Security

SCIM Identity Provisioning

Znuny-SCIM turns Znuny into a standards-compliant SCIM 2.0 server, so agents, groups, and customer users can be provisioned and kept in sync automatically from any compatible identity provider.

SCIM Identity Provisioning

Creating accounts by hand, disabling them when someone leaves, and keeping group memberships in sync does not scale once an organization manages identities centrally. This add-on turns Znuny into a standards-compliant SCIM 2.0 server, so any SCIM-capable identity provider can create, update, and deactivate agents, agent groups, customer users, and customer groups automatically, the moment they change upstream.

Works with Any SCIM 2.0 Identity Provider

All SCIM logic runs entirely through Znuny's Generic Interface, exposed as two ready-to-use web services — one for agent and agent group provisioning, one for customer users and customer groups. Both implement the discovery endpoints ServiceProviderConfig, Schemas, and ResourceTypes, so identity providers with fixed SCIM connectors, such as Microsoft Entra ID, configure themselves automatically. Okta, Keycloak, and any other RFC 7644-compliant provider are equally supported.

Agents, Groups, Customer Users, and Customer Groups

Full SCIM CRUD — list, get, create, replace, patch, and delete — is available for Znuny agents and customer users alike. SCIM groups map to Znuny roles for agents and to Znuny groups for customer users, keeping permission structures in sync alongside the accounts themselves. Which SCIM attributes land on which Znuny fields is configurable, so the mapping can be adapted to fields already in use rather than forcing a fixed schema.

SCIM Configuration overview showing agent and customer user field mapping alongside group rules
SCIM Configuration Overview

Standards-Compliant Filtering and Bulk Operations

Every list endpoint supports SCIM filtering as defined in RFC 7644, including eq, ne, co, sw, ew, pr, ordering comparisons, and the logical combinators and, or, and not with parentheses. Common lookups such as filtering by username or email resolve through fast database queries. For high-volume synchronization jobs, both web services also support the SCIM Bulk operation, so an identity provider can push many creates, updates, and deletes in a single request instead of one call per user.

Secure by Design: Scoped Tokens and Full Audit Trail

Every request authenticates with a bearer token managed under Admin → SCIM Tokens, with a separate token recommended for each identity provider or integration. Tokens can optionally be locked to a single customer company, so a partner or subsidiary's identity provider can only ever see and manage its own customer users — cross-company access is rejected outright. Every successful create, update, patch, or delete is written to the Znuny system log with a dedicated SCIM::Audit prefix, giving administrators a complete, searchable trail of everything provisioned through the interface.

Add New Token form with the Customer Company scoping dropdown
Add New Token form with the Customer Company scoping dropdown
Token Created reveal screen showing the one-time token value
Token Created reveal screen showing the one-time token value
SCIM Tokens overview listing labels, customer company scope, owning user, validity, and creation date
SCIM Token Overview

Sign Up For Our Newsletter

Stay ahead with expert tips, updates, and insights on service management and Znuny—straight to your inbox!

We use rapidmail to send our newsletter. When you subscribe, you consent to the entered data being forwarded to rapidmail. Please also see the GTC and data privacy statement.