AuthFI SCIM Provisioning

AuthFI supports both inbound SCIM (IdPs push users to AuthFI) and outbound SCIM (AuthFI pushes users to downstream systems).

Inbound SCIM

Your identity provider (Okta, Azure AD, etc.) pushes user create/update/delete to AuthFI.

Base URL

https://api.authfi.app/scim/v2/{tenant}/

Authentication

Bearer token — create a SCIM token in the console or via API.

Supported operations

User schema

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "alice@acme.com",
  "name": { "givenName": "Alice", "familyName": "Chen" },
  "emails": [{ "value": "alice@acme.com", "primary": true }],
  "active": true,
  "externalId": "okta-user-id-123"
}

The externalId links the IdP user to the AuthFI user for future updates.

Outbound SCIM

AuthFI pushes user changes to downstream systems (Epic, Salesforce, custom apps).

Configure a target

POST /manage/v1/acme/scim-targets
{
  "name": "Salesforce",
  "endpoint_url": "https://salesforce.com/scim/v2",
  "auth_type": "bearer",
  "auth_token": "sf-token-...",
  "sync_users": true,
  "sync_groups": true
}

Event-driven sync

When a user is created, updated, deleted, or blocked in AuthFI:

1. Event triggers sync to all active SCIM targets
2. AuthFI calls the target’s SCIM endpoint (POST/PUT/PATCH/DELETE)
3. Success/failure is logged in scim_sync_log
4. Failed pushes are retried with exponential backoff

Sync log

GET /manage/v1/acme/scim-targets/{targetId}/logs

{
  "data": [
    { "action": "create_user", "user_id": "...", "status": "success", "timestamp": "..." },
    { "action": "update_user", "user_id": "...", "status": "failed", "error": "timeout", "retry_count": 2 }
  ]
}

Test connection

POST /manage/v1/acme/scim-targets/{targetId}/test

Verifies the endpoint is reachable and credentials are valid.

Plan availability