SCIM provisioning introduction
SCIM (System for Cross-domain Identity Management) is an open standard that allows Identity Providers like Microsoft Entra ID to automatically create, update, and deactivate user accounts in 21RISK. Instead of manually adding or removing users, SCIM keeps your Identity Provider and 21RISK in sync — so when someone joins your organization or leaves, their 21RISK access is handled automatically.
Why is SCIM Important
Automated User Lifecycle
- Automatic Provisioning: When a new employee is added in your Identity Provider, they are automatically provisioned in 21RISK — no manual setup needed.
- Automatic Deprovisioning: When someone leaves your organization, their 21RISK access is revoked as soon as they're deactivated in the Identity Provider.
- Fewer Errors: Eliminates the risk of forgotten accounts or typos that come with manual user management.
Improved Security & Compliance
- No Orphaned Accounts: Departed employees won't retain access to 21RISK, reducing security risks.
- Centralized Control: IT manages all user access from one place — the Identity Provider.
- Audit Trail: Provisioning and deprovisioning events are tracked, simplifying compliance audits.
Reduced IT Overhead
- Less Manual Work: IT no longer needs to manually create or remove users across multiple applications.
- Consistent Data: User information (name, email, group memberships) stays consistent between systems.
- Scale with Confidence: Whether you have 50 or 50,000 users, SCIM handles provisioning the same way.
How SCIM works at 21RISK
21RISK implements SCIM 2.0 (RFC 7644 / RFC 7643). Your Identity Provider communicates with 21RISK's SCIM API using a Bearer token for authentication.
- Connection: An IT admin creates a SCIM connection in 21RISK and generates a Bearer token.
- Configuration: The IT admin configures their Identity Provider (e.g., Microsoft Entra ID) with 21RISK's Tenant URL and the Bearer token.
- Provisioning: The Identity Provider starts pushing user and group data to 21RISK via the SCIM API.
- Shadow Tables: 21RISK stores the incoming SCIM data in shadow tables, keeping it separate from core user data.
- Sync: A sync process reconciles the SCIM data with 21RISK user accounts — creating, updating, or deactivating users as needed.
Sync cadence
21RISK automatically syncs SCIM users to real 21RISK accounts every hour between 06:00 and 18:00 UTC, Monday to Friday. Deactivated users are synced on the same schedule at a separate interval.
You can also trigger a sync manually from the SCIM connection page at any time by clicking Sync to 21RISK.
Prerequisite: SCIM provisioning is available on the Enterprise plan. You must also have SSO configured before setting up SCIM. See the SSO introduction to get started with SSO.
Supported Identity Providers
21RISK's SCIM implementation follows the open standard, so it is compatible with any Identity Provider that supports SCIM 2.0. We provide a step-by-step guide for the most common provider:
- Microsoft Entra ID (formerly Azure Active Directory)
If you use a different Identity Provider and need help, reach out to support@21risk.com.
What SCIM manages
| Resource | Supported operations |
|---|---|
| Users | Create, update, deactivate, delete |
| Groups | Create, update, delete, manage membership |
When a user is deactivated in the Identity Provider (SCIM active set to false), their 21RISK sessions are terminated and their tenant access is revoked.
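The deactivation described above reaches a SCIM 2.0 service as a PatchOp message (RFC 7644, section 3.5.2). The following is an added example, not 21RISK's code: it applies such a message to a stored SCIM user record and decides whether access must be revoked, parsing active strictly so that a string such as "False" is never treated as true. The function names and the sample user are hypothetical; only the message shape comes from the RFC.

```python
import copy

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644 section 3.5.2


def parse_active(value):
    """Strictly coerce a SCIM 'active' value to bool; never rely on truthiness."""
    if isinstance(value, bool):
        return value
    # A client may send the string "False"; bool("False") would wrongly be True.
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"unsupported 'active' value: {value!r}")


def apply_active_patch(user, body):
    """Return a copy of `user` with any add/replace of 'active' from a PatchOp applied."""
    if PATCH_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    updated = copy.deepcopy(user)
    for op in body.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("add", "replace"):
            continue  # 'remove' and other operations are out of scope here
        path, value = op.get("path"), op.get("value")
        if path is None and isinstance(value, dict) and "active" in value:
            updated["active"] = parse_active(value["active"])  # path-less form
        elif isinstance(path, str) and path.lower() == "active":
            updated["active"] = parse_active(value)  # explicit path form
    return updated


def must_revoke(before, after):
    """True when the patch moved the user from active to inactive."""
    return bool(before.get("active", True)) and not after.get("active", True)


# Constructed sample data (hypothetical, not taken from 21RISK or a real tenant).
SHADOW_USER = {"id": "example-id-1", "userName": "alice@example.com", "active": True}
DEACTIVATE_BOOL = {"schemas": [PATCH_SCHEMA],
                   "Operations": [{"op": "replace", "path": "active", "value": False}]}
DEACTIVATE_STRING = {"schemas": [PATCH_SCHEMA],
                     "Operations": [{"op": "Replace", "value": {"active": "False"}}]}

if __name__ == "__main__":
    for patch in (DEACTIVATE_BOOL, DEACTIVATE_STRING):
        after = apply_active_patch(SHADOW_USER, patch)
        print(after["active"], must_revoke(SHADOW_USER, after))
```

Rejecting unrecognised active values with an error, rather than defaulting them, keeps a malformed deactivation request from silently leaving an account enabled.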
Coming up
SCIM User Groups — We are working on integrating SCIM user groups into 21RISK. This will allow you to assign permissions, site access, and board visibility based on the groups managed in your Identity Provider, so you won't need to maintain group memberships in two places. Stay tuned for updates.