LabsNinja SCIM is currently running in beta while we complete final production hardening.
Beta · SCIM 2.0 · RFC 7643/7644

Enterprise Identity
Provisioning at Scale

When people join, move, or leave, their accounts should follow automatically. LabsNinja SCIM connects your identity provider to your applications so user accounts are created, updated, and deactivated for you — no manual setup, no missed offboarding. Standards-based (SCIM 2.0, RFC 7643/7644), multi-tenant, and fully audited. Currently in beta while final production hardening is completed.

Explore the APIRead the Docs Start Free Trial →
SCIM 2.0
RFC 7643 / 7644
Beta
Free Trial Open
Multi-tenant
Full Isolation
Audited
Every Operation Logged

Everything you need for enterprise provisioning

Built on the SCIM 2.0 standard — reliable, secure, and auditable from day one.

SCIM 2.0 Compliant

Full RFC 7643/7644 implementation. Users, Groups, filtering, pagination, sorting, ServiceProviderConfig, Schemas, and ResourceTypes endpoints.

Multi-Tenant Architecture

Complete tenant isolation with per-tenant SCIM clients, credentials, and data segregation. Manage hundreds of tenants from a single control plane.

Hardened Authentication

Per-tenant credentials with full lifecycle control — create, rotate, and revoke access at any time.

Automated Consistency

Background automation keeps identity data consistent and lets you preview reconciliation changes before anything is applied.

Operational Visibility

Structured audit logs and built-in health monitoring give your team clear insight into provisioning activity.

Audit Trail

Immutable audit log for every admin and SCIM operation. Filter by tenant, operation type, actor, and timestamp range via the control plane API.

Flexible Configuration

Tune the platform to your environment without downtime or service restarts.

Admin Dashboard

Manage tenants, credentials, and configuration from a built-in dashboard, with APIs where your team needs them.

Operational Readiness

Ships with deployment checklists, operator procedures, and monitoring guidance for a safe, controlled rollout.

Full RFC 7643 / 7644 support

Every standard SCIM operation for Users and Groups, plus discovery endpoints for schema-driven integrations.

User Operations

GET/scim/v2/UsersList & filter
POST/scim/v2/UsersCreate user
GET/scim/v2/Users/{id}Get by ID
PUT/scim/v2/Users/{id}Full replace
PATCH/scim/v2/Users/{id}Partial update
DELETE/scim/v2/Users/{id}Deprovision

Group Operations

GET/scim/v2/GroupsList & filter
POST/scim/v2/GroupsCreate group
GET/scim/v2/Groups/{id}Get by ID
PUT/scim/v2/Groups/{id}Full replace
PATCH/scim/v2/Groups/{id}Partial update
DELETE/scim/v2/Groups/{id}Remove group

Discovery & Metadata

GET/scim/v2/ServiceProviderConfigSP config
GET/scim/v2/SchemasAll schemas
GET/scim/v2/Schemas/{id}Schema by ID
GET/scim/v2/ResourceTypesResource types

Query Capabilities

GET?filter=SCIM filter
GET?startIndex=Pagination
GET?count=Page size
GET?sortBy=Sorting
GET?attributes=Attribute select
GET?excludedAttributes=Attribute exclude

PATCH Operations

addPatchOp: addAdd values
replacePatchOp: replaceReplace values
removePatchOp: removeRemove values

Standards-based integration

Connect any SCIM 2.0-capable identity provider — Okta, Microsoft Entra ID, Google, and others. Standard endpoints, standard schemas, no proprietary lock-in. Your identity provider talks to LabsNinja SCIM exactly the way the RFCs describe. Change providers when you need to — point your new IdP at the same connection and your workspace and audit history stay with you. How provider portability works →

# Example: Create a user via SCIM

curl -X POST https://your-scim-host/scim/v2/Users \
  -H "Authorization: Bearer <tenant-token>" \
  -H "Content-Type: application/scim+json" \
  -d '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"jdoe@example.com","name":{"givenName":"Jane","familyName":"Doe"},"active":true}'

Consistency, handled for you

The platform continuously verifies that identity data stays consistent — and shows you what a fix would change before anything is written.

Preview Before Apply

Reconciliation runs as a dry run first — you see exactly what would change, and nothing is applied until you decide.

⚡ Dry-run · No surprises
Reliable
Automated tasks run exactly once, even under failure conditions
Fully Audited
Every automated action is recorded in the audit trail
Resilient
Automation recovers gracefully from interruptions — no manual cleanup
Scales With You
From one tenant to hundreds — the platform grows with your needs

Know what’s happening, always

Built-in monitoring and alerting keep your operations team informed about provisioning health — without extra tooling. Every operation is logged, every anomaly is surfaced, and operator guidance is included for the events that matter.

Built with security first

Authentication hardening, credential lifecycle management, and audit-everything approach.

Bearer Token Auth

Per-tenant SCIM client credentials. Tokens are hashed at rest. Full lifecycle: create, rotate, revoke.

Session Protection

Admin sessions expire automatically and can be revoked at any time — no dangling sessions.

Tenant Isolation

All SCIM resources are tenant-scoped at the data layer. Cross-tenant access is impossible by design, not just by convention.

Immutable Audit Log

Every create, update, delete, and authentication event is recorded with actor, timestamp, and full context. Non-repudiable.

Input Validation

Strict validation of every request before anything is written.

Runtime Config Guards

Configuration changes are validated, versioned, and audit-logged. No silent config mutations.

Current status

LabsNinja SCIM is operating in beta while final production hardening is completed.

Beta — Final Production Hardening in Progress

Core provisioning, multi-tenant isolation, audit logging, and operator runbooks are in place · See the capability matrix for current scope

SCIM 2.0 ✓Multi-tenant ✓Audit Logging ✓Runbooks ✓

Clear guides, start to finish

Everything your team needs to connect an identity provider and operate with confidence.

Quick Start

Connect your identity provider and provision your first users in minutes.

scim.labsninja.com/docs

SCIM 2.0 Reference

Standard endpoints, schemas, and examples — everything follows RFC 7643/7644.

Protocol documentation

Operator Guidance

Deployment checklists, operating procedures, and monitoring guidance ship with the platform.

Included with every plan

Plans

Start free. Scale when you're ready.

30-day free trial, no credit card required. Up to 50 users during trial. LabsNinja SCIM is currently in beta. See full plans & pricing →

Free Trial
$0/30 days
  • Up to 50 users provisioned
  • Full SCIM 2.0 RFC 7643/7644
  • 1 SCIM connector
  • Audit log access
  • Email support
Start Free Trial →