Skip to content

SSO SCIM Security Permissions

Minimum Security

  • SCIM endpoints require TLS 1.2+.

  • SCIM access key is treated as a secret. Rotate it regularly and store it securely.

SCIM Scopes Recommendation

  • Limit scopes to the minimum required for provisioning:

    • users:create, users:read, users:update, users:deactivate

    • groups:read, groups:update (if provisioning groups)

Rate Limits and Bulk Operations

  • Use batched pushes when supported by the IdP to avoid throttling.

  • Monitor SailPoint Entro SCIM logs for 429 or 5xx responses and act on rate-limit signals.

Audit and Logging

  • Log SCIM request IDs and response codes.

  • Alert on repeated failures or provisioning errors.

Recovery and Rotation

  • Coordinate SCIM key rotation with SailPoint Entro.

  • Maintain emergency manual provisioning paths for admins in case automated provisioning is disrupted.