Enterprise

Your IdP provisions. Gateco enforces.

SCIM v2 inbound provisioning syncs user and group lifecycle events from any SCIM-compliant identity provider directly into Gateco's principal model — so access changes take effect within seconds of an IdP update.

SCIM v2 provisioning requires an Enterprise plan.

User lifecycle

SCIM CREATE maps directly to principal creation. If an inactive principal with the same externalId exists (a previously offboarded user who is being re-hired), SCIM CREATE re-activates the existing record in place rather than creating a duplicate. This supports standard IdP re-provisioning flows without accumulating orphan records.

SCIM DELETE sets the principal status to inactive — it does not hard-delete the record. This preserves the audit trail and policy binding history. An inactive principal cannot perform retrievals, but its historical retrieval events remain queryable.

Group lifecycle

SCIM Group CRUD maps to PrincipalGroup records. Group membership is maintained as a string array on each Principal — SCIM Group member operations add and remove group names from this array. Group rename propagates automatically to all member principals' groups arrays, keeping policy conditions referencing the group name consistent without manual updates.

SCIM Group DELETE hard-deletes the group record and removes it from all member principals' groups arrays. Unlike user deactivation, group deletion is permanent. Make sure any ABAC policies referencing the group name are updated before deleting the group.
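The user and group lifecycle rules above, as an added example that is not Gateco's code: an in-memory store that applies the same semantics (CREATE re-activates an inactive match and refuses an active one, DELETE only flips status, group rename and delete propagate to every member's groups array). The class names, the status codes other than the 422 conflict stated on this page, the audit log, and the policy shape checked by dangling_group_references are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Principal:
    """One Gateco principal (assumed shape). Records are never hard-deleted."""
    external_id: str
    email: str
    status: str = "active"                       # "active" | "inactive"
    groups: list = field(default_factory=list)   # group names, as on the page


class PrincipalStore:
    def __init__(self):
        self.principals = {}   # externalId -> Principal
        self.groups = set()    # PrincipalGroup names
        self.audit = []        # append-only lifecycle log (assumed)

    # ---- SCIM /Users ----
    def scim_create_user(self, external_id, email):
        """Returns (http_status, principal). Re-activates an inactive match,
        creates when absent, and refuses (422) when an active match exists."""
        existing = self.principals.get(external_id)
        if existing is None:
            p = Principal(external_id, email)
            self.principals[external_id] = p
            self.audit.append(("create", external_id))
            return 201, p
        if existing.status == "inactive":
            existing.status = "active"       # re-hire: same record, no orphan
            existing.email = email
            self.audit.append(("reactivate", external_id))
            return 200, existing
        return 422, None                     # already active: conflict

    def scim_delete_user(self, external_id):
        """Soft delete: status -> inactive; history and bindings are kept."""
        p = self.principals.get(external_id)
        if p is None:
            return 404
        p.status = "inactive"
        self.audit.append(("deactivate", external_id))
        return 204

    def can_retrieve(self, external_id):
        p = self.principals.get(external_id)
        return p is not None and p.status == "active"

    # ---- SCIM /Groups ----
    def scim_create_group(self, name):
        self.groups.add(name)

    def scim_add_member(self, group, external_id):
        if group not in self.groups or external_id not in self.principals:
            return 404
        p = self.principals[external_id]
        if group not in p.groups:
            p.groups.append(group)
        return 200

    def scim_remove_member(self, group, external_id):
        p = self.principals.get(external_id)
        if p is not None and group in p.groups:
            p.groups.remove(group)
        return 200

    def scim_rename_group(self, old, new):
        """Rename propagates to every member's groups array."""
        self.groups.discard(old)
        self.groups.add(new)
        for p in self.principals.values():
            p.groups = [new if g == old else g for g in p.groups]

    def scim_delete_group(self, name):
        """Hard delete: the group and all memberships are gone for good."""
        self.groups.discard(name)
        for p in self.principals.values():
            if name in p.groups:
                p.groups.remove(name)


def dangling_group_references(policies, store):
    """Policy ids whose group condition names a group the store no longer has.
    Run this before (and after) a SCIM Group DELETE. Policy shape is assumed:
    {policy_id: {"group": "<group name>"}}."""
    return sorted(pid for pid, cond in policies.items()
                  if cond.get("group") not in store.groups)
```

The dangling_group_references check is the practical half of the warning above: because group deletion is permanent, an ABAC condition that still names the deleted group silently stops matching anyone, so listing those policies before the DELETE is the cheap way to avoid an access gap.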

Token management

SCIM bearer tokens are generated per identity provider from the identity providers page: Settings → Identity Providers → Generate SCIM Token. The plaintext is shown exactly once on generation — store it immediately. Generating a new token automatically revokes the previous one.

Tokens are bcrypt-hashed at rest. Authentication uses a fast prefix lookup (the first 8 characters are stored in the clear) followed by bcrypt verification. SCIM endpoints are authenticated via bearer token — not JWT. Never add JWT middleware to /api/scim/v2 routes.

# Okta SCIM configuration
# Base URL: https://api.gateco.ai/api/scim/v2
# Authentication: Bearer <your-scim-token>
# Supported operations: Users (CRUD), Groups (CRUD)
# Attribute mapping:
#   userName   -> email
#   externalId -> external_id
#   groups     -> groups array
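The token scheme described under Token management, as an added example that is not Gateco's code: one active token per identity provider, plaintext returned exactly once, an 8-character clear-text prefix used as the index, a slow hash for the actual verification, and generation revoking the previous token. bcrypt is what the page states Gateco uses; this example substitutes PBKDF2-HMAC-SHA256 from the standard library so it runs offline without the bcrypt package. The class and method names, the token format, and the salt handling are assumptions.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 8          # characters kept in the clear for the index lookup
PBKDF2_ROUNDS = 100_000


def _slow_hash(token, salt):
    # Stand-in for bcrypt so the example runs on the standard library alone;
    # in production use bcrypt.hashpw / bcrypt.checkpw here instead.
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, PBKDF2_ROUNDS)


class ScimTokenRegistry:
    """One active bearer token per identity provider; plaintext never stored."""

    def __init__(self):
        self._by_idp = {}      # idp_id -> {"prefix", "salt", "hash"}
        self._by_prefix = {}   # prefix -> idp_id (the fast index)

    def generate(self, idp_id):
        """Mint a token, revoke the previous one for idp_id, and return the
        plaintext exactly once. The caller must store it immediately."""
        token = secrets.token_urlsafe(32)
        while token[:PREFIX_LEN] in self._by_prefix:   # keep the index unique
            token = secrets.token_urlsafe(32)
        old = self._by_idp.get(idp_id)
        if old is not None:
            del self._by_prefix[old["prefix"]]          # previous token revoked
        salt = secrets.token_bytes(16)
        record = {"prefix": token[:PREFIX_LEN], "salt": salt,
                  "hash": _slow_hash(token, salt)}
        self._by_idp[idp_id] = record
        self._by_prefix[record["prefix"]] = idp_id
        return token

    def authenticate(self, bearer):
        """Return the idp_id the presented bearer token belongs to, or None."""
        if len(bearer) < PREFIX_LEN:
            return None
        idp_id = self._by_prefix.get(bearer[:PREFIX_LEN])
        if idp_id is None:
            return None                        # unknown prefix: no slow hash run
        rec = self._by_idp[idp_id]
        # Constant-time compare on the digests, not on the token string.
        if hmac.compare_digest(_slow_hash(bearer, rec["salt"]), rec["hash"]):
            return idp_id
        return None

    def revoke(self, idp_id):
        rec = self._by_idp.pop(idp_id, None)
        if rec is not None:
            del self._by_prefix[rec["prefix"]]
```

The prefix index is what keeps the slow hash affordable: without it, every request would have to be checked against every stored hash. Keeping 8 characters in the clear gives up a small slice of a token that is otherwise about 256 bits of entropy, which is why the verification step still runs the full slow hash rather than trusting the prefix match.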

Frequently asked questions

Which identity providers support SCIM with Gateco?

Any SCIM 2.0-compliant identity provider. Okta, Azure Entra ID, and JumpCloud are the most commonly configured. Gateco also supports direct IDP adapters (with scheduled sync) for Okta, Azure Entra ID, AWS IAM Identity Center, and GCP Cloud Identity — available on Growth and above without SCIM.

What happens if a SCIM CREATE arrives for an already-active user?

If an active principal with the same externalId already exists, SCIM CREATE returns 422 (conflict). Only inactive principals are re-activated by a CREATE request.

Can I use SCIM and the IDP adapter simultaneously?

Yes, but it is not recommended for the same identity provider — you would get duplicate sync paths that could conflict. Use SCIM for IdPs that support it natively. Use the IDP adapter for scheduled sync when SCIM is not available.