Skip to main content
SCIM (System for Cross-domain Identity Management) automates user provisioning. Your identity provider can automatically create, update, and deactivate users in Cedar.
This page covers creating SCIM mappings in the Admin Portal. For technical setup in your identity provider, see the SCIM Setup Guide.
SCIM mappings list with create action

What SCIM does

Auto-create users

New employees are added to Cedar automatically

Sync changes

User details stay in sync with your IdP

Auto-deactivate

Departing employees lose access automatically

When to use SCIM

  • Your organization uses an identity provider (Azure AD, Okta, etc.)
  • You have many users to manage
  • You want automatic provisioning/deprovisioning
  • You need to ensure timely access revocation

Create a SCIM mapping

Get your tenant ID

In your identity provider (Azure AD, Okta, etc.), find the SCIM tenant ID that will be used for provisioning.

Click New Mapping

From the SCIM page, click New mapping.

Enter the tenant ID

Paste the SCIM tenant ID from your identity provider.

Select the target

Choose where users should be provisioned:
  • Organization — users can access all carriers in the organization
  • Carrier — users are limited to a specific carrier
Choose carefully. This determines the scope of access for all users provisioned through this mapping.

Save and configure your IdP

Save the mapping, then configure your identity provider to use the provided client ID and secret.
Associate Tenant dialog with tenant ID and organization/carrier selection

Dialog fields explained

FieldRequiredDescription
Tenant IDYesThe unique identifier from your identity provider
OrganizationOne requiredSelect if users should have access across all carriers
CarrierOne requiredSelect if users should be limited to a specific carrier
You must select either an organization or a carrier — not both. This determines the scope of access for all users provisioned through this mapping.

SCIM mapping details

SCIM mapping details
The detail view shows:
  • Tenant ID — the identifier from your IdP
  • Organization/Carrier — where users are provisioned
  • Client ID — used by your IdP to authenticate
  • Client Secret — keep this secure (click to copy)
  • Metadata — creation and update timestamps

Include deleted mappings

Toggle Include deleted to see mappings that were removed or deactivated. This is useful for:
  • Auditing previous configurations
  • Understanding historical setup
  • Restoring accidentally deleted mappings

Best practices

Secure your credentials

The client secret is only shown once. Copy it immediately and store it securely in your identity provider.
Before enabling SCIM for your entire organization, test with a small group of users to ensure provisioning works as expected.
After setting up SCIM, monitor the Users page to ensure users are being created correctly.
SCIM creates users, but you still need to add them to groups and create bindings for access. Consider using your IdP’s group sync features.
After creating a mapping here, you’ll need to configure your identity provider. Use these guides:

SCIM Technical Overview

Supported SCIM features and protocol details

Azure AD / Entra ID Setup

Step-by-step Azure configuration

Users

View provisioned users

User Groups

Organize provisioned users into teams

Bindings

Grant access to provisioned users

Activity Log

Monitor provisioning activity