## SCIM configuration

### Enabling SCIM for self-service

To allow your end users to configure SCIM connections from the self-service portal, go to the builder and enable the SCIM Provisioning toggle, like so:

![scim](/assets/scim-builder.25406182a8359919053db60173f98b662696a3ed4d53c4e2f07a03ef0de2a6f4.ed513d11.png)

### Set authorization for SCIM

Once you have set up provisioning for your self-service portal, you need to decide which roles include the permissions to read, create, and delete provisioning configurations in the portal. The only users who need access to provisioning settings in the self-service portal are those responsible for configuring and maintaining identity provider settings.

You can assign the relevant provisioning permissions to your roles. The 3 relevant permissions are:

1. **Create new provisioning configurations** - Allows users with this role to create provisioning configurations.
2. **Read provisioning configurations** - Allows users to see the provisioning tab and see existing configurations.
3. **Delete provisioning configurations** - Allows users to delete existing configurations.

![scim](/assets/scim-permissions.12aa7212efc4f24ed7b34cc2aef5820954de21bdf243aa452d59ec038e522515.ed513d11.png)

### Create and manage SCIM connections from Frontegg dashboard

Under each account on the Frontegg management dashboard, there is a **Provisioning** section, where you can create and delete SCIM connections on behalf of your customers.

![scim](/assets/scim-manage.90b4e4784a3420f0e29bd69a5734f8ea3ea1c27c12efd005f153617bcf491eaa.ed513d11.png)

There are several pre-set directory providers on the list, but a connection can be created with any IdP that supports [SCIM 2.0 standards](https://datatracker.ietf.org/doc/html/rfc7644).

![scim](/assets/scim-account.db0f35f8b73a977fea17158e46ef5a2a87405f4adc6eca3f86ce1889bf27f630.ed513d11.png)

#### Deleting a connection

When deleting a SCIM connection from the management dashboard, the option to remove all associated users and groups is selected by default. If you choose to uncheck this option, you'll need to manually remove all previously synced users and groups.

![scim](/assets/scim-delete.7a0ccbe726652175903819b5aab920bf66467053b4652955c38115f9fdd20dd7.ed513d11.png)

### Create and manage SCIM connections via API

If you do not use Frontegg's self-service portal in your application, you can use Frontegg's APIs to set up a SCIM connection on behalf of your customers or implement your own UI.

1. [Create SCIM connection](/ciam/api/scim/scim-configurations/scim2connectionconfigcontroller_create) - This request will return an `id` and a `token`. Use the `id` to construct the `provisioning URL` for the IdP. It should look like this:

   `https://[your-custom-or-frontegg-domain]/directory/resources/scim/v2.0/[id-from-response]`

   Use the URL and the authorization token in your IdP settings for the connection.
2. [Get all SCIM connections for an environment](/ciam/api/scim/scim-settings/scim2connectionconfigcontroller_fetchall) - This endpoint requires an environment token and will return all the connections from all accounts.
3. [Delete SCIM connection](/ciam/api/scim/scim-configurations/scim2connectionconfigcontroller_deletebyid) - Note that currently, when a connection is deleted through the API, the users and groups that were provisioned through it are not deleted automatically.

### SCIM monitoring and troubleshooting

For details related to provisioned users and groups along with troubleshooting logs, we recommend checking the relevant logs in the [monitoring section](/ciam/guides/monitoring/events-overview#logged-events).
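
For step 1 of the API procedure above, one way to turn the create-connection response into IdP settings without producing a malformed URL or logging the token. This is an added example, not Frontegg's own code: the function names, the hostname and id validation rules, and the sample values in the comments are assumptions.

```python
import re

SCIM_PATH = "/directory/resources/scim/v2.0/"  # path as given on this page

# Assumption: the domain is a bare hostname (optional port), with no scheme,
# path or userinfo, so a pasted "https://..." or trailing "/" is rejected.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}(:\d{1,5})?$"
)
# Assumption: connection ids are URL-safe (UUID-like); "/" or ".." never pass.
_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def build_provisioning_url(domain: str, connection_id: str) -> str:
    """Return the provisioning URL for the IdP, refusing malformed parts."""
    host = domain.strip().lower()
    if not _HOST_RE.match(host):
        raise ValueError("domain must be a bare hostname, e.g. app.example.com")
    if not _ID_RE.match(connection_id):
        raise ValueError("connection id contains unexpected characters")
    return f"https://{host}{SCIM_PATH}{connection_id}"


def idp_settings(domain: str, create_response: dict) -> dict:
    """Map the create response (`id`, `token`) to the two values the IdP needs."""
    missing = {"id", "token"} - create_response.keys()
    if missing:
        raise KeyError(f"create response lacks: {sorted(missing)}")
    return {
        "provisioning_url": build_provisioning_url(domain, create_response["id"]),
        "token": create_response["token"],
    }


def redacted(settings: dict) -> dict:
    """Copy of the settings that is safe to log: the token is masked."""
    return {**settings, "token": "[redacted]"}
```

Log or display only the `redacted()` copy; the token authorizes creating and removing users and groups in the account, so it belongs in the IdP's secret field and nowhere else.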