Delinea SCIM Connector
This integration is currently available only to customers participating in a private preview. If you'd like to participate to be among the first to try this feature, ask our support or account team for details.
SCIM 2.0 (System for Cross-domain Identity Management) is a protocol designed to automate the provisioning and de-provisioning of user identities across different systems. The Delinea SCIM Cloud Connector enables IAM/IGA providers to securely integrate with the Delinea Platform using the SCIM 2.0 protocol.
This is a cloud-native Delinea Platform service that supports the following use cases:
- Automated Provisioning and De-provisioning
- Identity Data Synchronization
- Group and Role Management
The SCIM Cloud Service supports the following capabilities:
User Management
- Create / Get / Update Group
- Add / Remove User to / from Group
- Search User by Username
- Search User by ID
- Create / Update / Delete User
Folder Management
- Create New Folder
- Search Folder by Folder Name
- Search Folder Permissions by Folder ID and/or User ID
- Post New Folder Permission
- Delete Folder Permission
Secret Management
- Add / Remove Secret to / from a Folder
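As an added example (not Delinea's code), this shows how a client would build the filtered GET used by the "Search User by Username" operation above. The attribute value is JSON-escaped as RFC 7644 requires, so a name containing quotes cannot change the meaning of the filter; the base URL is a placeholder, not the connector's real endpoint.

```python
import json
import re
from urllib.parse import urlencode

# Placeholder base URL (assumption, not the real Delinea SCIM endpoint).
SCIM_BASE = "https://scim.example.invalid/scim/v2"


def scim_eq_filter(attribute: str, value: str) -> str:
    """Return an 'attribute eq "value"' SCIM filter (RFC 7644 section 3.4.2.2).

    The value is serialised with json.dumps, so quotes, backslashes and control
    characters in user-supplied input stay inside the string literal.
    """
    if not re.fullmatch(r"[A-Za-z][\w.:-]*", attribute):
        raise ValueError(f"unexpected attribute path: {attribute!r}")
    return f"{attribute} eq {json.dumps(value)}"


def search_url(resource: str, attribute: str, value: str, count: int = 100) -> str:
    """Build the GET URL for a filtered list; the query string is percent-encoded."""
    query = urlencode({"filter": scim_eq_filter(attribute, value), "count": count})
    return f"{SCIM_BASE}/{resource}?{query}"


def search_user_by_username(username: str) -> str:
    """'Search User by Username' from the capability list above."""
    return search_url("Users", "userName", username)
```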
Prerequisites
The integration of the SCIM Cloud Connector with the Delinea Platform requires that:
- The Delinea Platform is properly provisioned and configured. For more information about provisioning and configuration, see the Quick Start Guide.
- Admin permissions are available for logging into the Delinea Platform.
- An instance of the IAM or IGA provider is configured according to its documentation.
- The Identity Provider (IdP) is configured using one of the following supported integration methods:
SCIM Cloud Workflow
The Delinea Platform relies on the SCIM connector to process all IAM requests. Authentication is managed via OAuth using client credentials to ensure secure access. Once authenticated, the connector performs all SCIM operations—such as provisioning, updating, or de-provisioning users and groups. After user or group creation or modification, the SCIM connector synchronizes data bidirectionally between the platform and the IAM to maintain consistency.
When an administrator creates or updates users and groups in the Identity Provider, the SCIM connector synchronizes these changes with the Delinea Platform. Similarly, any user modifications made directly in the Delinea Platform are synchronized back to the Identity Provider when the IdP’s sync process runs.
The Delinea Platform uses GUIDs as the unique identifiers for users and groups.
User Provisioning via SCIM
When provisioning users through the SCIM Cloud Connector, user accounts are created and mapped based on the configured Identity Provider (IdP) integration in the Delinea Platform.
Provisioning Behavior Based on IdP Configuration
- SAML or OIDC Configuration
  - Users are provisioned as local Delinea Platform users.
  - When users log in for the first time, the platform maps them to the Federated Directory Service.
  - User identities are synchronized from external identity providers using SAML or OIDC.
- Active Directory Configuration
  - The platform maps users to Active Directory accounts.
  - User identities are synchronized from on-premises Active Directory.
  - User lifecycle is managed through Active Directory.
- Microsoft Entra ID (Direct API) Configuration
  - The platform maps users to Microsoft Entra ID directory accounts.
  - User identities are synchronized from Microsoft Entra ID.
  - User lifecycle is managed through Entra ID.
Data Synchronization Workflow
IAM solutions initiate requests to sync data. These requests are sent in the SCIM format.
The SCIM Connector supports bidirectional data flow between the IGA system (such as SailPoint, Okta, etc.) and the Delinea Platform. Each direction serves a distinct purpose.
Pull: IGA Retrieves Data from the Delinea Platform
The IGA system schedules periodic synchronization jobs that pull user, group, and entitlement data from the Delinea Platform. This enables the IGA to:
- Discover existing identities and their current access rights.
- Populate its identity warehouse with Delinea Platform data.
- Detect drift between IGA records and the actual Delinea Platform state.
Pull operations are read-only and do not modify data in the Delinea Platform.
Push: IGA Provisions Identities to the Delinea Platform
When users and groups are created or modified in the IGA system, the IGA pushes those changes to the Delinea Platform via SCIM. This includes:
- Provisioning (Joiner): Creating new user accounts and group memberships.
- Updates (Mover): Modifying user attributes or group assignments when roles change.
- Deprovisioning (Leaver): Removing or disabling user access.
If the IGA supports bulk user or group creation, those identities are pushed to the Delinea Platform in the same operation.
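The pull and push directions described above, as an added example that is not part of Delinea's or any IGA vendor's code: the pull side compares a constructed SCIM 2.0 ListResponse of groups against the IGA's authoritative membership to detect drift, and the push side turns each difference into the PATCH body the IGA would send to reconcile the group. Group and user ids are constructed; the real platform uses GUIDs.

```python
import json

# Constructed sample of a pull from the platform's /Groups endpoint in the SCIM 2.0
# ListResponse shape (RFC 7644). The platform uses GUIDs; the short ids are made up.
PLATFORM_GROUPS = json.loads("""{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 2, "startIndex": 1, "itemsPerPage": 2,
  "Resources": [
    {"id": "g-1", "displayName": "vault-admins",
     "members": [{"value": "u-100"}, {"value": "u-101"}]},
    {"id": "g-2", "displayName": "auditors", "members": [{"value": "u-102"}]}
  ]
}""")

# The IGA's authoritative record of who should be in each group (constructed).
IGA_DESIRED = {"vault-admins": {"u-100"}, "auditors": {"u-102", "u-103"}}


def detect_drift(list_response, desired):
    """Pull side: compare actual platform membership with the IGA record.
    Returns {displayName: (group_id, to_add, to_remove)} for groups that differ."""
    drift = {}
    for grp in list_response["Resources"]:
        actual = {m["value"] for m in grp.get("members", [])}
        want = desired.get(grp["displayName"], set())
        if actual != want:
            drift[grp["displayName"]] = (grp["id"], want - actual, actual - want)
    return drift


def membership_patch(to_add, to_remove):
    """Push side: PATCH body (RFC 7644 section 3.5.2) that reconciles one group.
    Member ids in the remove path are JSON-escaped so they cannot alter the filter."""
    ops = []
    if to_add:
        ops.append({"op": "add", "path": "members",
                    "value": [{"value": uid} for uid in sorted(to_add)]})
    for uid in sorted(to_remove):
        ops.append({"op": "remove", "path": f"members[value eq {json.dumps(uid)}]"})
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": ops}


def reconcile_plan(list_response, desired):
    """{group_id: patch_body} for every drifted group; empty when already in sync."""
    return {gid: membership_patch(add, rem)
            for gid, add, rem in detect_drift(list_response, desired).values()}
```

Each entry of the plan is what the IGA would PATCH to `/Groups/{id}` on the platform; a non-empty plan after a pull is the drift signal the IGA should surface before pushing.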
Best Practice: Manage Identities from the IGA
Administrators should always create, update, and remove users and groups from the IGA system rather than directly in the Delinea Platform. The IGA serves as the authoritative source. Changes made directly in the Delinea Platform may be overwritten during the next synchronization cycle or cause sync conflicts.
Request Types
- GET requests: Retrieve and sync user, group, folder, and secret data from the Delinea Platform to the IAM solution.
- POST, PUT, PATCH, DELETE requests: Manage data by adding, updating, or deleting users, groups, folders, group memberships, and access rights to folders/secrets within the Delinea Platform.
The SCIM Cloud Connector acts as a translator and intermediary. It receives SCIM requests and translates them into a format understood by the Delinea Platform Services. The connector uses the Delinea Platform’s APIs to communicate with:
- Delinea Platform Identity — for users, groups, and memberships
- Delinea Secret Server on the Platform — for folders, secrets, and access permissions
Once the above operations are completed, the Delinea Platform services send a response back via APIs to the SCIM Cloud Connector. The SCIM Cloud Connector translates the Delinea API response back into the SCIM format and returns it to the requesting IAM solution. This confirms the success or failure of the requested operation and provides the updated data as needed.