
SCIM user provisioning from Okta or Azure AD

Automatic create / update / deactivate of SimpleAMS users from your IdP. Bearer-token authed, RFC 7644 SCIM 2.0 endpoint.

May 27, 2026 5 min read SimpleAMS

SCIM solves the "new hire / leaver" problem on top of SAML SSO: instead of provisioning SimpleAMS users by hand, your IdP pushes them automatically when you add or remove someone in the right group.

1. Generate the bearer token in SimpleAMS

  1. Go to Settings → Integrations → SCIM 2.0.
  2. Tick Enable this integration and save - SimpleAMS auto-generates a one-time bearer token.
  3. Copy:
    • SCIM endpoint URL: https://yourtenant.simpleams.co.uk/scim/v2
    • Bearer token: the auto-generated value shown on the card.

2. Wire up Okta

  1. In Okta admin, open the SimpleAMS SAML application you created during SSO setup.
  2. Open the Provisioning tab and click Configure API integration.
  3. Tick Enable API integration.
  4. Paste:
    • Base URL: the SCIM endpoint URL.
    • API token: the bearer token.
  5. Click Test API credentials. Okta should respond with Verified successfully.
  6. Save. Under To App, enable Create Users, Update User Attributes, and Deactivate Users.
  7. Assign the app to a group (e.g. "All employees") and Okta will start pushing users.

3. Wire up Azure AD / Entra ID

  1. Open the SimpleAMS enterprise app.
  2. Open Provisioning → Get started.
  3. Set Provisioning Mode to Automatic.
  4. Paste the SCIM endpoint URL into Tenant URL, and the bearer token into Secret Token.
  5. Click Test Connection. On success, save.
  6. From Mappings, ensure the Email and DisplayName attributes are mapped (we use Email as the primary key).
  7. Turn Provisioning Status to On.

4. What gets synced

  • Create: new SCIM users appear in your /staff list with role staff by default.
  • Update: name, email, department changes propagate from the IdP.
  • Deactivate: setting active=false in the IdP soft-deactivates the user (keeps their checkout history intact). Re-enabling restores access.
  • Delete: hard delete from the IdP triggers a soft-deactivate, not a hard delete in SimpleAMS - your audit log stays intact.
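
One way to audit that the deactivations above actually landed, as an added example (not SimpleAMS code): it compares a SCIM 2.0 user listing against the IdP's assignment list, keyed on lower-cased email. It assumes the endpoint answers GET /Users with a standard RFC 7644 ListResponse; the sample data and the function names are constructed for illustration.

```python
import json

# Constructed sample: a SCIM 2.0 ListResponse (RFC 7644 section 3.4.2) as a
# GET /scim/v2/Users call might return it. All values are invented.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4, "startIndex": 1, "itemsPerPage": 4,
    "Resources": [
        {"id": "1", "userName": "Ana@example.com", "active": True,
         "emails": [{"value": "Ana@example.com", "primary": True}]},
        {"id": "2", "userName": "bob@example.com", "active": True},
        {"id": "3", "userName": "cy@example.com", "active": False},
        {"id": "4", "userName": "dee@example.com", "active": True},
    ],
})

# Constructed sample: emails currently assigned to the app in the IdP.
IDP_ASSIGNED = ["ana@example.com", "dee@example.com", "eve@example.com"]


def scim_email(resource):
    """Return the lower-cased primary email, falling back to userName."""
    emails = resource.get("emails") or []
    primary = next((e for e in emails if e.get("primary")), emails[0] if emails else None)
    value = (primary or {}).get("value") or resource.get("userName", "")
    return value.strip().lower()


def reconcile(list_response_json, idp_assigned):
    """Compare one complete SCIM user listing against the IdP assignment list."""
    page = json.loads(list_response_json)
    resources = page.get("Resources", [])
    if page.get("totalResults", len(resources)) > len(resources):
        raise ValueError("listing is paginated; fetch every page before auditing")
    assigned = {e.strip().lower() for e in idp_assigned}
    # SCIM's "active" is optional; treat a missing flag as active (conservative).
    active = {scim_email(r) for r in resources if r.get("active", True)}
    known = {scim_email(r) for r in resources}
    return {
        # Active in the app but not assigned in the IdP: leaver not deactivated.
        "stale_active": sorted(active - assigned),
        # Assigned in the IdP but absent from the app: create not yet pushed.
        "missing": sorted(assigned - known),
        # Assigned in the IdP but deactivated in the app: re-enable not pushed.
        "inactive_but_assigned": sorted((assigned & known) - active),
    }


if __name__ == "__main__":
    print(json.dumps(reconcile(SAMPLE_LIST_RESPONSE, IDP_ASSIGNED), indent=2))
```

Any entry under stale_active is the case to chase first: an account that can still act in SimpleAMS after the IdP has dropped it.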

5. Notes

  • SCIM is a Business-plan integration.
  • Initial sync of a large directory can take 30+ minutes - both Okta and Azure AD page slowly. Subsequent updates are real-time.
  • You typically pair SCIM with SAML SSO - SCIM creates the user record, SSO lets them sign in.