
SCIM

An RFC 7644 subset is supported:

  • GET/POST /scim/v2/Users
  • GET/DELETE /scim/v2/Users/:id
  • GET/POST /scim/v2/Groups
  • PATCH /scim/v2/Groups/:id (add/remove members, replace displayName)

Creating a token

/app/security → SCIM tokens → Create. The plaintext token (scim_*) is shown only once.

Group → role mapping

/app/security → SCIM group → role. When the IdP adds a user to a group with this displayName, the user gets the specified role. If a user belongs to several mapped groups, the highest role wins (owner > admin > developer > viewer).
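
The PATCH subset and the highest-role rule above, modelled as an added example (not the product's own code), useful for checking which role each user ends up with after an IdP sync. The accepted PatchOp shapes (a `members` path with a value list, or an RFC 7644 `members[value eq "..."]` filter on remove) and the sample groups, user ids and mapping are assumptions.

```python
import re
# Added example: models the documented behaviour; it is not the product's code.
ROLE_RANK = {"viewer": 0, "developer": 1, "admin": 2, "owner": 3}
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')

def apply_patch(group, patch):
    """Apply an RFC 7644 PatchOp restricted to the subset listed above."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    members, name = set(group["members"]), group["displayName"]
    for op in patch["Operations"]:
        # Some IdPs send "Add"/"Remove" capitalised, so compare case-insensitively.
        kind, path, value = op["op"].lower(), op.get("path", ""), op.get("value")
        if kind == "add" and path == "members":
            members |= {m["value"] for m in value}
        elif kind == "remove" and (hit := MEMBER_FILTER.match(path)):
            members.discard(hit.group(1))
        elif kind == "remove" and path == "members" and value:
            members -= {m["value"] for m in value}
        elif kind == "replace" and path == "displayName":
            name = value
        else:
            raise ValueError(f"unsupported operation: {kind} {path!r}")
    return {"displayName": name, "members": sorted(members)}

def effective_roles(groups, mapping):
    """Return {user_id: role}; across several mapped groups the highest wins."""
    roles = {}
    for group in groups:
        role = mapping.get(group["displayName"])
        if role is None:
            continue  # an unmapped group grants nothing
        for uid in group["members"]:
            if ROLE_RANK[role] > ROLE_RANK.get(roles.get(uid), -1):
                roles[uid] = role
    return roles

# Constructed sample data: group names, user ids and the mapping are made up.
MAPPING = {"engineering": "developer", "platform-admins": "admin"}
GROUPS = [{"displayName": "engineering", "members": ["u1", "u2"]},
          {"displayName": "platform-admins", "members": ["u2"]}]
PATCH = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "Add", "path": "members", "value": [{"value": "u1"}]},
    {"op": "remove", "path": 'members[value eq "u2"]'},
]}

if __name__ == "__main__":
    print(effective_roles([GROUPS[0], apply_patch(GROUPS[1], PATCH)], MAPPING))
```

Before the patch, u2 is in both groups and resolves to admin; after it, u1 is the admin and u2 falls back to developer.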

SCIM-managed memberships

A user added via SCIM has scim_managed=TRUE. The web UI won't let you delete such a user, because the IdP would re-provision them on the next sync. Deletion is possible only via SCIM (DELETE) or by revoking the token.