
SCIM Provisioning

Managing user accounts and access permissions across various systems and applications can be a complex and time-consuming task. System for Cross-domain Identity Management (SCIM) provides a standardized approach to user provisioning and simplifies the process of creating, updating, and deactivating user accounts.

Files.com integrates with several identity providers using SCIM provisioning. SCIM is an open standard that simplifies cloud identity management and allows user provisioning to be automated. The integration works with many popular identity providers that support SCIM provisioning. Files.com SCIM provisioning is implemented only for SAML-based SSO providers; it is not available for OAuth or OpenID Connect (OIDC) integrations.

The identity providers Files.com integrates with using SCIM are Okta, Microsoft Entra ID, LDAP/Active Directory, OneLogin, Cisco Duo, JumpCloud, and SAML (any provider).

Automated User Provisioning

Files.com SCIM provisioning enables organizations to automate the process of creating user accounts. When a new user is added to the organization's identity provider (IdP), the SCIM provisioning feature automatically provisions the user's account on Files.com, eliminating the need for manual setup. We provision the standard user attributes such as the User Name, Name, Display Name, Email Address, and Company Name. This ensures that new users can quickly access the platform and start collaborating without delays.

SCIM provisioning automates user and group management tasks on a scheduled sync cycle from your IdP. Some IdPs also offer on-demand provisioning, which performs provisioning actions immediately instead of waiting for the next scheduled sync. Files.com supports both approaches; however, support for on-demand and scheduled SCIM provisioning may vary by IdP. Refer to your IdP's documentation for specific capabilities and configuration details.

User Account Updates

SCIM provisioning facilitates seamless updates to user accounts. When changes are made to user name, email address, company name or group memberships in the IdP, these modifications are automatically synchronized with Files.com. This ensures that user information remains consistent across different systems, reducing the risk of data discrepancies and administrative overhead.

Account Deactivation

When a user leaves the organization or their access needs to be revoked, Files.com SCIM provisioning simplifies the deactivation process. Administrators can update the user's status in the IdP, triggering automatic account deactivation in Files.com. This helps maintain data security by ensuring that former employees or external collaborators no longer have access to sensitive files.

Group Management

Files.com SCIM provisioning extends beyond individual user accounts to include group management. Organizations use SCIM to automatically create, update, and remove groups in Files.com based on changes made in the IdP. We provision the standard group attributes such as the Group Name and Group Members. This allows for efficient management of team collaborations and access control, ensuring that users have the appropriate permissions within Files.com.

SCIM User and Group Management Scope

Files.com uses a managed SCIM provisioning model. Files.com manages users via SCIM when the identity provider provisions them through the SCIM integration, and when existing Files.com users are explicitly associated with the matching SSO provider through their authentication method.

SCIM does not automatically adopt users that already exist in Files.com, including local users or users that are not linked to the corresponding SSO provider. SCIM PATCH and PUT requests apply only to users that Files.com already manages through that SSO configuration.

If a user already exists in Files.com and you want SCIM to manage that user, you must first associate the user with the appropriate SSO provider in the user’s authentication method. After you complete the association, SCIM manages updates and deactivation for that user.

SCIM manages groups only when they are provisioned through the SCIM integration. Files.com does not automatically adopt existing groups that were created locally unless they are explicitly provisioned through SCIM.

Requiring explicit association of existing users before SCIM management is intentional and aligns with the conservative security model followed by many SCIM-supporting vendors. Files.com is open to adding SCIM user adoption functionality in the future. Reach out to our support team if this capability is important for your use case.

Setting Up SCIM Provisioning

Files.com supports SCIM version 2.0 with both Basic authentication and Token-based authentication for integrating with your Identity Provider (IdP). It enables standard user provisioning, deprovisioning, and automatic management of group memberships. SCIM is designed to work with the SAML protocol, not OAuth.

Files.com follows the SCIM 2.0 standards outlined in RFC 7642, RFC 7643, and RFC 7644, covering key elements of schema, resource management, and protocols for seamless integration. No additional schema customization is required.

To integrate your IdP with Files.com SCIM provisioning, use the following values in your IdP's SCIM configuration:

Files.com SCIM connector base URL: https://app.files.com/api/scim
Unique identifier field for users: email (some IdPs name this attribute email address)
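The following Python example, added here and not part of the Files.com documentation or its client libraries, shows what the SCIM 2.0 messages an IdP exchanges with the base URL above look like: the two Authorization header forms (Basic and Token), a core User carrying the attributes the page says are provisioned, a core Group with its name and members, and the PatchOp an IdP sends to deactivate a user. The base URL is the one given above; the /Users and /Groups paths, the schema URNs and the PatchOp format come from RFC 7643/7644 rather than from Files.com-specific documentation, so confirm them against SCIM Logs. The sample email, token and user id are constructed placeholders. The script assembles the requests and prints them; it does not send anything.

```python
import base64
import json

# Base URL from the page. Paths, schema URNs and PatchOp format are the
# RFC 7643/7644 defaults (assumed, not Files.com-specific documentation).
SCIM_BASE_URL = "https://app.files.com/api/scim"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def auth_header(token=None, username=None, password=None):
    """Authorization header for the two modes the page describes:
    Token (bearer) or Basic (a SCIM username and password)."""
    if token:
        return {"Authorization": f"Bearer {token}"}
    if username and password:
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        return {"Authorization": f"Basic {creds}"}
    raise ValueError("provide a token or a username/password pair")


def build_user(email, given_name, family_name, display_name=None):
    """Core User with the attributes the page says are provisioned: User Name,
    Name, Display Name and Email Address. Because Files.com keys users on
    email, userName and the primary email carry the same value."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": email,
        "name": {"givenName": given_name, "familyName": family_name},
        "displayName": display_name or f"{given_name} {family_name}",
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def build_group(display_name, member_ids):
    """Core Group with the two attributes the page lists: Group Name
    (displayName) and Group Members (members referencing user ids)."""
    return {
        "schemas": [GROUP_SCHEMA],
        "displayName": display_name,
        "members": [{"value": uid} for uid in member_ids],
    }


def deactivate_patch():
    """PatchOp setting active=false, which is how an IdP signals deactivation."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def provisioning_key(user):
    """Value Files.com keys the user on: the primary email, falling back to
    userName (which an IdP may populate with the email address)."""
    for entry in user.get("emails", []):
        if entry.get("primary"):
            return entry["value"]
    return user.get("userName")


def build_request(method, path, body=None, **auth):
    """Assemble (without sending) a SCIM request against the Files.com base URL."""
    headers = {
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
        **auth_header(**auth),
    }
    return {
        "method": method,
        "url": f"{SCIM_BASE_URL}{path}",
        "headers": headers,
        "body": json.dumps(body) if body is not None else None,
    }


if __name__ == "__main__":
    # Constructed sample values; the token and user id are placeholders.
    create = build_request("POST", "/Users",
                           build_user("jane.doe@example.test", "Jane", "Doe"),
                           token="scim-token-placeholder")
    deactivate = build_request("PATCH", "/Users/PLACEHOLDER-USER-ID",
                               deactivate_patch(),
                               username="scim-user", password="scim-pass")
    print(json.dumps(create, indent=2))
    print(json.dumps(deactivate, indent=2))
```

When comparing what your IdP actually sends with these shapes, the request method, path and response code recorded in SCIM Logs are the quickest way to spot a mismatch (for example a PATCH sent for a user that Files.com does not yet manage through that SSO configuration).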

Files.com offers numerous configuration options for SCIM provisioning, detailed in the Configuration Options section. Also, refer to the Entra ID SSO SCIM, Okta SSO SCIM, JumpCloud SCIM, or OneLogin SSO SCIM pages for more information on how you can configure SCIM with your chosen IdP.

Provisioning Users

Once SCIM provisioning is enabled in Files.com, any new users created in the identity provider after the integration, as well as users that are explicitly associated with the configured SSO provider, are managed and provisioned through SCIM. SCIM synchronizes user creation, updates, and deprovisioning between the identity provider and Files.com for these users.

If users already exist in Files.com before SCIM provisioning is configured, SCIM does not automatically adopt those users. To manage an existing user through SCIM, you must first associate the user with the corresponding SSO provider in Files.com and assign the user to the Files.com application in your identity provider.

Provisioning Groups

Files.com supports group provisioning and membership management through SCIM for groups that are provisioned through the SCIM integration. SCIM can create, update, and remove groups in Files.com based on the group data sent by the identity provider.

To configure group provisioning, edit the settings for your SSO provider in Files.com. You can control how groups and memberships are provisioned and synchronized.

If groups are not synchronizing as expected, review your identity provider’s provisioning configuration to confirm that group data is included in SCIM requests.

User and Group Management Control

When an SSO provider is configured, the settings Allow manual creation, editing, and deletion of users outside of SSO based provisioning and Allow manual creation, editing, and deletion of groups outside of SSO based provisioning control whether Site Administrators can manage users and groups directly in Files.com.

These settings remain enabled by default. The identity provider continues to manage users authenticated through SSO or provisioned through SCIM, while Site Administrators can create and manage users and groups that exist only in Files.com.

These locally managed accounts may include external collaborators, partner users, supplier accounts, service accounts, or other users that do not exist in the identity provider.

Disable these settings only when the identity provider provisions and manages all users and groups through SCIM and Site Administrators do not need to manage any users or groups directly in Files.com. When disabled, Site Administrators cannot create, edit, enable, disable, or delete users or groups in Files.com. All provisioning, updates, and deprovisioning originate in the identity provider and synchronize to Files.com through SCIM.

An environment where SCIM manages all users and groups represents a narrowly scoped deployment. Most environments include users that do not exist in the identity provider, so Site Administrators typically leave these settings enabled so they can manage those accounts directly in Files.com while the identity provider continues to manage SSO or SCIM-provisioned users.

When SCIM provisioning manages users and these settings are disabled, Files.com does not allow Site Administrators to override User lifecycle changes locally. For example, if a Files.com User Lifecycle Rule disables a SCIM-provisioned user in Files.com, Site Administrators cannot re-enable that account directly. The identity provider must send an updated active state through SCIM before Files.com restores access.

Configuration Options

The table below lists the SCIM options you can configure for an SSO provider. These options are available via the API (including Terraform) and the web interface. In the web interface, they appear only for SSO providers that support SCIM provisioning.

Enable automatic user provisioning via SCIM: Allows you to use the SCIM protocol for provisioning. Select Basic to create a SCIM username and password. Select Token to generate a SCIM token and set an expiration date for it.

Automatically provision users on first login: Triggers user provisioning on the user's first login attempt to Files.com.

Automatically de-provision users: De-provisions users that cannot be found in your Identity Provider (IdP) during the next synchronization.

Automatically provision group memberships: Assigns users to groups based on their group memberships in your IdP.

Automatically de-provision group memberships: Removes users from groups they no longer belong to in your IdP during the next synchronization.

Method used for de-provisioning users: Specifies whether de-provisioned users are deleted or disabled in Files.com. We recommend disabling rather than deleting users, in case you need to audit their prior activity, history, and settings.

Provision company: Sets the "Company" attribute in the Files.com user profile of the provisioned user.

Add users to these default groups on first login: Assigns provisioned users to the specified Files.com Groups on their first login.

Only provision users in these groups: Restricts user provisioning to members of the specified IdP groups. Enter comma-separated names or wildcards. For instance, to limit provisioning to users in the IT and Support groups, specify IT,Support. Your IdP must send group membership data in SCIM requests for this option to work.

Only provision these groups: Includes (whitelists) only the specified IdP groups for provisioning. Your IdP must send group membership data in SCIM requests for this option to work.

Exclude these groups from provisioning: Excludes (blacklists) the specified IdP groups from provisioning. Your IdP must send group membership data in SCIM requests for this option to work.

Provision users in these groups to be site admins: Grants Site Administrator privileges in Files.com to users in the specified groups. Enter comma-separated names or wildcards. For example, specifying Administrators,Domain Admin grants Site Administrator privileges to IdP users in those groups.

Provision users in these groups to be read-only site admins: Grants Read-only Administrator privileges in Files.com to users in the specified groups. Enter comma-separated names or wildcards. For example, specifying Support Admins,ReadOnly Admins grants Read-only Administrator privileges to IdP users in those groups.

Provision users in these groups to be group admins: Grants Group Administrator privileges in Files.com to users in the specified groups. Enter comma-separated names or wildcards. For example, specifying Managers,Associate Directors grants Group Administrator privileges to IdP users in those groups.

Provision users in these groups to manage their password via Files.com: Provisions users from the specified groups without requiring Single Sign-On (SSO). Their passwords are stored in Files.com, independent of the IdP password.

Provision users with 2FA: Specifies how two-factor authentication (2FA) applies to provisioned users. You can follow the site-wide 2FA policy or override it for SCIM-provisioned users, either always requiring 2FA or never requiring it. For example, if your site-wide 2FA policy is Always required for all users but you need to exempt SCIM-provisioned users, select Never require 2FA.

Auto-provisioned users with WebDAV permissions: Specifies whether provisioned users may use the WebDAV protocol to connect to Files.com.

Auto-provisioned users with FTP permissions: Specifies whether provisioned users may use the FTP and FTPS protocols to connect to Files.com.

Auto-provisioned users with SFTP permissions: Specifies whether provisioned users may use the SFTP protocol to connect to Files.com.

Default time zone for auto provisioned users: Sets the time zone attribute in the Files.com user profile of the provisioned user.

Provisioning Based on Group Membership

Use Group-Based Provisioning to limit which users from your SSO Provider should be provisioned in your Files.com site.

SCIM Options for Group-Based Provisioning

The SCIM configuration options Only provision users in these groups, Only provision these groups, and Exclude these groups from provisioning let you choose which users and groups are created by SCIM, so that you can limit exactly which of your SSO provider users are provisioned in your Files.com site.

Only provision users in these groups and Only provision these groups serve as whitelist filters, which limit what gets created in your Files.com site. Exclude these groups from provisioning blocks the creation of specific groups in your site by blacklisting groups.

These options require the identity provider to include group membership data in SCIM requests.
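The following Python model, added here and not Files.com's own filtering code, works through how the three settings above (and their entries in the Configuration Options table) combine for a constructed IdP directory: a user passes Only provision users in these groups when at least one of their IdP groups matches a pattern, a group passes Only provision these groups when its name matches, and Exclude these groups from provisioning removes matching groups. Three details are assumptions rather than documented behaviour: wildcards are glob-style (* and ?), matching is case-sensitive, and an exclusion wins when a group matches both lists. The sample users, groups and settings are constructed; IT,Support is the page's own example value.

```python
from fnmatch import fnmatchcase

# Model of the three group-based filters. Assumed: glob-style wildcards,
# case-sensitive matching, and exclusion taking precedence over inclusion.
# Files.com's exact matching rules are not spelled out on the page.


def parse_patterns(setting):
    """Split the comma-separated setting value into a list of patterns."""
    return [p.strip() for p in setting.split(",") if p.strip()]


def matches_any(name, patterns):
    return any(fnmatchcase(name, p) for p in patterns)


def user_allowed(user_groups, only_users_in=""):
    """'Only provision users in these groups': an empty setting is no filter;
    otherwise the user needs at least one IdP group matching a pattern."""
    patterns = parse_patterns(only_users_in)
    return not patterns or any(matches_any(g, patterns) for g in user_groups)


def group_allowed(group_name, only_groups="", exclude_groups=""):
    """'Only provision these groups' (whitelist) and 'Exclude these groups
    from provisioning' (blacklist) applied to a single group name."""
    if matches_any(group_name, parse_patterns(exclude_groups)):
        return False
    allow = parse_patterns(only_groups)
    return not allow or matches_any(group_name, allow)


def plan_provisioning(users, groups, settings):
    """users: {userName: [IdP group names]}; groups: IdP group names;
    settings: the three option values as typed into Files.com.
    Returns the users and groups that would be created, plus the memberships
    that survive both filters (a provisioned user keeps only memberships in
    groups that are themselves provisioned; that last rule is an assumption)."""
    users_out = sorted(u for u, gs in users.items()
                       if user_allowed(gs, settings.get("only_users_in", "")))
    groups_out = sorted(g for g in groups
                        if group_allowed(g, settings.get("only_groups", ""),
                                         settings.get("exclude_groups", "")))
    memberships = {u: sorted(g for g in users[u] if g in groups_out)
                   for u in users_out}
    return users_out, groups_out, memberships


# Constructed sample directory data, not taken from any real IdP.
SAMPLE_USERS = {
    "alice@example.test": ["IT", "Eng-Core"],
    "bob@example.test": ["Sales"],
    "carol@example.test": ["Support", "Eng-Contractors"],
    "dave@example.test": ["Eng-Core"],
}
SAMPLE_GROUPS = ["IT", "Support", "Sales", "Eng-Core", "Eng-Contractors"]
SAMPLE_SETTINGS = {
    "only_users_in": "IT,Support",       # the page's own example value
    "only_groups": "IT,Support,Eng-*",   # wildcard admits every Eng- group
    "exclude_groups": "Eng-Contractors", # ...except this one
}

if __name__ == "__main__":
    users_out, groups_out, memberships = plan_provisioning(
        SAMPLE_USERS, SAMPLE_GROUPS, SAMPLE_SETTINGS)
    print("users:", users_out)
    print("groups:", groups_out)
    print("memberships:", memberships)
```

Running the model shows why the user filter and the group filters are worth setting together: dave is a member only of Eng-Core, which the group whitelist admits, yet he is not provisioned because Only provision users in these groups names IT and Support only. Remember that all three settings are inert when the IdP omits group membership data from its SCIM requests, as the Entra ID limitation below describes.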

Microsoft Entra ID Limitations

Microsoft Entra ID does not include group memberships in its SCIM provisioning requests. This means the settings Only provision users in these groups, Only provision these groups, and Exclude these groups from provisioning can't be used with an Entra ID SSO Provider.

To limit which users are provisioned within Files.com, use Entra's scoping filters based on a custom extension property. This property acts as a designated provisioning attribute, allowing only users with the attribute to be provisioned into Files.com. Group mappings still apply, so provisioned users are automatically added to their assigned groups. For details, refer to Microsoft's documentation on defining scoping filters and customizing application attributes.

SCIM Activity Logging

Files.com records all SCIM-related requests and responses in JSON format under SCIM Logs. These logs provide detailed visibility into provisioning activity, including user and group creation, updates, and deletions, along with request methods, API paths, HTTP response codes, and timestamps. Reviewing the JSON data helps administrators analyze SCIM transactions, verify successful communication, and identify issues such as failed provisioning attempts, duplicate user conflicts, or attribute mismatches.

Files.com also logs SCIM-related events under History Logs with the Interface set to SCIM. These entries summarize key provisioning actions and outcomes for users and groups.

If you encounter an error and do not see related details in SCIM Logs, it’s possible the issue originated from your identity provider (IdP). In such cases, check your IdP’s logs for more detailed information and to troubleshoot further.
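The following Python script, added here and not a Files.com tool, shows the kind of triage the SCIM Logs section describes: it reads JSON log lines, counts outcomes by HTTP response code and flags the three failure types the page names (failed attempts, duplicate user conflicts, attribute mismatches). The log lines are constructed for this example; the page states that SCIM Logs are JSON containing the request method, API path, HTTP response code and timestamp, but the field names used here (timestamp, method, path, status, response) are an assumption, not Files.com's schema, so map them to the real keys before running this against exported logs. The scimType values in the sample responses follow the RFC 7644 error format.

```python
import json
from collections import Counter

# Constructed SCIM log lines. Field names are an assumption for this example;
# the user ids in the paths are placeholders.
SAMPLE_SCIM_LOG = """
{"timestamp": "2024-05-01T09:00:00Z", "method": "POST", "path": "/api/scim/Users", "status": 201, "response": {}}
{"timestamp": "2024-05-01T09:00:01Z", "method": "POST", "path": "/api/scim/Users", "status": 409, "response": {"scimType": "uniqueness", "detail": "userName already exists"}}
{"timestamp": "2024-05-01T09:00:02Z", "method": "PATCH", "path": "/api/scim/Users/PLACEHOLDER-ID", "status": 200, "response": {}}
{"timestamp": "2024-05-01T09:00:03Z", "method": "PUT", "path": "/api/scim/Users/PLACEHOLDER-ID", "status": 400, "response": {"scimType": "invalidValue", "detail": "emails[0].value is not a valid email"}}
{"timestamp": "2024-05-01T09:00:04Z", "method": "GET", "path": "/api/scim/Groups", "status": 200, "response": {}}
{"timestamp": "2024-05-01T09:00:05Z", "method": "POST", "path": "/api/scim/Groups", "status": 401, "response": {"detail": "invalid SCIM credentials"}}
"""


def classify(entry):
    """Map one log entry to an outcome category using the HTTP status and,
    where present, the RFC 7644 scimType in the response body."""
    status = entry["status"]
    scim_type = entry.get("response", {}).get("scimType")
    if 200 <= status < 300:
        return "ok"
    if status == 409 or scim_type == "uniqueness":
        return "duplicate_user_conflict"   # a user with that key already exists
    if status == 400:
        return "attribute_mismatch"        # malformed or unexpected attribute
    if status in (401, 403):
        return "auth_failure"              # SCIM credentials rejected
    if status >= 500:
        return "server_error"
    return "other_failure"


def triage(log_text):
    """Return (outcome counts, list of non-successful entries with context)."""
    counts = Counter()
    findings = []
    for line in log_text.strip().splitlines():
        entry = json.loads(line)
        kind = classify(entry)
        counts[kind] += 1
        if kind != "ok":
            findings.append({
                "timestamp": entry["timestamp"],
                "method": entry["method"],
                "path": entry["path"],
                "status": entry["status"],
                "kind": kind,
                "detail": entry.get("response", {}).get("detail"),
            })
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_SCIM_LOG)
    print(dict(counts))
    for f in findings:
        print(f"{f['timestamp']} {f['method']} {f['path']} -> {f['status']} "
              f"({f['kind']}): {f['detail']}")
```

A run over the constructed lines reports three successful requests, one duplicate conflict, one attribute mismatch and one authentication failure. If a failure you see in your IdP's provisioning report has no matching SCIM Logs entry at all, the request never reached Files.com, which is the case the page directs you to the IdP's own logs for.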
