Skip to main content

SCIM Provisioning Overview

SCIM 2.0 for automated user provisioning and deprovisioning

Updated today

BetaTesting supports SCIM 2.0 (System for Cross-domain Identity Management) for automated user provisioning and deprovisioning. When paired with SSO, SCIM gives your IT team full lifecycle control over BetaTesting user accounts directly from your identity provider.

What is SCIM?

SCIM is an open standard that allows identity providers to automatically manage user accounts in third-party applications. Instead of manually creating or removing BetaTesting accounts, your identity provider handles it automatically when you assign or unassign users.

What SCIM Enables

Capability

What Happens

Create Users

When you assign a user to the BetaTesting app in your IdP, a BetaTesting account is created automatically

Update User Profiles

Changes to user attributes (name, email) in your IdP are synced to BetaTesting

Deactivate Users

When you unassign a user or set them to inactive, their BetaTesting account is deactivated and they can no longer log in via SSO

Reactivate Users

Re-assigning a previously deprovisioned user restores their access

Push Groups

IdP groups are synced to BetaTesting, enabling automatic role assignment based on group membership

Manage Group Membership

Adding or removing users from IdP groups automatically updates their BetaTesting role

SSO Without SCIM vs. SSO With SCIM

SSO Only (no SCIM)

SSO + SCIM

Account creation

On first login (just-in-time)

Pre-provisioned from your IdP before the user ever logs in

Account removal

Manual -- contact BetaTesting

Automatic when you unassign the user in your IdP

Role assignment

Based on group claims in the SAML assertion (token-based)

Based on SCIM group memberships pushed from your IdP

Unprovisioned user login

Allowed -- account is created on the fly

Blocked -- only SCIM-provisioned users can log in

IT control

Moderate

Full lifecycle control

Key difference: When SCIM is enabled, users who are not provisioned through SCIM will be blocked from logging in via SSO, even if they have valid credentials. This gives your IT team strict control over who has access.

How It Works

  1. You configure SCIM in your identity provider, pointing it at BetaTesting's SCIM endpoint with a secure bearer token

  2. You push groups from your IdP to BetaTesting - these groups are used for role mapping

  3. You assign users to the BetaTesting app in your IdP (individually or via groups)

  4. Your IdP provisions users by calling BetaTesting's SCIM API, creating their accounts automatically

  5. Ongoing sync - any changes to user attributes, group memberships, or assignment status are automatically reflected in BetaTesting

SCIM Endpoint Details

BetaTesting's SCIM 2.0 API supports the following endpoints:

Discovery:

  • GET /ServiceProviderConfig -- Returns SCIM capabilities

  • GET /Schemas -- Lists supported schemas (User, Group)

  • GET /ResourceTypes -- Lists available resource types

User Operations:

  • GET /Users -- List provisioned users (with filtering and pagination)

  • POST /Users -- Create a new user

  • GET /Users/{id} -- Get a specific user

  • PUT /Users/{id} -- Replace/update a user

  • PATCH /Users/{id} -- Partially update a user (e.g., deactivate)

  • DELETE /Users/{id} -- Deactivate a user

Group Operations:

  • GET /Groups -- List provisioned groups

  • POST /Groups -- Create a group

  • GET /Groups/{id} -- Get a specific group

  • PUT /Groups/{id} -- Replace a group

  • PATCH /Groups/{id} -- Update group membership (add/remove members)

  • DELETE /Groups/{id} -- Delete a group

Supported User Attributes

SCIM Attribute

BetaTesting Field

Notes

userName

Email address

Used as the unique identifier

name.givenName

First name

name.familyName

Last name

displayName

Display name

emails[primary]

Email address

active

Account status

false deactivates the account

Authentication

SCIM requests are authenticated using a Bearer token provided by BetaTesting during setup. Your identity provider includes this token in the Authorization header of every SCIM request.

Prerequisites

Before setting up SCIM, you must:

  1. Complete SSO setup first - SCIM requires an active SAML-based SSO connection. See Set Up SSO with Okta or Set Up SSO with Any SAML Provider

  2. Have administrator access to your identity provider

  3. Contact your BetaTesting account manager to enable SCIM on your connection and receive:

    • The SCIM base URL

    • A secure Bearer token for API authentication

Supported Identity Providers

SCIM provisioning works with any IdP that supports the SCIM 2.0 standard, including:

  • Okta (see dedicated guide: Set Up SCIM with Okta)

  • Microsoft Entra ID (Azure AD)

  • OneLogin

  • JumpCloud

  • Ping Identity

Getting Started

Contact your BetaTesting account manager to enable SCIM for your SSO connection. They will provide:

  1. Your SCIM base URL (e.g., https://betatesting.com/api/scim/v2)

  2. A Bearer token for authenticating SCIM requests

  3. Guidance on configuring your specific identity provider

For Okta-specific instructions, see: Set Up SCIM with Okta.

Related Articles
Single Sign-On (SSO) Overview
Set Up SAML SSO with Okta
Set Up SAML SSO with Any Identity Provider
Set Up SCIM with Okta
SSO/SCIM FAQ & Troubleshooting
Did this answer your question?