Setting Up SCIM Provisioning

Phaset supports SCIM 2.0 (System for Cross-domain Identity Management) for automated user provisioning and deprovisioning from your identity provider. This eliminates manual user management and ensures users are automatically created, updated, and removed as changes occur in your identity provider.

Caution

Please know that SCIM, even in Azure Entra ID, is beholden to bugs, quirks, settings, and other things that does impact the extent to which Entra is SCIM-compatible.

What is SCIM?

SCIM automates user lifecycle management:

• New user assigned → Automatically created in Phaset
• User details updated → Changes sync to Phaset
• User disabled or unassigned → User deactivated in Phaset
• User deleted → User removed from Phaset

This ensures your Phaset user directory stays in sync with your identity provider without manual intervention.

Supported Identity Providers

Phaset’s SCIM implementation follows the SCIM 2.0 specification and should work with any compliant provider. However, it’s been primarily validated with:

• Microsoft Azure Entra ID (formerly Azure Active Directory)

Other SCIM 2.0 providers should work but haven’t been officially validated. If you encounter issues with your provider, please contact support.

Google Workspace

Google Workspace doesn’t provide built-in SCIM provisioning. You can use third-party bridges (like Okta or Auth0) or manually provision users instead.

Prerequisites

Before setting up SCIM, ensure you have:

• Admin access to your identity provider
• A Phaset organization ID (visible in the Phaset UI)
• HTTPS enabled on your Phaset domain (required for secure token transmission)

SCIM Token Management

SCIM tokens authenticate your identity provider when syncing users to Phaset. You manage these tokens in the Phaset application UI.

Creating a SCIM Token

1. Log in to Phaset as an administrator

2. Navigate to Organization Settings → SCIM Tokens

3. Click “Create New Token”

   Configure:

   • Description: Azure AD SCIM or similar identifier
   • Expiration: Choose a validity period (recommended: 365 days)

4. Copy the token immediately

   The token format is: SCIM#{organizationId}#{token}

   Caution

   Store this token securely. You won’t be able to see it again after leaving this page.

Managing SCIM Tokens

You can manage tokens in Organization Settings → SCIM Tokens:

• Create tokens - Create a new token and update your identity provider before revoking the old one
• View active tokens - See all tokens with their descriptions and expiration dates
• Revoke tokens - Immediately invalidate a token (stops provisioning)

Token Rotation Best Practice

For security, rotate SCIM tokens regularly:

1. Create a new token in Phaset
2. Update your identity provider with the new token
3. Test provisioning with the new token
4. Revoke the old token

Azure Entra ID Setup

1. Create SCIM Token in Phaset

   Follow the SCIM Token Management section above to create a token. Keep it ready for step 4.

2. Find Your Phaset Enterprise Application

   Go to the Azure Portal.

   Navigate to Azure Active Directory → Enterprise Applications.

   Find and select your Phaset application (the one you created for SSO).

   Note

   If you haven’t set up SSO yet, you’ll need to register Phaset as an application first. See the SSO Setup Guide.

3. Enable Provisioning

   In your Phaset application, go to Provisioning in the left sidebar.

   Click Get started.

4. Configure Provisioning Settings

   Set Provisioning Mode to Automatic.

   Under Admin Credentials, enter:

   • Tenant URL: https://your-phaset-domain.com/scim/v2
   • Secret Token: Your SCIM token from step 1

   Click Test Connection.

   Tip

   A successful test shows “The supplied credentials are authorized to enable provisioning”. If it fails, verify your token and URL are correct.

   Click Save.

5. Configure Attribute Mappings

   Go to Mappings → Provision Azure Active Directory Users.

   Verify these mappings exist (they should be present by default):

   Azure AD Attribute	Phaset SCIM Attribute	Required
   userPrincipalName	userName	Yes
   mail	emails[type eq "work"].value	Yes
   Switch([IsSoftDeleted], , "False", "True", "True", "False")	active	Yes
   displayName	displayName	No
   givenName	name.givenName	No
   surname	name.familyName	No

   Note

   You can customize these mappings if needed, but the required fields (userName, emails, active) must be mapped.

   Click Save.

6. Assign Users or Groups

   Go back to your Phaset application overview.

   Click Users and groups in the left sidebar.

   Click Add user/group and select users or groups to provision to Phaset.

   Click Assign.

7. Start Provisioning

   Return to Provisioning settings.

   Change Provisioning Status to On.

   Click Save.

   Initial sync starts automatically and typically completes within 20-40 minutes.

Monitoring Provisioning

You can monitor SCIM provisioning in Azure:

View Provisioning Status:

• Go to Provisioning → View provisioning logs
• See users being created, updated, or deactivated in real-time

Trigger Manual Sync:

• Go to Provisioning → Click Start provisioning (if stopped)
• Or click Restart provisioning to force an immediate sync

Provisioning Cycle:

• Azure syncs automatically every 40 minutes
• Initial sync processes all assigned users
• Incremental syncs only process changes

Combining SCIM with SSO

SCIM and SSO work best together but can be used independently:

SCIM + SSO (Recommended)

Benefits:

• Fully automated user management
• Streamlined login experience
• Users automatically provisioned before first login

Setup order:

1. Configure SSO first
2. Set up SCIM provisioning
3. Assign users in identity provider
4. Users can immediately sign in via SSO

SCIM Only

Benefits:

• Automated user creation and updates
• Works without SSO infrastructure

Limitations:

• Users still receive email-based login links
• No single sign-on experience

Use case: Organizations wanting automated provisioning but not ready for SSO

SSO Only

Benefits:

• Streamlined login experience
• No SCIM integration needed

Limitations:

• Must manually create users before they can sign in
• No automatic deprovisioning

Use case: Small teams or organizations with infrequent user changes

Troubleshooting

”401 Unauthorized” When Testing Connection

Cause: Invalid SCIM token or incorrect format.

Solution:

• Verify token format: SCIM#{orgId}#{token}
• Ensure no extra spaces or line breaks in token
• Check token hasn’t expired
• Verify organization ID is correct
• Try creating a new token

SCIM Connection Test Times Out

Cause: Phaset server not reachable from identity provider.

Solution:

• Verify Phaset is running and accessible
• Check firewall rules allow inbound HTTPS traffic
• Confirm SCIM URL is correct: https://your-domain.com/scim/v2
• Test URL accessibility from external network

Users Not Syncing from Azure

Cause: Provisioning not enabled or users not assigned.

Solution:

• Verify Provisioning Status is On in Azure
• Check users are assigned to Phaset application
• Review provisioning logs for errors
• Trigger manual sync: Restart provisioning
• Wait for initial sync cycle to complete (20-40 minutes)

User Created but Cannot Sign In

Cause: User exists but SSO isn’t configured, or email mismatch.

Solution:

• If using SSO: Verify SSO is set up
• Check email address matches between identity provider and Phaset
• Verify user status is ACTIVE (not INACTIVE)
• Review Phaset authentication logs

Changes Not Syncing After Initial Provisioning

Cause: Azure provisioning cycle hasn’t run yet.

Solution:

• Wait for next automatic sync cycle (~40 minutes)
• Or trigger manual sync in Azure: Restart provisioning
• Check provisioning logs for sync errors

Token Expired Error

Cause: SCIM token exceeded its validity period.

Solution:

• Create a new token in Phaset
• Update token in identity provider
• Test connection
• Delete old token from Phaset

Next Steps

• Set up Single Sign-On for streamlined authentication
• Configure Phaset for production deployment
• Learn about user management best practices