For large organizations or organizations with a lot of turnover, managing users at scale is often a challenge. As organizations evolve, adding and removing users manually or relying on LDAP synchronization alone may not always be enough. That’s where SCIM comes in.
With SCIM support, Passbolt Pro can now integrate seamlessly with modern cloud identity providers such as Microsoft Entra ID (Azure AD) and Okta. This means IT administrators can automate near real-time user provisioning, making onboarding and offboarding faster, more secure, and less error-prone.
What is SCIM?
SCIM (System for Cross-domain Identity Management) is an open standard designed to simplify identity management across different systems.
At its core, SCIM defines:
- A schema for representing users and groups in JSON (e.g. fields like userName, name.givenName, emails).
- API endpoints (/Users, /Groups) that identity providers (IdPs) can call to create, update, or delete identities in a target system.
- Standard messages for queries and responses, making it easy to know if a user exists, was created, or updated.
In practice, this means Microsoft Entra ID or Okta can send HTTP requests to Passbolt’s SCIM endpoints whenever there’s a change in your directory. Passbolt interprets those requests and keeps its own user records in sync.
How to get started with SCIM?
Passbolt Pro 5.5 introduces SCIM plugin support, tested with Microsoft Entra ID (Azure AD) and Okta. Both platforms can now act as the source of truth for your user directory.
Here’s the flow in practice:
1. Enable SCIM in Passbolt
Admins toggle SCIM in Passbolt’s settings to generate a SCIM endpoint URL and a secret token.
2. Configure the IdP
In Microsoft Entra ID or Okta, create a provisioning configuration. Provide the SCIM URL and token to authenticate.
3. Attribute mapping
Map the fields (first name, last name, email) that Passbolt requires.
4. Provisioning & De-provisionning
When a new user is added in Microsoft Entra ID/Okta, the IdP calls Passbolt API automatically. Sync cycles may vary. For example Azure runs provisioning cycles periodically while Okta may provision near real-time. Both also provide an “on-demand provisioning” option for testing.
What features are supported?
The initial SCIM release for Passbolt focuses on user provisioning. That includes:
- Creating users in Passbolt when they are added in Microsoft Entra ID or Okta.
- Updating user details such as names or activation status.
- Disabling or deleting users when they are removed from the IdP.
What features are not supported?
Username/Email changes
Please note that email (username) updates are not supported. Passbolt uses email as part of a user’s cryptographic identity. If an IdP tries to update an email, Passbolt will reject the request according to the SCIM specification.
Group Sync
While SCIM also supports syncing groups, this is not available yet in Passbolt.
Why? Because in Passbolt, adding a user to a group means sharing credentials. To preserve end-to-end encryption, only the user can decrypt and re-encrypt secrets with their private key. Neither the SCIM provider (Microsoft Entra ID/Okta) nor the Passbolt server has access to those keys.
Group synchronization may be considered in the future, but it will require careful design to respect Passbolt’s security model.
Try it today!
SCIM provisioning is currently available for testing in Passbolt Pro. Make sure you are running the latest version and check your admin workspace under SCIM settings to get started.
With SCIM, onboarding and offboarding users in Passbolt becomes simpler, safer, and automated, so administrators can focus on what matters most: securing credentials, not managing accounts.
We’d love to hear your feedback, test results, and requests for additional identity providers you’d like to see supported. Share them with us on the community forum or regular support channels to help shape the future of SCIM in Passbolt!
