We use cookies on our website to analyze website usage and to help secure the website against misuse. Advertising and functional cookies are not used in our site or our web application products.
By clicking “Accept Essential Cookies Only”, you consent to us placing these cookies.
SCIM provisioning allows employee data to flow from your Identity Provider such as Microsoft Entra into other applications like xAssets. xAssets supports this protocol for both Custodian records and for User records.
xAssets supports SCIM from version 7.3.56. Many identity providers (IdPs) support SCIM including Entra ID, Okta, OneLogin, and DUO. These IdPs can now push users and groups into xAssets directly. There is now no need for a daily directory integration. Custodian records appear automatically when people join, are deactivated when they leave, and group memberships stay in sync as they change in the directory.
This article covers actions including creating a token, providing the identity provider with an xAssets API endpoint link, choosing the provisioning frequency, and viewing the actual results. The documentation for the process can be found in the SCIM Provisioning configuration guide.
Most xAssets customers already have user auto-provisioning. xAssets SSO auto-provisioning creates a Custodian and UserOptions row the moment a permitted user signs in for the first time, and the daily integration keeps department and manager fields in sync. SCIM is not really a replacement for these, instead it covers these specifics:
SSO auto-provision already creates users when they first login, so SCIM isn't needed for granting users access to your xAssets instance via SSO. Instead, SCIM covers the lifecycle from joining to leaving and de-provisioning. When a SCIM-provisioned user later signs in via SSO, the SSO path finds the Custodian (matched by email or UPN) and creates the User record linked to it. There is no conflict between these processes, so customers can run all three paths — SSO auto-provision, directory integration, and SCIM, at the same time.
SCIM tokens are bearer tokens scoped to /scim/v2/. They cannot be used against the standard
API endpoints, and standard API tokens cannot be used against SCIM.
To revoke a token:
Before changing the identity provider, test that the endpoint responds using CURL:
curl -sS https://customername.domain.xassets.net/scim/v2/ServiceProviderConfig
-H "Authorization: Bearer <your-token>"
-H "Accept: application/scim+json"
| Result Code | Meaning |
| 200 | Everything is working |
| 401 | Token is wrong or revoked |
| 403 | Token is valid but not a SCIM token (wrong user or wrong scope) |
The setup is similar across all identity providers — paste the SCIM URL, paste the token, assign users and groups, and then switch provisioning on. The Microsoft Entra ID flow is the most common and looks like this:
https://customername.domain.xassets.net/scim/v2Entra will run the integration within a few minutes, and then repeat on a schedule at approximately every 40 minutes.
Within a few minutes of switching provisioning on, Custodian rows appear in xAssets. Each row is populated from the SCIM resource:
department (the department row is auto-created if it does not exist)
When the identity provider deactivates a user (Entra sets active = false, or sends a SCIM DELETE),
xAssets sets the custodian status to "Left" and user's "Disabled" flag to true.
This means that historical assignments and audit history are retained.
xAssets stores SCIM groups in one of two tables depending on the displayName, which keeps a tenant with hundreds of Entra groups from polluting the xAssets user group tables.
A user in two permission groups (ADMINS, SAMMGRS) and two informational groups (VG-47, VG-103) ends up with Custodian.UserGroups = "ADMINS,SAMMGRS,VG-47,VG-103", and the alphabetically-first permission code (ADMINS) becomes their effective UserOptions.UserGroup.
By default, a SCIM POST creates a Custodian row only — not a UserOptions login account. The existing SSO logon process creates the User record on first login and links it to the Custodian by matching the email address.
For deployments where SCIM is the primary identity feed and users must have a usable login account before their
first sign-in — set the xAssets "SCIMCreateMode" option to value Both.
With Both set, a SCIM POST creates the Custodian and a paired User record in one operation. The systen maps
UserID from userName, FullName from displayName,
the password is auto-generated, and the DisabledFlag field in xAssets mirrors the SCIM "active" flag. The user can then login with SSO.
Every SCIM action is tracked into an audit trail. The system complies with SOC 2 and ISO 27001 evidence for granting and removing access. For example, a leaver removed in Entra at 09:00 has a corresponding "active set to false" entry in the xAssets audit log, with the timestamp and SCIM token's username attached. This provides auditors with a chain of events, from the initial directory event through to the xAssets custodian/user record update.
SCIM endpoints accept curl or Postman queries directly using the bearer token. A test can typically create a user, list users with a filter,
patch the user to active = false, or confirm the Custodian status flipped to "Left".
For documentation on testing SCIM provisioning without an identity provider, the
SCIM Provisioning covers using CURL and Postman to test.
SCIM provisioning accommodates provisioning users who do not login to xAssets, deactivating leavers in instantly, keeping group memberships in sync between sessions, and producing the audit trail for compliance. It also makes your xAssets instance a source-of-truth for employee data. Setup is simple and removes (or makes optional) the need to sync users with Entra or other identity providers.
Your identity provider knows when someone joins, leaves, changes role or moves between groups. SCIM is the protocol that lets the IdP push those changes into xAssets over HTTPS.
xAssets exposes a SCIM endpoint at /scim/v2/, the IdP authenticates with a bearer token,
and writes happen as the events occur in the directory. There is no polling and no scheduled job
to maintain on the xAssets side.
SSO auto-provisioning runs at login whereas SCIM runs continuously.
SSO gives you a User record the first time someone signs in. SCIM creates a Custodian for everyone in the directory, including people who never sign in.
Within minutes, the IdP tells xAssets the user is no longer active. xAssets sets the Custodian status to "Left", sets the Disabled flag on any matching User record, and runs the standard Custodian status workflow if you have offboarding actions configured.
The record is preserved. Asset assignments and audit history stay intact, and nothing is hard-deleted.
SCIM tokens can only perform actions within the SCIM endpoints. They cannot be used to login or to run API functionality.
If a token needs to be revoked, remove it from "Manage API Keys" and issue a new one. Tokens carry an expiry date, so they can be issued for a fixed period.
Only on fields that the IdP owns. Department, manager, title, email and group membership come from the directory and will be overwritten on the next provisioning cycle if you edit them in xAssets.
Asset assignments, custom fields and notes are not touched by SCIM. The rule of thumb is simple: if it lives in your directory, change it there.
No. SCIM matches incoming users to existing Custodians by externalId first, then by work email. If a record already exists for an employee, SCIM updates it instead of creating a second one.
Turning SCIM on for the first time starts the synchronisation process.
Yes. The daily Graph or LDAP integration and the SSO auto-provisioning at login both continue to work alongside SCIM. They write to the same Custodian table and the matching logic deduplicates across all three sources.
There is no conflict if you leave the daily integration running while you bed SCIM in.
Any IdP that speaks SCIM 2.0. The xAssets implementation conforms to RFC 7643 and RFC 7644 with bearer token authentication.
Microsoft Entra ID, Okta, OneLogin and DUO are the most common in production. Smaller and self-hosted IdPs that implement SCIM 2.0 will also work.
By default it creates a Custodian only. The matching User record is created when the person first signs in via SSO.
If you need login accounts created up front (for SCIM-only deployments without SSO, or to grant
admin access before first sign-in), set the SCIMCreateMode option to Both. SCIM will
then create the Custodian and a User account in one operation, with a generated password and the
Disabled flag mirroring the SCIM active flag.
Entra runs provisioning every 40 minutes by default, so a leaver is typically deactivated in xAssets within that time window. You can also trigger an on-demand provisioning cycle from the Entra Provisioning page, which gets the change across in under a minute.
Okta and OneLogin behave similarly. The on-demand button is the path to use when timing matters.
Free instances are free forever and can show demo data or your data.
