# SCIM provisioning

> SCIM provisioning - Configure SCIM to enable automated user provisioning and deprovisioning in
> DataRobot through your Identity Provider.

This Markdown file sits beside the HTML page at the same path (with a `.md` suffix). It summarizes the topic and lists links for tools and LLM context.

Companion generated at `2026-07-08T13:08:31.984442+00:00` (UTC).

## Primary page

- [SCIM provisioning](https://docs.datarobot.com/en/docs/platform/admin/scim.html.md): Full documentation for this topic (Markdown sidecar).

## Sections on this page

- [Authentication](https://docs.datarobot.com/en/docs/platform/admin/scim.html.md#authentication): In-page section heading.
- [Prerequisites](https://docs.datarobot.com/en/docs/platform/admin/scim.html.md#prerequisites): In-page section heading.
- [DataRobot configuration](https://docs.datarobot.com/en/docs/platform/admin/scim.html.md#datarobot-configuration): In-page section heading.
- [Enable and configure SCIM](https://docs.datarobot.com/en/docs/platform/admin/scim.html.md#enable-and-configure-scim): In-page section heading.
- [Create a SCIM API key](https://docs.datarobot.com/en/docs/platform/admin/scim.html.md#create-a-scim-api-key): In-page section heading.
- [Configure the IdP](https://docs.datarobot.com/en/docs/platform/admin/scim.html.md#configure-the-idp): In-page section heading.
- [Validation](https://docs.datarobot.com/en/docs/platform/admin/scim.html.md#validation): In-page section heading.
- [Verify SCIM connectivity](https://docs.datarobot.com/en/docs/platform/admin/scim.html.md#verify-scim-connectivity): In-page section heading.
- [Verify org configuration](https://docs.datarobot.com/en/docs/platform/admin/scim.html.md#verify-org-configuration): In-page section heading.
- [Test user provisioning](https://docs.datarobot.com/en/docs/platform/admin/scim.html.md#test-user-provisioning): In-page section heading.

## Related documentation

- [Account management](https://docs.datarobot.com/en/docs/platform/index.html.md): Linked from this page.
- [Administrator's guide](https://docs.datarobot.com/en/docs/platform/admin/index.html.md): Linked from this page.
- [SAML single sign-on](https://docs.datarobot.com/en/docs/platform/admin/sso-ref.html.md): Linked from this page.
- [seat license](https://docs.datarobot.com/en/docs/platform/admin/manage-entities/manage-users.html.md#assign-seat-licenses-to-users): Linked from this page.

## Documentation content

System for Cross-domain Identity Management (SCIM) automates user provisioning and deprovisioning in DataRobot through your identity provider (IdP). With SCIM configured, the IdP manages user lifecycle events, so IT administrators are no longer required to manually add, move, or remove an employee in DataRobot. IT admins still retain full control over what groups are synced with DataRobot—only explicitly selected groups are provisioned, not the entire directory.

**Why use SCIM?**

- Realtime visibility into who has access to DataRobot.
- Automatically provisions new users joining the company and removes users leaving the company, reducing security risks.
- Scales as organizations grow.
- Takes the burden off IT and security teams to manually manage user accounts and groups.
- Reduces the potenial for over-provisioning and under-provisioning.

The basic workflow for configuring SCIM is as follows:

1. Review and complete the prerequisites.
2. Enable SCIM and configure SCIM for the organization.
3. Create a SCIM API key.
4. Configure your identity provider (IdP).
5. Validate the integration.

## Authentication

SCIM uses OAuth Bearer Token authentication ( [RFC 6750](https://datatracker.ietf.org/doc/html/rfc6750)). Include the SCIM API key in every request as:

```
Authorization: Bearer <scim-api-key>
```

Store the SCIM key in your IdP's SCIM connector as the API token or bearer token.

**Key properties of SCIM keys**

- SCIM keys do not expire.
- A SCIM key is organization-scoped, meaning it authenticates SCIM operations for one specific organization.
- The key provides access to all SCIM resource endpoints ( /api/v2/scim/<orgId>/Users , /api/v2/scim/<orgId>/Groups , etc.).
- The key does not have access to the SCIM configuration endpoint ( /api/v2/scim/<orgId>/configuration/ ); that endpoint requires organization admin authentication via a standard DataRobot API key.

## Prerequisites

Before configuring SCIM, SAML SSO must be enabled for the organization. To configure SSO, see [SAML single sign-on](https://docs.datarobot.com/en/docs/platform/admin/sso-ref.html.md).

Attempting to enable SCIM without SSO configured returns:

```
400 Bad Request: SSO must be enabled for the organization before configuring SCIM
```

## DataRobot configuration

Complete the following sections in order.

### Enable and configure SCIM

To enable and configure SCIM for the organization:

1. In Admin settings , go to your organization, and click SCIM .
2. Toggle onEnable SCIM.
3. Configure the following fields: FieldDescriptionExternal IdP typeThe identity provider (Okta or Microsoft Entra ID).Default seat licenseTheseat licenseautomatically assigned to new SCIM-provisioned users. Only licenses allocated to the cluster are listed. To opt out of auto-assignment, leave this field blank.

### Create a SCIM API key

> [!NOTE] Note
> Only a system or organization administrator can create a SCIM API key for the target organization.

To create a SCIM API key:

1. OpenUser settings > API keys and tools. Click theSCIM API keystab.
2. Click+ Create new key. Enter a name and target organization, then clickCreate.

The generated key is used as the Bearer token in the IdP's SCIM connector. DataRobot recommends having only one SCIM key per organization.

### Configure the IdP

Provide the following to your IdP's SCIM connector:

| Setting | Value |
| --- | --- |
| SCIM base URL | The integration endpoint from the SCIM configuration page (i.e, https://app.datarobot.com/api/v2/scim/6a2beff693648a4c1f6e2927/). |
| Authentication type | OAuth Bearer Token |
| Bearer token | The SCIM API key an admin created for the organization. |
| SCIM version | 2.0 |

For IdP-specific setup steps, refer to your provider's documentation:

- Okta: Configure SCIM provisioning.
- Microsoft Entra ID: SCIM provisioning.

## Validation

The following sections test if the SCIM integration is configured correctly and performing as expected:

### Verify SCIM connectivity

Use the SCIM API key to call the `ServiceProviderConfig` discovery endpoint:

```
curl -o /dev/null -s -w "%{http_code}\n" \
  -H "Authorization: Bearer <scim-api-key>" \
  https://<dr-host>/api/v2/scim/<orgId>/ServiceProviderConfig
```

Expected result: `200`

| Status | Meaning |
| --- | --- |
| 200 | SCIM is enabled and the key is valid. |
| 401 | Invalid or missing SCIM key. |
| 404 | SCIM is not enabled for this organization. |

### Verify org configuration

Use an organization administrator token to confirm the current SCIM configuration:

```
curl -s \
  -H "Authorization: Bearer <org-admin-token>" \
  https://<dr-host>/api/v2/scim/<orgId>/configuration/
```

The response must contain:

```
{
  "scimEnabled": true,
  "idpType": "<okta|entra_id>"
}
```

If `scimEnabled` is `false` or `idpType` is `null`, return to the section on enabling SCIM(#enable-and-configure-scim).

### Test user provisioning

Trigger a test provisioning event from the IdP. For example, assign a test user to the SCIM application in Okta or Entra ID. Check the IdP's provisioning logs to confirm the event was sent and received a `201 Created` response.
