SCIM Provisioning

SCIM (System for Cross-domain Identity Management) automates user and group lifecycle management between your identity provider and Willow. When configured, your IdP creates, updates, and deprovisions users and groups in Willow automatically, with no manual admin work required.

What SCIM does in Willow

When a user is assigned to the Willow app in your IdP:

  • Willow creates the user account automatically
  • User attributes (name, email) stay in sync when changed in the IdP
  • When the user is unassigned or deprovisioned in the IdP, Willow deactivates their account

Group push syncs IdP groups to Willow, enabling group-based access control.

Prerequisites

  • SSO must already be configured in Willow (SCIM uses a separate API token, not the SSO credentials)
  • You need admin access in both Willow and your IdP

SCIM base URL and authentication

All SCIM endpoints are under /scim/v2.

  • SaaS: https://app.withwillow.ai/scim/v2
  • On-Premise: {your-app-url}/scim/v2

Authentication uses an API token in the Authorization header:

Authorization: Bearer <YOUR_API_TOKEN>

Generate a SCIM API token

  1. In Willow, go to Admin → API Tokens
  2. Select Generate Token
  3. Enter a descriptive Token Name (e.g. "Okta SCIM Integration")
  4. Under Permissions, select the SCIM scope ("SCIM user and group provisioning")
  5. Select Generate
  6. Copy the token immediately; it is shown only once

Select a provider

Willow supports SCIM provisioning through Okta and JumpCloud. Select your provider to continue:

For the complete SCIM API reference (endpoints, request and response examples, error codes), see the SCIM API reference.

Monitor SCIM logs

Willow logs all SCIM provisioning operations from your IdP. To access them, go to Admin → Logs, select the options menu (three-dot button at the top right), and choose SCIM Logs. On SaaS, you can open the page directly at app.withwillow.ai/monitor/scim-logs.

Figure: Steps to access SCIM Logs (Admin sidebar, Logs page, options menu, SCIM Logs option).

Figure: SCIM Logs page showing an empty state before any provisioning operations have occurred.

What is logged

  • User operations: create, update, deactivate
  • Group operations: create, update, delete membership
  • Configuration queries: ServiceProviderConfig, Schemas, ResourceTypes
  • Request and response details: full payloads for debugging

Filter logs

Filter by Date Range, HTTP Method (GET, POST, PATCH, PUT, DELETE), Resource Type (User, Group, Config, Schema), or Status Code (2xx, 4xx, 5xx).

Export logs

Select Export CSV to download all filtered logs for offline analysis or compliance reporting.

Troubleshoot

Connection test fails

  • Verify the API token is correct and copied without extra whitespace
  • Ensure the SCIM base URL is reachable from your IdP's network
  • Confirm URLs were entered without a trailing slash (Okta OIN)
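A pre-flight check for the items above, run before pasting the values into the IdP. This is an added example, not Willow's own code: the function names are hypothetical, the https requirement is an extra check introduced here, and the /ServiceProviderConfig path is the standard SCIM discovery endpoint from RFC 7644, assumed to be served under Willow's base URL.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

def preflight(base_url, token):
    """Return problems with the values pasted into the IdP (empty list = OK)."""
    problems = []
    if not token:
        problems.append("token is empty")
    elif any(ch.isspace() for ch in token):
        problems.append("token contains whitespace")
    if any(ch.isspace() for ch in base_url):
        problems.append("base URL contains whitespace")
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        # Added check: over plain http the bearer token crosses the network in clear text.
        problems.append("base URL is not https")
    if parts.path.endswith("/"):
        problems.append("base URL has a trailing slash")
    if not parts.path.rstrip("/").endswith("/scim/v2"):
        problems.append("base URL does not end in /scim/v2")
    if parts.query or parts.fragment:
        problems.append("base URL carries a query string or fragment")
    return problems

def build_config_request(base_url, token):
    """Build (not send) a SCIM discovery GET carrying the bearer token."""
    problems = preflight(base_url, token)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(
        base_url + "/ServiceProviderConfig",  # RFC 7644 path, assumed for Willow
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/scim+json"},
        method="GET",
    )

def check_connection(base_url, token, timeout=10):
    """Send the request and return the HTTP status code."""
    req = build_config_request(base_url, token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. 401 when the server rejects the token

if __name__ == "__main__":
    # Constructed values; no network traffic is generated here.
    print(preflight("https://app.withwillow.ai/scim/v2/", "constructed-token\n"))
```

Call check_connection from a host on the same network path as the IdP to cover the reachability item as well; read the token from a secret store rather than passing it on the command line.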

Users not syncing

  • Confirm users are assigned to the Willow app (directly or via an assigned group)
  • Check that Create Users is enabled under Provisioning → To App
  • Review your IdP's provisioning logs for error messages

Group sync issues

  • Groups must be both assigned and pushed (Okta) or covered by the Identity Management config (JumpCloud)
  • Verify groups have members before syncing
  • Check provisioning logs for group operation errors