Identity: SCIM 2.0 Automated Provisioning

Category: Modules
Last Updated: Mar 25, 2026
Tags: modules, compliance, geospatial

Overview

A hospital network onboards two hundred nurses after a staffing agency contract is signed. Under a manual provisioning model, the IT desk would spend a week creating accounts, assigning roles, and verifying access before a single nurse can log in. SCIM Automated Provisioning eliminates that backlog: when HR marks employees active in the authoritative identity provider, accounts appear in the platform within minutes, with roles derived from the group memberships already defined in the directory.

The same speed works in reverse. When a contractor's engagement ends, their access is revoked automatically as soon as the identity provider reflects the change. Government agencies, healthcare networks, and financial institutions operating at scale need this kind of lifecycle discipline because manual off-boarding creates compliance exposure that auditors and regulators treat seriously.

Key Features

  • Provisioning Connection Management: Administer the active SCIM connections that drive user lifecycle across the organisation. Connection credentials are stored with tenant-level encryption and never shared across tenants.
  • Automated User Lifecycle: Create, update, suspend, and remove user access in line with authoritative identity changes. The system treats the identity provider as the single source of truth for account state.
  • Group-to-Role Mapping: Translate external group structure into governed local entitlements through explicit mapping controls. Changes to the mapping table take effect on the next provisioning event without requiring manual account updates.
  • Connection Health Monitoring: Detect stalled or degraded provisioning paths before identity drift becomes an access problem. Health dashboards show last sync time, error rates, and pending operations for each active connection.
  • Multi-Tenant Provisioning Discipline: Keep each organisation's provisioning boundaries and credentials separated cleanly. organization_id scoping is enforced on all provisioning operations and audit records.
  • Onboarding and Off-boarding Support: Treat workforce change as an operational process with automation and human-readable review surfaces rather than opaque background jobs.
  • Administrative Review Surface: Give identity teams an operational workspace for monitoring and maintaining provisioning quality, including exception handling for failed operations.

Use Cases

  • Enterprise User Onboarding: Provision users automatically when they enter the authoritative identity system, eliminating the manual queue that delays access for new starters.
  • Entitlement Governance: Keep local role assignments aligned with the external group model used by the organisation, reducing permission creep over time.
  • Contractor and Workforce Off-boarding: Remove or reduce access quickly when people leave, transfer, or change role, meeting the timelines required by security policy and regulatory frameworks.
  • Provisioning Health Assurance: Detect and correct silent provisioning failures before identity drift spreads across the tenant and reaches an audit finding.

Integration

  • Identity Administration Workspace and enterprise authentication services
  • Keycloak, Zitadel, SAML, OIDC, and tenant-governance workflows
  • Role, permission, and access-review systems backed by PostgreSQL
  • Workforce lifecycle, invitations, and onboarding processes with full RBAC enforcement

Open Standards

  • SCIM 2.0 (RFC 7643 / RFC 7644): The core protocol implemented by this capability; RFC 7643 defines the User and Group resource schemas and RFC 7644 defines the REST API operations (POST, PATCH, DELETE on /Users and /Groups) used for full identity lifecycle management.
  • OAuth 2.0 Bearer Token (RFC 6750): All outbound calls to SCIM provider endpoints are authenticated using Bearer tokens carried in the HTTP Authorization header, as defined by this specification.
  • OpenID Connect (OIDC) 1.0: The capability integrates with OIDC-compliant identity providers such as Keycloak and Zitadel as the authoritative source of user and group state that drives provisioning events.
  • SAML 2.0 (OASIS): Enterprise identity providers using SAML 2.0 federation are supported as upstream sources, with group memberships asserted via SAML attributes translated into local role assignments through the mapping engine.
  • GraphQL (June 2018 Specification): The provisioning management surface, including connection queries and sync mutations, is exposed through a typed GraphQL schema with field-level authentication enforcement.
  • JSON (RFC 8259): All data exchanged between the SCIM endpoint, identity providers, and the internal API is serialised as JSON; the SCIM media type application/scim+json is a direct extension of this format.
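The following is an added example, not code from this module, showing the two pieces the Automated User Lifecycle and Group-to-Role Mapping features and the RFC 7644 / RFC 6750 items above describe: an RFC 7644 PatchOp that suspends a user over a Bearer-authenticated PATCH to /Users/{id}, and a per-tenant translation of identity-provider group memberships into local roles. The base URL, token, tenant id, group names and role names are constructed placeholders.

```python
import json
import urllib.request

SCIM_MEDIA_TYPE = "application/scim+json"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed group-to-role mapping table, keyed by tenant (organization_id).
# A group absent from the tenant's table grants no role at all.
GROUP_ROLE_MAP = {
    "org-123": {"idp:nurses": "clinician", "idp:it-admins": "tenant_admin"},
}


def scim_headers(bearer_token: str) -> dict:
    """RFC 6750 Bearer credential plus the SCIM media type for request and response."""
    return {"Authorization": f"Bearer {bearer_token}",
            "Content-Type": SCIM_MEDIA_TYPE, "Accept": SCIM_MEDIA_TYPE}


def deactivate_user_patch() -> dict:
    """RFC 7644 PatchOp that suspends an account by setting active=false."""
    return {"schemas": [SCIM_PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def build_deactivate_request(base_url: str, user_id: str, token: str):
    """PATCH /Users/{id} request object (built, not sent); base_url and token are placeholders."""
    body = json.dumps(deactivate_user_patch()).encode("utf-8")
    return urllib.request.Request(f"{base_url}/Users/{user_id}", data=body,
                                  headers=scim_headers(token), method="PATCH")


def roles_for_groups(organization_id: str, group_names) -> list:
    """Translate IdP group names into local roles for one tenant only.
    An unknown tenant raises, so a misconfigured connection surfaces as a failed
    operation in the review surface instead of provisioning a user with no roles."""
    table = GROUP_ROLE_MAP.get(organization_id)
    if table is None:
        raise KeyError(f"no group-to-role table for tenant {organization_id}")
    return sorted({table[g] for g in group_names if g in table})


def provisioning_event(organization_id: str, scim_user: dict) -> dict:
    """Derive local account state from an RFC 7643 User resource: its active flag,
    plus roles mapped from the 'display' names in the read-only groups attribute."""
    groups = [g.get("display", "") for g in scim_user.get("groups", [])]
    return {"userName": scim_user["userName"],
            "active": bool(scim_user.get("active", True)),
            "roles": roles_for_groups(organization_id, groups)}
```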

Last Reviewed: 2026-03-25 Last Updated: 2026-04-14
