SCIM overview

SCIM (System for Cross-domain Identity Management) is an open, standardized protocol designed to simplify the automated exchange of user identity data between different systems.

The NetFoundry console supports SCIM, allowing corporate IdPs like Okta, Microsoft Entra ID, or Google Workspace to securely communicate with your network.

Purpose and function

The SCIM integration serves two primary purposes:

  • Automated provisioning: The IdP uses SCIM to automatically create new identities in your NetFoundry network whenever a user is added to a specific group.
  • Lifecycle management: The IdP automates updates and de-provisioning. If a user's name changes, or if they're disabled or removed from a group, it communicates that change to the NetFoundry controller via SCIM, ensuring the identity is immediately updated or deleted.

Identity synchronization and attributes

When identities are synced from the IdP, NetFoundry assigns attributes based on three primary sources:

  • IdP group membership: Attributes are created based on the group name.
  • Roles SCIM property: Attributes are assigned based on values in the roles list.
  • Entitlements SCIM property: Attributes are assigned based on values in the entitlements list.

The group name attribute is set when the identity is synced for the first time. This attribute won't be updated in NetFoundry if the group name is changed in the IdP later on.

Identity mapping and configuration

When you create or edit a SCIM integration, you define the rules for how the IdP "handshakes" with the NetFoundry platform.

Automating authentication setup

A key benefit of SCIM is its ability to automatically configure the authentication requirements for every identity it creates:

  • Auth policy mapping: SCIM assigns an auth policy to each identity. This determines which security rules apply when the user connects. While the default policy is recommended for most users, you can select custom policies here.
  • External ID mapping: To allow users to log in via OIDC/SAML, SCIM automatically sets the external ID on the identity. This value must match a claim in the JWT provided by the IdP. Options include: user name, primary email, or a custom mapping.
Info: The combination of an auth policy and an external ID allows the NetFoundry controller to validate a user against your JWT signers. Without these being correctly mapped via SCIM, synced users are created but can't authenticate.

Mapping fields

  • Identity name: Determines which IdP field (e.g., display name or username) becomes the primary name of the identity in the NetFoundry console.
  • Auth policy: Sets the specific authentication policy applied to all identities provisioned through this integration.
  • External ID: Defines the field used to match the identity to the JWT claim during authentication.
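The following Python script is an added illustration of the attribute sources (group name, roles, entitlements) and the three mapping fields described above; it is not NetFoundry code. The SCIM user resource is constructed with RFC 7643 attribute names and made-up values, the MAPPING dict and the "group attributes are frozen after the first sync" model are this example's own assumptions about how the console applies the rules, and can_authenticate() stands in for the controller-side check that the external ID must match a JWT claim.

```python
# Added illustration of the SCIM-to-identity mapping described above.
# Not NetFoundry's code: the mapping dict, record layout and the
# "frozen group attribute" model are this example's own assumptions.
import copy
import json

# Constructed SCIM 2.0 User resource (RFC 7643 attribute names, made-up values).
# Group membership is embedded in "groups" here for simplicity; real IdPs also
# manage membership through the /Groups endpoint.
SAMPLE_SCIM_USER = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "jdoe@example.com",
  "displayName": "Jane Doe",
  "active": true,
  "emails": [
    {"value": "jane.doe@example.com", "primary": true},
    {"value": "jdoe@example.org", "primary": false}
  ],
  "groups": [{"value": "g-finance", "display": "finance-users"}],
  "roles": [{"value": "auditor"}],
  "entitlements": [{"value": "vpn-access"}]
}""")

# Hypothetical mapping configuration mirroring the console's three mapping fields.
MAPPING = {
    "identity_name": "displayName",   # SCIM field that becomes the identity name
    "auth_policy": "default",         # auth policy applied to every synced identity
    "external_id": "primary_email",   # "user_name", "primary_email" or a callable
}


def primary_email(user):
    """Return the SCIM email marked primary, or None if there is none."""
    for entry in user.get("emails", []):
        if entry.get("primary"):
            return entry.get("value")
    return None


def resolve_external_id(user, mode):
    """Pick the value that must later match a claim in the IdP's JWT."""
    if mode == "user_name":
        return user.get("userName")
    if mode == "primary_email":
        return primary_email(user)
    if callable(mode):                # custom mapping supplied by the operator
        return mode(user)
    raise ValueError(f"unknown external ID mapping: {mode!r}")


def sync_identity(user, mapping, existing=None):
    """Build (first sync) or refresh (later sync) an identity record from a SCIM user.

    Role and entitlement attributes are recomputed on every sync; group-name
    attributes are set only on the first sync and kept as-is afterwards, matching
    the behaviour described on the page.
    """
    identity = {
        "name": user.get(mapping["identity_name"]) or user.get("userName"),
        "auth_policy": mapping["auth_policy"],
        "external_id": resolve_external_id(user, mapping["external_id"]),
        "enabled": bool(user.get("active", True)),
        "role_attributes": sorted(r["value"] for r in user.get("roles", [])),
        "entitlement_attributes": sorted(e["value"] for e in user.get("entitlements", [])),
    }
    if existing is None:
        identity["group_attributes"] = sorted(
            g["display"] for g in user.get("groups", []) if g.get("display"))
    else:
        identity["group_attributes"] = list(existing["group_attributes"])
    return identity


def all_attributes(identity):
    """Flatten the three attribute sources into one sorted list."""
    return sorted(set(identity["group_attributes"])
                  | set(identity["role_attributes"])
                  | set(identity["entitlement_attributes"]))


def can_authenticate(identity, jwt_claims, claim="email"):
    """Controller-side check: a synced identity only authenticates when it is
    enabled and its external ID equals the configured JWT claim."""
    ext = identity["external_id"]
    return identity["enabled"] and ext is not None and jwt_claims.get(claim) == ext


def demo():
    """First sync, then a second sync after the IdP renames the group and adds a role."""
    first = sync_identity(SAMPLE_SCIM_USER, MAPPING)
    renamed = copy.deepcopy(SAMPLE_SCIM_USER)
    renamed["groups"][0]["display"] = "finance-team"
    renamed["roles"].append({"value": "approver"})
    second = sync_identity(renamed, MAPPING, existing=first)
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first sync attributes: ", all_attributes(first))
    print("second sync attributes:", all_attributes(second))
    print("authenticates:", can_authenticate(first, {"email": "jane.doe@example.com"}))
```

Running demo() shows the second sync picking up the new "approver" role while the group-derived attribute stays "finance-users" despite the rename in the IdP. A user whose SCIM record has no primary email ends up with no external ID under the primary_email mapping, and can_authenticate() then returns False for every token, which is the "created but can't authenticate" case the info box warns about.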

Console reference

SCIM table

The SCIM tab lists all configured integration endpoints. From this view, you can create new integrations or select an existing one to edit its mappings and rotate tokens.

  • Name: The unique, user-defined name of the SCIM integration instance.
  • Has Auth Token: Indicates whether a valid authorization token has been configured.
  • Integration URL: The specific URL endpoint provided by NetFoundry that the IdP must use to send provisioning requests.
  • ID: The unique, system-assigned ID (UUID) assigned to the integration instance.