Use the System for Cross-domain Identity Management (SCIM) protocol to push accounts and groups from a third-party identity system into Identity as a Service (IDaaS). In this setup, IDaaS acts as the SCIM server, and your external system acts as the SCIM client. The SCIM protocol standardizes the API interface and data format between identity systems, enabling interoperability without custom integration code.
Prerequisites
Before you begin, ensure that you have:
An active IDaaS instance (EIAM Cloud Identity Service)
A third-party identity system that supports SCIM (for example, Okta or Microsoft Entra ID)
The SCIM configuration details required by your identity system
How it works
Create an application in IDaaS to represent the external identity system.
Set the provisioning scope to control which organizations and groups are in sync.
Generate a Bearer Token and retrieve the SCIM Base URL — your external system uses these credentials to authenticate and route SCIM requests to IDaaS.
Grant the application SCIM API permissions so IDaaS accepts incoming provisioning calls.
After you complete the configuration, your external identity system automatically calls the IDaaS SCIM API to create, update, and deactivate accounts. No manual API calls are required.
Step 1: Create an application
Log on to the Alibaba Cloud IDaaS console. In the left navigation pane, click EIAM. On the IDaaS tab, find the target instance and click Console in the Actions column.
In the left navigation pane, choose Application Management > Applications. On the Applications page, click Add Application.
Select Standard Protocols or Custom Applications, then click Add Application or Add Custom Application.
Note: Only standard and custom applications support inbound synchronization to IDaaS.
Enter an Application Name and click Add. The application details page opens.
Step 2: Set the account synchronization scope
On the application details page, click the Provisioning tab and configure the Provisioning Scope.
In the Configure Synchronization Scope panel, select the target Organization and Group. The provisioning scope defines which organizations and groups in IDaaS are eligible to receive synced data. Only accounts and groups within this scope are affected by inbound SCIM operations.
Step 3: Configure inbound SCIM parameters
Basic settings
On the Provisioning tab, click the Synchronize Application to IDaaS sub-tab and configure the following settings.
Synchronization Scope
Select the organization where IDaaS automatically places imported accounts that do not already belong to an organization. The organization must be within the Provisioning Scope you configured in Step 2.
Bearer Token
Click Add Bearer Token. In the Specify Validity Period pane, set the Validity Period of Bearer Token. The validity period can range from 1 day to 3 years.
A Bearer Token is the credential your external identity system uses to authenticate SCIM requests to IDaaS. The token grants access to all SCIM operations you enable in the Configure SCIM operation permission step below. Keep the following constraints in mind:
| Constraint | Detail |
|---|---|
| Maximum count | 2 tokens per application |
| Status requirement | At least 1 token must be enabled at all times |
| Deletion | Disable the token before deleting it |
Copy the generated token and store it securely. You will provide it to your external identity system during its SCIM configuration.
SCIM Base URL
The SCIM Base URL is the endpoint your external system calls to send SCIM requests. Copy this URL — you will need it when configuring your external identity system.
Configure SCIM operation permission
Grant the application permission to call the IDaaS SCIM API:
Click Authorize to go to the IDaaS API page.
At the top of the page, click the icon next to IDaaS API. In the Enable panel, click Enable.
In the SCIM API Permissions section, select all Scenarios and click Save. A Bearer Token can call every scenario enabled here, so if your external system only needs a subset of operations you can select just those scenarios instead.
Advanced settings
Basic settings sync only the standard SCIM fields listed in Supported SCIM fields. To sync additional fields, map them to extension fields in IDaaS.
Click Show Advanced Settings and configure the following parameters.
Custom Field Namespace
Enter the namespace of your external system's custom attributes. The namespace must match the one configured in the external system.
| External system | Namespace |
|---|---|
| Okta | urn:ietf:params:scim:schemas:extension:customfield:2.0:User |
| Microsoft Entra ID (Azure AD) | urn:ietf:params:scim:schemas:extension:${CustomExtensionName}:2.0:User (replace ${CustomExtensionName} with your extension name) |
Sync Target Field
Select the IDaaS fields to receive the synced data. Only Extended Fields are supported, and you can select multiple fields. To create extension fields, see Create extension fields.
After configuring all settings, click Save.
Supported SCIM fields
Field mapping rules
Before reviewing the field tables, note these rules for how IDaaS handles SCIM data:
| Rule | Detail |
|---|---|
| Multi-value fields | For phoneNumbers and emails, only entries with type eq "work" are accepted. Only one value per field is stored. |
| Idempotence | Repeated submissions of the same user data are treated as updates, not new creations. |
| Deactivating users | When active is set to false, the account status in IDaaS changes to disabled. |
User fields
| SCIM field | IDaaS field | Description |
|---|---|---|
| id | userId | Unique ID of the user |
| userName | username | Username |
| displayName | displayName | Display name |
| phoneNumbers [type eq "work"] | phoneNumber | One phone number; the entry type must be work. If the number includes an area code, prefix it with +. |
| phoneRegion | phoneRegion | Area code of the mobile phone number. If omitted and the phone number includes an area code, IDaaS extracts it from the number. If omitted and no area code is present, defaults to 86. If provided and inconsistent with the area code in the phone number, an error is returned. |
| emails [type eq "work"] | email | One email address; the entry type must be work. |
| externalId | userExternalId | External ID |
| active | status | true → enabled; false → disabled |
| password | password | Plaintext password. If the format is invalid, an error is returned. The value travels in the request body, so omit it unless IDaaS must hold the password. |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User > organization > organizationId | — | Organization placement. If omitted, the account is placed in the Synchronization Scope organization. If provided, the account is placed in the specified organization. |
Group fields
| SCIM field | IDaaS field | Description |
|---|---|---|
| id | groupId | Unique ID of the group |
| displayName | groupName | Name of the group |
| externalId | groupExternalId | External ID of the group |
| members > type | — | Type of group member. Only User is supported. |
| members > value | userId | Unique ID of the user |
| members > $ref | — | Full URL of the member resource |
Best practices
Bearer Token management
Rotate Bearer Tokens regularly to limit the exposure window of any single credential. Because IDaaS supports two tokens per application, you can issue a new token, switch your external system to it, confirm that synchronization still succeeds, and then disable and delete the old one, with no sync interruption.
Treat the token like any other secret: anyone who holds it together with the SCIM Base URL can create, update, and disable accounts within the provisioning scope, so keep it in your identity system's credential store rather than in tickets, chat, or scripts.
Never delete the only enabled token. Doing so immediately stops all inbound SCIM synchronization.
Minimize the synchronization scope
Limit the provisioning scope to the organizations and groups that actually need to sync. A narrower scope reduces the risk of unintended account creation or modification.
Validate field data before syncing
Make sure the data sent by your external system meets IDaaS field requirements:
phoneNumbers and emails entries must use type: work.
If phone numbers include an area code, the + prefix is required.
Passwords must be in valid plaintext format.
Sending invalid data causes the affected SCIM operation to fail.
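The following is an added worked example, not IDaaS code, that turns the user and group field tables, the custom field namespace mapping from Advanced settings, and the validation rules above into executable logic: it takes the JSON an Okta- or Entra-style SCIM client would send and returns the IDaaS-side fields, raising where the page says the operation fails. The Synchronization Scope organization ID, the country-code subset used to extract an area code, the custom attribute to extension field mapping, the choice to store the phone number as submitted, and the SCIM default of active=true when the attribute is absent are all assumptions made for the example; the sample payloads are constructed, not captured traffic.

```python
"""Added example (not IDaaS code): apply the inbound SCIM field rules to a
SCIM 2.0 User/Group payload and return the IDaaS fields, failing on rule violations."""

ENTERPRISE_NS = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
OKTA_CUSTOM_NS = "urn:ietf:params:scim:schemas:extension:customfield:2.0:User"
DEFAULT_REGION = "86"                          # page: default when no area code is present
SYNC_SCOPE_ORG = "org-sync-scope"              # hypothetical Synchronization Scope organization ID
KNOWN_REGIONS = ("1", "44", "65", "81", "86")  # illustrative subset of country codes (assumption)
CUSTOM_FIELD_MAP = {"employeeLevel": "ext_employee_level"}  # hypothetical attr -> extension field


class ScimFieldError(ValueError):
    """A field-rule violation; the affected SCIM operation fails."""


def _work_entry(entries, field):
    """Keep only entries with type eq "work"; at most one value is stored per field."""
    work = [e["value"] for e in (entries or []) if e.get("type") == "work" and e.get("value")]
    if len(work) > 1:
        raise ScimFieldError(f"{field}: only one work entry is stored, got {len(work)}")
    return work[0] if work else None


def _resolve_region(number, region):
    """phoneRegion rule: extract from a +<code> prefix, else default, reject conflicts."""
    if number is None:
        return None
    if number.startswith("+"):
        digits = number[1:]
        if not digits.isdigit():
            raise ScimFieldError(f"phoneNumbers: invalid number {number!r}")
        # Shortest known code prefix wins; a real implementation needs a full country-code table.
        code = next((digits[:n] for n in (1, 2, 3) if digits[:n] in KNOWN_REGIONS), None)
        if code is None:
            raise ScimFieldError(f"phoneNumbers: unknown area code in {number!r}")
        if region is not None and str(region) != code:
            raise ScimFieldError(f"phoneRegion {region} conflicts with area code +{code}")
        return code
    if not number.isdigit():
        raise ScimFieldError("phoneNumbers: a number carrying an area code must start with +")
    return str(region) if region is not None else DEFAULT_REGION


def map_scim_user(payload):
    """Map a SCIM User to IDaaS fields per the user-field table."""
    if not payload.get("userName"):
        raise ScimFieldError("userName is required")
    phone = _work_entry(payload.get("phoneNumbers"), "phoneNumbers")
    enterprise = payload.get(ENTERPRISE_NS) or {}
    org = (enterprise.get("organization") or {}).get("organizationId")
    mapped = {
        "username": payload["userName"],
        "displayName": payload.get("displayName"),
        "phoneNumber": phone,  # stored as submitted (assumption)
        "phoneRegion": _resolve_region(phone, payload.get("phoneRegion")),
        "email": _work_entry(payload.get("emails"), "emails"),
        "userExternalId": payload.get("externalId"),
        "status": "enabled" if payload.get("active", True) else "disabled",
        "password": payload.get("password"),
        "organizationId": org or SYNC_SCOPE_ORG,  # omitted -> Synchronization Scope org
    }
    custom = payload.get(OKTA_CUSTOM_NS) or {}  # Entra clients use their own namespace
    for scim_attr, idaas_field in CUSTOM_FIELD_MAP.items():
        if scim_attr in custom:
            mapped[idaas_field] = custom[scim_attr]
    return mapped


def map_scim_group(payload):
    """Map a SCIM Group to IDaaS fields; only User members are supported."""
    members = []
    for m in payload.get("members", []):
        if m.get("type", "User") != "User":
            raise ScimFieldError(f"members: unsupported member type {m.get('type')!r}")
        members.append(m["value"])
    return {"groupName": payload["displayName"],
            "groupExternalId": payload.get("externalId"), "members": members}


def rule_violation(payload, mapper=map_scim_user):
    """Return the error message a payload would produce, or None when it passes."""
    try:
        mapper(payload)
    except ScimFieldError as exc:
        return str(exc)
    return None


# Constructed sample payloads shaped like an Okta push (not captured traffic).
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE_NS, OKTA_CUSTOM_NS],
    "userName": "alice", "displayName": "Alice Liu", "externalId": "00u1abc", "active": True,
    "phoneNumbers": [{"value": "+8613800138000", "type": "work"},
                     {"value": "+8613900139000", "type": "mobile"}],  # dropped: not work
    "emails": [{"value": "alice@example.com", "type": "work", "primary": True}],
    ENTERPRISE_NS: {"organization": {"organizationId": "org-engineering"}},
    OKTA_CUSTOM_NS: {"employeeLevel": "L5"},
}
SAMPLE_GROUP = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName": "engineering", "externalId": "00g1abc",
    "members": [{"value": "u-alice", "type": "User",
                 "$ref": "https://idaas.example/scim/v2/Users/u-alice"}],
}

if __name__ == "__main__":
    print(map_scim_user(SAMPLE_USER))
    print(map_scim_group(SAMPLE_GROUP))
```

Run it as-is to see the mapped records; feed `rule_violation` a payload with two work phone numbers, a conflicting phoneRegion, or a Group-typed member to see the same failures the page describes before they reach IDaaS.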
Monitor synchronization
Monitor the API call frequency and review failure logs to detect abnormal behavior or sync failures early.
What's next
Configure your external identity system to connect to IDaaS using the SCIM Base URL and Bearer Token you generated. Related topics:
Review the SCIM operations IDaaS supports: SCIM 2.0 operations supported by EIAM
Manage accounts synced to IDaaS: Account data synchronization
Build custom integrations using IDaaS APIs: Open application APIs