Configure inbound SCIM provisioning
Time: ~15 min · Prereqs:
- Admin access to your Kevra Identity tenant in the Kevra console
- Admin access to your IdP (Okta, Entra ID, or Google Workspace)
- Permission to create a SCIM application in your IdP
What you'll set up
Your IdP pushes user accounts into your Kevra Identity realm over SCIM 2.0. New users in the IdP appear in your realm within seconds. Profile updates and deactivations propagate automatically. You stop maintaining users in two places.
Before you begin
- Sign in to the Kevra console at app.kevra.io and confirm you can open your Identity tenant.
- Sign in to your IdP's admin console.
- Decide which group of users to start with. SCIM pushes only the users assigned to the SCIM application in your IdP, so start with a small test group and widen later.
Step 1: Enable inbound SCIM in the Kevra console
- In the Kevra console, open your Identity tenant detail page (Deployments, then click your tenant).
- Scroll to the Identity sync (SCIM 2.0) section.
- In the Inbound SCIM panel, click Enable inbound SCIM.
- A token reveal box appears with your bearer token. Copy it now and store it in your IdP and a password manager. It will not be shown again. If you lose it, click Rotate token to generate a new one (the previous token stops working immediately).
- Above the buttons, copy the SCIM base URL. It looks like one of:
- With a custom domain: https://your-domain.example.com/realms/your-realm/scim/v2
- Without a custom domain: https://identity-0.kevra.app/realms/your-realm/scim/v2
The status badge changes to Enabled.
Step 2: Configure your IdP to push to the SCIM endpoint
Okta
- In the Okta admin console, go to Applications, then Browse App Catalog, and add SCIM 2.0 Test App (Header Auth). (The exact integration name varies; any "SCIM 2.0, Header Auth" template works.)
- On the General tab, paste your SCIM base URL into SCIM connector base URL.
- Set Unique identifier field for users to userName.
- Under Supported provisioning actions, enable Push New Users, Push Profile Updates, and Push User Deactivation.
- Authentication mode: HTTP Header. Configure:
- Base URL: your SCIM base URL from Step 1
- API Token: Bearer YOUR_TOKEN (the literal word Bearer, a space, then the plaintext token from Step 1)
- Click Test Connector Configuration. All checks should be green.
- Save.
- On the Provisioning tab, click To App, then enable Create Users, Update User Attributes, and Deactivate Users.
- On the Assignments tab, assign your test group or test users.
- Click Provisioning, then Push Users, then Push Now to send the initial batch.
Entra ID
- In the Entra admin center, go to Enterprise applications, then New application, then Create your own application, and pick Integrate any other application you don't find in the gallery (Non-gallery).
- Open the new app, go to Provisioning, and switch Provisioning Mode to Automatic.
- Set Tenant URL to your SCIM base URL from Step 1.
- Set Secret Token to your plaintext token from Step 1 (no Bearer prefix; Entra adds it automatically).
- Click Test Connection. You should see a success banner.
- Save, then under Mappings confirm Provision Azure Active Directory Users is enabled. Leave the default attribute mappings unless you have specific needs.
- Under Settings, set Scope to Sync only assigned users and groups for a controlled rollout.
- Assign test users from the Users and groups tab.
- Set Provisioning Status to On and save. The first cycle runs within ~40 minutes; force it sooner with Provision on demand.
Google Workspace does not natively push SCIM. Use one of:
- A SCIM connector marketplace app, configured with the SCIM base URL and bearer token as above.
- A workflow tool (Workato, Tray.io, Okta Workflows) that reads Google Workspace events and POSTs to the SCIM endpoint.
Configure your chosen connector with:
- Base URL: your SCIM base URL from Step 1
- API Token: Bearer YOUR_TOKEN (literal Bearer prefix included)
- Unique identifier: userName
Step 3: Verify users appear in your realm
- From the tenant detail page, click Open Admin Console (top right) to open the Keycloak realm admin console for your tenant.
- Go to Users in the left nav.
- Refresh after the IdP's first provisioning cycle completes. Test users from your IdP assignment should appear.
- Click a user. Confirm email, firstName, and lastName match your IdP record. The user should also have the scim-managed realm role on the Role mappings tab.
- To verify deactivation: disable a test user in your IdP, wait for the next provisioning cycle, and confirm the user is shown as Disabled in your realm.
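The following is an added offline example, not Kevra's or any IdP's own code, covering the Step 2 token fields and the Step 3 checks: it shows the Authorization header the realm actually receives for what you type into Okta versus Entra (the Bearer prefix difference), builds a constructed SCIM 2.0 User resource like the one an IdP POSTs to the base URL's /Users path, flags the attributes whose absence produces the "missing fields" symptom, and maps active=false to a disabled realm user. Nothing is sent over the network; the token value is a placeholder.

```python
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
REQUIRED = ("userName", "emails")  # the two attributes this page calls required

def authorization_header(field_value: str, idp: str) -> str:
    """Authorization header the realm receives for the value typed into the IdP.
    Okta's API Token field must hold the literal 'Bearer ' prefix; Entra's
    Secret Token field takes the bare token and prepends the prefix itself."""
    if idp == "okta":
        if not field_value.startswith("Bearer "):
            raise ValueError("Okta API Token must be 'Bearer <token>'")
        return field_value
    if idp == "entra":
        if field_value.startswith("Bearer "):
            raise ValueError("Entra Secret Token must be the bare token")
        return f"Bearer {field_value}"
    raise ValueError(f"unknown IdP: {idp}")

def scim_user(user_name, email, first=None, last=None, active=True) -> dict:
    """Constructed SCIM 2.0 User resource, shaped like an IdP's POST /Users body."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": first, "familyName": last},
        "emails": [{"value": email, "primary": True}],
        "active": active,
    }

def missing_attributes(resource: dict) -> list:
    """Attributes absent from a push; a non-empty list is the 'missing fields' case."""
    missing = [a for a in REQUIRED if not resource.get(a)]
    name = resource.get("name") or {}
    missing += [f"name.{a}" for a in ("givenName", "familyName") if not name.get(a)]
    return missing

def to_realm_user(resource: dict) -> dict:
    """Map the resource onto the fields Step 3 checks in the realm admin console.
    A deactivation push carries active=false, which must end up as enabled=False."""
    emails = resource.get("emails") or []
    primary = next((e["value"] for e in emails if e.get("primary")), None)
    name = resource.get("name") or {}
    return {
        "username": resource["userName"],
        "email": primary or (emails[0]["value"] if emails else None),
        "firstName": name.get("givenName"),
        "lastName": name.get("familyName"),
        "enabled": bool(resource.get("active", True)),
    }
```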
Rotating or disabling SCIM
In the Kevra console, on the same tenant detail page:
- Rotate token: click Rotate token in the Inbound SCIM panel. A modal asks you to confirm; on confirm, a fresh token appears (one-time reveal). Update your IdP with the new value before its next provisioning cycle. The previous token stops working immediately.
- Disable: click Disable. The realm stops accepting SCIM requests. Your IdP will see 401 on every push until you re-enable.
Troubleshooting
Test Connection fails with 401 Unauthorized
The token in your IdP does not match what is stored on the realm. Re-paste the token, ensuring you include the Bearer prefix in Okta's API Token field (Entra does not need it). If unsure, click Rotate token in the Kevra console to issue a fresh token and update the IdP.
Test Connection succeeds but users do not appear
Users are not assigned to the SCIM app in your IdP. Okta and Entra only push assigned users. In Okta, also confirm provisioning To App is enabled.
Users push but show missing fields in Kevra
Attribute mappings on your IdP do not include the field. Email and userName are required; first name and last name are commonly mapped. Add them in the IdP's SCIM mapping UI.
Deactivation in IdP does not disable the user in Kevra
Your IdP must be configured to push deactivation, not just unassignment. In Okta, Push User Deactivation must be enabled. In Entra, the user must be soft-deleted or unassigned with Deprovisioning mappings active.