SCIM Outbound Provisioning Overview

This topic describes CyberArk Identity outbound SCIM provisioning implementation (SCIM client)

SCIM Overview

SCIM (System for Cross-domain Identity Management) is an open standard for automating the exchange of user identity information between identity domains, or IT systems.

Use SCIM to automatically provision and de-provision user accounts in external systems such as SAML apps. For more information about SCIM, see

Outbound provisioning provisions users and groups from CyberArk Identity to other applications.

CyberArk Identity Outbound SCIM Provisioning

CyberArk Identity supports provisioning to some applications through their proprietary API. For example, provisioning to Office 365 is done using API from Microsoft. Other apps (e.g., custom SAML apps) can only be provisioned if the app supports SCIM.

A SCIM server is only required for outbound provisioning, so users and groups can be provisioned from CyberArk Identity to your application. The CyberArk Identity outbound provisioning feature supports SCIM 1.1 and 2.0.

If your SAML application supports SCIM, you can enable provisioning by entering the Access Token and SCIM URL.

CyberArk Identity Provisioning Requirements

Before configuring your application for provisioning, you must:

  • Install, configure, and deploy the app
  • Give Manage Accounts and Manage Groups permissions to the app
  • Get an Access Token for the app



When you create the app, the Access Token is only displayed once and it never expires. It is important to store the Access Token in a secure location.

More Info