SCIM provisioning
System for Cross-domain Identity Management (SCIM) is an open standard protocol that allows identity providers to synchronize user identity information with cloud applications and services. After configuring SCIM, user identities that you create, edit, or delete in the identity provider are automatically updated across all supported applications. This makes it easier for IT admins to onboard new users, update their groups and permissions, and revoke access in the event of an employee termination or security breach.
Cloudflare Access supports SCIM provisioning for all SAML and OIDC identity providers that use SCIM version 2.0.
Cloudflare Access can automatically deprovision users from Zero Trust after they are deactivated in the identity provider and display synchronized group names in the Access and Gateway policy builders. Cloudflare does not provision new users in Zero Trust when they are added to the identity provider -- users must first register a device with the Cloudflare One Client or authenticate to an Access application.
To set up SCIM for Zero Trust, refer to our SSO integration guides.
SCIM behavior depends on the identity provider configuration as well as Cloudflare.
Common issues include:
- Okta: User sync and group sync are separate. Make sure Push Groups is configured if you expect groups to appear in Zero Trust policies.
- Microsoft Entra ID: Group sync only occurs for groups included in the provisioning scope. The userName attribute should match the user's email address in Cloudflare One.
If users appear but groups do not, verify the IdP-side SCIM app first before troubleshooting Cloudflare policy behavior.
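The following is an added example (not Cloudflare's or any identity provider's code) that evaluates SCIM 2.0 User and Group payloads against the behavior described above: active=false is treated as the deprovisioning signal, group membership is resolved from Group resources, and a userName that does not match the primary email is flagged. The resource names and sample payloads are constructed for illustration.

```python
# Added example: check SCIM 2.0 User/Group pushes for the issues described on this page.
from dataclasses import dataclass, field

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

@dataclass
class SyncDecision:
    user_name: str
    action: str = "reject"          # "active", "deprovision" or "reject"
    groups: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

def primary_email(user):
    """Primary email of a SCIM User; falls back to the first email listed."""
    emails = user.get("emails") or []
    for e in emails:
        if e.get("primary"):
            return e.get("value")
    return emails[0].get("value") if emails else None

def evaluate_user(user, groups):
    """Decide what a pushed User means for Zero Trust and flag common IdP misconfigurations."""
    decision = SyncDecision(user_name=user.get("userName", ""))
    if USER_SCHEMA not in user.get("schemas", []):
        decision.warnings.append("not a SCIM 2.0 User resource")
        return decision
    email = primary_email(user)
    if email is None or decision.user_name.lower() != email.lower():
        # Access matches identities by email, so a userName that is not the email is the
        # usual reason a synced user never matches a policy.
        decision.warnings.append(f"userName {decision.user_name!r} != email {email!r}")
    # active=false from the IdP is the deprovisioning signal.
    decision.action = "active" if user.get("active", True) else "deprovision"
    # Group membership lives in Group resources whose members reference the user's id.
    uid = user.get("id")
    decision.groups = sorted(g["displayName"] for g in groups
                             if any(m.get("value") == uid for m in g.get("members", [])))
    if decision.action == "active" and not decision.groups:
        decision.warnings.append("no groups synced; check Push Groups / provisioning scope")
    return decision

# Constructed sample payloads (not from a real tenant).
SAMPLE_GROUPS = [{"displayName": "Engineering", "members": [{"value": "u-1"}]}]
ACTIVE_USER = {"schemas": [USER_SCHEMA], "id": "u-1", "userName": "jdoe",
               "active": True, "emails": [{"value": "jdoe@example.com", "primary": True}]}
DEACTIVATED_USER = {"schemas": [USER_SCHEMA], "id": "u-2", "userName": "asmith@example.com",
                    "active": False, "emails": [{"value": "asmith@example.com", "primary": True}]}
```

Running evaluate_user over ACTIVE_USER reports the userName/email mismatch while still resolving the Engineering group; DEACTIVATED_USER yields a deprovision decision with no warnings.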