SCIM 2.0 Provisioning

NodeLoom implements SCIM 2.0 (System for Cross-domain Identity Management) for automated user and group provisioning. SCIM lets your identity provider manage the full lifecycle of NodeLoom accounts, including creation, updates, deactivation, and role assignment.

Overview

SCIM 2.0 is an open standard defined by RFC 7643 (Core Schema) and RFC 7644 (Protocol) for automating the exchange of user identity information between identity domains. When configured, your identity provider pushes user and group changes to NodeLoom in real time.

Identity Provider | Compatibility
----------------- | -------------
Okta | Fully compatible. Native SCIM 2.0 provisioning app available.
Azure AD | Fully compatible. Supports Azure AD automatic provisioning with SCIM 2.0.
OneLogin | Fully compatible. Use the SCIM Provisioner with SAML (SCIM v2.0) connector.
Other SCIM 2.0 providers | Compatible via standard SCIM 2.0 endpoints. Any provider that supports RFC 7644 will work.

Prerequisites

Before configuring SCIM provisioning, ensure the following requirements are met:

Requirement | Details
----------- | -------
Plan | SCIM provisioning is available on Business and Enterprise plans.
Role | You must have the Admin role in your NodeLoom team to configure SCIM.
Identity Provider | A compatible identity provider with SCIM 2.0 provisioning support (Okta, Azure AD, OneLogin, or any RFC 7644-compliant provider).

SSO recommended

While SCIM can be configured independently, it is strongly recommended to configure SSO first. This ensures that provisioned users can authenticate seamlessly through your identity provider.

Setting Up SCIM

Follow these steps to enable SCIM provisioning for your team.

1. Generate a SCIM token in NodeLoom

Navigate to Settings → SCIM and click Generate Token. Copy the token immediately, as it is displayed only once.

Token shown only once

The SCIM bearer token is displayed only at the time of creation. It is stored as a SHA-256 hash and cannot be retrieved later. If you lose the token, you must revoke it and generate a new one.

2. Configure the SCIM app in your identity provider

Create a SCIM provisioning application in your IdP and enter the following values:

Field | Value
----- | -----
Base URL (SCIM Connector URL) | https://your-domain.com/api/scim/v2
Authentication | HTTP Header: Bearer token (use the token from step 1)
Content-Type | application/scim+json
3. Test the connection

Most identity providers include a Test Connection button. Click it to verify that the IdP can reach the NodeLoom SCIM endpoints. A successful test confirms that the base URL and token are correctly configured.

Token Management

SCIM tokens authenticate your identity provider's requests to NodeLoom. Each team can have up to 10 active SCIM tokens, allowing for token rotation without downtime.

Feature | Details
------- | -------
Maximum tokens | 10 active tokens per team. Revoke unused tokens to free slots.
Token storage | Tokens are stored as SHA-256 hashes. The plaintext value is shown only once at creation time.
IP allowlisting | Restrict token usage to specific IP addresses or CIDR ranges (/24 to /32). Requests from non-allowed IPs are rejected with 403.
Revoking tokens | Revoked tokens are immediately invalidated. Your IdP will receive 401 errors until a new token is configured.

Creating a SCIM token with IP allowlist
{
  "name": "Okta SCIM Provisioning",
  "allowedIPs": [
    "52.18.0.0/24",
    "54.76.120.0/24"
  ],
  "expiresAt": "2027-01-01T00:00:00Z"
}

IP allowlisting for production

In production environments, always configure IP allowlisting to restrict SCIM token usage to your IdP's known egress IP addresses. Check your IdP's documentation for their outbound IP ranges.
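The checks a SCIM endpoint has to make on every request, as described in the token management table above, as an added example (not NodeLoom's own code): hash the presented bearer token, compare it to the stored SHA-256 hash in constant time, reject revoked or expired tokens with 401, and reject valid tokens presented from an IP outside the /24 to /32 allowlist with 403. The token record's tokenHash and revoked fields, the sample token value, and the fixed "current time" are assumptions constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone

# Constructed sample: a plaintext token (shown once at creation) and the stored
# record NodeLoom keeps for it. Field names other than those in the creation
# request above (tokenHash, revoked) are assumptions for this example.
PLAINTEXT_TOKEN = "scim_example_token_value"
TOKEN_RECORD = {
    "name": "Okta SCIM Provisioning",
    "tokenHash": hashlib.sha256(PLAINTEXT_TOKEN.encode()).hexdigest(),
    "allowedIPs": ["52.18.0.0/24", "54.76.120.0/24"],
    "expiresAt": "2027-01-01T00:00:00Z",
    "revoked": False,
}
AS_OF = datetime(2026, 3, 15, tzinfo=timezone.utc)  # constructed "now" for the example

def validate_allowlist(cidrs):
    """Reject entries broader than /24 (the page allows /24 to /32 only)."""
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4 or net.prefixlen < 24:
            raise ValueError(f"allowlist entry {cidr} must be between /24 and /32")
    return True

def authorize(record, presented_token, source_ip, now=None):
    """Return the HTTP status the SCIM layer should answer with: 200, 401 or 403."""
    validate_allowlist(record["allowedIPs"])
    now = now or datetime.now(timezone.utc)
    presented_hash = hashlib.sha256(presented_token.encode()).hexdigest()
    # Compare hash to hash in constant time; the plaintext token is never stored.
    if not hmac.compare_digest(presented_hash, record["tokenHash"]):
        return 401
    if record["revoked"]:
        return 401  # revoked tokens are invalidated immediately
    expires = datetime.fromisoformat(record["expiresAt"].replace("Z", "+00:00"))
    if now >= expires:
        return 401  # assumption: an expired token is treated like a revoked one
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(c, strict=False) for c in record["allowedIPs"]):
        return 403  # valid token, but the request did not come from an allowed IP
    return 200
```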

User Provisioning

When your identity provider creates a user through SCIM, NodeLoom automatically provisions a new account. SCIM-managed users are distinguished from manually created users and behave differently in the following ways.

Behavior | Details
-------- | -------
Account creation | Users created via SCIM are automatically email-verified with a random secure password. They should authenticate via SSO.
Synced attributes | email, firstName, lastName, displayName, and active status are synced from the IdP on every SCIM update.
Deactivation | Setting a user's active status to false disables their account. They cannot log in but their data is preserved.
Deletion | DELETE requests permanently remove the user account and unassign them from all workflows and teams.
Read-only profiles | SCIM-provisioned users cannot edit their name or email in the NodeLoom UI. Changes must be made in the IdP.

Profile edit protection

SCIM-provisioned users see a badge on their profile page indicating that their account is managed by an external identity provider. The name and email fields are locked and display a message directing them to contact their IT administrator for changes.

SCIM user creation request
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "[email protected]",
  "name": {
    "givenName": "Jane",
    "familyName": "Doe"
  },
  "emails": [
    {
      "primary": true,
      "value": "[email protected]",
      "type": "work"
    }
  ],
  "displayName": "Jane Doe",
  "active": true
}

Group Provisioning

SCIM groups from your identity provider map to NodeLoom roles. When a user is added to or removed from a group in your IdP, their NodeLoom role is automatically updated.

IdP Group Name | NodeLoom Role | Description
-------------- | ------------- | -----------
Admins | ADMIN | Full workspace access including user management, billing, and security settings.
Builders | BUILDER | Can create, edit, and delete workflows and manage credentials.
Operators | OPERATOR | Can execute workflows and view execution history.
Viewers | VIEWER | Read-only access to workflows, executions, and dashboards.

Group names are matched case-insensitively. You can customize the group-to-role mapping in Settings → SCIM → Group Mapping. Users who belong to multiple groups receive the highest-privilege role.

SCIM group PATCH (add member)
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "add",
      "path": "members",
      "value": [
        {
          "value": "user-uuid-here",
          "display": "[email protected]"
        }
      ]
    }
  ]
}
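How the group mapping rules above combine with a PatchOp like the one just shown, as an added example (not NodeLoom's own code): the patch is applied to a group's member list, group names are matched case-insensitively against the default mapping table, and a user in several mapped groups gets the highest-privilege role. The sample groups, user IDs, and the remove-path form `members[value eq "<id>"]` (the RFC 7644 filter syntax, which some IdPs use for removals) are assumptions constructed for the example.

```python
import re

# Default group-to-role mapping from the table above; names match case-insensitively.
GROUP_ROLE_MAP = {"admins": "ADMIN", "builders": "BUILDER",
                  "operators": "OPERATOR", "viewers": "VIEWER"}
# Privilege order used when a user belongs to several mapped groups (highest wins).
ROLE_RANK = {"ADMIN": 3, "BUILDER": 2, "OPERATOR": 1, "VIEWER": 0}
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
MEMBER_FILTER = re.compile(r'members\[value eq "([^"]+)"\]')  # e.g. members[value eq "u1"]

def apply_patch(group, patch):
    """Apply a PatchOp that adds or removes members; return an updated copy of the group."""
    if patch.get("schemas") != [PATCH_SCHEMA]:
        raise ValueError("not a SCIM PatchOp message")
    members = {m["value"] for m in group.get("members", [])}
    for op in patch["Operations"]:
        kind, path = op["op"].lower(), op.get("path", "")
        if kind == "add" and path == "members":
            members |= {m["value"] for m in op["value"]}
        elif kind == "remove" and MEMBER_FILTER.fullmatch(path):
            members.discard(MEMBER_FILTER.fullmatch(path).group(1))
        elif kind == "remove" and path == "members" and "value" in op:
            members -= {m["value"] for m in op["value"]}
        else:
            raise ValueError(f"unsupported operation: {kind} {path!r}")
    return {**group, "members": [{"value": v} for v in sorted(members)]}

def effective_roles(groups, mapping=GROUP_ROLE_MAP):
    """Map each user ID to the highest-privilege role granted by any mapped group."""
    roles = {}
    for g in groups:
        role = mapping.get(g["displayName"].lower())
        if role is None:
            continue  # a group with no mapping grants no role
        for m in g["members"]:
            uid = m["value"]
            if uid not in roles or ROLE_RANK[role] > ROLE_RANK[roles[uid]]:
                roles[uid] = role
    return roles

# Constructed sample: two IdP groups (note the lowercase "viewers") and a PATCH
# in the same shape as the one above that adds user u3 to the Admins group.
GROUPS = [
    {"id": "g-admins", "displayName": "Admins", "members": [{"value": "u1"}]},
    {"id": "g-viewers", "displayName": "viewers",
     "members": [{"value": "u1"}, {"value": "u2"}]},
]
ADD_U3 = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "add", "path": "members", "value": [{"value": "u3", "display": "u3@example.com"}]}]}
```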

Supported Operations

NodeLoom implements the full SCIM 2.0 protocol as defined in RFC 7644. The following table lists all supported operations by resource type.

Resource | Operation | Method | Description
-------- | --------- | ------ | -----------
Users | List | GET /Users | List all SCIM-provisioned users with pagination and filtering.
Users | Create | POST /Users | Provision a new user account.
Users | Read | GET /Users/{id} | Retrieve a specific user by their SCIM ID.
Users | Replace | PUT /Users/{id} | Full replacement of a user resource.
Users | Update | PATCH /Users/{id} | Partial update of specific user attributes.
Users | Delete | DELETE /Users/{id} | Permanently remove a user account.
Groups | List | GET /Groups | List all SCIM groups with pagination and filtering.
Groups | Create | POST /Groups | Create a new group with role mapping.
Groups | Read | GET /Groups/{id} | Retrieve a specific group by its SCIM ID.
Groups | Replace | PUT /Groups/{id} | Full replacement of a group resource.
Groups | Update | PATCH /Groups/{id} | Partial update (add/remove members, rename).
Groups | Delete | DELETE /Groups/{id} | Remove a group and its role mappings.
Discovery | ServiceProviderConfig | GET /ServiceProviderConfig | Returns supported SCIM features and capabilities.
Discovery | Schemas | GET /Schemas | Returns the SCIM schemas supported by NodeLoom.
Discovery | ResourceTypes | GET /ResourceTypes | Returns the resource types (User, Group) and their endpoints.

Rate Limiting

SCIM endpoints are rate-limited to prevent abuse and ensure consistent performance. Rate limits apply per team and are tracked using a sliding window.

Header | Description
------ | -----------
X-RateLimit-Limit | Maximum number of requests allowed per window (default: 60).
X-RateLimit-Remaining | Number of requests remaining in the current window.
X-RateLimit-Reset | Unix timestamp when the rate limit window resets.

The default rate limit is 60 requests per minute per team. Enterprise customers can request higher limits through their account manager. When the rate limit is exceeded, the API returns a 429 Too Many Requests response with a Retry-After header.

Rate limit exceeded response
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
  "status": "429",
  "detail": "Rate limit exceeded. Retry after 32 seconds."
}
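A per-team sliding-window limiter that produces the headers and the 429 error body described above, as an added example (not NodeLoom's own code): each team's recent request timestamps are kept in a deque, entries older than the window are dropped on every check, and a rejected request gets a Retry-After computed from when the oldest in-window request expires. The team ID and request timings are constructed for the example.

```python
from collections import defaultdict, deque

ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

class SlidingWindowLimiter:
    """Per-team sliding window: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit=60, window=60.0):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)  # team_id -> timestamps of recent requests

    def check(self, team_id, now):
        """Return (status, headers, body) for a request arriving at time `now` (seconds)."""
        hits = self._hits[team_id]
        while hits and hits[0] <= now - self.window:
            hits.popleft()  # discard requests that have slid out of the window
        if len(hits) >= self.limit:
            retry_after = int(hits[0] + self.window - now) + 1  # until oldest hit expires
            headers = {
                "X-RateLimit-Limit": str(self.limit),
                "X-RateLimit-Remaining": "0",
                "X-RateLimit-Reset": str(int(hits[0] + self.window)),
                "Retry-After": str(retry_after),
            }
            body = {"schemas": [ERROR_SCHEMA], "status": "429",
                    "detail": f"Rate limit exceeded. Retry after {retry_after} seconds."}
            return 429, headers, body
        hits.append(now)
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(self.limit - len(hits)),
            "X-RateLimit-Reset": str(int(hits[0] + self.window)),
        }
        return 200, headers, None

def simulate(limit=3, arrivals=(100, 101, 102, 103, 161)):
    """Constructed traffic for one team (limit lowered to 3); returns the status per arrival."""
    limiter = SlidingWindowLimiter(limit=limit)
    return [limiter.check("team_xyz789", t)[0] for t in arrivals]
```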

Filtering

SCIM list endpoints support filtering using the standard SCIM filter syntax. Filters are passed as a filter query parameter.

Operator | Description | Example
-------- | ----------- | -------
eq | Equal | userName eq "jane@example.com"
ne | Not equal | active ne false
co | Contains | displayName co "Jane"
sw | Starts with | userName sw "jane"
ew | Ends with | userName ew "@example.com"
pr | Present (has value) | displayName pr

Example: filter users by email
curl -H "Authorization: Bearer scim_token_here" \
  "https://your-domain.com/api/scim/v2/Users?filter=userName%20eq%20%22jane%40example.com%22"
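A parser for the six filter operators in the table above and the matching logic applied to user resources, as an added example (not NodeLoom's own code). It accepts only the `attribute operator "value"` grammar shown on the page and rejects anything else, so unsupported or malformed input never reaches a data store. String comparisons are case-insensitive, following RFC 7643's caseExact=false for userName; the sample users are constructed.

```python
import re

# attribute, operator, then either a quoted string or a bare boolean/integer literal.
FILTER_RE = re.compile(
    r'^\s*(\w+)\s+(eq|ne|co|sw|ew|pr)(?:\s+(?:"([^"]*)"|(true|false|\d+)))?\s*$', re.I)

def parse_filter(expr):
    """Return (attr, op, value) or raise ValueError for anything outside the grammar."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    attr, op, quoted, literal = m.group(1), m.group(2).lower(), m.group(3), m.group(4)
    if op == "pr":
        if quoted is not None or literal is not None:
            raise ValueError("pr takes no comparison value")
        return attr, op, None
    if quoted is None and literal is None:
        raise ValueError("missing comparison value")
    if literal is not None:
        lit = literal.lower()
        value = True if lit == "true" else False if lit == "false" else int(lit)
    else:
        value = quoted
    return attr, op, value

def _equal(actual, expected):
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.lower() == expected.lower()  # caseExact=false attributes
    return actual == expected

def matches(resource, attr, op, value):
    actual = resource.get(attr)
    if op == "pr":
        return actual not in (None, "", [])
    if op in ("eq", "ne"):
        return _equal(actual, value) if op == "eq" else not _equal(actual, value)
    if not isinstance(actual, str) or not isinstance(value, str):
        return False  # co/sw/ew are defined for strings only
    a, v = actual.lower(), value.lower()
    return {"co": v in a, "sw": a.startswith(v), "ew": a.endswith(v)}[op]

def filter_users(users, expr):
    """Return the IDs of users matching a SCIM filter expression."""
    attr, op, value = parse_filter(expr)
    return [u["id"] for u in users if matches(u, attr, op, value)]

# Constructed sample users (u2 has no displayName, u3 is deactivated).
USERS = [
    {"id": "u1", "userName": "jane@example.com", "displayName": "Jane Doe", "active": True},
    {"id": "u2", "userName": "bob@example.com", "active": True},
    {"id": "u3", "userName": "carol@partner.test", "displayName": "Carol", "active": False},
]
```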

API Endpoints

All SCIM endpoints are authenticated with a SCIM bearer token and prefixed with /api/scim/v2. Requests must include the Authorization: Bearer header.

User Endpoints

GET /api/scim/v2/Users

List all SCIM-provisioned users. Supports pagination (startIndex, count) and filtering.

POST /api/scim/v2/Users

Create a new user. The user is auto-verified and assigned the default role unless a group mapping applies.

GET /api/scim/v2/Users/{id}

Retrieve a specific user by their SCIM resource ID.

PATCH /api/scim/v2/Users/{id}

Partially update a user. Commonly used for activating/deactivating accounts or updating attributes.

DELETE /api/scim/v2/Users/{id}

Permanently delete a user account and remove all team and workflow associations.

Group Endpoints

GET /api/scim/v2/Groups

List all SCIM groups. Supports pagination and filtering.

POST /api/scim/v2/Groups

Create a new group with a display name and optional member list. Maps to a NodeLoom role.

PATCH /api/scim/v2/Groups/{id}

Update a group. Commonly used for adding or removing members via PatchOp operations.

DELETE /api/scim/v2/Groups/{id}

Delete a group and remove its role mapping. Members are not deleted but lose their group-assigned role.

Audit Logging

All SCIM operations are recorded in the NodeLoom audit log. Each entry includes the operation type, affected resource, requesting IP address, and the SCIM token used. Audit entries are immutable and tamper-evident.

Event | Description
----- | -----------
scim.user.created | A new user account was provisioned via SCIM.
scim.user.updated | A user's attributes were updated via SCIM.
scim.user.deactivated | A user's account was deactivated (active set to false).
scim.user.deleted | A user account was permanently deleted via SCIM.
scim.group.created | A new group was created via SCIM.
scim.group.members_updated | Members were added to or removed from a group.
scim.group.deleted | A group was deleted via SCIM.
scim.token.created | A new SCIM bearer token was generated.
scim.token.revoked | A SCIM bearer token was revoked.

Example audit log entry
{
  "id": "audit_3a2b1c0d",
  "timestamp": "2026-03-15T09:22:00Z",
  "event": "scim.user.created",
  "actor": "scim-token:okta-provisioner",
  "resource": {
    "type": "user",
    "id": "usr_abc123",
    "email": "[email protected]"
  },
  "sourceIP": "52.18.44.100",
  "teamId": "team_xyz789"
}