# SCIM Integration

BastionXP supports SCIM version 2.0. Integrate BastionXP with your Identity Provider (IdP) using SCIM provisioning.

Manage all the users who have access to BastionXP and the users' group membership from a centralized IdP. You can provision users and groups from the identity provider into BastionXP, which functions as the SCIM service provider.

BastionXP can integrate with popular IdPs that support the SCIM protocol, such as Microsoft Entra (Azure Active Directory), Okta, Google Workspace, Keycloak, AWS IAM, etc.

# SCIM API

Identity providers can use a SCIM client to make RESTful API requests to the BastionXP SCIM server. After validating the API request, BastionXP performs actions requested by the identity providers on users or groups.

BastionXP authenticates SCIM API requests from identity providers through an OAuth Bearer token in the Authorization header of HTTP requests. The token is valid for a year. You must ensure your token is not expired when authenticating. If your token expires, you can generate a new access token from the BastionXP Web Portal as an admin user.

To push user and group information from your IdP to BastionXP, visit the SCIM provisioning configuration settings page of your IdP and supply the SCIM Tenant URL (for example, https://bastionxp.example.com/scim/v2) and the SCIM provisioning Secret Token obtained from the BastionXP web portal.
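The request shape an IdP's SCIM client produces can be checked offline with the following added example, which is not BastionXP code. The `/Users` path, the `application/scim+json` media type and the User schema URN come from the SCIM 2.0 RFCs (7643/7644). The 365-day token lifetime, the token value, the user name and the helper names are assumptions made for illustration.

```python
# Added example, not BastionXP code. Token, user and dates are constructed.
import json
from datetime import date, timedelta
from typing import Optional
from urllib.parse import urlsplit
from urllib.request import Request

TOKEN_LIFETIME = timedelta(days=365)  # assumption: "valid for a year" = 365 days
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643


def days_until_expiry(issued: date, today: date) -> int:
    """Days left on the token; zero or negative means it has expired."""
    return (issued + TOKEN_LIFETIME - today).days


def build_scim_request(tenant_url: str, token: str, method: str,
                       resource: str, body: Optional[dict] = None) -> Request:
    """Build (but do not send) a SCIM 2.0 request carrying the bearer token."""
    parts = urlsplit(tenant_url)
    # A bearer token is a replayable secret: refuse to put it on a plaintext URL.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SCIM tenant URL must be an https:// URL")
    # Pasted tokens often pick up a newline, which would corrupt the header.
    if not token or any(c.isspace() for c in token):
        raise ValueError("token is empty or contains whitespace")
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}",
               "Accept": "application/scim+json"}
    if data is not None:
        headers["Content-Type"] = "application/scim+json"
    url = tenant_url.rstrip("/") + "/" + resource.lstrip("/")
    return Request(url, data=data, headers=headers, method=method)


def sample_user(user_name: str, active: bool = True) -> dict:
    """Minimal SCIM core User resource (RFC 7643)."""
    return {"schemas": [USER_SCHEMA], "userName": user_name, "active": active}


if __name__ == "__main__":
    tenant = "https://bastionxp.example.com/scim/v2"  # example URL from the page
    token = "EXAMPLE-TOKEN-NOT-REAL"                   # constructed placeholder
    req = build_scim_request(tenant, token, "POST", "Users",
                             sample_user("alice@example.com"))
    print(req.get_method(), req.full_url)
    print("days left:", days_until_expiry(date(2023, 3, 1), date(2024, 2, 1)))
```

Recording the token's issue date when you generate it lets `days_until_expiry` drive a rotation reminder before the IdP's sync starts failing.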

Check the BastionXP Web Portal logs for SCIM users and groups synced from your IdP.

Note:

Some IdPs may not immediately sync user and group membership information to the SCIM service provider (BastionXP). They may delay by up to 30 to 40 minutes in order to batch the updates that need to be synced. You can manually push users and groups to BastionXP if your IdP provides that option.