Moonborn — Developers

SCIM provisioning

Push user lifecycle changes from your IdP into Moonborn — RFC 7644 endpoints, attribute mapping, group-to-role binding.

SCIM 2.0 lets your IdP (Okta, Azure AD, Google Workspace, OneLogin) push user lifecycle changes — create, update, deactivate — into Moonborn automatically.

Endpoints (RFC 7644)

Method   Path
GET      /v1/auth/scim/v2/Users
POST     /v1/auth/scim/v2/Users
GET      /v1/auth/scim/v2/Users/{id}
PATCH    /v1/auth/scim/v2/Users/{id}
DELETE   /v1/auth/scim/v2/Users/{id}
GET      /v1/auth/scim/v2/Groups
POST     /v1/auth/scim/v2/Groups

1. Issue a SCIM bearer token

In Settings → SSO → SCIM, click Generate token. The token is shown once.

2. Configure your IdP

Okta: Applications → Moonborn → Provisioning → Configure API Integration. Paste the bearer token. Test connection.

Azure AD: Enterprise Applications → Moonborn → Provisioning → Tenant URL = https://api.moonborn.co/v1/auth/scim/v2. Paste token.

Google Workspace: Apps → Web and mobile → Moonborn → Automatic provisioning. Same shape.

3. Map attributes

Moonborn reads the standard SCIM 2.0 user schema:

SCIM attribute                        Moonborn field
userName                              sign-in email
name.givenName / name.familyName      display name
emails[primary=true].value            contact email
active                                enable / disable

4. Group → role binding

SCIM groups map onto Moonborn roles. Map by name:

IdP group           Moonborn role
moonborn-admin      admin
moonborn-editor     editor
moonborn-viewer     viewer
moonborn-billing    billing
moonborn-auditor    auditor

Configure the mapping in Settings → SSO → SCIM → Group bindings.
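
A pre-flight check for steps 3 and 4, as an added example (not Moonborn's code): it resolves a SCIM User resource through the attribute and group tables above and builds the RFC 7644 PatchOp an IdP sends to deactivate a user. The function names, the returned field keys, the space-joined display name and the fail-closed handling of active are assumptions; the sample user is constructed.

```python
# Group-to-role bindings from the table above (mapped by name).
ROLE_BINDINGS = {"moonborn-admin": "admin", "moonborn-editor": "editor",
                 "moonborn-viewer": "viewer", "moonborn-billing": "billing",
                 "moonborn-auditor": "auditor"}
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def preview_mapping(user, idp_groups):
    """Resolve the attributes the page lists from a SCIM User and report gaps."""
    problems = []
    if USER_SCHEMA not in user.get("schemas", []):
        problems.append("missing core User schema URN")
    if not user.get("userName"):
        problems.append("userName (sign-in email) is empty")
    primary = [e.get("value") for e in user.get("emails", []) if e.get("primary") is True]
    if len(primary) != 1:
        problems.append(f"expected exactly one primary email, found {len(primary)}")
    name = user.get("name", {})
    # Assumption: given and family name are joined with a space.
    display = " ".join(p for p in (name.get("givenName"), name.get("familyName")) if p)
    return {
        "sign_in_email": user.get("userName"),
        "display_name": display,
        "contact_email": primary[0] if len(primary) == 1 else None,
        # Assumption: fail closed, anything but a literal true counts as disabled.
        "enabled": user.get("active") is True,
        "roles": sorted(ROLE_BINDINGS[g] for g in idp_groups if g in ROLE_BINDINGS),
        "unbound_groups": sorted(g for g in idp_groups if g not in ROLE_BINDINGS),
        "problems": problems,
    }


def deactivate_patch():
    """RFC 7644 PatchOp body for PATCH /v1/auth/scim/v2/Users/{id} (deactivate)."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


# Constructed sample, shaped like the body of POST /v1/auth/scim/v2/Users.
SAMPLE_USER = {
    "schemas": [USER_SCHEMA], "userName": "ada@example.com",
    "name": {"givenName": "Ada", "familyName": "Lovelace"}, "active": True,
    "emails": [{"value": "ada@example.com", "primary": True},
               {"value": "ada@personal.example", "primary": False}],
}

if __name__ == "__main__":
    print(preview_mapping(SAMPLE_USER, ["moonborn-editor", "engineering"]))
```

A user whose unbound_groups is non-empty and whose roles is empty would be provisioned with no bound role, which is worth catching before enabling provisioning for that group.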

Lifecycle behavior

  • Create in IdP → user provisioned in Moonborn, sent welcome email.
  • Update in IdP → user record updated; role re-evaluated.
  • Deactivate in IdP → user signed out; sessions revoked; data retained.
  • Delete in IdP → soft-delete in Moonborn (30-day grace).

What SCIM doesn't sync

  • API keys (per-user, not synced back).
  • Personal preferences (UI settings).
  • Workspace memberships outside SCIM's scope (manual invite still works).

Tier

Enterprise.