Preparing for SCIM 2.0 user provisioning
Who is this article for?
IT Administrators responsible for system configuration.
Administrator permissions are required.
SCIM 2.0 (System for Cross-domain Identity Management) allows your organisation to automate user account management in Ideagen Quality Management directly from your identity provider (IdP).
SCIM 2.0 availability
Once configured, your IdP - such as Microsoft Entra ID or Okta - automatically creates and updates user accounts in Ideagen Quality Management on its own provisioning schedule, without requiring manual user administration.
Important
SCIM 2.0 user provisioning is available for on-premises Ideagen Quality Management installations only. It is not available for cloud-hosted tenants.
SCIM actions
The following table shows how SCIM 2.0 actions in your IdP affect user accounts in Ideagen Quality Management:
| Action | What happens in Ideagen Quality Management |
|---|---|
| Create user | A new Ideagen Quality Management user account is created automatically when a user is assigned in your IdP. The account is mapped using the user's email address as the login name. |
| Update user | Changes to a user's profile in your IdP (such as name or email) are synced to their Ideagen Quality Management account on the next provisioning cycle. |
| Re-enable user | If a user is re-activated in your IdP, Ideagen Quality Management automatically re-enables their account and reclaims a licence seat. |
| Deprovision user | When a user is disabled or unassigned in your IdP, Ideagen Quality Management does not automatically disable the account. An Ideagen Quality Management administrator must do this manually. See Deprovisioning below. |
Note
Provisioning runs on a cycle - typically around 40 minutes. To provision a single user immediately, use your IdP's on-demand provisioning option.
Checking prerequisites
Before configuring SCIM 2.0, ensure the following requirements are met:
- SAML SSO is already configured - SCIM requires SAML Single Sign-On to be set up first. If SSO is not yet configured, see Configuring Single Sign-On (SSO) providers
- Database access - initial setup requires running a SQL script against your Ideagen Quality Management database to generate a SCIM bearer token. This is covered in the setup guides below
- Sufficient licence seats - Ideagen Quality Management assigns a licence seat when a user is provisioned. If no seats are available, provisioning will fail for that user
Provisioning users
Your IdP connects to Ideagen Quality Management's SCIM 2.0 endpoint using a secure bearer token you generate during setup. When a user is provisioned for the first time, IQM Core:
- Checks whether the user already exists using their IdP object ID, then falls back to their email address if no match is found
- Creates a new account (or updates an existing one) using the email address as the login name
- Automatically wires the account to your SAML SSO provider, so the user can sign in immediately via SSO
- Assigns a licence seat from the available pool (Concurrent first, then Dedicated)
Note
If a user account already exists in Ideagen Quality Management before SCIM is enabled, the provisioning cycle will match and update the existing account rather than creating a duplicate.
Deprovisioning users
Deprovisioning does not automatically disable users in Ideagen Quality Management. When a user is disabled or unassigned in your IdP, Ideagen Quality Management acknowledges the request but does not disable the account. An Ideagen Quality Management administrator must disable the account manually in the Administration module.
Re-enabling a user in the IdP is automatic - Ideagen Quality Management will re-enable the account and reclaim a licence seat on the next provisioning cycle.
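Because accounts stay enabled after deprovisioning, a periodic reconciliation helps find the ones that still need disabling by hand. The sketch below is an added example, not Ideagen or IdP code: it compares two user exports using the matching order described under Provisioning users (IdP object ID first, then email address). The CSV column names, the sample rows and the case-insensitive email comparison are assumptions.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions, not a real
# Ideagen Quality Management or IdP export format.
IDP_EXPORT = """object_id,email,active
a1,alice@example.com,true
b2,bob@example.com,false
c3,carol@example.com,false
"""

IQM_EXPORT = """login_name,idp_object_id,enabled
alice@example.com,a1,true
bob@example.com,b2,true
Carol@Example.com,,true
dave@example.com,,true
erin@example.com,e5,false
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _is_true(value):
    return value.strip().lower() == "true"


def find_stale_accounts(idp_csv, iqm_csv):
    """Return (login_name, reason) for enabled accounts that need manual review."""
    idp_rows = _rows(idp_csv)
    by_id = {r["object_id"]: r for r in idp_rows if r["object_id"]}
    by_email = {r["email"].strip().lower(): r for r in idp_rows}
    findings = []
    for acct in _rows(iqm_csv):
        if not _is_true(acct["enabled"]):
            continue  # already disabled, nothing to do
        # Same order as provisioning: IdP object ID first, then email.
        email = acct["login_name"].strip().lower()
        idp_user = by_id.get(acct["idp_object_id"]) or by_email.get(email)
        if idp_user is None:
            # Unassigned users may be absent from the IdP export entirely.
            findings.append((acct["login_name"], "not-in-idp"))
        elif not _is_true(idp_user["active"]):
            findings.append((acct["login_name"], "disabled-in-idp"))
    return findings


if __name__ == "__main__":
    for login, reason in find_stale_accounts(IDP_EXPORT, IQM_EXPORT):
        print(f"{login}: {reason}")
```

Accounts reported as `not-in-idp` can include accounts that were never managed through the IdP, so review them before disabling.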
Configuring provisioning
To configure SCIM 2.0 user provisioning:
- Confirm SAML SSO is working.
- Follow the setup guide for your identity provider:
| Identity provider | Setup guide |
|---|---|
| Microsoft Entra ID (Azure AD) | Configuring SCIM 2.0 user provisioning with Microsoft Entra ID |
| Okta | Coming soon |
Frequently asked questions
Does SCIM replace the need to create users manually in Ideagen Quality Management?
Yes. Once SCIM is configured and a user is assigned in your IdP, their Ideagen Quality Management account is created automatically.
What happens if a user already exists in Ideagen Quality Management when SCIM is enabled?
The provisioning cycle will match and update the existing account rather than creating a duplicate. Matching uses the IdP object ID first, then falls back to email address.
Why was a user not disabled in Ideagen Quality Management after I removed them in the IdP?
Deprovisioning does not automatically disable the account in Ideagen Quality Management. An administrator must disable it manually under Administration → Users.
What happens if there are no licence seats available?
Provisioning will fail for that user and no account will be created. Once a seat is available, re-trigger provisioning from your IdP.
Can I connect more than one IdP to the same Ideagen Quality Management installation?
Yes. Each IdP requires its own dedicated bearer token and service account, configured separately during database setup.