SCIM Provisioning Overview

Manage GraphOS members with SCIM provisioning

GraphOS provides automated user management capabilities through the System for Cross-domain Identity Management (SCIM) protocol. SCIM automates user and group management by integrating your identity provider (IdP) with GraphOS.

Supported SCIM operations

Provisioning: Automatically create new GraphOS users when they are added to your IdP
Deprovisioning: Automatically remove users from GraphOS when they are removed from your IdP
Attribute updates: Sync user attributes (such as name and email) from your IdP to GraphOS
GraphOS role assignment: Assign users GraphOS roles based on IdP group membership
note
You can also assign GraphOS roles based on groups in your IdP via your SSO configuration. Apollo recommends using either SCIM or SSO for role assignment. If you use both, role assignments will overwrite one another.

Prerequisites

Only GraphOS Org admins can set up SCIM.
You must have administrative access to your identity provider (IdP).
You must configure SSO before configuring SCIM.

Setup instructions

To set up SCIM, follow the instructions for your configuration method:

If you use another identity provider, the setup instructions are generally similar to those provided above for Okta.

If you encounter any issues or need assistance, please email [email protected]—we're here to help!

Publishing

Contracts

SAML

OIDC

Subgraph Reference

Development and Tooling

From Federation 1 to 2

Server-Driven UI

Publishing

Contracts

SAML

OIDC

Authentication

Router Telemetry

Log Exporters

Metrics Exporters

Trace Exporters

Instrumentation

Subgraph Observability

Client Observability

OpenTelemetry

GraphQL Subscriptions

Coprocessors

Rhai Scripts

Custom Builds

Dedicated

AWS Lattice

SCIM Provisioning Overview

Supported SCIM operations

Prerequisites

Setup instructions