
SCIM Provisioning

System for Cross-domain Identity Management (SCIM) is an open standard that automates the creation, updating, and deactivation of user accounts across systems. Files.com uses SCIM to provision user accounts and groups from your identity provider.

Files.com SCIM provisioning works with SAML-based SSO providers. It is not available for OAuth or OpenID Connect (OIDC) integrations.

The identity providers Files.com integrates with using SCIM are Okta, Microsoft Entra ID, LDAP/Active Directory, OneLogin, Cisco Duo, JumpCloud, and SAML (any provider).

Automated User Provisioning

When a new user is added to the organization's identity provider (IdP), SCIM provisioning creates the user's account on Files.com without manual setup. Files.com provisions the standard user attributes: User Name, Name, Display Name, Email Address, and Company Name.

SCIM provisioning runs on a scheduled sync cycle from your IdP. Some IdPs also offer on-demand provisioning, which performs the action immediately without waiting for the next scheduled sync. Files.com supports both approaches, though on-demand support varies by IdP. Refer to your IdP's documentation for specific capabilities and configuration details.

User Account Updates

When a user's name, email address, company name, or group memberships change in the IdP, those changes synchronize to Files.com on the next sync.

Account Deactivation

When a user leaves the organization or their access needs to be revoked, the Site Administrator updates the user's status in the IdP. SCIM then deactivates the account in Files.com so former employees and external collaborators no longer have access.

Group Management

SCIM provisioning also covers groups. Files.com creates, updates, and removes groups based on changes made in the IdP. Files.com provisions the standard group attributes: Group Name and Group Members.

SCIM User and Group Management Scope

Files.com uses a managed SCIM provisioning model. Files.com manages users via SCIM when the identity provider provisions them through the SCIM integration, and when existing Files.com users are explicitly associated with the matching SSO provider through their authentication method.

SCIM does not automatically adopt users that already exist in Files.com, including local users or users that are not linked to the corresponding SSO provider. SCIM PATCH and PUT requests apply only to users that Files.com already manages through that SSO configuration.

If a user already exists in Files.com and you want SCIM to manage that user, first associate the user with the appropriate SSO provider in the user's authentication method. After you complete the association, SCIM manages updates and deactivation for that user.

SCIM manages groups only when they are provisioned through the SCIM integration. Files.com does not automatically adopt existing groups that were created locally unless they are explicitly provisioned through SCIM.

Requiring explicit association of existing users before SCIM management is intentional and aligns with a conservative security model followed by many SCIM-supporting vendors. Files.com is open to adding SCIM user adoption functionality in the future. Reach out to our support team if this capability is important for your use case.

Setting Up SCIM Provisioning

Files.com supports SCIM version 2.0 with both Basic authentication and Token-based authentication for integrating with your Identity Provider (IdP). SCIM covers standard user provisioning, deprovisioning, and group membership management. SCIM is designed to work with the SAML protocol, not OAuth.

Files.com follows the SCIM 2.0 standards outlined in RFC 7642, RFC 7643, and RFC 7644, covering schema, resource management, and protocols. No additional schema customization is required.

To integrate your IdP with Files.com SCIM provisioning, use the fields below within your IdP SCIM configuration:

Field | Value
Files.com SCIM connector base URL | https://app.files.com/api/scim
Unique identifier field for users | email (some IdPs label this attribute "email address")

Files.com offers many configuration options for SCIM provisioning, detailed in the Configuration Options section. Refer to the Entra ID SSO SCIM, Okta SSO SCIM, JumpCloud SCIM, or OneLogin SSO SCIM pages for IdP-specific configuration details.

Provisioning Users

Once SCIM provisioning is enabled in Files.com, new users created in the identity provider after the integration, as well as users that are explicitly associated with the configured SSO provider, are managed and provisioned through SCIM. SCIM synchronizes user creation, updates, and deprovisioning between the identity provider and Files.com for these users.

If users already exist in Files.com before SCIM provisioning is configured, SCIM does not automatically adopt those users. To manage an existing user through SCIM, first associate the user with the corresponding SSO provider in Files.com and assign the user to the Files.com application in your identity provider.

Provisioning Groups

Files.com supports group provisioning and membership management through SCIM for groups that are provisioned through the SCIM integration. SCIM can create, update, and remove groups in Files.com based on the group data sent by the identity provider.

To configure group provisioning, edit the settings for your SSO provider in Files.com. You can control how groups and memberships are provisioned and synchronized.

If groups are not synchronizing as expected, review your identity provider's provisioning configuration to confirm that group data is included in SCIM requests.

User and Group Management Control

When an SSO provider is configured, the settings "Allow manual creation, editing, and deletion of users outside of SSO based provisioning" and "Allow manual creation, editing, and deletion of groups outside of SSO based provisioning" control whether Site Administrators can manage users and groups directly in Files.com.

These settings remain enabled by default. The identity provider continues to manage users authenticated through SSO or provisioned through SCIM, while Site Administrators can create and manage users and groups that exist only in Files.com.

These locally managed accounts may include external collaborators, partner users, supplier accounts, service accounts, or other users that do not exist in the identity provider.

Disable these settings only when the identity provider provisions and manages all users and groups through SCIM and Site Administrators do not need to manage any users or groups directly in Files.com. When disabled, Site Administrators cannot create, edit, enable, disable, or delete users or groups in Files.com. All provisioning, updates, and deprovisioning originate in the identity provider and synchronize to Files.com through SCIM.

An environment where SCIM manages all users and groups represents a narrowly scoped deployment. Most environments include users that do not exist in the identity provider, so Site Administrators typically leave these settings enabled so they can manage those accounts directly in Files.com while the identity provider continues to manage SSO or SCIM-provisioned users.

When SCIM provisioning manages users and these settings are disabled, Files.com does not allow Site Administrators to override User lifecycle changes locally. For example, if a Files.com User Lifecycle Rule disables a SCIM-provisioned user in Files.com, Site Administrators cannot re-enable that account directly. The identity provider must send an updated active state through SCIM before Files.com restores access.
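The following added example (not Files.com code) shows what the connector settings from the setup table and the "active state" message described above look like on the wire: it builds, without sending, SCIM 2.0 requests against the Files.com base URL with either Basic or Token authentication, a User resource carrying the attributes this page says are provisioned, and the RFC 7644 PatchOp an IdP sends to change a user's active state. It assumes the IdP uses the email as userName and that the standard /Users endpoint applies.

```python
import base64
import json
import urllib.request

# Connector base URL from the setup table on this page; the /Users path and message
# shapes below are the RFC 7643/7644 standard ones, not Files.com-specific details.
SCIM_BASE_URL = "https://app.files.com/api/scim"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def auth_header(auth):
    """Authorization header for the two SCIM auth modes the page lists.
    auth is ("basic", username, password) or ("token", token)."""
    if auth[0] == "basic":
        raw = f"{auth[1]}:{auth[2]}".encode("utf-8")
        return "Basic " + base64.b64encode(raw).decode("ascii")
    if auth[0] == "token":
        return "Bearer " + auth[1]
    raise ValueError(f"unknown auth mode: {auth[0]!r}")


def build_request(method, path, auth, body=None):
    """Build, without sending, a SCIM 2.0 request against the connector base URL."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(SCIM_BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", auth_header(auth))
    req.add_header("Accept", "application/scim+json")
    if data is not None:
        req.add_header("Content-Type", "application/scim+json")
    return req


def user_resource(email, given, family, display):
    """RFC 7643 User carrying the attributes this page says Files.com provisions.
    Assumption: the IdP sends the user's email as userName, the unique identifier."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": email,
        "name": {"givenName": given, "familyName": family},
        "displayName": display,
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def set_active_patch(active):
    """RFC 7644 PatchOp an IdP sends to change a user's active state; this is the
    message that must arrive before a SCIM-disabled user can be restored."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "value": {"active": active}}]}
```

Pass the returned request to urllib.request.urlopen only once the SCIM credentials in your IdP configuration are in place; the Basic username/password or token come from the "Enable automatic user provisioning via SCIM" option.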

Configuration Options

The table below lists the SCIM options available for an SSO provider. These options are available via the API (including Terraform) and the web interface. In the web interface, they appear only for SSO providers that support SCIM provisioning.

Configuration Option | Details
Enable automatic user provisioning via SCIM | Allows you to use the SCIM protocol for provisioning. Select Basic to create a SCIM username and password to use. Select Token to generate a SCIM token and specify an expiration date to use that token.
Automatically provision users on first login | Automatically triggers user provisioning upon their initial login attempt to Files.com.
Automatically de-provision users | Automatically initiates the de-provisioning of users if they cannot be located in your Identity Provider (IdP) during the next synchronization process.
Automatically provision group memberships | Automatically assigns users to groups based on their group membership settings within your Identity Provider (IdP).
Automatically de-provision group memberships | Automatically removes users from groups if they are no longer associated with the corresponding groups in your Identity Provider (IdP) during the next synchronization process.
Method used for de-provisioning users | Specifies whether de-provisioned users are deleted or disabled within Files.com. We recommend disabling users, rather than deleting, in case you need to audit their prior activity, history, and settings.
Provision company | Sets the "Company" attribute in the Files.com user profile of the provisioned user.
Add users to these default groups on first login | Automatically assigns provisioned users to specified Files.com Groups upon their initial login.
Only provision users in these groups | Restricts user provisioning to members of the specified IdP groups. Enter comma-separated names or wildcards. For example, to limit provisioning to users in the IT and Support groups, specify IT,Support. Your IdP must send group membership data in SCIM requests to use this configuration option.
Only provision these groups | Restricts group provisioning to the specified IdP groups (whitelist). Your IdP must send group membership data in SCIM requests to use this configuration option.
Exclude these groups from provisioning | Blocks provisioning for the specified IdP groups (blacklist). Your IdP must send group membership data in SCIM requests to use this configuration option.
Provision users in these groups to be site admins | Assigns Site Administrator privileges in Files.com to users in the specified groups. Enter comma-separated names or wildcards. For example, specifying Administrators,Domain Admin grants Site Administrator privileges to users in those IdP groups.
Provision users in these groups to be read-only site admins | Assigns Read-only Administrator privileges in Files.com to users in the specified groups. Enter comma-separated names or wildcards. For example, specifying Support Admins,ReadOnly Admins grants Read-only Administrator privileges to users in those IdP groups.
Provision users in these groups to be group admins | Assigns Group Administrator privileges in Files.com to users in the specified groups. Enter comma-separated names or wildcards. For example, specifying Managers,Associate Directors grants Group Administrator privileges to users in those IdP groups.
Provision users in these groups to manage their password via Files.com | Provisions users from the specified groups without requiring Single Sign-On (SSO). Their passwords are stored in Files.com, independent of the IdP password.
Provision users with 2FA | Specifies how two-factor authentication (2FA) is applied to provisioned users. You can follow the site-wide 2FA policy or override it for SCIM-provisioned users to always require 2FA or never require it. For example, if your site-wide 2FA policy is Always required for all users but you need to exempt SCIM-provisioned users, select Never require 2FA.
Auto-provisioned users with WebDAV permissions | Specifies whether the provisioned users have permission to use the WebDAV protocol to connect to Files.com.
Auto-provisioned users with FTP permissions | Specifies whether the provisioned users have permission to use the FTP and FTPS protocols to connect to Files.com.
Auto-provisioned users with SFTP permissions | Specifies whether the provisioned users have permission to use the SFTP protocol to connect to Files.com.
Default time zone for auto provisioned users | Specifies the time zone attribute in the Files.com user profile of the provisioned user.

Provisioning Based on Group Membership

Group-Based Provisioning limits which users from your SSO Provider are provisioned in your Files.com site.

SCIM Options for Group-Based Provisioning

The SCIM configuration options Only provision users in these groups, Only provision these groups, and Exclude these groups from provisioning control which users and groups are created by SCIM, letting you limit which of your SSO provider users are provisioned in your Files.com site.

Only provision users in these groups and Only provision these groups act as whitelist filters that limit what is created in your Files.com site. Exclude these groups from provisioning blocks the creation of specific groups in your site by blacklisting them.

These options require the identity provider to include group membership data in SCIM requests.
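As an added example (not Files.com's own logic), the function below models how the group-based options from the configuration table ("Only provision users in these groups", "Only provision these groups", "Exclude these groups from provisioning" and "Provision users in these groups to be site admins") decide the outcome for one user, given the group list the IdP sent. It assumes comma-separated names are trimmed and matched case-insensitively with shell-style wildcards, and it treats a request with no group data (the Entra ID case) as an error rather than provisioning everyone.

```python
from fnmatch import fnmatchcase


def parse_group_list(setting):
    """Split an option value such as 'IT,Support' or 'Eng-*' into match patterns.
    Assumption: names are trimmed and matched case-insensitively with shell-style
    wildcards; the page shows comma-separated names and wildcards but not the exact rules."""
    return [p.strip().lower() for p in setting.split(",") if p.strip()]


def matches_any(group, patterns):
    return any(fnmatchcase(group.lower(), p) for p in patterns)


def evaluate_user(idp_groups, only_users_in="", only_groups="", exclude_groups="",
                  site_admin_groups=""):
    """Decide what the group-based options would do for one user: the user whitelist
    first, then the group whitelist, then the group blacklist, then admin groups."""
    if idp_groups is None:
        # No group data in the request (the Entra ID case on this page): the filters
        # cannot be evaluated, so fail loudly instead of silently provisioning everyone.
        raise ValueError("group filters need group membership data in the SCIM request")
    allow_users = parse_group_list(only_users_in)
    if allow_users and not any(matches_any(g, allow_users) for g in idp_groups):
        return {"provision_user": False, "groups": [], "site_admin": False}
    allow_groups = parse_group_list(only_groups)
    deny_groups = parse_group_list(exclude_groups)
    groups = [g for g in idp_groups
              if (not allow_groups or matches_any(g, allow_groups))
              and not matches_any(g, deny_groups)]
    admins = parse_group_list(site_admin_groups)
    # Assumption: admin role checks look at the user's IdP groups, not the filtered list.
    return {"provision_user": True, "groups": groups,
            "site_admin": any(matches_any(g, admins) for g in idp_groups)}
```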

Microsoft Entra ID Limitations

Microsoft Entra ID does not include group memberships in its SCIM provisioning requests. The settings Only provision users in these groups, Only provision these groups, and Exclude these groups from provisioning cannot be used with an Entra ID SSO Provider.

To limit which users are provisioned within Files.com, use Entra's scoping filters based on a custom extension property. This property acts as a designated provisioning attribute, so only users with the attribute are provisioned into Files.com. Group mappings still apply, so provisioned users are automatically added to their assigned groups. For details, refer to Microsoft's documentation on defining scoping filters and customizing application attributes.

SCIM Activity Logging

Files.com records all SCIM-related requests and responses in JSON format under SCIM Logs. These logs capture provisioning activity, including user and group creation, updates, and deletions, along with request methods, API paths, HTTP response codes, and timestamps. Site Administrators use the JSON data to analyze SCIM transactions, verify communication, and identify issues such as failed provisioning attempts, duplicate user conflicts, or attribute mismatches.
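The added example below (not Files.com code) shows the kind of triage a Site Administrator can run over exported SCIM Logs: it parses newline-delimited JSON entries, classifies failed requests into the problem classes this page names (duplicate user conflicts, attribute mismatches, other failed provisioning attempts), and counts them per category. The field names and response details in the constructed sample are assumptions, since the page does not specify the log schema.

```python
import json
from collections import Counter

# Constructed newline-delimited sample. The page says SCIM Logs are JSON with method,
# path, response code and timestamp, but not the field names, so these keys, and the
# response details, are assumptions made for this example.
SAMPLE_SCIM_LOG = """
{"timestamp": "2024-05-01T10:00:01Z", "method": "POST", "path": "/api/scim/Users", "status": 201}
{"timestamp": "2024-05-01T10:00:02Z", "method": "POST", "path": "/api/scim/Users", "status": 409, "response": {"detail": "userName already exists"}}
{"timestamp": "2024-05-01T10:00:03Z", "method": "PATCH", "path": "/api/scim/Users/42", "status": 200}
{"timestamp": "2024-05-01T10:00:04Z", "method": "PUT", "path": "/api/scim/Users/77", "status": 404, "response": {"detail": "no managed user with this id"}}
{"timestamp": "2024-05-01T10:00:05Z", "method": "POST", "path": "/api/scim/Groups", "status": 400, "response": {"scimType": "invalidValue", "detail": "members must be an array"}}
{"timestamp": "2024-05-01T10:00:06Z", "method": "GET", "path": "/api/scim/Users?filter=userName%20eq%20%22a%40example.com%22", "status": 200}
"""


def classify(entry):
    """Map an HTTP status to the failure classes the page says the logs reveal."""
    status = entry["status"]
    if status < 400:
        return None
    if status == 409:
        return "duplicate_conflict"     # e.g. a user that already exists
    if status == 400:
        return "attribute_mismatch"     # schema or value problems in the payload
    if status in (401, 403):
        return "auth_failure"           # bad SCIM credentials or expired token
    if status >= 500:
        return "server_error"
    return "failed_request"             # other 4xx, e.g. an unmanaged or unknown user


def triage(log_text):
    """Parse the entries and return one finding per failed request."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = json.loads(line)
        category = classify(entry)
        if category is None:
            continue
        resource = entry["path"].split("?")[0].split("/api/scim/")[-1]
        findings.append({"when": entry["timestamp"], "method": entry["method"],
                         "resource": resource, "category": category,
                         "detail": entry.get("response", {}).get("detail", "")})
    return findings


def summarize(findings):
    """Count failures per category, the first thing to check before opening IdP logs."""
    return Counter(f["category"] for f in findings)
```

A request that never appears in these findings at all is the signal to move on to the IdP's own provisioning logs, as the page notes.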

Files.com also logs SCIM-related events under History Logs using the Interface SCIM. These entries summarize provisioning actions and outcomes for users and groups.

If you encounter an error and do not see related details in SCIM Logs, the issue may have originated from your identity provider (IdP). Check your IdP's logs for more detailed information.