SSO SCIM Security Permissions
Minimum Security
-
SCIM endpoints require TLS 1.2+.
-
SCIM access key is treated as a secret. Rotate it regularly and store it securely.
SCIM Scopes Recommendation
-
Limit scopes to the minimum required for provisioning:
-
users:create, users:read, users:update, users:deactivate
-
groups:read, groups:update (if provisioning groups)
-
Rate Limits and Bulk Operations
-
Use batched pushes when supported by the IdP to avoid throttling.
-
Monitor SailPoint Entro SCIM logs for 429 or 5xx responses and act on rate-limit signals.
Audit and Logging
-
Log SCIM request IDs and response codes.
-
Alert on repeated failures or provisioning errors.
Recovery and Rotation
-
Coordinate SCIM key rotation with SailPoint Entro.
-
Maintain emergency manual provisioning paths for admins in case automated provisioning is disrupted.