Identity as a Service: Synchronize accounts to CloudSSO from Alibaba Cloud IDaaS by using SCIM

Last Updated: Dec 02, 2025

This topic describes how to synchronize accounts and groups from Alibaba Cloud IDaaS to CloudSSO using the System for Cross-domain Identity Management (SCIM) protocol to automate identity management.

Step 1: Enable SCIM-based synchronization in the CloudSSO console

  1. Log on to the CloudSSO console using your Alibaba Cloud account.

  2. In the navigation pane on the left, click Settings.

  3. On the User Settings tab, turn on the switch under SCIM-based User Synchronization Configuration to enable SCIM-based synchronization. Copy and save the SCIM Endpoint for later use.

  4. Click Generate New SCIM Credential.

    The key is displayed only once. Copy and save the key for later use.

Step 2: Configure SCIM-based synchronization in IDaaS

  1. Log on to the IDaaS console. In the navigation pane on the left, click EIAM. In the instance list, find the target instance and click Manage in the Actions column to go to the instance console.

  2. In the navigation pane on the left of the instance console, choose Application Management > Applications to go to the Applications page. Then, click Add Application to go to the Marketplace. Select Alibaba Cloud - CloudSSO and click Add Application.

  3. In the Add Application panel that appears, enter an Application Name and click Add. After the application is added, you are redirected to the application details page.

  4. On the application details page, click the Provisioning tab. Choose Configure Provisioning Scope > Configuration. Select the Organization and Group to synchronize and click Save.

  5. Turn on the Provision IDaaS Accounts to Application switch. In the confirmation dialog box, click Enable.

  6. In the Basic Configurations section, enter the SCIM Endpoint that you saved in Step 1 into the SCIM Server URL field. Enter the SCIM key that you generated in Step 1 into the Bearer Token Key Mode field.

  7. Configure Operation, Full Scope, and Field Mapping.

    1. Operation: You can subscribe to specific change events to receive real-time push notifications. When a change occurs to a user within the IDaaS synchronization scope, a synchronization is automatically triggered to push the change to the application in real time.

    2. Full Scope: Specifies the data scope for a Push Now operation. You must specify at least one item to perform a Push Now operation.

    3. Field Mapping: Displays the field mapping relationships for SCIM-based synchronization. You can edit the mappings as needed.

  8. Test the connection.

    After you complete the configuration, click Save at the bottom of the page, and then click Test Connectivity to verify the configuration. If needed, you can use the Push Now feature to push all accounts within the synchronization scope to CloudSSO.
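The Field Mapping and Operation settings above determine what a SCIM client sends to the endpoint. The following added example (not Alibaba Cloud code) builds, without sending, the standard SCIM 2.0 requests (RFC 7643/7644) for a create and a deactivate event. The source field names, the mapping, the endpoint URL, and the environment variable names are assumptions, and the operations that CloudSSO accepts are not confirmed by this topic.

```python
import json
import os
import urllib.request

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Hypothetical field mapping: source account field -> SCIM User attribute.
FIELD_MAPPING = {"username": "userName", "display_name": "displayName",
                 "account_id": "externalId"}


def to_scim_user(account, mapping=FIELD_MAPPING):
    """Apply the field mapping; unmapped source fields are never sent."""
    user = {"schemas": [USER_SCHEMA], "active": account.get("enabled", True)}
    for src, dst in mapping.items():
        if account.get(src) is not None:
            user[dst] = account[src]
    if account.get("email"):
        user["emails"] = [{"value": account["email"], "primary": True}]
    return user


def scim_request(endpoint, token, method, path, body):
    """Build (not send) a SCIM request that carries the bearer credential."""
    if not endpoint.lower().startswith("https://"):
        raise ValueError("refusing to attach the SCIM credential to a non-HTTPS endpoint")
    return urllib.request.Request(
        endpoint.rstrip("/") + path, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/scim+json"})


def create_user(endpoint, token, account):
    return scim_request(endpoint, token, "POST", "/Users", to_scim_user(account))


def deactivate_user(endpoint, token, scim_id):
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return scim_request(endpoint, token, "PATCH", "/Users/" + scim_id, body)


if __name__ == "__main__":
    # Constructed sample values; the credential is read from the environment.
    endpoint = os.environ.get("SCIM_ENDPOINT", "https://scim.example.invalid/scim")
    token = os.environ.get("SCIM_TOKEN", "constructed-placeholder-token")
    account = {"username": "alice", "display_name": "Alice", "account_id": "u-001",
               "email": "alice@example.com", "phone": "555-0100"}
    req = create_user(endpoint, token, account)
    print(req.get_method(), req.full_url)
    print(json.dumps(json.loads(req.data), indent=2))
```

The `phone` field in the sample account does not appear in the request body because the mapping does not include it, so reviewing the mapping shows which attributes leave the identity provider.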

Step 3: Synchronize data

After you click Push Now, the accounts within the synchronization scope are synchronized to CloudSSO. After the push is successful, a success message is displayed. You can go to Log > Provisioning > Tasks to view the logs.