Connect SCIM with your Identity System

SCIM 2.0 (System for Cross-domain Identity Management) is an industry-standard protocol for automating user provisioning between identity providers and applications. By enabling SCIM in Flip, you can:

  • Automatically create users in Flip from your identity provider
  • Keep user profile information in sync
  • Lock users in Flip when they are deactivated in your identity provider

Full SCIM API Documentation.

Setup Steps

Step 1: Generate Token

  1. Admin Console → Access & Security → SCIM
  2. Enable SCIM
  3. Copy and securely store the token
  4. Copy the SCIM base URL

Step 2: Configure Identity Provider

For Entra ID:

Connect Entra via SCIM

  1. Create a custom Enterprise Application
  2. In the created Enterprise Application, click Provisioning
  3. Set Provisioning Mode to "Automatic"
  4. Enter the SCIM URL and Token under “Admin Credentials”
  5. Test the connection
  6. Click Save

Configure Attribute Mapping

  1. In the Enterprise Application under Provisioning, click Attribute Mapping (Users)
  2. Modify or remove specific mappings (see Flip Attribute Mapping)
  3. Create additional attribute mappings
    1. Click "Show advanced options" and then "Edit attribute list for customappsso"
    2. Add the desired Flip SCIM Extension.
      1. Predefined attribute example (technical name location):
        urn:ietf:params:scim:schemas:extension:flip:location:2.0:User:value
        Note: use :value and not .value at the end.
      2. Custom attribute example (technical name soccer_team):
        urn:ietf:params:scim:schemas:extension:flip:custom:2.0:User:attributes[technicalName eq "soccer_team"].value
        Note: use .value and not :value at the end.
    3. Important: Custom Attributes during initial provisioning (Entra workaround)

      Microsoft Entra does not reliably send complex attributes (e.g. ...:custom:2.0:User:attributes[...]) during the initial user creation (Microsoft Source). To address this limitation, Flip provides an additional JSON-based extension. 

      Schema URN:
      urn:ietf:params:scim:schemas:extension:flip:customJson:2.0:User:value 

      Important: The target attribute must end exactly with :value. If :value is missing, the mapping will not work. 

      Steps:

      1. Add the following attribute (Type: String) to the attribute list:
        urn:ietf:params:scim:schemas:extension:flip:customJson:2.0:User:value
      2. Create a new mapping with:
        Mapping type: Expression
        Target attribute:
        urn:ietf:params:scim:schemas:extension:flip:customJson:2.0:User:value


      Example expression:

      Join(
        "",
        "{\"attributes\":[{\"technicalName\":\"custom_team\",\"value\":\"",
        [department],
        "\"},{\"technicalName\":\"custom_location\",\"value\":\"",
        [city],
        "\"}]}"
      )


      The rendered result must look like:

      {"attributes":[{"technicalName":"custom_team","value":"Engineering"},{"technicalName":"custom_location","value":"Berlin"}]}


      For subsequent updates, the standard custom extension (...:custom:2.0:User:attributes[...].value) can continue to be used.

    4. Click "Save"
    5. Click "Add New Mapping"
    6. Select the source and corresponding target attribute
    7. Click "Ok"
  4. Click "Save"
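
Added example, not part of Flip's or Microsoft's documentation: the Join expression in the Entra workaround above is plain string concatenation, so a source value containing a double quote or backslash changes the rendered JSON. This Python sketch reproduces that concatenation locally and checks that each value arrives intact; render_join, check_rendered and check_user are hypothetical helper names and the sample values are constructed.

```python
import json

def render_join(department, city):
    """Mimic the page's Join() expression: plain concatenation, no JSON escaping."""
    return "".join([
        '{"attributes":[{"technicalName":"custom_team","value":"',
        department,
        '"},{"technicalName":"custom_location","value":"',
        city,
        '"}]}',
    ])

def check_rendered(rendered, expected):
    """Return a list of problems; an empty list means every value arrived intact.

    expected maps technicalName -> the source value the mapping should deliver.
    """
    try:
        doc = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at char {exc.pos}"]
    attrs = doc.get("attributes") if isinstance(doc, dict) else None
    if not isinstance(attrs, list):
        return ['top level must be {"attributes": [...]}']
    problems, seen = [], {}
    for item in attrs:
        ok = isinstance(item, dict) and set(item) == {"technicalName", "value"}
        if not ok or not isinstance(item["technicalName"], str):
            problems.append(f"unexpected entry: {item!r}")
            continue
        seen[item["technicalName"]] = item["value"]
    for name, value in expected.items():
        if seen.get(name) != value:
            problems.append(f"{name}: expected {value!r}, got {seen.get(name)!r}")
    for name in sorted(seen.keys() - expected.keys()):
        problems.append(f"unexpected attribute: {name!r}")
    return problems

def check_user(department, city):
    """Render one user's values the way Join() would and check the result."""
    expected = {"custom_team": department, "custom_location": city}
    return check_rendered(render_join(department, city), expected)

if __name__ == "__main__":
    # Constructed sample directory values, not real data.
    samples = [("Engineering", "Berlin"), ('R&D "Core"', "Berlin"), ("Ops\\north", "Berlin")]
    for dept, city in samples:
        print(f"{dept!r}, {city!r}: {check_user(dept, city) or 'ok'}")
```

Any value reported here needs cleaning up at the source or handling in the expression before the mapping is enabled.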

Select Users or Groups

  1. In the Enterprise Application under Provisioning, go to Users and Groups
  2. Click "Add user/group"
  3. Select the individual users or groups that should be provisioned

Start Provisioning

  1. In the Enterprise Application under Provisioning, go to Overview
  2. Click "Start provisioning"

For Okta:

Enable SCIM in the Okta App

  1. Create a new App Integration of type SAML 2.0.
  2. Configure SAML Single Sign-On (SSO) as described in this article:
    SAML SSO Configuration in Flip
  3. After successfully setting up SSO, go to the General tab.
  4. Under App Settings, click Edit.
  5. Under Provisioning, select SCIM and save the changes.
  6. A new tab called Provisioning will appear.

Configure SCIM Connection

  1. Open the Provisioning tab.
  2. Click Edit and enter the SCIM URL.
  3. For Unique identifier field for users, use: userName
  4. Enable the following options under Supported provisioning actions:
    • Push New Users
    • Push Profile Updates
  5. Set Authentication Mode to HTTP Header.
  6. Paste the SCIM Token into the Authorization field.
  7. Test the connection via Test API Credentials and save.
  8. In Provisioning → To App, enable the following actions:
    • Create Users
    • Update User Attributes
    • Deactivate Users

Configure Attribute Mapping

  1. Navigate to Provisioning → To App → Attribute Mappings.
  2. Edit or remove existing attribute mappings (see Flip Attribute Mapping).
  3. To add custom attributes:
    1. Go to the Profile Editor.
    2. Click Add Attribute.
    3. Set a Display Name and Variable Name.
    4. Set the External Name to value.
    5. For External Namespace, use the extension URN (see Flip SCIM Extensions), e.g.:
      urn:ietf:params:scim:schemas:extension:flip:location:2.0:User
    6. Click Save.
    7. The new attribute will now appear under Provisioning → To App → Attribute Mappings and can be mapped there.

Assign Users or Groups

  1. Go to the Assignments tab.
  2. Click Assign → Assign to People or Assign to Groups.
  3. Select the users or groups you want to provision.

Start Provisioning

  1. Go to Provisioning → To App again.
  2. Enable the following options:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  3. Make sure all required attributes are mapped correctly.
  4. Provisioning will automatically start for all assigned users and groups.

 

For OneLogin:

  1. Use “SCIM Provisioner (SCIM v2 Enterprise) - No Params”
  2. Enter SCIM JSON, URL & Token in the “Configuration” tab
  3. Map attributes in the “Parameters” tab
  4. Enable provisioning

 

Troubleshooting

Issue                 | Cause              | Solution
401 Unauthorized      | Invalid token      | Check token
400 Missing userName  | Missing mapping    | Ensure correct attribute mapping
Attributes missing    | Incorrect mapping  | Compare mapping to schema table
User not created      | Sync not triggered | Check assignment and logs

Best Practices

  • Start with a few test users
  • Use externalId for unique identification
  • Regularly check provisioning logs
  • Plan and document attribute mappings early
  • Document any custom attributes in use

If you run into issues, please contact Flip support and include:

  • Your Flip Tenant ID
  • Error messages and API request/response examples
