Skip to main content

Enable automated user provisioning with SCIM

System for Cross-domain Identity Management (SCIM) allows you to automatically provision and manage users and groups in your DigiCert​​®​​ account from your identity provider (IdP).

When SCIM is enabled:

  • New users are automatically created when provisioned by your IdP.

  • Existing users whose usernames match users in your IdP are converted to SCIM-managed users.

  • User roles can be assigned and updated through IdP group membership.

How user matching works

When DigiCert receives a provisioning event from your IdP:

Scenario in your IdP

Scenario in your DigiCert account

Result in DigiCert account

Username exists

Same username does not exist in your DigiCert account

A new user is created.

Username exists

Same username exists in a different DigiCert account

The provisioning request is rejected.

Username exists

Same username exists in your DigiCert account

The user is converted to a SCIM-managed user and is managed by your IdP.

Importante

When you enable SCIM for an account with manually created users:

  • Any existing users whose usernames match users in your IdP will become managed by the Identity provider.

  • After conversion, user role management should be handled through IdP group assignments.

Prerequisites

Before configuring SCIM in DigiCert® account:

  • Have administrator access to your company's IdP service, such as Microsoft Entra, Okta, Google Workspace, or other user management service.

  • Have administrator user role in DigiCert​​®​​ account.

Step 1: Enable SCIM provisioning in DigiCert® account

Before configuring your IdP, you must enable SCIM provisioning in DigiCert​​®​​ account and generate the connection details required by your IdP.

  1. In DigiCert​​®​​ account, select Accounts () > Identity and access.

  2. In the User lifecycle section, select Automated user provisioning with SCIM.

  3. In the Enable users and group sync section, switch to enable SCIM provisioning.

  4. Under SCIM base URL, select Copy.

  5. Select Generate token.

    1. Select how long the token should remain valid.

    2. Select Generate token.

    3. Under Token, select Copy.

    4. Select Done.

Sugerencia

Keep the SCIM base URL and token available. You will use them when configuring SCIM in your IdP.

Step 2: Configure SCIM in your IdP

Configuration steps differ by IdP. For best results, follow the documentation for your provider:

If your IdP is not listed, select Provide feedback at the bottom of this page and tell us which provider you would like documented next.

Troubleshooting

The following issues may occur during automated user provisioning with SCIM:

IdP groups are not showing in DigiCert

Problem

IdP groups are not appearing in your DigiCert account.

Cause

Synchronization timing varies by provider:

  • Microsoft Entra runs on approximately a 40-minute sync cycle.

  • Okta syncs immediately.

Solution

  • If using Microsoft Entra, wait up to 40 minutes for changes to appear.

  • If using Okta and groups are still missing, contact your account manager or DigiCert Support.

IdP groups do not match groups in DigiCert

Problem

Groups in your IdP do not match what appears in your DigiCert account.

Cause

Synchronization timing varies by provider:

  • Microsoft Entra runs on approximately a 40-minute sync cycle.

  • Okta syncs immediately.

Solution

  • If using Microsoft Entra, wait up to 40 minutes for changes to appear.

  • If using Okta and groups are still missing, contact your account manager or DigiCert Support.

A user has more roles than assigned by their SCIM group

Problem

A user has more roles than those defined by their SCIM group.

Cause

This can happen for two reasons:

  1. The user existed before SCIM was enabled and already had roles assigned. When SCIM was enabled and the username matched in the IdP:

    1. The user was converted to a SCIM-managed user.

    2. SCIM group roles were added.

    3. Previously assigned roles were not removed to avoid workflow disruption.

  2. An account administrator manually assigned additional roles beyond those defined in the SCIM group.

Solution

  • Remove any manually assigned roles directly from the user if they are no longer needed.

  • Roles assigned through a SCIM group cannot be edited at the user level. To change those roles:

    • Update the SCIM group configuration in your IdP, or

    • Remove the user from the current SCIM group and assign them to a different group with the appropriate roles.

En esta sección: