits:
- Automated user creation and updates
- Works without SSO infrastructure
Limitations:
- Users still receive email-based login links
- No single sign-on experience
Use case: Organizations wanting automated provisioning but not ready for SSO
SSO only
Benefits:
- Streamlined login experience
- No SCIM integration needed
Limitations:
- Must manually create users before they can sign in
- No automatic deprovisioning
Use case: Small teams or organizations with infrequent user changes
Troubleshooting
“401 Unauthorized” When Testing Connection
Cause: Invalid SCIM token or incorrect format.
Solution:
- Verify token format: SCIM#{orgId}#{token}
- Ensure no extra spaces or line breaks in token
- Check token hasn’t expired
- Verify organization ID is correct
- Try creating a new token
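The checks in this list (and the token format given under Creating a SCIM Token) can be run offline before the token is pasted into Azure. The script below is an added example, not Phaset's own tooling: it relies only on the documented SCIM#{organizationId}#{token} layout, and its request builder additionally assumes the identity provider presents the token as an HTTP Bearer credential and that the Tenant URL serves the RFC 7644 /ServiceProviderConfig endpoint (both assumptions about Phaset, not statements from this page).

```python
"""Offline pre-flight check for a Phaset SCIM token before it is pasted into Azure.

Added example, not Phaset's own tooling. Assumptions: the documented layout
SCIM#{organizationId}#{token}; the IdP sends the token as an HTTP Bearer
credential; the Tenant URL serves RFC 7644's /ServiceProviderConfig.
"""
import urllib.request


def check_scim_token(raw: str, expected_org_id: str) -> dict:
    """Rule out the causes the 401 troubleshooting list names: stray whitespace,
    wrong layout, wrong organization ID. Returns a report and never raises."""
    problems = []
    token = raw.strip()
    if token != raw:
        problems.append("leading/trailing whitespace or line break (copy-paste artefact)")
    if any(ch.isspace() for ch in token):
        problems.append("whitespace inside the token")
    parts = token.split("#")
    if len(parts) != 3 or parts[0] != "SCIM":
        problems.append("expected exactly three '#'-separated fields, the first being SCIM")
        return {"ok": False, "problems": problems, "org_id": None, "clean": token}
    _, org_id, secret = parts
    if not org_id:
        problems.append("empty organization ID")
    elif org_id != expected_org_id:
        problems.append(f"organization ID {org_id!r} does not match {expected_org_id!r}")
    if not secret:
        problems.append("empty secret part")
    return {"ok": not problems, "problems": problems, "org_id": org_id, "clean": token}


def build_test_request(tenant_url: str, token: str) -> urllib.request.Request:
    """Build (but do not send) an authenticated GET of the kind a connection test
    issues. Endpoint and Bearer scheme are assumptions, see the module docstring."""
    url = tenant_url.rstrip("/") + "/ServiceProviderConfig"
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    )


if __name__ == "__main__":
    # Constructed sample: a token with a trailing newline, as pasted from a text editor.
    report = check_scim_token("SCIM#org-123#s3cr3t\n", "org-123")
    print(report)
    req = build_test_request("https://your-phaset-domain.com/scim/v2", report["clean"])
    print(req.full_url, req.get_header("Authorization"))
    # To actually test reachability: urllib.request.urlopen(req, timeout=10)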
SCIM Connection Test Times Out
Cause: Phaset server not reachable from identity provider.
Solution:
- Verify Phaset is running and accessible
- Check firewall rules allow inbound HTTPS traffic
- Confirm SCIM URL is correct: https://your-domain.com/scim/v2
- Test URL accessibility from external network
Users Not Syncing from Azure
Cause: Provisioning not enabled or users not assigned.
Solution:
- Verify Provisioning Status is On in Azure
- Check users are assigned to Phaset application
- Review provisioning logs for errors
- Trigger manual sync: Restart provisioning
- Wait for initial sync cycle to complete (20-40 minutes)
User Created but Cannot Sign In
Cause: User exists but SSO isn’t configured, or email mismatch.
Solution:
- If using SSO: Verify SSO is set up
- Check email address matches between identity provider and Phaset
- Verify user status is ACTIVE (not INACTIVE)
- Review Phaset authentication logs
Changes Not Syncing After Initial Provisioning
Cause: Azure provisioning cycle hasn’t run yet.
Solution:
- Wait for next automatic sync cycle (~40 minutes)
- Or trigger manual sync in Azure: Restart provisioning
- Check provisioning logs for sync errors
Token Expired Error
Cause: SCIM token exceeded its validity period.
Solution:
- Create a new token in Phaset
- Update token in identity provider
- Test connection
- Delete old token from Phaset
Next Steps
- Set up Single Sign-On for streamlined authentication
- Configure Phaset for production deployment
- Learn about user management best practices