Integrate with a SCIM 2.0 provider
Follow this step-by-step guide to allow SlashID to monitor and protect identities from any system that exposes a SCIM 2.0 API. This integration enables SlashID to track users and groups from any SCIM-compliant identity provider, HR system, or directory service.
Before starting
Before starting, ensure you have:
- The base URL of your SCIM 2.0 endpoint (e.g. https://api.example.com/scim/v2)
- Authentication credentials for the SCIM endpoint (bearer token, OAuth2 client credentials, or username/password)
- Network access from SlashID's backend to the SCIM endpoint
If your endpoint or tenant restricts traffic by source IP, allow connections from SlashID's egress IPs published at https://cdn.slashid.com/egress.json. The list is global and stable; the syncToken field changes whenever the IPs change, so you can use it to detect drift.
The file follows the JAFAR draft format (A JSON-Based Format for Publishing IP Ranges of Automated HTTP Clients), the same convention major cloud providers use to publish their IP ranges.
Step 1: Obtain your SCIM credentials
SlashID supports three authentication methods. Choose the one your SCIM provider requires:
Bearer token
Obtain a long-lived API token or personal access token from your provider. This token is sent as an Authorization: Bearer <token> header on every request.
OAuth2 client credentials
Obtain an OAuth2 client ID and client secret, along with the provider's token URL (the endpoint SlashID uses to request access tokens). SlashID automatically refreshes the access token before it expires.
HTTP Basic auth
Obtain a username and password for HTTP Basic authentication. These are sent as an Authorization: Basic <base64> header on every request.
Step 2: Create the SCIM connection in SlashID
- Go to the SlashID Console > Identity Protection > Configuration > Integrations. Click Add integration.
- Select SCIM from the list of providers.
- Enter your connection details:
| Field | Description | Example |
|---|---|---|
| Name | Arbitrary name for this connection | HubSpot SCIM |
| SCIM endpoint base URL | The root URL of the SCIM 2.0 API | https://api.hubspot.com/scim/v2 |
| Authentication method | How SlashID authenticates to your SCIM endpoint | bearer, oauth2, or basic |
| Authoritative status | Whether SCIM identities are the primary source of truth when reconciling across providers | Primary or Secondary |
- Fill in the fields for your chosen authentication method:
Bearer token:
| Field | Description |
|---|---|
| Bearer token | The API token for your SCIM endpoint |
OAuth2 client credentials:
| Field | Description |
|---|---|
| Client ID | Your OAuth2 application's client ID |
| Client secret | Your OAuth2 application's client secret |
| Token URL | The OAuth2 token endpoint (e.g. https://auth.example.com/oauth/token) |
Basic auth:
| Field | Description |
|---|---|
| Username | Username for HTTP Basic authentication |
| Password | Password for HTTP Basic authentication |
- Click Connect to test the connection and complete the integration.
What SlashID syncs
SlashID reads from the /Users and /Groups SCIM endpoints:
| Entity type | Source | Key attributes |
|---|---|---|
| SCIM User | GET /Users | userName, displayName, active, emails |
| SCIM Group | GET /Groups | displayName, members |
Group memberships are modeled as edges in the identity graph, enabling you to see which users belong to which groups and trace access paths.
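To preview what those two endpoints return before you connect, the following added example (not SlashID's code) pages through /Users and /Groups with the RFC 7644 startIndex/count parameters, builds the user-to-group edges, and flags members that are inactive or missing from the user list. The names fetch, list_all, preflight and sample_fetch are hypothetical, and SAMPLE is constructed data; to run it against a live endpoint, pass a fetch callable that performs the GET with your credentials and returns the parsed JSON.

```python
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def list_all(fetch, resource, count=100):
    """Walk all pages of /Users or /Groups via startIndex/count (RFC 7644, 1-based)."""
    items, start = [], 1
    while True:
        page = fetch(f"/{resource}?startIndex={start}&count={count}")
        if LIST_SCHEMA not in page.get("schemas", []):
            raise ValueError(f"/{resource} did not return a SCIM ListResponse")
        batch = page.get("Resources", [])
        items += batch
        start += len(batch)  # providers may return fewer items than requested
        if not batch or len(items) >= page.get("totalResults", 0):
            return items


def preflight(fetch, count=100):
    """Count users and groups, build membership edges, and list data gaps."""
    users = list_all(fetch, "Users", count)
    groups = list_all(fetch, "Groups", count)
    known = {r["id"] for r in users + groups}  # members may be users or nested groups
    inactive = {u["id"] for u in users if u.get("active") is False}
    edges, issues = [], []
    for g in groups:
        for m in g.get("members", []):
            edges.append((m["value"], g["displayName"]))
            if m["value"] in inactive:
                issues.append(f"{g['displayName']}: inactive member {m['value']}")
            elif m["value"] not in known:
                issues.append(f"{g['displayName']}: unknown member {m['value']}")
    return {"users": len(users), "groups": len(groups), "edges": edges, "issues": issues}


# Constructed sample data standing in for a provider (not real output).
SAMPLE = {
    "Users": [{"id": "u1", "userName": "alice", "active": True},
              {"id": "u2", "userName": "bob", "active": False}],
    "Groups": [{"id": "g1", "displayName": "admins",
                "members": [{"value": "u1"}, {"value": "u2"}, {"value": "u9"}]}],
}


def sample_fetch(path):
    """Serve SAMPLE as paginated ListResponses honouring startIndex and count."""
    resource, query = path.lstrip("/").split("?")
    args = dict(kv.split("=") for kv in query.split("&"))
    start, count = int(args["startIndex"]), int(args["count"])
    rows = SAMPLE[resource]
    return {"schemas": [LIST_SCHEMA], "totalResults": len(rows),
            "Resources": rows[start - 1:start - 1 + count]}
```

Calling preflight(sample_fetch, count=1) forces one resource per page, which exercises the pagination loop the same way a provider with a small page size would.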
Verification
After successful integration, SlashID will:
- Sync users: Import all SCIM users with their display name, username, and active status
- Sync groups: Import all SCIM groups and their member relationships
It may take a few minutes for the initial data sync, after which you can start exploring security events in the Identity Protection Dashboard.
Troubleshooting
"401 Unauthorized"
- Verify your credentials are correct and have not expired.
- For bearer tokens, ensure the token has read access to the /Users and /Groups endpoints.
- For OAuth2, verify the client ID, secret, and token URL are correct.
"403 Forbidden"
- Ensure the credentials used have permission to list users and groups via the SCIM API.
- Some providers require specific scopes (e.g. scim:read); check your provider's documentation.
No users or groups appearing
- Confirm the base URL is correct and includes the SCIM path prefix (e.g. /scim/v2).
- Test the endpoint manually:
  curl -H "Authorization: Bearer <token>" <base_url>/Users
Connection test fails
- Ensure the SCIM endpoint is reachable from SlashID's infrastructure (check firewall rules or IP allowlists if your provider restricts access by IP).