Enable automated user provisioning with SCIM
System for Cross-domain Identity Management (SCIM) allows you to automatically provision and manage users and groups in your DigiCert® account from your identity provider (IdP).
When SCIM is enabled:
New users are automatically created when provisioned by your IdP.
Existing users whose usernames match users in your IdP are converted to SCIM-managed users.
User roles can be assigned and updated through IdP group membership.
How user matching works
When DigiCert receives a provisioning event from your IdP:
Scenario in your IdP | Scenario in your DigiCert account | Result in DigiCert account |
|---|---|---|
Username exists | Same username does not exist in your DigiCert account | A new user is created. |
Username exists | Same username exists in a different DigiCert account | The provisioning request is rejected. |
Username exists | Same username exists in your DigiCert account | The user is converted to a SCIM-managed user and is managed by your IdP. |
重要
When you enable SCIM for an account with manually created users:
Any existing users whose usernames match users in your IdP will become managed by the Identity provider.
After conversion, user role management should be handled through IdP group assignments.
Prerequisites
Before configuring SCIM in DigiCert® account:
Have administrator access to your company's IdP service, such as Microsoft Entra, Okta, Google Workspace, or other user management service.
Have administrator user role in DigiCert® account.
Step 1: Enable SCIM provisioning in DigiCert® account
Before configuring your IdP, you must enable SCIM provisioning in DigiCert® account and generate the connection details required by your IdP.
DigiCert® account で、[アカウント]アイコンから[Sign-in methods]を選択します。
In the User lifecycle section, select Automated user provisioning with SCIM.
In the Enable users and group sync section, switch to enable SCIM provisioning.
Under SCIM base URL, select Copy.
Select Generate token.
Select how long the token should remain valid.
Select Generate token.
Under Token, select Copy.
Select Done.
ヒント
Keep the SCIM base URL and token available. You will use them when configuring SCIM in your IdP.
Step 2: Configure SCIM in your IdP
Configuration steps differ by IdP. For best results, follow the documentation for your provider:
If your IdP is not listed, select Provide feedback at the bottom of this page and tell us which provider you would like documented next.
Troubleshooting
The following issues may occur during automated user provisioning with SCIM:
Problem
IdP groups are not appearing in your DigiCert account.
Cause
Synchronization timing varies by provider:
Microsoft Entra runs on approximately a 40-minute sync cycle.
Okta syncs immediately.
Solution
If using Microsoft Entra, wait up to 40 minutes for changes to appear.
If using Okta and groups are still missing, contact your account manager or DigiCert Support.
Problem
Groups in your IdP do not match what appears in your DigiCert account.
Cause
Synchronization timing varies by provider:
Microsoft Entra runs on approximately a 40-minute sync cycle.
Okta syncs immediately.
Solution
If using Microsoft Entra, wait up to 40 minutes for changes to appear.
If using Okta and groups are still missing, contact your account manager or DigiCert Support.
Problem
A user has more roles than those defined by their SCIM group.
Cause
This can happen for two reasons:
The user existed before SCIM was enabled and already had roles assigned. When SCIM was enabled and the username matched in the IdP:
The user was converted to a SCIM-managed user.
SCIM group roles were added.
Previously assigned roles were not removed to avoid workflow disruption.
An account administrator manually assigned additional roles beyond those defined in the SCIM group.
Solution
Remove any manually assigned roles directly from the user if they are no longer needed.
Roles assigned through a SCIM group cannot be edited at the user level. To change those roles:
Update the SCIM group configuration in your IdP, or
Remove the user from the current SCIM group and assign them to a different group with the appropriate roles.