# SCIM

SCIM (System for Cross-domain Identity Management) enables automatic user provisioning, deprovisioning, and role synchronization between your identity provider and Scanner. This ensures that user accounts and permissions stay synchronized with your enterprise directory.

Scanner supports SCIM integration with most major identity providers, including:

* Okta
* Microsoft Entra ID (Azure AD)
* Google Workspace
* Most other SCIM 2.0-compliant providers

## Setting up SCIM

SCIM configuration requires the same permissions as SSO. If you haven't already configured SSO, contact the Scanner support team to enable these permissions for your account.

Once permissions are configured:

1. In Scanner, navigate to **Settings** > **SCIM**.
2. Click **Create**.
3. Select your identity provider from the list.
4. Enter a name for your connection.
5. Click **Create**.
6. Follow the on-screen instructions to complete the setup in your identity provider.

## Role synchronization

After configuring your SCIM connection, you can set up automatic role synchronization between your identity provider and Scanner.

To enable role synchronization:

1. In your identity provider, identify the roles you want to sync to Scanner.
2. In Scanner, create matching roles with the `scim:` prefix. For example, to sync an identity provider role called `scanner_analyst`, create a role named `scim:scanner_analyst` in Scanner.
3. Configure the appropriate permissions for each Scanner role.

Once configured, Scanner will automatically assign the Scanner role to users who have the corresponding role in your identity provider, and remove it from users who no longer have that role. This ensures user permissions remain synchronized with your enterprise directory.

Note: Role updates in your identity provider may take up to 5 minutes to appear in Scanner.
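
The following Python check is an added example, not Scanner's or Stytch's code. It compares role names exported from both sides against the `scim:` naming rule above and reports roles that synchronization would not map. It assumes matching is exact and case-sensitive after the prefix, and the role names in the sample lists are constructed.

```python
SCIM_PREFIX = "scim:"  # prefix required by the naming rule on this page

# Constructed sample data: role names as exported from each side.
SAMPLE_IDP_ROLES = ["scanner_analyst", "scanner_admin", "scanner_readonly"]
SAMPLE_SCANNER_ROLES = [
    "scim:scanner_analyst",   # correct mapping
    "scim:Scanner_Admin",     # differs from the IdP role only by case
    "scanner_readonly",       # same name as an IdP role, prefix missing
    "scim:legacy_oncall",     # no IdP role behind it
    "Administrator",          # manually managed role, not part of sync
]


def _norm(name):
    """Normalise a name so case and whitespace slips can be detected."""
    return name.strip().casefold()


def reconcile(idp_roles, scanner_roles):
    """Report how IdP roles line up with scim:-prefixed Scanner roles.

    Assumption: a Scanner role maps to an IdP role only when the text
    after the prefix is an exact, case-sensitive match.
    """
    idp = set(idp_roles)
    synced = {r[len(SCIM_PREFIX):] for r in scanner_roles
              if r.startswith(SCIM_PREFIX)}
    unprefixed = {r for r in scanner_roles if not r.startswith(SCIM_PREFIX)}
    idp_by_norm = {_norm(r): r for r in idp}
    return {
        "mapped": sorted(idp & synced),
        # IdP roles with no Scanner counterpart: sync grants nothing.
        "missing_in_scanner": sorted(idp - synced),
        # scim: roles that no IdP role can ever populate.
        "orphaned_scim_roles": sorted(SCIM_PREFIX + r for r in synced - idp),
        # Scanner roles named after an IdP role but created without the prefix.
        "missing_prefix": sorted(unprefixed & idp),
        # Likely typos: (Scanner role, intended IdP role).
        "near_miss": sorted((SCIM_PREFIX + r, idp_by_norm[_norm(r)])
                            for r in synced - idp if _norm(r) in idp_by_norm),
    }


if __name__ == "__main__":
    for finding, names in reconcile(SAMPLE_IDP_ROLES, SAMPLE_SCANNER_ROLES).items():
        print(f"{finding}: {names}")
```

Review `orphaned_scim_roles` and `missing_prefix` before relying on sync for access removal, since roles in those lists are not governed by the identity provider.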

Scanner uses **Stytch** for SCIM provisioning. For more information on Stytch's SCIM capabilities, see the [Stytch SCIM documentation](https://stytch.com/docs/multi-tenant-auth/enterprise-ready/scim/overview).

If you encounter any issues during setup, contact the Scanner support team for assistance.

