Complete SSO using OIDC before setting up SCIM. SCIM provisioning runs alongside your OIDC integration — it does not replace it.
Step 1: Enable SCIM in Bifrost
Open your OIDC provider
In your Bifrost dashboard, go to Governance → User Provisioning and open your configured Generic OIDC provider.

Enable SCIM provisioning
Click the settings icon to open Provider Configuration. Toggle on Enable SCIM Provisioning and click Verify & Next.

Step 2: Configure your IdP to push SCIM to Bifrost
The exact steps vary by provider. Most SCIM-capable IdPs follow this general pattern:
Find the SCIM or provisioning settings
In your IdP admin console, look for:
- Provisioning tab on your application
- SCIM settings in the application integration
- Outbound provisioning or User sync settings
Enter the Bifrost SCIM endpoint and token
| Setting | Value |
|---|---|
| SCIM Base URL / Tenant URL | The SCIM Endpoint URL from Step 1 — no trailing slash |
| Bearer Token / Secret Token | The Provisioning Token from Step 1 |
Test the connection
Most IdPs provide a Test Connection or Verify Credentials button. Click it to confirm Bifrost is reachable and the token is valid.
Enable provisioning operations
Enable the following operations if available:
- Create Users — provision new users when added in the IdP
- Update User Attributes — sync profile changes to Bifrost
- Deactivate Users — suspend users when deactivated or deleted in the IdP
- Push Groups — sync group memberships so Bifrost team mappings stay current
Step 3: Assign users and groups
Assign users or groups to the application
In your IdP, assign the users or groups you want to provision into Bifrost. Only users within the provisioning scope are pushed. Changes — new assignments, deactivations, group membership updates — are reflected in Bifrost within the next provisioning cycle. Most IdPs offer an on-demand sync option for immediate provisioning.
Step 4: Verify in Bifrost
Once provisioning is active, confirm everything is syncing correctly:
- Governance → Users — provisioned users and their assigned roles
- Governance → Teams — teams populated from pushed groups
- Governance → Business Units — business units resolved from group or attribute mappings
Bifrost SCIM API reference
| Method | Endpoint | Description |
|---|---|---|
| GET | /scim/v2/Users | List users |
| GET | /scim/v2/Users/{id} | Get a user |
| POST | /scim/v2/Users | Provision a new user |
| PUT | /scim/v2/Users/{id} | Replace a user |
| PATCH | /scim/v2/Users/{id} | Update user attributes or status |
| DELETE | /scim/v2/Users/{id} | Deprovision a user |
| GET | /scim/v2/Groups | List groups |
| GET | /scim/v2/Groups/{id} | Get a group |
| POST | /scim/v2/Groups | Create a group |
| PUT | /scim/v2/Groups/{id} | Replace a group |
| PATCH | /scim/v2/Groups/{id} | Update group members |
| DELETE | /scim/v2/Groups/{id} | Delete a group |
Authorization: Bearer <token> header using the Provisioning Token.
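The following script is an added example (not Bifrost's own tooling) that uses the endpoints above to audit what SCIM has pushed into Bifrost: it pages through GET /scim/v2/Users with the Provisioning Token and reports which users are active and which have been deactivated. The host, token and sample response are constructed placeholders.

```python
# Added example, not Bifrost's own tooling: audit which users SCIM has pushed
# into Bifrost. Host, token and the sample response below are constructed.
import json
import urllib.request
from urllib.parse import urlencode

SCIM_BASE = "https://bifrost.example.internal"  # placeholder host
TOKEN = "PROVISIONING_TOKEN_PLACEHOLDER"        # placeholder token

def scim_url(base, path, **query):
    # The IdP-side Base URL must have no trailing slash; normalise here so a
    # mis-pasted value cannot produce a doubled slash in requests.
    url = base.rstrip("/") + path
    return url + ("?" + urlencode(query) if query else "")

def fetch_all_users(base=SCIM_BASE, token=TOKEN, page_size=100):
    """Page through GET /scim/v2/Users with SCIM startIndex/count paging."""
    headers = {"Authorization": f"Bearer {token}",
               "Accept": "application/scim+json"}
    resources, start = [], 1
    while True:
        req = urllib.request.Request(
            scim_url(base, "/scim/v2/Users", startIndex=start, count=page_size),
            headers=headers)
        with urllib.request.urlopen(req) as resp:  # HTTPError on 401 etc.
            page = json.load(resp)
        batch = page.get("Resources", [])
        resources.extend(batch)
        start += len(batch)
        if not batch or start > page.get("totalResults", 0):
            return resources

def audit(resources):
    """Split users into active and deactivated. A missing 'active' attribute
    is treated as active so the report errs toward showing access rather
    than hiding it."""
    active = sorted(u["userName"] for u in resources if u.get("active", True))
    inactive = sorted(u["userName"] for u in resources if not u.get("active", True))
    return {"active": active, "inactive": inactive}

# Constructed sample page in SCIM 2.0 ListResponse shape.
SAMPLE_LIST_RESPONSE = {
    "totalResults": 3, "startIndex": 1, "itemsPerPage": 3,
    "Resources": [
        {"id": "u1", "userName": "alice@example.com", "active": True},
        {"id": "u2", "userName": "bob@example.com", "active": False},
        {"id": "u3", "userName": "carol@example.com"},
    ],
}
```

Run `audit(fetch_all_users())` against a live tenant and compare the inactive list with the users you deactivated in the IdP; anyone deactivated there but still active here has not been deprovisioned.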
How sync works
- Real-time push — your IdP pushes user and group changes to Bifrost immediately when they occur.
- OIDC session refresh — every 15 minutes, Bifrost refreshes active OIDC sessions. If a user has been deactivated, their Bifrost session is terminated.
Troubleshooting
- Test Connection fails — verify the SCIM Base URL has no trailing slash and the token matches exactly what Bifrost generated. Rotate the token in Bifrost and update your IdP.
- Users are provisioned but have no role — SCIM provisions the user record; role assignment comes from attribute mappings in the OIDC provider. Confirm your Attribute-to-Role mappings are set and the relevant claims appear in the JWT at login time.
- Groups are not syncing — confirm group push is enabled in your IdP’s provisioning settings. Some IdPs require groups to be enabled separately from user sync.
- 401 Unauthorized from Bifrost SCIM endpoint — the provisioning token is incorrect or has been rotated. Generate a new token in Bifrost (Provider Configuration → Rotate Token) and update your IdP.
- 409 Conflict when provisioning a user — the user already exists in Bifrost (provisioned via OIDC login). Bifrost will merge the records on the next PATCH request from your IdP.

