SCIM
      Back to home
      1. Kandji Support
      2. Integrations
      3. SCIM

      SCIM Directory Integration

      Learn how to configure a SCIM user directory integration.

      Overview

      To configure a SCIM integration between your Identity Provider (IdP) and Kandji, you will need to:

      • Create a new SCIM Directory Integration in Kandji
      • Obtain the SCIM API URL and API token from Kandji to use with your IdP.
      • Access your IdP to create an app integration and map SCIM attributes.

      After completing the steps in this article, refer to the IdP-specific article for information on how to configure SCIM within your IdP.

      SCIM Directory Integration - Okta

      SCIM Directory Integration - Azure Active Directory

      Create a New SCIM Directory Integration

      1. Navigate to Integrations in the left-hand navigation bar.
      2. Click Discover integrations in the upper-right of the Integrations page. 
      3. On the SCIM tile, click Add and configure. 

        1 Add new SCIM Integrations@2x edited
      4. Click Get started.

        2 SCIM integration@2x edited
      5. Enter a unique name for the SCIM integration.
      6. Click Generate token. The SCIM user directory integration uses an HTTP authorization header with a Bearer Token as the authentication method.

        3 SCIM Name@2x edited
      7. Click Copy token.
      8. Confirm that you have copied the token and that you know you will need to change it if you want to see the token details again.
      9. Click Done. You will return to the Integrations page.

        4 SCIM Copy Token@2x edited

      Obtain the SCIM API URL 

      Your SCIM API URL will be in the format of https://subdomain.clients.us-1.kandji.io/api/v1/scim.

      1. Click the ellipse on the SCIM directory integration you just created.
      2. Select View Details.
      3. Copy the SCIM API URL; your identity provider will require this.
      4. Click Close.

        5 View SCIM inegration details@2x numbered

      SCIM schema and supported attributes

      Kandji supports the following SCIM attributes. Refer to these attributes when mapping your SCIM application in your IdP. 

      • userName

        • Unique identifier for the user, used to authenticate to the service provider. 

        • This attribute is required.

      • name.formatted

        • The user's full name (for example, "John Doe").
        • This attribute or the displayName attribute is required 
      • displayName
        • The user's full name (for example, "John Doe").
        • This attribute or the name.formatted attribute is required. 

      • active

        • The user's status within the identity provider.
        • Kandji moves soft-deleted and inactive users to the Archived Users section of Kandji.

      • emails.value

        • The user's email address as a subattribute of emails.
        • Kandji only stores the first email in the list.

      When using SCIM to sync users from a directory, the SCIM app automatically sends new information to Kandji, so there is no need for a Sync Now button that you'd see when using the native Azure Active Directory or Google Workspace directory integrations.