LIVE · AUDIT-CHAINED · EU-RESIDENT
SYSTEM · 99.99% UPTIME
v 1.0 ↗ MADE IN EU
Documentation

SCIM provisioning

Provision + deprovision NexBasira users from your identity provider via SCIM 2.0.

SCIM provisioning

NexBasira exposes a SCIM 2.0 endpoint at /api/scim/v2/ so your IdP can create, update, and deactivate users automatically when employees join, change roles, or leave the company. Per-org bearer-token auth, standard SCIM schemas, no surprises.

Before you start

  • SCIM is available on the Pro tier and above.
  • You already need SSO configured (see SSO setup). SCIM provisions users; SSO logs them in.
  • You need org_admin on the NexBasira side + permission to configure provisioning in your IdP.

Issue a SCIM token

  1. In the SPA: Admin → SCIM provisioning token.
  2. Click Issue token. The plaintext token is shown exactly once — copy it immediately.
  3. Note the SCIM base URL shown above the button: 
    https://app.nexbasira.com/api/scim/v2/

The token authenticates every SCIM call as that org. It's scoped + revocable independently of API credentials and SSO config.

Wire your IdP

Microsoft Entra ID (Azure AD)

  1. In the Entra admin centre, open your NexBasira Enterprise App.
  2. Provisioning → Get started → Provisioning Mode: Automatic.
  3. Tenant URL: https://app.nexbasira.com/api/scim/v2/
  4. Secret Token: paste the token from NexBasira.
  5. Click Test Connection. You should see "Tenant URL and Secret Token are valid".
  6. Map attributes (defaults work for the common case). Save.
  7. Assign users / groups + flip Provisioning Status to On.

Okta

  1. In Okta, open your NexBasira app.
  2. Provisioning → Configure API Integration → Enable API Integration.
  3. Base URL: https://app.nexbasira.com/api/scim/v2/
  4. API Token: paste the token.
  5. Click Test API Credentials; expect "API token verified".
  6. On the To App tab, enable Create / Update / Deactivate.
  7. Assign users / groups.

OneLogin / Google Workspace / Keycloak

All similar: enable SCIM provisioning on the NexBasira app, paste the base URL + token, test, assign. The endpoint conforms to RFC 7644, so any SCIM 2.0-compliant IdP works.

What gets provisioned

The SCIM endpoint exposes the standard Users + Groups resources. We don't currently expose custom Org-side roles via SCIM Groups — role assignment after first sign-in is managed in the SPA. SCIM creates the user; you set the role.

Supported operations

OperationEffect on NexBasira
POST /UsersCreates a User + Membership in your org with the configured default role.
PUT /Users/{id}Updates the user's name + email + active flag.
PATCH /Users/{id}Same — partial updates supported.
DELETE /Users/{id}Soft-deactivates the membership (sets active=false). Audit-trail rows preserved.
GET /UsersLists users in your org for IdP reconciliation.
GET /Users/{id}Reads one user.
GET /GroupsReturns the four system roles + any custom roles, for visibility only.

Attribute mapping (defaults)

SCIM attributeNexBasira field
userNameemail (lowercased)
emails[type=work].valueemail (fallback)
name.givenNamefirst_name
name.familyNamelast_name
activeMembership.is_active
externalIdstored on Membership for IdP correlation

Filtering

The endpoint supports the SCIM filter query param on userName + externalId, which is what IdPs use for reconciliation: 

GET /api/scim/v2/Users?filter=userName eq "alice@acme.com"
GET /api/scim/v2/Users?filter=externalId eq "azure-uid-12345"

More complex filters (and, or, co, etc.) aren't required by IdP integrations in our experience. Open a ticket if you hit a case.

Rotating the token

On the SCIM card in the SPA admin, click Rotate token. The plaintext is shown once + the old token is revoked immediately. Update your IdP with the new token before the next provisioning sweep or provisioning will start failing.

Revocation

Click Revoke on the SCIM card to immediately invalidate the active token. SCIM provisioning stops; existing users + memberships are untouched. Issue a new token to resume.

What this doesn't do

  • Doesn't grant API access — that's cvp_pub/cvp_sec.
  • Doesn't drive RBAC role assignment — SCIM Groups expose roles read-only; assign roles in the SPA.
  • Doesn't replace SSO — users still need SSO (or a password) to actually sign in. SCIM creates the account shell.

What's next

  • SSO setup — pair SCIM with OIDC / SAML for the full IdP-driven flow
  • Security posture — token-at-rest hashing + audit logging for SCIM calls