Skip to content

website/docs: additional scim provider docs #22135

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dewi-tik wants to merge 2 commits into
base: main
Choose a base branch
from
+87 −14
Open

website/docs: additional scim provider docs #22135

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3bcb263
Add create scim provider doc, add info about oauth interactive mode, …
dewi-tik May 7, 2026
6a221f5
Spelling
dewi-tik May 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 71 additions & 0 deletions website/docs/add-secure-apps/providers/scim/create-scim-provider.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
---
title: Create a SCIM provider
---

## Create a SCIM provider with token authentication

To create a provider along with a corresponding application, navigate to **Applications** > **Applications** and click **New Application**. We recommend this combined approach for most common use cases. Alternatively, you can use the legacy method to solely create the provider by navigating to **Applications** > **Providers** and clicking **New Provider**.

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair.
3. On the **Application** page, define the application settings, and then click **Next**.
4. Select **SCIM** as the **Provider Type**, and then click **Next**.
5. On the **Configure Provider** page, provide the configuration settings, and then click **Next**.
6. On the **Configure Bindings** page, click **Next**.
7. Click **Create** to create both the application and the provider.

### Set the SCIM provider as a backchannel provider for the application

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click the edit icon of the new SCIM application.
3. Click the plus icon (+) next to **Backchannel providers**.
4. Select the new SCIM provider, and then click **Confirm**.
5. Click **Save changes**.

## Create a SCIM provider with OAuth authentication

There are 3 required steps to creating a SCIM provider:

1. [Create an OAuth source](#create-an-oauth-source)
2. [Create a SCIM application and provider](#create-a-scim-application-and-provider)
3. [Set the SCIM provider as a backchannel provider for the application](#set-the-scim-provider-as-a-backchannel-provider-for-the-application)

If using OAuth (Interactive) mode, you will also need to:

4. [Provide admin authorization](#provide-admin-authorization-oauth-interactive-mode-only)

### Create an OAuth source

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Directory** > **Federation and Social login** and click **New Source**.
3. Select **OpenID OAuth Source** as the **Source type**.
4. On the **OpenID OAuth Source Details** page, provide the configuration settings provided by the SCIM endpoint that you are provisioning to, and then click **Create**.

### Create a SCIM application and provider

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair.
3. On the **Application** page, define the application settings, and then click **Next**.
4. Select **SCIM** as the **Provider Type**, and then click **Next**.
5. On the **Configure Provider** page, configure the required settings. Set **Authentication mode** to the desired OAuth option, select the **OAuth source** you created in the previous section, and then click **Next**.
6. On the **Configure Bindings** page, click **Next**.
7. Click **Create** to create both the application and the provider.

### Set the SCIM provider as a backchannel provider for the application

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click the edit icon of the new SCIM application.
3. Click the plus icon (+) next to **Backchannel providers**.
4. Select the new SCIM provider, and then click **Confirm**.
5. Click **Save changes**.

### Provide admin authorization (OAuth Interactive mode only)

If you selected **OAuth (Interactive)** as the **Authentication mode** for the SCIM provider, you will need to authorize the initial OAuth connection.

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click the name of the new SCIM provider.
3. Next to **OAuth Status**, click **(Re-)Authenticate**.
4. You should be redirected to the SCIM endpoint that you are provisioning to for authentication.
5. Once authenticated, you should be redirected back to authentik. If successful, **OAuth Status** should now show as **Authenticated**.
This step is only required when initially configuring the SCIM provider; subsequent authentications will be automatic.
20 changes: 7 additions & 13 deletions website/docs/add-secure-apps/providers/scim/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,7 @@ A SCIM provider requires a SCIM base URL for the endpoint and an authentication

SCIM providers in authentik always serve as [backchannel providers](../../applications/manage_apps.mdx#backchannel-providers), which are used in addition to the main provider that supplies SSO authentication. A backchannel provider is used for an application that requires backend authentication, directory synchronization, or other additional authentication needs.

## Set up a SCIM provider

Many applications use SCIM together with another SSO protocol such as OAuth/OIDC or SAML. For example, you can create an application and provider pair for Slack by using SAML for authentication and SCIM for provisioning. For this setup, use the following workflow:

1. [Create](../../applications/manage_apps.mdx#create-an-application-and-provider-pair) the application and provider pair.
2. [Create](../../applications/manage_apps.mdx#backchannel-providers) the SCIM backchannel provider.
3. Edit the application, and in the **Backchannel Providers** field add the SCIM provider that you created.
For instructions on creating a SCIM provider, refer to the [Create a SCIM provider](./create-scim-provider.md) documentation.

## Authentication modes

Expand All @@ -23,12 +17,6 @@ In authentik, there are two ways to authenticate SCIM requests:
- **Static token** provided by the application. This is the default authentication mode.
- **OAuth token** that authentik retrieves from a specified source and uses for authentication.

When you create a new SCIM provider, select the **Authentication Mode** that the application supports.

![Creating a SCIM provider](./scim_oauth.png)

For either mode, enter the SCIM base **URL** for the endpoint.

### Static token

When the authentication mode is set to **Static token**, authentik sends the token provided by the application with outgoing SCIM requests to authenticate each request.
Expand All @@ -37,6 +25,12 @@ When the authentication mode is set to **Static token**, authentik sends the tok

When you configure a SCIM provider to use OAuth for authentication, authentik generates short-lived tokens through an OAuth flow and sends them to the SCIM endpoint. This offers improved security and control compared with a static token.

authentik supports two types of SCIM OAuth authentication:

- **Silent OAuth** – The system obtains or refreshes access tokens automatically, without any administrator interaction. This is the typical approach used for ongoing SCIM provisioning.
Copy link
Copy Markdown
Member

@dominic-r dominic-r May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this an official name, or one you chose


- **Interactive OAuth** – During setup, an administrator is required to authorize the connection before the SCIM integration can obtain its initial token. authentik then stores a refresh token, and provisioning then runs in the background without further admin interaction.

You can also add additional token request parameters such as `grant_type`, `subject_token`, or `client_assertion`.

**Example**:
Expand Down
10 changes: 9 additions & 1 deletion website/docs/sidebar.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -253,7 +253,15 @@ const items = [
"add-secure-apps/providers/saml/saml_single_logout",
],
},
"add-secure-apps/providers/scim/index",
{
type: "category",
label: "SCIM Provider",
link: {
type: "doc",
id: "add-secure-apps/providers/scim/index",
},
items: ["add-secure-apps/providers/scim/create-scim-provider"],
},
{
type: "category",
label: "SSF Provider",
Expand Down
Loading