SCIM Connector Best Practices
When using the SCIM Connector, keep the following best practices in mind:
Implementation Best Practices
Recommended best practices for configuring SCIM based integrations for IAM/IGA providers with the Delinea Platform via the SCIM Cloud Connector:
Authentication
Authentication is managed via OAuth using client credentials. Once authenticated, the connector performs all SCIM operations, such as provisioning, updating, or deprovisioning users and groups. After a user or group is created or modified, the SCIM connector synchronizes data bidirectionally between the platform and the IdP to maintain consistency.
Identity Data Synchronization
The current SCIM implementation relies on the Platform's configured Identity Provider (IdP). The IdP is configured using one of the following supported integration methods:
Known Limitations
Bulk Operations
The Delinea SCIM Cloud Connector does not currently support SCIM 2.0 Bulk Operations (the /Bulk endpoint as defined in RFC 7644, Section 3.7). This means that submitting multiple create, update, or delete operations in a single batched HTTP request is not available through the SCIM Cloud Connector.
Additionally, bulk user onboarding (the ability to provision a large number of users simultaneously via a single SCIM bulk request) is not currently supported. All user and group provisioning must be performed through individual SCIM operations (one request per resource).
Organizations planning large-scale user onboarding through the Delinea SCIM Cloud Connector should be aware that users and groups must be provisioned individually. To onboard users at scale, leverage your Identity Provider's (IdP) native incremental sync scheduling to orchestrate provisioning over successive sync cycles rather than expecting a single bulk import operation.
Deployment Topology and Redundancy
- SCIM Cloud is a multi-tenant SaaS service managed by Delinea; no customer-side installation is required.
- Because the connector is hosted natively in the Delinea Platform, you avoid firewall configuration, networking complexity, and dependency on an on-premises connector.
- Delinea manages availability and redundancy; no manual HA configuration is needed.
Credentials and Permissions
- Always create a dedicated service account purely for SCIM use.
- Assign only the following minimum permissions:
  - Owner
  - Edit
  - Add Secret
  - View
- Excess permissions are not needed and should be explicitly excluded.
- A service user must be created in the Delinea Platform with the necessary permissions to communicate with both the Platform Identity API and the Secret Server API.
- If a change occurs (e.g., username update), manage it from your IAM/IGA provider (not in the Delinea Platform) to avoid sync issues.
Filter Usage and API Efficiency
Use only Delinea-supported filters to prevent failures:
- Users / Groups: userName eq/co, displayName eq/co
- Containers: name eq/co, displayName eq/co
- Container Permissions: requires at least one filter; supports container.value eq, user.display eq/co, user.value eq, group.display eq/co, group.value eq
- Privileged Data: privilegedData.value eq, user.display eq/co, user.value eq, group.display eq/co, group.value eq
Here eq means equal and co means contains.
Avoid unsupported attributes and operators such as createdDate, lastModifiedDate, id, le, sw, ew, and logical operators other than and (e.g., or). Only AND is supported in filter expressions.
Ensure you provide at least one supported filter when using the Get All Container Permissions API; it does not accept a blank filter.
Always validate filters in staging before production use.
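As an added example (not Delinea's code), the following pre-check validates a SCIM filter string against the attribute/operator table above before it is sent, so unsupported filters are caught in staging rather than failing in production. It assumes filters follow the RFC 7644 form attrPath op "value", with clauses joined by and.

```python
import re

# Delinea-supported filter attributes and operators per resource type,
# as listed in this page.
SUPPORTED = {
    "Users / Groups": {"userName": {"eq", "co"}, "displayName": {"eq", "co"}},
    "Containers": {"name": {"eq", "co"}, "displayName": {"eq", "co"}},
    "Container Permissions": {
        "container.value": {"eq"},
        "user.display": {"eq", "co"}, "user.value": {"eq"},
        "group.display": {"eq", "co"}, "group.value": {"eq"},
    },
    "Privileged Data": {
        "privilegedData.value": {"eq"},
        "user.display": {"eq", "co"}, "user.value": {"eq"},
        "group.display": {"eq", "co"}, "group.value": {"eq"},
    },
}
# Resource types whose list endpoint rejects a blank filter.
FILTER_REQUIRED = {"Container Permissions"}

# Lookahead that only matches when an even number of quotes follows, i.e. the
# current position is outside a quoted value such as "Sales and Marketing".
OUTSIDE_QUOTES = r'(?=(?:[^"]*"[^"]*")*[^"]*$)'
# One RFC 7644 attribute expression: attrPath compareOp "value"
CLAUSE = re.compile(r'^([A-Za-z][\w.]*)\s+(\w+)\s+"([^"]*)"$')


def validate_filter(resource_type, filter_expr):
    """Return a list of problems; an empty list means the filter is safe to send."""
    problems = []
    expr = (filter_expr or "").strip()
    if not expr:
        if resource_type in FILTER_REQUIRED:
            problems.append(f"{resource_type}: at least one filter is required")
        return problems
    # Only AND is supported as a logical operator; reject 'or' and 'not'.
    if re.search(r"\b(or|not)\b" + OUTSIDE_QUOTES, expr, re.IGNORECASE):
        problems.append("only 'and' is supported as a logical operator")
        return problems
    allowed = SUPPORTED[resource_type]
    for clause in re.split(r"\s+and\s+" + OUTSIDE_QUOTES, expr, flags=re.IGNORECASE):
        match = CLAUSE.match(clause.strip())
        if not match:
            problems.append(f"malformed clause: {clause!r}")
            continue
        attr, op, _ = match.groups()
        if attr not in allowed:
            problems.append(f"unsupported attribute {attr!r} for {resource_type}")
        elif op.lower() not in allowed[attr]:
            problems.append(f"operator {op!r} not supported on {attr!r}")
    return problems
```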
Connection Testing and Sync Validation
Test SCIM connectivity immediately after setting up the IAM/IGA side.
Verify common workflows in a non-production environment:
- Provisioning: User creation, group assignments
- Updates: Attribute changes, membership modifications
- Deprovisioning: User disablement or deletion
Set up sync tasks in your IAM/IGA (e.g., user sync, group sync, permission sync) and monitor for successful runs.