Knowi supports SCIM 2.0 (System for Cross-domain Identity Management) for automated user and group provisioning from your Identity Provider. SCIM provisioning is configured alongside your existing SAML SSO setup - both live under the same External Auth configuration in Knowi. Users provisioned via SCIM can log in using SAML SSO, and SAML attributes (role, contentFilter, dashboardUrl) continue to apply on login.
What SCIM adds beyond JIT (Just-in-Time) SAML provisioning:
- Pre-create users in Knowi before their first login
- Auto-deactivate users when removed from the IdP app assignment
- Real-time group membership sync (JIT-only applies changes on next login)
SCIM provisioning is available for any IdP that supports outbound SCIM 2.0, including Microsoft Entra ID and Okta.
Supported SCIM Operations
| Endpoint | Operation | Description |
|---|---|---|
| POST /scim/v2/Users | Create user | Creates a new Knowi user when assigned in the IdP. |
| GET /scim/v2/Users | List / filter users | Used by the IdP for reconciliation. |
| GET /scim/v2/Users/{id} | Read user | Retrieves a single user by SCIM ID. |
| PUT /scim/v2/Users/{id} | Replace user | Full replacement of user attributes. |
| PATCH /scim/v2/Users/{id} | Partial update | Updates specific attributes - used heavily by Entra for status changes (e.g. active=false to deactivate). |
| DELETE /scim/v2/Users/{id} | Deactivate user | Soft-deactivates the Knowi user (does not permanently delete). |
| POST/GET/PUT/PATCH/DELETE /scim/v2/Groups | Group CRUD | Create, read, update, and delete groups. PATCH handles member add/remove. |
SCIM Attribute Mapping
| SCIM Attribute | Knowi Field | Notes |
|---|---|---|
| userName / emails[primary].value | userEmail | Primary identifier for the user. |
| externalId | loginId | IdP-side identifier used for reconciliation. |
| displayName / name.formatted | loginName | Display name shown in Knowi. |
| active | enabled / disabled | Setting active=false deactivates the user in Knowi. |
| groups[] | Knowi group membership | Multi-valued; same stacking behavior as the SAML groups attribute. |
| urn:knowi:scim:role | role | Custom extension. Mirrors the SAML role attribute. |
| urn:knowi:scim:contentFilter | contentFilter | Custom extension. Row-level filter applied to the user. |
| urn:knowi:scim:dashboardUrl | dashboardUrl | Custom extension. Default dashboard for the user on login. |
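The two tables above describe the wire format and the Knowi fields it lands in. The Python below is an added example, not Knowi's own code: it maps a SCIM 2.0 User resource onto the fields in the attribute-mapping table (including the three urn:knowi:scim extension attributes) and applies the PATCH bodies an IdP sends for the cases in the operations table and the FAQ, active=false on de-assignment and member add/remove on Groups. The KnowiUser record, its field layout, the function names and the sample payloads are assumptions constructed for the example.

```python
"""Added example (not Knowi's own code): maps a SCIM 2.0 User resource onto the
Knowi fields in the attribute-mapping table and applies the PATCH operations an
IdP sends (active=false on de-assignment, member add/remove on Groups).
KnowiUser, its field layout and the function names are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
KNOWI_EXT = {  # Knowi custom extension attributes -> Knowi field
    "urn:knowi:scim:role": "role",
    "urn:knowi:scim:contentFilter": "contentFilter",
    "urn:knowi:scim:dashboardUrl": "dashboardUrl",
}

@dataclass
class KnowiUser:
    userEmail: str            # userName / emails[primary].value
    loginId: str              # externalId
    loginName: str            # displayName / name.formatted
    enabled: bool = True      # active
    groups: list = field(default_factory=list)
    role: Optional[str] = None
    contentFilter: Optional[str] = None
    dashboardUrl: Optional[str] = None

def _truthy(value) -> bool:  # Entra has sent "active" as a JSON bool and as the string "False"
    return value in (True, "true", "True")

def primary_email(resource: dict) -> str:
    # userName is the primary identifier; fall back to the primary email entry
    if resource.get("userName"):
        return resource["userName"]
    for entry in resource.get("emails", []):
        if entry.get("primary") and entry.get("value"):
            return entry["value"]
    raise ValueError("SCIM User has neither userName nor a primary email")

def from_scim_user(resource: dict) -> KnowiUser:
    """Build the Knowi record that a POST /scim/v2/Users body would create."""
    email = primary_email(resource)
    user = KnowiUser(
        userEmail=email,
        loginId=resource.get("externalId", ""),
        loginName=resource.get("displayName") or resource.get("name", {}).get("formatted") or email,
        enabled=_truthy(resource.get("active", True)),
        groups=[g.get("display") or g["value"] for g in resource.get("groups", [])],
    )
    for urn, attr in KNOWI_EXT.items():
        if urn in resource:
            setattr(user, attr, resource[urn])
    return user

def _set_attr(user: KnowiUser, path: str, value) -> None:
    if path == "active":
        user.enabled = _truthy(value)
    elif path == "displayName":
        user.loginName = value
    elif path in KNOWI_EXT:
        setattr(user, KNOWI_EXT[path], value)
    else:
        raise ValueError(f"unsupported PATCH path: {path}")

def apply_user_patch(user: KnowiUser, patch: dict) -> KnowiUser:
    """Apply a SCIM PatchOp (RFC 7644 section 3.5.2) to a user record."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("body is not a SCIM PatchOp")
    for op in patch["Operations"]:
        kind, path, value = op["op"].lower(), op.get("path"), op.get("value")
        if path is None and isinstance(value, dict):  # no path: value carries the attributes
            for attr, val in value.items():
                _set_attr(user, attr, val)
        elif kind in ("add", "replace"):
            _set_attr(user, path, value)
        else:
            raise ValueError(f"unsupported PATCH op: {op['op']}")
    return user

def apply_group_patch(members: set, patch: dict) -> set:
    """Apply member add/remove operations from PATCH /scim/v2/Groups/{id}."""
    members = set(members)
    for op in patch["Operations"]:
        kind, path = op["op"].lower(), op.get("path", "")
        if kind == "add" and path == "members":
            members |= {m["value"] for m in op["value"]}
        elif kind == "remove" and path.startswith('members[value eq "'):
            members.discard(path.split('"')[1])  # path is members[value eq "<id>"]
        elif kind == "remove" and path == "members":
            members -= {m["value"] for m in op.get("value", [])}
    return members

# Constructed sample payloads (not captured from a real IdP)
SAMPLE_USER = {
    "userName": "jane.doe@example.com", "displayName": "Jane Doe", "active": True,
    "externalId": "00000000-0000-4000-8000-000000000001",
    "groups": [{"value": "grp-analysts", "display": "Analysts"}],
    "urn:knowi:scim:role": "viewer", "urn:knowi:scim:contentFilter": "region = 'EMEA'",
}
DEACTIVATE_PATCH = {"schemas": [PATCH_SCHEMA],
                    "Operations": [{"op": "Replace", "path": "active", "value": False}]}
GROUP_PATCH = {"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "Add", "path": "members", "value": [{"value": "user-2"}]},
    {"op": "Remove", "path": 'members[value eq "user-1"]'}]}
```

Two details are worth noting when you read provisioning logs against this: Entra has historically sent `active` as the string `"False"` rather than a JSON boolean, and it sometimes sends a `replace` with no `path` and the attributes inside `value`, so a handler that only accepts `{"op":"replace","path":"active","value":false}` will silently leave users enabled.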
Bearer Token Authentication
SCIM provisioning uses Bearer token authentication. Each Knowi customer account has a dedicated SCIM token issued from the External Auth admin UI alongside the existing SAML configuration.
To generate a SCIM bearer token:
- Navigate to Settings - External Auth.
- Open your SAML SSO configuration.
- In the SCIM Provisioning section, click Generate Token.
- Copy the token and store it securely - it will not be shown again.
- To rotate the token, click Regenerate Token. The old token is immediately invalidated.
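The steps above generate and rotate the token; the Python below is an added illustration, not Knowi's implementation, of the server-side handling those steps imply: accept only a well-formed Authorization: Bearer header, compare the presented token in constant time, store only a digest of the token (so it can only ever be shown once), and drop the previous digest on regeneration so the old token stops working immediately. ScimTokenStore, its methods and the account ids are assumptions made for the example.

```python
"""Added example (not Knowi's own code): minimal bearer-token handling for a
SCIM endpoint, matching the behaviour the token UI describes. The token is
shown once because only its SHA-256 digest is kept; regenerating overwrites
that digest, which is what invalidates the previous token at once.
ScimTokenStore and its methods are assumptions."""
import hashlib
import hmac
import secrets
from typing import Optional


class ScimTokenStore:
    """One active SCIM token per customer account (assumed model)."""

    def __init__(self) -> None:
        self._digests: dict = {}  # account id -> SHA-256 digest of the current token

    def generate(self, account_id: str) -> str:
        """Return a fresh token; only its digest is stored, so it is shown once."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._digests[account_id] = hashlib.sha256(token.encode()).digest()
        return token

    def regenerate(self, account_id: str) -> str:
        # Overwriting the stored digest is what invalidates the previous token
        return self.generate(account_id)

    def authenticate(self, authorization_header: Optional[str]) -> Optional[str]:
        """Return the account id the presented bearer token belongs to, else None."""
        scheme, _, presented = (authorization_header or "").strip().partition(" ")
        presented = presented.strip()
        if scheme.lower() != "bearer" or not presented:
            return None
        digest = hashlib.sha256(presented.encode()).digest()
        for account_id, stored in self._digests.items():
            if hmac.compare_digest(stored, digest):  # constant-time comparison
                return account_id
        return None


def rotation_demo() -> dict:
    """Show that regeneration invalidates the previous token immediately."""
    store = ScimTokenStore()
    old = store.generate("acct-1")
    before = store.authenticate(f"Bearer {old}")
    new = store.regenerate("acct-1")
    return {
        "old_before_rotation": before,
        "old_after_rotation": store.authenticate(f"Bearer {old}"),
        "new_after_rotation": store.authenticate(f"Bearer {new}"),
        "wrong_scheme": store.authenticate(f"Basic {new}"),
        "missing_header": store.authenticate(None),
    }
```

Because the IdP holds the plaintext token, rotating it in Knowi without updating the Entra or Okta provisioning credentials at the same time makes every subsequent sync fail with an authentication error until the new token is pasted in; plan the two changes together.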
Configure SCIM with Microsoft Entra ID
Prerequisites: SAML SSO between Entra and Knowi must be configured and working. Entra requires SAML for authentication even when SCIM handles provisioning.
- In the Azure portal, open Microsoft Entra ID - Enterprise Applications and select your Knowi app.
- Go to Provisioning and set Provisioning Mode to Automatic.
- Under Admin Credentials, enter:
  - Tenant URL: https://www.knowi.com/scim/v2
  - Secret Token: Your Knowi SCIM bearer token.
- Click Test Connection to verify Entra can reach the endpoint.
- Under Mappings, configure attribute mappings. Entra's default SCIM mappings cover standard attributes. For Knowi custom attributes, add mappings to the urn:knowi:scim:role, urn:knowi:scim:contentFilter, and urn:knowi:scim:dashboardUrl extension attributes.
- Set Provisioning Status to On and click Save.
- Entra will run an initial sync cycle. Monitor progress under Provisioning logs in the Azure portal.
Entra attribute mapping reference:
| Entra Attribute | SCIM Attribute |
|---|---|
| userPrincipalName | userName |
| | emails[type eq "work"].value |
| objectId | externalId |
| displayName | displayName |
| accountEnabled | active |
| [extension attribute or app role] | urn:knowi:scim:role |
Configure SCIM with Okta
Prerequisites: SAML SSO between Okta and Knowi must be configured and working.
- In the Okta Admin Console, open your Knowi app integration.
- Go to the Provisioning tab and click Configure API Integration.
- Check Enable API integration and enter:
  - Base URL: https://www.knowi.com/scim/v2
  - API Token: Your Knowi SCIM bearer token.
- Click Test API Credentials to verify the connection, then click Save.
- Under Provisioning to App, enable Create Users, Update User Attributes, and Deactivate Users.
- Assign users or groups to the Knowi app. Assigned users will be provisioned to Knowi on the next sync cycle.
SCIM FAQ
Can users provisioned via SCIM log in with SAML SSO?
Yes. SCIM handles provisioning; SAML handles authentication. They work together - a user provisioned via SCIM logs in via the SAML flow, and SAML attributes are applied on login.
What happens when a user is removed from the app in Entra or Okta?
Knowi receives a PATCH with active=false, which deactivates the user. The user can no longer log in, but their data is preserved (soft-delete).
What happens to group membership changes?
Group changes are pushed to Knowi in real time via PATCH requests. Users do not need to log out and back in for group changes to take effect - this is the key advantage over JIT-only provisioning.
Does SCIM replace JIT provisioning?
No. JIT provisioning via SAML attributes continues to work for IdPs that do not support SCIM. SCIM and JIT can coexist; SCIM takes precedence for users it manages.