Create a SCIM integration

Follow these steps to set up a SCIM integration between your Identity Provider (IdP) and your NetFoundry network. This allows you to automate the provisioning and de-provisioning of identities.

Optional setup

By default, SCIM integrations can use the Default Auth Policy. However, if you have specific security requirements, you can optionally configure:

  • A JWT signer if you intend to use OIDC for identity authentication.
  • A custom auth policy to restrict or define specific authentication flows.

Part 1: Initialize the integration

  1. Navigate to Access Management > Integrations.
  2. Click (+).
  3. Enter a unique Integration Name.
  4. Click Next.

Part 2: Configure identity mapping

Define how fields from your IdP map to your NetFoundry identities.

  1. Identity Name: Select the field used for the identity name (Username, Display Name, Formatted Name, or Nickname).

  2. Auth Policy: Select an authentication policy.

    Note: Most users should select the Default policy, which automatically attempts to authenticate users against all available JWT signers in the system.

  3. External ID: Choose the field used to match JWT claims—None, User Name, Primary Email, or a Custom Mapping.

  4. Click Next to proceed.
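
The mapping choices above can be dry-run against an export of IdP users before provisioning is enabled. The following is an added illustration, not NetFoundry code: it assumes the console options correspond to the SCIM core User attributes of RFC 7643 (`userName`, `displayName`, `name.formatted`, `nickName`, `emails[].primary`), omits Custom Mapping, and uses constructed sample users.

```python
from collections import Counter

# Constructed sample of SCIM core User resources (attribute names per RFC 7643).
SAMPLE_USERS = [
    {"userName": "alice@example.com", "displayName": "Alice A",
     "emails": [{"value": "alice@example.com", "primary": True}]},
    {"userName": "bob", "displayName": "Bob B",
     "emails": [{"value": "bob@example.com"}]},  # no email flagged primary
    {"userName": "alice2", "displayName": "Alice A",
     "emails": [{"value": "Alice@Example.com", "primary": True}]},
]

def primary_email(user):
    """Return the value of the email flagged primary, or None."""
    for email in user.get("emails") or []:
        if email.get("primary") is True:
            return email.get("value")
    return None

# Console option label -> SCIM attribute lookup (assumed correspondence).
NAME_FIELDS = {
    "Username": lambda u: u.get("userName"),
    "Display Name": lambda u: u.get("displayName"),
    "Formatted Name": lambda u: (u.get("name") or {}).get("formatted"),
    "Nickname": lambda u: u.get("nickName"),
}
EXTERNAL_ID_FIELDS = {
    "None": lambda u: None,
    "User Name": lambda u: u.get("userName"),
    "Primary Email": primary_email,
}

def audit(users, name_option, ext_option):
    """Dry-run a mapping; return (resolved pairs, list of problems)."""
    resolved, problems = [], []
    for u in users:
        name, ext = NAME_FIELDS[name_option](u), EXTERNAL_ID_FIELDS[ext_option](u)
        resolved.append((name, ext))
        who = u.get("userName", "<no userName>")
        if not name:
            problems.append(f"{who}: empty identity name ({name_option})")
        if ext_option != "None" and not ext:
            problems.append(f"{who}: empty external ID ({ext_option})")
    # Case-insensitive duplicate check: a conservative assumption, since two
    # users resolving to the same value could not be told apart by one claim.
    for label, i in (("identity name", 0), ("external ID", 1)):
        seen = Counter(r[i].casefold() for r in resolved if r[i])
        problems += [f"duplicate {label}: {v}" for v, n in seen.items() if n > 1]
    return resolved, problems
```

With the sample data, `audit(SAMPLE_USERS, "Display Name", "Primary Email")` reports one user with no primary email and two collisions, while `audit(SAMPLE_USERS, "Username", "User Name")` reports none.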

Part 3: Generate authentication and URL

  1. Copy the Integration URL displayed in the console; you'll need this for your IdP configuration.
  2. Click Generate Token.
  3. Copy the token immediately. For security reasons, it won't be displayed again once you leave this screen.

Part 4: Finalize in your IdP

  1. Sign in to your IdP (e.g., Okta, Azure AD) and navigate to the SCIM or provisioning settings.
  2. Paste the Integration URL and Authentication Token to establish the handshake.

Maintenance and lifecycle

Token rotation

Authentication tokens are valid for one year. To rotate a token, edit the integration and click Generate Token.

Warning: Generating a new token immediately invalidates the previous one. Be ready to update your IdP settings right away to avoid sync interruptions.

Update mappings

If you modify the SCIM mapping configuration, the changes are applied retroactively to all synced users as well as all future users.