What is SCIM?
SCIM(Read Skim) stands for "System for Cross-domain Identity Management." It is an open standard protocol designed to simplify the management of user identities and resources across different systems and domains. SCIM is commonly used in identity and access management (IAM) solutions, allowing organizations to automate the provisioning and deprovisioning of user accounts, as well as managing user attributes and group memberships.
Why It Matters
As organization scale, managing user access manually becomes inefficient and risky. SCIM helps you Automates user provisioning for Archer by securely syncing user and group data from the customer’s identity provider (IdP). Updates in the IdP are reflected in Archer in real time, including new users, changes, and de-provisioning. It Helps in
- Automate onboarding and offboarding
- Keep user data consistent across systems
- Reduce security gaps from delayed access removal
- Strengthen compliance and audit readiness
About Archer SCIM
Standards-Based and RFC Compliant
Archer’s SCIM implementation is fully aligned with industry standards:
- Compliant with RFC 7643 (Core Schema)
- Compliant with RFC 7644 (Protocol)
This ensures Archer works reliably with standard Identity Providers and behaves in a predictable way during provisioning and updates.
How It Works
Archer integrates directly with leading Identity Providers such as Microsoft Entra ID and OneLogin.
- Users are created or updated in your Identity Provider
- SCIM securely transmits changes
- Archer automatically provisions or updates access
No manual intervention required.
Enabling SCIM
SCIM is an Opt-in Service, i.e.; it is not enabled by default on your SaaS. As a paid offering it is sold either as part of "Archer Evolv" or stand alone service. Talk to your account executive for pricing details. After the purchase whenever your organization is ready to adopt SCIM as the preferred method for User Provisioning in Archer you can raise a SCIM service activation request via Archer Technical Support. You'll need to share following information :
- Customer Account name
- Instance ID(s)
- Type of instance(s), i.e.; non-production/production environment
- URL to connect Archer SaaS Instance
- Name of the Identity Provider service(IDP) you'll use to connect to the SCIM provisioner
- Contact person, preferably an IT Administration staff who would be responsible for setting up the SCIM connector. Their name, Email ID, contact number(optional).
After the support case is logged Archer
- Archer will securely share : SCIM Base URL and an API Key to configure in SCIM integration with the designated contact person.
- Customers’ IT Administration staff downloads SCIM in their IDP system and configures it to talk to Archer. Documentation to configure SCIM with OneLogin and Azure is attached on this blog. You could use either as reference for connecting SCIM Service with any other IDP.
- For any issue resolution during the onboarding process, log an Archer support ticket.
N.B :
- SCIM does not support “Nested Group” provisioning (i.e., group hierarchies) and creation of groups with duplicate names. Nested Group support is a planned for future release.
- SCIM is Generally available as on 31st December, 2024.
⚠️ SCIM Configuration Warning
- Use one SCIM application per Archer instance
- Do not reuse the same SCIM application across environments or instances
- If target Archer instance changes, create a new SCIM application
- For DB refresh stop SCIM provisioning and re-register before resuming
- For DB migration (On-Prem to SaaS), enable SCIM only after the database is stable and no further changes are being made
SCIM configuration is a shared responsibility, and it is the clients responsibility to ensure that SCIM application within their Identity Provider (IdP) is configured and managed correctly.
Failure to follow these guidelines may lead to incorrect user mapping, user swapping, unauthorized access, and data inconsistencies, potentially impacting security, access control, and overall data integrity.
Best Practices
To get the most from SCIM:
- Manage provisioning through SCIM
- Use SSO for authentication
- Keep user identifiers consistent across systems
- Avoid manual user deletion—use inactive status instead
- Archer timezone format is not directly supported by Okta; use static mapping for uniform setups or expressions to align Okta time zones with Archer-supported values.
Archer provides detailed documentation and support for integrating SCIM with your Identity Provider. Archer help Center, SCIM API Spec
Whether you use Microsoft Entra ID, OneLogin, or another SCIM-compliant IDP, you can quickly enable automated identity management. Reference for SCIM Protocol can be found here.
Resources:
- SCIM Specifications for Archer SaaS
- Azure SCIM Application Configuration
- Okta SCIM Application Configuration
Comments
0 comments
Please sign in to leave a comment.