Automatic SCIM Provisioning

The Admin Portal requires these elements for provisioning:

  • SCIM Service URL: Sometimes referred to as SCIM Base URL. Base URL for the SCIM server. Ensure the URL is HTTPS and reachable by the CyberArk Identity service.

  • One of the supported authentication methods:
    - OAuth 2.0
    - Bearer token
    - Basic authentication (i.e., username/password)
    - Direct specification of Authentication header value

App Configuration in the Admin Portal

To using SCIM provisioning, configure your app in the Admin Portal.

  1. Click the Provisioning tab.

  2. Select Enable provisioning for this application.

  1. Ensure your application supports SCIM, and click Yes in the SCIM Provisioning window.

  2. Select Preview Mode or Live Mode.

Preview ModeLive Mode
Use when testing application provisioning or making configuration changes.

The identity platform applies a test provisioning run of the changes, but changes aren’t saved.
Use when applying provisioning in your production system.

The identity platform applies the provisioning run and saves the changes to both the identity platform and the application’s account information.
  1. Enter the SCIM Service URL.



SCIM does not enforce specific methods of authentication with the Application provider, but an acceptable SCIM URL and access token are required.

Retrieve the access token and SCIM URL:

  • From the application’s admin console
  • By contacting your application's support team
  • By creating an access token using OAuth2.0
  1. Select an Authorization Type.



The Authorization Type determines what information is required and where to find the information.

If you need assistance locating this information, contact support for the company that makes the app you are configuring.

OAuth 2.0Authorization Header
This Authorization Type uses a workflow to authorize access. The Authorization Header directly provides credentials.Requires choosing a Header Type.
  1. Fill in the Authorization Type selection details.

OAuth 2.0

  • Authorize URL: Copy the URL the admin will use to authorize access to the application, and paste it here.
  • Access Token URL: Copy the URL where the admin can get an access token for the app after authorization, and paste it here.
  • Client ID: Copy the ID generated when you create the client app entry, and paste it here.
  • Client Secret: Copy the password or access token generated when you create the client app entry, and paste it here.
  • Scope: Copy the statement of permissions to be granted to CyberArk Identity and paste it here. To enable provisioning, CyberArk Identity needs read and write permission to users and groups.

Authorization Header

Selecting Authorization Header requires you to choose a Header Type.

  • Select Bearer Token if your app requires the header in the format: Bearer <your_access_token>.
  • Select Basic if your app requires authentication in the format: HTTP BASIC.
  • Select Direct if your app uses some other format.

If you select Bearer Token, fill in the "Bearer Token" field.


If you select Basic, fill in these fields:

  • Admin Name: Copy the login name for the admin and paste it here.
  • Admin Password: Copy the login password for the admin and paste it here.

If you select Direct, fill in the "Header Value" field:

  1. Click Verify to allow CyberArk Identity to verify the connection, and save the provisioning details.

    • When making changes to the fields in the Admin Portal's Provisioning page, verification options are available:
Verify CredentialsVerify and re-detect settings
Only checks the fields above the Sync Options section.The entire page is refreshed. Overwrites any changes you have made to the Sync options, Deprovisioning options, and Provisioning Script.
  1. Continue Provisioning users for your app based on roles.