User Provisioning (SCIM)
SCIM (System for Cross-domain Identity Management) is the standard protocol for pushing user accounts from an identity provider into a downstream application on a schedule.
TraffiTech implements inbound SCIM 2.0: your IdP (such as Microsoft Entra ID) is the source of truth, and it proactively creates, updates, and deactivates user accounts in TraffiTech.
Why SCIM if I already have SSO?
SSO and SCIM solve related but distinct problems:
- SSO creates or updates a user account when they log in. If someone hasn't logged in, or has just been offboarded, SSO alone can't help.
- SCIM keeps the user list in sync proactively. New hires show up in TraffiTech on their first day (not on their first login). Leavers are deactivated the moment HR flags them in the directory.
Most customers want both: SSO for sign-in, SCIM to keep the roster clean.
How it works
Your IdP periodically sends SCIM requests to TraffiTech's SCIM endpoint:
- POST /scim/v2/enterprise-idps/{provider_id}/users - create a user
- GET /scim/v2/enterprise-idps/{provider_id}/users - list / filter users
- PATCH /scim/v2/enterprise-idps/{provider_id}/users/{id} - update attributes or activate / deactivate
- DELETE /scim/v2/enterprise-idps/{provider_id}/users/{id} - hard-delete
All requests carry a bearer token issued by TraffiTech for that specific IdP.
Prerequisites
Before you can configure SCIM in your IdP you need these values from your TraffiTech administrator:
- The SCIM Tenant URL - the full https://oidc.traffitech.com/scim/v2/enterprise-idps/{provider_id} URL for your IdP
- A Secret Token - the bearer token your IdP will use to authenticate
Your administrator generates these after the IdP has been registered in TraffiTech.
SCIM operations TraffiTech supports
| Operation | Method + path | Notes |
|---|---|---|
| Create user | POST /users | Creates or links a user based on externalId |
| Read user | GET /users/{id} | |
| List / filter users | GET /users?filter=... | Used by IdPs during initial and incremental cycles |
| Update attributes | PATCH /users/{id} | IdPs prefer PATCH over PUT |
| Deactivate | PATCH /users/{id} with active: false | Soft-delete |
| Reactivate | PATCH /users/{id} with active: true | |
| Hard-delete | DELETE /users/{id} | Only for users permanently removed from the directory |
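
The create, filter, and deactivate rows above, shown as the requests an IdP would put on the wire. This is an added example, not TraffiTech's own code: the payload shapes and the application/scim+json media type come from the SCIM 2.0 RFCs (7643/7644), the function names are hypothetical, and the provider ID and token are placeholders. Which user attributes TraffiTech requires is not stated on this page, so the create body is an assumption.

```python
import json
import urllib.parse
import urllib.request

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_request(tenant_url, token, method, path, body=None, query=None):
    """Build (but do not send) one SCIM request against the tenant URL."""
    if urllib.parse.urlsplit(tenant_url).scheme != "https":
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    url = tenant_url.rstrip("/") + path
    if query:
        url += "?" + urllib.parse.urlencode(query, quote_via=urllib.parse.quote)
    headers = {"Authorization": "Bearer " + token, "Accept": "application/scim+json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/scim+json"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def create_user(tenant_url, token, external_id, user_name):
    # externalId is the key the page says is used to create or link the user
    body = {"schemas": [USER_SCHEMA], "externalId": external_id,
            "userName": user_name, "active": True}
    return scim_request(tenant_url, token, "POST", "/users", body)


def find_by_external_id(tenant_url, token, external_id):
    # json.dumps quotes and escapes the value, so a stray double quote in a
    # directory attribute cannot close the string and extend the filter
    flt = "externalId eq " + json.dumps(external_id)
    return scim_request(tenant_url, token, "GET", "/users", query={"filter": flt})


def set_active(tenant_url, token, user_id, active):
    # active=False is the soft-delete (deactivate); active=True reactivates
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": active}]}
    path = "/users/" + urllib.parse.quote(user_id, safe="")
    return scim_request(tenant_url, token, "PATCH", path, body)


# Constructed sample values (placeholders, not real identifiers or secrets)
TENANT = "https://oidc.traffitech.com/scim/v2/enterprise-idps/PROVIDER_ID_PLACEHOLDER"
TOKEN = "SECRET_TOKEN_PLACEHOLDER"
```

Each function returns an unsent urllib.request.Request, so the method, URL, headers and body can be inspected or logged (with the Authorization header redacted) before anything reaches the endpoint.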