SCIM provisioning
Connect your identity provider over SCIM 2.0 so joiners, changes, and leavers propagate without a human in the loop.
What SCIM gives you
- New hires are provisioned automatically — account created, profile populated.
- Attribute changes propagate from your directory within the IdP's sync cycle.
- Suspending a user in the IdP suspends them in The Quantum Club.
- Offboarding deprovisions the account; the profile is retained for audit.
The full endpoint and filter reference lives in the API section. This page covers setup and operations.
Tokens
Authentication uses a tenant-scoped bearer token in the format tqc_scim_<random>. Key properties:
- The plaintext is shown once at issuance; only a PBKDF2-SHA256 hash is stored. Copy it immediately into your IdP.
- The tenant is resolved from the token, never from the URL — a misconfigured IdP cannot touch another tenant.
- Multiple unrevoked tokens per tenant are allowed, so rotation is overlap-free: issue the new token, swap it in the IdP, revoke the old one.
- Optional expiration dates are enforced; expired or revoked tokens receive 401.
Tokens are issued and revoked from the SCIM administration area at os.thequantumclub.com. Issuing and revoking tokens are step-up-protected operations — see MFA and sessions.
User lifecycle
| Directory action | Effect in The Quantum Club |
|---|---|
| Create | Account created and activated; SCIM attributes mapped to the profile |
| Update | Name, email, and external ID changes applied |
| Suspend (active: false) | Account suspended; sign-in blocked |
| Reactivate (active: true) | Account restored |
| Deprovision (DELETE) | SCIM binding removed, account suspended; profile retained for audit. Subsequent SCIM reads return 404 |
Groups are recorded with their memberships. Group membership does not currently grant roles automatically.
Filter examples
The list endpoints accept the filter subset that mainstream IdPs emit:
userName eq "alice@acme.com"
externalId eq "00u1abcd2EFGHIJKL345"
active eq false
emails[type eq "work"].value eq "alice@acme.com"
Unsupported filters return 400 with scimType: invalidFilter — switch your IdP's matching attribute to userName or externalId.
Connect your identity provider
In Okta, on your app integration, open Provisioning → Configure API Integration → Enable API integration. Set the base URL to the SCIM users endpoint and paste the token, then select Test API Credentials — expect a 200 with an empty list. On Provisioning → To App, enable Create Users, Update User Attributes, and Deactivate Users. Okta's default attribute mappings work without changes. Assigned users are pushed within about 30 seconds.
In Entra ID, on the enterprise application, open Provisioning → Mode: Automatic. Enter the SCIM users endpoint as the tenant URL and the token as the secret, then run Test Connection. Keep the default attribute mappings; confirm objectId maps to externalId and mail to the primary email. Set Provisioning Status to On. The initial sync runs in roughly 10 minutes; subsequent cycles run on Entra ID's fixed ~40-minute interval.
Google Workspace does not provide a native SCIM client for custom applications. Route provisioning through a SCIM-capable proxy or middleware that speaks SCIM 2.0 to the endpoints documented in the API reference. SSO itself works natively — see SSO.
Monitor synchronization
Every SCIM call is recorded in a sync log with operation, resource, status, and latency, with secrets redacted from stored payloads. The log is retained for 90 days and is browsable in the SCIM administration area, with filtering and full-payload drill-down. Every mutation also produces a security audit event.
A user provisioned into more than one tenant is suspended platform-wide if any connected IdP deprovisions them. Agree handling for shared users before connecting overlapping directories.
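A triage pass over sync-log entries, as an added example that is not part of the product's own tooling: it flags 401 responses (an expired or revoked token still configured in the IdP), 400 responses with invalidFilter, and bursts of suspensions or deprovisions worth reviewing before they reach shared users. The record key names, the ts field, the simplified payload and the burst thresholds are assumptions; the page only names the logged fields.

```python
from collections import deque

# Constructed sample entries. The page names the recorded fields (operation,
# resource, status, latency); the key names, the "ts" epoch-seconds field,
# "scim_type" and the reduced "payload" shape are assumptions for this example.
SAMPLE_LOG = [
    {"ts": 1000, "operation": "GET", "resource": "Users", "status": 200, "latency_ms": 38},
    {"ts": 1010, "operation": "GET", "resource": "Users", "status": 400, "latency_ms": 12,
     "scim_type": "invalidFilter"},
    {"ts": 1020, "operation": "PATCH", "resource": "Users/u1", "status": 200, "latency_ms": 55,
     "payload": {"active": False}},
    {"ts": 1030, "operation": "DELETE", "resource": "Users/u2", "status": 204, "latency_ms": 61},
    {"ts": 1040, "operation": "DELETE", "resource": "Users/u3", "status": 204, "latency_ms": 59},
    {"ts": 5000, "operation": "GET", "resource": "Users", "status": 401, "latency_ms": 9},
]


def is_leaver(entry):
    """True for a successful suspend (active: false) or deprovision (DELETE) of a user."""
    succeeded = 200 <= entry["status"] < 300
    suspended = entry.get("payload", {}).get("active") is False
    on_user = entry["resource"].startswith("Users")
    return succeeded and on_user and (entry["operation"] == "DELETE" or suspended)


def triage(entries, burst=3, window=300):
    """Return (ts, finding) pairs in time order.

    burst/window: flag when `burst` leaver operations land within `window` seconds.
    """
    findings, recent = [], deque()
    for entry in sorted(entries, key=lambda e: e["ts"]):
        if entry["status"] == 401:
            # Expired or revoked token: the IdP was not switched during rotation.
            findings.append((entry["ts"], "token-rejected"))
        elif entry["status"] == 400 and entry.get("scim_type") == "invalidFilter":
            # IdP matches on an unsupported attribute; use userName or externalId.
            findings.append((entry["ts"], "unsupported-filter"))
        if is_leaver(entry):
            recent.append(entry["ts"])
            while recent[0] < entry["ts"] - window:
                recent.popleft()  # drop leaver events older than the window
            if len(recent) == burst:
                findings.append((entry["ts"], "leaver-burst"))
    return findings


if __name__ == "__main__":
    for ts, finding in triage(SAMPLE_LOG):
        print(ts, finding)
```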
The integration is working when your IdP's connection test returns 200, a test user appears after assignment, suspension in the directory blocks sign-in, and the sync log shows the operations you expect.

