
Identity as a Service: Synchronize IDaaS accounts to an application by using SCIM

Last Updated: Mar 31, 2026

Use the System for Cross-domain Identity Management (SCIM) protocol to provision user and group data from Alibaba Cloud IDaaS (EIAM) to downstream applications. SCIM synchronization is event-driven — when a subscribed change occurs in IDaaS, the system pushes the update to the application automatically.

Limits

Before you configure SCIM synchronization, review these constraints:

  • Organization sync is not supported. SCIM does not define a standard for organization synchronization. IDaaS (EIAM) can only sync users and groups. If you need to synchronize organization structure, use a different provisioning method.

  • Group sync depends on the target application. IDaaS supports syncing both groups and accounts, but the downstream application must support receiving groups. For example, Alibaba Cloud RAM accepts only account sync; Alibaba Cloud CloudSSO accepts both.

  • Account field values are converted to lowercase before sync. RAM is not case-sensitive. To prevent conflicts, IDaaS automatically converts all account field values to lowercase when syncing to RAM or CloudSSO via SCIM.
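The lowercase conversion above means two source accounts whose names differ only by case arrive at the target under the same user name. The following pre-sync check is an added example, not IDaaS code: the source attribute names, the field mapping and the sample accounts are assumptions, and only the SCIM User schema URN and attribute names come from RFC 7643.

```python
from collections import defaultdict

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643

# Hypothetical field mapping: source attribute name -> SCIM User attribute.
FIELD_MAPPING = {"username": "userName", "displayName": "displayName", "email": "emails"}


def to_scim_user(account, mapping=FIELD_MAPPING):
    """Map one account to a SCIM User resource, lowercasing every mapped
    value as the page describes for RAM and CloudSSO targets."""
    resource = {"schemas": [SCIM_USER_SCHEMA]}
    for src, dst in mapping.items():
        value = account.get(src)
        if value is None:
            continue
        value = value.lower()
        if dst == "emails":  # multi-valued complex attribute in RFC 7643
            value = [{"value": value, "primary": True}]
        resource[dst] = value
    return resource


def lowercase_collisions(accounts, mapping=FIELD_MAPPING):
    """Return {lowercased userName: [source userIds]} for names that are
    distinct in the source directory but identical after lowercasing."""
    seen = defaultdict(list)
    for account in accounts:
        user_name = to_scim_user(account, mapping).get("userName")
        if user_name is not None:
            seen[user_name].append(account["userId"])
    return {name: ids for name, ids in seen.items() if len(ids) > 1}


# Constructed sample directory export (not real accounts).
SAMPLE_ACCOUNTS = [
    {"userId": "U-001", "username": "Alice.Wang", "displayName": "Alice Wang",
     "email": "Alice.Wang@example.com"},
    {"userId": "U-002", "username": "alice.wang", "displayName": "Alice W.",
     "email": "aw@example.com"},
    {"userId": "U-003", "username": "Bob", "displayName": "Bob",
     "email": "bob@example.com"},
]

if __name__ == "__main__":
    for name, ids in lowercase_collisions(SAMPLE_ACCOUNTS).items():
        print(f"collision after lowercasing: {name!r} <- {ids}")
```

Resolve any reported collision in the source directory before enabling synchronization, so that each target user name corresponds to exactly one source account.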

Configure SCIM synchronization

SCIM synchronization requires configuration in both IDaaS and the target application. This section covers the IDaaS side.

For applications with dedicated integration guides, use those guides alongside this topic:

| Application | Guide |
| --- | --- |
| Alibaba Cloud CloudSSO | Synchronize accounts to CloudSSO using SCIM |

  1. In IDaaS (EIAM), go to the Application Management tab.

  2. Under Account Synchronization, select SCIM as the synchronization method.

  3. Configure the following parameters:


    | Parameter | Description |
    | --- | --- |
    | Outbound IP | Add these IDaaS outbound IP addresses to your application's allowlist. If you skip this step, IDaaS requests cannot reach the application. |
    | SCIM Base URL | The SCIM endpoint of the target application. For example, the SCIM Base URL for Alibaba Cloud RAM is fixed at https://scim.aliyun.com. |
    | Authorization | The method used to authenticate SCIM requests. IDaaS supports OAuth Client Mode and Key Mode. Select the mode that matches your application's requirements. For example, Alibaba Cloud RAM uses OAuth Client Mode. |
    | Operations to Invoke | The change events that trigger automatic synchronization. When a subscribed event occurs, IDaaS pushes the update to the application immediately. The selected operations apply to both incremental and full synchronization. |
    | Full Push Scope | The data types to include when running a full synchronization. For example, select accounts only to skip groups. This setting applies only to full synchronization — it does not affect incremental sync. |
    | Field Mapping | The mapping between IDaaS user attributes and the target application's fields. View and edit this mapping to control how user data is translated during sync. |

  4. Save the configuration, then click Test Connectivity to verify that the configuration is correct.

Run a full synchronization

If needed, use the one-click push feature to synchronize all accounts within the scope to the application at once.

SCIM support by platform

The following table shows which SCIM capabilities each platform supports. Use this table to verify compatibility before configuring synchronization.

| Platform | SCIM support | Supports retrieving existing users | Supports modifying existing users | Existing users successfully associated |
| --- | --- | --- | --- | --- |
| Alibaba Cloud RAM | Supported | Supported | Not supported | Not supported |
| Alibaba Cloud CloudSSO | Supported | Not supported | Not supported | Supported (implicitly supported through the CloudSSO overwrite logic for identical names) |
| Huawei Cloud IAM | Not supported | | | |
| Huawei Cloud IAM Identity Center | Supported | Supported | Supported | Supported |
| Tencent Cloud CAM | Not supported | | | |
| Tencent Cloud Group Management | Supported | Supported | Supported | Supported (username cannot be changed) |
| Volcengine IAM | Not supported | | | |
| Volcengine Cloud Identity Center | Supported | Not supported | Not supported | Not supported |
| AWS/International Site IAM | Not supported | | | |
| AWS/International Site IAM Identity Center | Supported | Supported | Supported | Supported |
