---
Title: Provision idp
URL Source: https://company-skill.com/p/idaas/idaas-provision-idp
Language: en
Description: You want to automatically create, update, or delete user accounts in IDaaS based on changes in an external identity provider (IdP) like Microsoft Entra ID or Okta. This includes initial bulk sync and…
---

# Provision idp

Part of **IDaaS (Identity as a Service)**. Route queries via `POST https://company-skill.com/api/route`.

## What You Want to Do

You want to automatically create, update, or delete user accounts in IDaaS based on changes in an external identity provider (IdP) like Microsoft Entra ID or Okta. This includes initial bulk sync and ongoing lifecycle synchronization.

**Typical User Questions**:
- How do I sync Azure AD (Microsoft Entra ID) users into IDaaS?
- How to sync Okta users into IDaaS automatically?
- Can I use SCIM to provision users from Microsoft Entra ID?
- Where do I troubleshoot user sync failures from external IdPs?

## Decision Tree

Pick the best path for your situation:

- **If** your external identity provider natively supports **SCIM 2.0** (e.g., **Microsoft Entra ID**) → Use **SCIM 2.0 API** (go to *idaas/idaas-appdev*)
- **If** your IdP does **not support SCIM** but can send HTTP notifications, or you need **real-time event handling with custom logic** → Use **Event Callback** (go to *idaas/idaas-appdev*)
- **If** you’ve already configured **Microsoft Entra ID** sync via SCIM but see issues like users not being deleted, wrong status, or delays → Use the **Microsoft Entra ID** troubleshooting path (go to *idaas/idaas-sync*)
- **Otherwise (default)** → Start with **SCIM 2.0 API**, as it’s standardized, requires no code, and offers **10,000 free calls** per month — ideal for most enterprise IdPs like Entra ID or Okta.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| SCIM 2.0 API | IdPs that natively support SCIM, such as Azure AD | medium | No | Yes | Uses **Bearer Token** auth and supports **100 QPS**; beyond that returns 429 errors | `idaas/api/idaas-appdev` |
| Event Callback | IdPs without SCIM support, or real-time handling with custom logic | high | Yes | Yes | Requires an **HTTPS endpoint** that responds within the **10 second response timeout**; fails after **5 retries** | `idaas/api/idaas-appdev` |
| Microsoft Entra ID | Azure AD | medium | No | No | Only applies to **Microsoft Entra ID**; checks **Provisioning logs** and **active attribute mapping** | `idaas/troubleshooting/idaas-sync` |

## Path Details

### Path 1: SCIM 2.0 API

**Best For**: IdPs that natively support SCIM 2.0, such as Azure AD

**Brief Description**: Uses the **SCIM 2.0** standard protocol over REST to manage users and groups in IDaaS via endpoints like **/Users** and **/Groups**. Requests must include **Authorization: Bearer <token>** and **Content-Type: application/scim+json**. Authentication relies on **OAuth 2.0 Client Credentials** configured in the IDaaS console.

**Key technical facts**:
- Billing: ¥0.001 per SCIM API call beyond **10,000 free calls** per month
- Max concurrency: **100 QPS**

**When to Use**:
- Your IdP (e.g., Azure AD) natively supports **SCIM 2.0**
- You want a standardized, no-code integration with **10,000 free calls** per month
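An added example (not the page's or IDaaS's own code) showing what a SCIM 2.0 client call to IDaaS looks like: the two required headers, a `/Users` create body, an `active=false` PATCH for deprovisioning, and a retry loop that backs off on the 429 returned above 100 QPS. The base URL, the `Retry-After` handling and the use of SCIM PATCH are assumptions, and the transport is a constructed stand-in so the block runs offline.

```python
import json
import time

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def scim_headers(token):
    # Every call carries the Bearer token and the SCIM media type.
    return {"Authorization": f"Bearer {token}",
            "Content-Type": "application/scim+json",
            "Accept": "application/scim+json"}

def create_user_request(base_url, token, user_name, email, active=True):
    """POST /Users: create a user during the initial bulk sync."""
    body = {"schemas": [SCIM_USER], "userName": user_name, "active": active,
            "emails": [{"value": email, "primary": True}]}
    return ("POST", f"{base_url}/Users", scim_headers(token), json.dumps(body))

def deactivate_user_request(base_url, token, user_id):
    """PATCH /Users/{id} with active=false: lifecycle deprovisioning (assumes PATCH support)."""
    body = {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return ("PATCH", f"{base_url}/Users/{user_id}", scim_headers(token), json.dumps(body))

def send_with_backoff(transport, request, max_attempts=5, sleep=time.sleep):
    """transport(method, url, headers, body) -> (status, headers, body).
    Retries only on 429 (the 100 QPS ceiling), honouring Retry-After when
    present and using exponential backoff otherwise."""
    delays = []
    for attempt in range(max_attempts):
        status, resp_headers, body = transport(*request)
        if status != 429:
            return status, body, delays
        delay = float(resp_headers.get("Retry-After", 2 ** attempt))
        delays.append(delay)
        sleep(delay)
    raise RuntimeError(f"still rate-limited after {max_attempts} attempts")

def make_flaky_transport(n_429):
    """Constructed stand-in for IDaaS: answers 429 n_429 times, then 201."""
    calls = []
    def transport(method, url, headers, body):
        calls.append((method, url, headers, body))
        if len(calls) <= n_429:
            return 429, {"Retry-After": "1"}, ""
        return 201, {}, json.dumps({"id": "constructed-id", "userName": "alice"})
    return transport, calls
```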

### Path 2: Event Callback

**Best For**: IdPs that do not support SCIM, or real-time event handling with custom logic

**Brief Description**: IDaaS sends signed **Event Callback** notifications to your **HTTPS endpoint** when user lifecycle events occur. Your service must perform **JWT signature verification** using the public key from the **Public Key Endpoint**, process events like **successEvents** or **failedEvents**, and return a 200 OK within the **10 second response timeout**.

**Key technical facts**:
- Billing: 

**When NOT to Use**:
- You cannot expose a public **HTTPS endpoint** that answers within the 10 second timeout
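An added example (not the page's or IDaaS's own code) of the receiving side of the Event Callback path: parse the signed JWT, pin the algorithm, look the `kid` up in the key set fetched from the Public Key Endpoint, check the signature and lifetime, then acknowledge quickly and dedupe redeliveries so the 5 retries never replay an event. The claim names (`kid`, `jti`, `exp`, `iat`), the RS256 algorithm, the JWKS shape and the injected `verify_sig` hook (where a real library check would plug in) are assumptions so the block runs offline.

```python
import base64
import json
import time

def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_callback_jwt(token, jwks, verify_sig, now=None, max_age=300):
    """jwks: {kid: public key} fetched from the Public Key Endpoint (assumed shape).
    verify_sig(key, signing_input, signature) -> bool is where a real RS256
    check (e.g. PyJWT/cryptography) plugs in; injected so this runs offline."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        if not (isinstance(header, dict) and isinstance(payload, dict)): raise ValueError
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed JWT")
    if header.get("alg") != "RS256":  # refuse alg=none and HS256 downgrades
        raise ValueError("alg not allowed")
    key = jwks.get(header.get("kid"))
    if key is None:  # never fall back to "try every key"
        raise ValueError("unknown kid")
    if not verify_sig(key, f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64)):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if payload.get("exp", 0) < now or payload.get("iat", 0) < now - max_age:
        raise ValueError("expired or stale")
    return payload

class CallbackReceiver:
    """Ack inside the 10 s window: validate, dedupe, enqueue; real work runs later."""
    def __init__(self, jwks, verify_sig):
        self.jwks, self.verify_sig = jwks, verify_sig
        self.seen, self.queue = set(), []  # dedupe: IDaaS retries up to 5 times
    def handle(self, token, now=None):
        try:
            payload = verify_callback_jwt(token, self.jwks, self.verify_sig, now)
        except ValueError:
            return 401
        if payload.get("jti") not in self.seen:  # skip redelivered events
            self.seen.add(payload.get("jti"))
            self.queue.append(payload)  # successEvents/failedEvents go to a worker
        return 200

def make_demo_token(header, payload, signature):
    """Constructed token builder for the demo; real tokens are issued by IDaaS."""
    enc = lambda d: b64url_encode(json.dumps(d).encode())
    return f"{enc(header)}.{enc(payload)}.{b64url_encode(signature)}"
```

The handler returns as soon as the event is queued; the worker that drains `queue` is where the actual account changes happen.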

### Path 3: Microsoft Entra ID

**Best For**: Azure AD

**Brief Description**: Focuses on debugging SCIM-based sync from **Microsoft Entra ID**. Involves reviewing **Provisioning logs**, verifying the **Synchronize Active Directory Users to [IDaaS] mapping** rule, checking **active attribute mapping**, and ensuring **Delete users during deprovisioning** is enabled. Requires **Global Administrator** or equivalent role.

**Key technical facts**:
- Prerequisites: **Global Administrator** or **Cloud Application Administrator** role

**When to Use**:
- You sync users from **Microsoft Entra ID** into IDaaS via SCIM
- Entra ID and IDaaS disagree on user state (users not deleted, wrong status)
- Changes still do not appear after a full **sync cycle** (up to 40 minutes)
- SCIM sync runs but the **active attribute mapping** looks wrong

**When NOT to Use**:
- Your IdP is not **Microsoft Entra ID** (e.g., Okta)

## FAQ

Q: Which path should I start with?
A: If your IdP is **Microsoft Entra ID** or another SCIM 2.0-compliant system (like Okta), start with **SCIM 2.0 API** — it’s standardized, requires no code, and includes **10,000 free calls** monthly.

Q: What if I need real-time sync but chose the SCIM path?
A: You’ll experience delays because SCIM relies on periodic sync cycles (up to 40 minutes). Real-time updates require the **Event Callback** path with a compliant **HTTPS endpoint**.

Q: What if my IdP doesn’t support SCIM but I used the SCIM path?
A: Synchronization will fail entirely — SCIM requires the IdP to natively implement **/Users** and **/Groups** endpoints with **application/scim+json**. Use **Event Callback** instead.

Q: What happens if my event callback takes longer than 10 seconds to respond?
A: IDaaS will make up to **5 retries** with increasing backoff, then mark the event as failed. Persistent timeouts lead to permanent sync gaps.

Q: Why are disabled users in Microsoft Entra ID still active in IDaaS?
A: This usually stems from incorrect **active attribute mapping** in the **Synchronize Active Directory Users** rule. Verify the mapping in **Provisioning logs** and ensure **Delete users during deprovisioning** is configured — use the troubleshooting path.

Q: Can I use the troubleshooting path for Okta sync issues?
A: No — the **Microsoft Entra ID** path only works for **Microsoft Entra ID**. Okta issues must be debugged via its own admin console or by validating your SCIM endpoint compliance.

Q: Do I need a Global Administrator to set up SCIM sync?
A: Only for **troubleshooting** Microsoft Entra ID sync. Initial SCIM setup in IDaaS requires **OAuth 2.0 Client Credentials**, but Entra ID-side configuration may need elevated roles — check your IdP’s requirements.

## Related queries

provision users from external IdP, sync users from AD, SCIM user provisioning, Microsoft Entra ID sync, Okta to IDaaS sync, event-driven user sync, how to sync external users, user provisioning from IdP, SCIM 2.0 integration, callback-based user sync, troubleshoot AD sync, IDaaS user sync failure, s

---
Part of [IDaaS (Identity as a Service)](https://company-skill.com/p/idaas.md) · https://company-skill.com/llms.txt
