Configuring the SCIM Connector

Step 1: Configure SCIM Connector in Delinea Platform

Create Service Account

This service account will be used to authenticate SCIM requests.

  1. Log in to the Delinea Platform as an administrator.
  2. Navigate to Access > Users > More > Add Service User.
  3. Enter a unique username (e.g., scim.integration@domain.com).
  4. Configure OAuth2 client credentials.

Create and Assign Custom Role for SCIM Operations

Assign the Platform User role to the service account. This enables SCIM operations and token generation.

  1. Log in to the Platform as an administrator.

  2. Navigate to Access > Roles.

  3. Click Add Role to open the Role Creation page.

  4. Select the Add New Custom Role checkbox, and then in the Role Name field type a name for your new role.

  5. Select Save.

Assign Roles and Permissions

  1. Go to the Permissions tab and select Add Permission.

  2. Create a custom role with the following permissions:
    • Administer Secret Server Folders
    • Administer Secret Server Reports
    • Bypass Direct API Authentication Restriction
    • Create Root Folders in Secret Server
    • Manage Identity Settings
    • Own Secret
    • Personal Folder in Secret Server
    • View Secrets

    Missing Bypass Direct API Authentication Restriction or Manage Identity Settings will break SCIM operations.

  3. Navigate to Access > Users.

    1. Search for the service user you have created for SCIM operations.

    2. Open the service user, go to the Role tab, and click Assign Roles.

    3. Select the custom role you created and click Save.

    To learn how to create a role with these permissions and how to assign it to your application account in the Delinea Platform, see the Roles and Permissions topic.

Retrieve Delinea Platform Access Token

The Delinea Platform uses the OAuth 2.0 Client Credentials Grant to allow backend services to authenticate using their own credentials to access protected resources, such as the Delinea Platform. This method supports secure server-to-server communication without user interaction and is commonly used by background services or service accounts.

This grant type is used for:

  • SCIM integrations
  • Background jobs
  • Server-to-server automation
  • Identity provisioning systems

Using Postman (Recommended)

POST Request URL

https://<your-hostname>.delinea.app/identity/api/oauth2/token/xpmplatform

POST Body (x-www-form-urlencoded)

Key            Value
grant_type     client_credentials
scope          xpmheadless
client_id      scim.integration@domain.com
client_secret  <service account password>

Expected Result: HTTP 200 OK with an access token returned.

Retrieving the Token Using cURL

curl "https://<your-hostname>.delinea.app/identity/api/oauth2/token/xpmplatform" \
    --header "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "scope=xpmheadless" \
    --data-urlencode "client_id=scim.integration@domain.com" \
    --data-urlencode "client_secret=<service-account-password>"

Example Successful Response

{
    "access_token": "...",
    "refresh_token": "...",
    "token_type": "Bearer",
    "expires_in": 3609,
    "session_expires_in": 43200,
    "scope": "xpmheadless"
}

Explanation of Token Fields

  • access_token — JSON Web Token (JWT) used to authenticate SCIM API calls.
  • token_type — Always Bearer.
  • expires_in — Access token lifetime in seconds.
  • session_expires_in — Refresh token lifetime in seconds (typically 12 hours).
  • refresh_token — Used to request a new access token after the current token expires.
  • scope — Must match the configured scope (xpmheadless for SCIM integrations).

To view token expiration details, decode the JWT at jwt.io and inspect the exp claim (Unix timestamp).
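The token call above, as an added Python example that is not Delinea's code or documentation: it sends the same form body as the cURL request, checks the token_type and scope fields described above, turns expires_in and session_expires_in into deadlines, and reads the exp claim locally instead of pasting the token into a website. The tenant hostname, client ID and secret are placeholders supplied by the caller.

```python
"""Added example, not Delinea's code: obtain a client-credentials token from
the endpoint above and track when to refresh it. The hostname, client_id and
secret used by callers are placeholders."""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/identity/api/oauth2/token/xpmplatform"
SCOPE = "xpmheadless"


def token_request(hostname, client_id, client_secret):
    """POST with the x-www-form-urlencoded body shown in the cURL example."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "scope": SCOPE,
        "client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        f"https://{hostname}.delinea.app{TOKEN_PATH}", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def jwt_exp(access_token):
    """Read the exp claim (Unix time) from the JWT payload. The signature is
    not checked here: this only schedules refreshes, it never trusts the token."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def parse_token_response(body, now):
    """Check the fields documented above and turn lifetimes into deadlines."""
    if body.get("token_type") != "Bearer" or body.get("scope") != SCOPE:
        raise ValueError("unexpected token_type or scope in token response")
    return {"access_token": body["access_token"],
            "refresh_token": body.get("refresh_token"),
            "access_expires_at": now + int(body["expires_in"]),
            "session_expires_at": now + int(body["session_expires_in"])}


def needs_refresh(token, now, skew=60):
    """Refresh a minute early so in-flight SCIM calls do not fail with 401."""
    return now >= token["access_expires_at"] - skew


def fetch_token(hostname, client_id, client_secret):
    """Network call (not exercised offline): POST and parse the JSON reply."""
    req = token_request(hostname, client_id, client_secret)
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(json.load(resp), time.time())
```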

For more technical detail, see the related topic.

Step 2: Configuring the IAM/IGA Provider

The configuration process varies depending on your IAM/IGA provider. Each system (e.g., SailPoint vs. Okta) has its own UI and field names, but the required information remains the same:

  • Platform Token URL: the token endpoint used in the steps above; it should look like this: https://<your-platform-tenant-url>/identity/api/oauth2/token/xpmplatform

  • SCIM endpoint URL: https://<your-platform-tenant-url>/scim/v2
  • Service account username (Client ID)
  • Service account password (Client Secret)

No additional configuration is required on the Delinea Platform side. Once the IAM application (e.g., SailPoint) is configured, SCIM endpoints are automatically triggered whenever users, groups, or containers are modified in the IAM system.

Supported Endpoints

The Delinea SCIM Cloud Connector supports the following SCIM 2.0 endpoints for managing users, groups, containers, and permissions in the Delinea Platform.

Operation                                     Method  Endpoint                                        Description

Entity: User
  Get user by ID                              GET     /scim/v2/Users/{id}                             Fetch a specific user by ID
  Get all users                               GET     /scim/v2/Users                                  Retrieve all users (supports pagination)
  Get users with filter                       GET     /scim/v2/Users?filter=...                       Filter users by attributes (userName, displayName); only eq and co operators supported
  Create user                                 POST    /scim/v2/Users                                  Create a new user
  Update full user                            PUT     /scim/v2/Users/{id}                             Replace entire user object
  Update partial user                         PATCH   /scim/v2/Users/{id}                             Modify selected fields (displayName, email, groups)
  Delete user                                 DELETE  /scim/v2/Users/{id}                             Remove a user

Entity: Group
  Get group by ID                             GET     /scim/v2/Groups/{id}                            Fetch a specific group by ID
  Get all groups                              GET     /scim/v2/Groups                                 Retrieve all groups (supports pagination)
  Get groups with filter                      GET     /scim/v2/Groups?filter=...                      Filter groups by attributes (displayName); only eq and co operators supported
  Create group                                POST    /scim/v2/Groups                                 Create a new group
  Update full group                           PUT     /scim/v2/Groups/{id}                            Replace entire group object
  Update partial group                        PATCH   /scim/v2/Groups/{id}                            Modify selected fields (displayName, members)
  Delete group                                DELETE  /scim/v2/Groups/{id}                            Remove a group

Entity: Container
  Get container by ID                         GET     /scim/v2/Containers/{id}                        Fetch a specific container by ID
  Get all containers                          GET     /scim/v2/Containers                             Retrieve all containers (supports pagination)
  Get containers with filter                  GET     /scim/v2/Containers?filter=...                  Filter containers by attributes (name, displayName); only eq and co operators supported
  Create container                            POST    /scim/v2/Containers                             Create a new container
  Update full container                       PUT     /scim/v2/Containers/{id}                        Replace entire container object
  Update partial container                    PATCH   /scim/v2/Containers/{id}                        Modify selected fields (name, privilegedData)
  Delete container                            DELETE  /scim/v2/Containers/{id}                        Remove a container

Entity: PrivilegedData
  Get privileged data by ID                   GET     /scim/v2/PrivilegedData/{id}                    Fetch a specific privileged data entry by ID
  Get all privileged data                     GET     /scim/v2/PrivilegedData                         Retrieve all privileged data (supports pagination)
  Get privileged data with filter             GET     /scim/v2/PrivilegedData?filter=...              Filter privileged data by attributes (name, displayName); only eq and co operators supported

Entity: ContainerPermission
  Get container permission by ID              GET     /scim/v2/ContainerPermissions/{id}              Fetch a specific container permission by ID
  Get all container permissions               GET     /scim/v2/ContainerPermissions                   Retrieve all container permissions (supports pagination)
  Get container permissions with filter       GET     /scim/v2/ContainerPermissions?filter=...        Filter container permissions by container id, user id, group id, username, and group name; only eq and co operators supported
  Create container permission                 POST    /scim/v2/ContainerPermissions                   Create a new container permission
  Update full container permission            PUT     /scim/v2/ContainerPermissions/{id}              Replace entire container permission object
  Update partial container permission         PATCH   /scim/v2/ContainerPermissions/{id}              Modify selected fields (permission)
  Delete container permission                 DELETE  /scim/v2/ContainerPermissions/{id}              Remove a container permission

Entity: PrivilegedDataPermissions
  Get all privileged data permissions         GET     /scim/v2/PrivilegedDataPermissions              Retrieve all privileged data permissions (supports pagination)
  Get privileged data permissions with filter GET     /scim/v2/PrivilegedDataPermissions?filter=...   Filter privileged data permissions by privileged data id, user id, group id, username, and group name; only eq and co operators supported

Only the eq and co operators are supported in filters. Unsupported filters or invalid syntax will result in an error response.
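Building requests for the endpoints in this table, as an added Python example that is not Delinea's code: it rejects filter operators other than eq and co before a request is sent, quotes filter values so an IdP-supplied string cannot change the expression, and builds a PatchOp body for the group members field. The base URL, user IDs and attribute names are placeholders.

```python
"""Added example (not Delinea's code): build SCIM 2.0 requests for the
endpoints listed above. Only eq and co filter operators are accepted, as in
the table; base URL, IDs and attribute names below are assumptions."""
import json
import urllib.parse
import urllib.request

SUPPORTED_OPS = {"eq", "co"}
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_filter(attribute, op, value):
    """Return an RFC 7644 filter expression, failing locally on operators
    the connector would answer with an error response."""
    if op not in SUPPORTED_OPS:
        raise ValueError(f"operator {op!r} not supported; use eq or co")
    if not attribute.replace(".", "").isalnum():
        raise ValueError("attribute name must be alphanumeric (dots allowed)")
    # Filter values are quoted strings: escape backslash and double quote so
    # a value taken from the IdP cannot terminate the quote and alter the filter.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{attribute} {op} "{escaped}"'


def resource_url(base_url, resource, filter_expr=None):
    """base_url is https://<tenant>/scim/v2; resource is Users, Groups, ..."""
    url = f"{base_url.rstrip('/')}/{resource}"
    if filter_expr:
        url += "?" + urllib.parse.urlencode({"filter": filter_expr})
    return url


def group_members_patch(user_ids, op="add"):
    """PatchOp body for PATCH /scim/v2/Groups/{id}: add or remove members."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": op, "path": "members",
                        "value": [{"value": uid} for uid in user_ids]}],
    }


def scim_request(url, access_token, method="GET", body=None):
    """Authenticated request; the Bearer token comes from the token step."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {access_token}",
               "Accept": "application/scim+json"}
    if data is not None:
        headers["Content-Type"] = "application/scim+json"
    return urllib.request.Request(url, data=data, method=method, headers=headers)
```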

Supported Attributes

Delinea supports the SCIM 2.0 protocol as well as the SCIM PAM Extension. Our implementation adheres to the schemas defined in RFC 7643 Section 8.7.1 and PAM-ext-00 Section 3.1.

SCIM Cloud supports SCIM meta-attributes for all objects. Metadata values are generated dynamically at runtime based on each object's creation and modification state within the Delinea Platform.

User Attributes

Delinea SCIM Cloud supports the standard SCIM User and EnterpriseUser schemas. The following attributes are supported:

Attribute     Notes
id            System-generated and immutable.
displayName   Fully supported for reads and updates.
emails        Only the first email in the array is processed.
phoneNumbers  Only the first phone number in the array is processed.
active        Used for enabling/disabling user accounts.
password      Accepted for user creation.
groups        Managed automatically by group membership changes.

Group Attributes

Delinea SCIM Cloud supports the standard SCIM Group schema. The following attributes are supported:

Attribute     Notes
id            System-generated and immutable.
displayName   Name of the group.
members       Array of users or groups assigned to the group.

Container (Folder) Attributes

Delinea SCIM Cloud supports folder provisioning using the PAM Extension schema aligned with Secret Server folder objects.

Attribute       Notes
id              Unique identifier of the folder.
name            Internal name of the folder.
displayName     Visible display name.
description     Folder description.
type            Hardcoded per PAM extension specification.
parent          Parent folder ID (supports nested folders).
owner           Owner of the container.
privilegedData  Associated privileged data entries.

Metadata Provisioning

All SCIM objects include metadata attributes such as resourceType, created, lastModified, version, and location. These are generated dynamically at runtime. Some fields—such as resourceType and version—are fixed and cannot be modified.