SCIM Provisioning

Automate user and group lifecycle management in IronWifi using SCIM 2.0 (System for Cross-domain Identity Management). When users are created, updated, or deactivated in your identity provider (IdP), those changes automatically sync to IronWifi -- eliminating manual account management and ensuring WiFi access stays in sync with your directory.

Overview

IronWifi implements a full SCIM 2.0 server compliant with RFC 7643 and RFC 7644. Your IdP pushes changes to IronWifi in real time, rather than IronWifi pulling on a schedule.

Key benefits:

  • Automated onboarding -- New employees get WiFi access as soon as they are added to your IdP
  • Automated offboarding -- Deactivated users lose WiFi access immediately
  • Group-based policies -- IdP group membership drives VLAN, bandwidth, and session policies
  • Single source of truth -- Your IdP remains the authoritative directory

Prerequisites

  • IronWifi account with admin access
  • Identity provider with SCIM 2.0 provisioning support (Entra ID, Okta, OneLogin, JumpCloud, or any SCIM 2.0 compliant IdP)
  • Admin access to the identity provider

IronWifi Setup

These steps are common to all identity providers.

Step 1: Generate a SCIM Token

  1. Log in to IronWifi Console
  2. Navigate to Users > Connectors > SCIM Tokens (or Identity Provisioning)
  3. Click Generate Token
  4. Copy the token immediately -- it is displayed only once
Warning: The SCIM token is shown only at creation time. Store it in a secure location (e.g., a password manager) before closing the dialog. If you lose it, you must generate a new one.

Step 2: Note Your SCIM Base URL

Your SCIM endpoint depends on your IronWifi region:

| Region | SCIM Base URL |
|---|---|
| US East | https://us-east1.ironwifi.com/scim/v2 |
| US West | https://us-west1.ironwifi.com/scim/v2 |
| Europe | https://console.ironwifi.com/scim/v2 |
| Asia Pacific | https://asia-northeast1.ironwifi.com/scim/v2 |

Find your region on the IronWifi Console dashboard or in your account settings.

Step 3: Configure Group Policy Mapping

Map IdP groups to IronWifi policies before enabling provisioning so that synced users receive the correct network access:

  1. Navigate to Users > Groups
  2. Create or edit groups with the desired policies:
    • VLAN ID -- Network segmentation
    • Bandwidth limits -- Upload/download caps
    • Session timeout -- Maximum session duration
    • Idle timeout -- Disconnect after inactivity
  3. Note the group names -- they must match the group displayName values pushed by your IdP

Step 4: Set Sync Schedule (Optional)

IronWifi also supports pull-based sync as a complement to SCIM push:

  1. In Connectors, select your SCIM connector
  2. Set the Sync interval (15 to 60 minutes)
  3. Enable Suspended user detection to automatically disable users marked as suspended

Microsoft Entra ID (Azure AD) Setup

Step 1: Create Enterprise Application

  1. Sign in to Azure Portal
  2. Navigate to Microsoft Entra ID > Enterprise applications
  3. Click New application > Create your own application
  4. Enter name: IronWifi SCIM
  5. Select Integrate any other application you don't find in the gallery (Non-gallery)
  6. Click Create

Step 2: Configure Provisioning

  1. In the IronWifi SCIM application, go to Provisioning
  2. Click Get started
  3. Set Provisioning Mode to Automatic

Step 3: Enter Admin Credentials

In the Admin Credentials section:

| Field | Value |
|---|---|
| Tenant URL | https://REGION.ironwifi.com/scim/v2 (replace REGION with your region) |
| Secret Token | The SCIM token from IronWifi |

Click Test Connection. Azure should report "The supplied credentials are authorized to enable provisioning."

Step 4: Configure Attribute Mappings

  1. Expand Mappings
  2. Click Provision Microsoft Entra ID Users
  3. Review and adjust mappings:

| Entra ID Attribute | SCIM Attribute | Notes |
|---|---|---|
| userPrincipalName | userName | Primary identifier |
| givenName | name.givenName | First name |
| surname | name.familyName | Last name |
| mail | emails[type eq "work"].value | Email address |
| mobile | phoneNumbers[type eq "mobile"].value | Mobile number |
| accountEnabled | active | Account status |

  4. Click Save
  5. Optionally configure Provision Microsoft Entra ID Groups to sync group memberships

Step 5: Set Scope and Enable

  1. Go back to Provisioning > Settings
  2. Set Scope to one of:
    • Sync only assigned users and groups (recommended) -- only users assigned to the app are provisioned
    • Sync all users and groups -- provisions the entire directory
  3. Set Provisioning Status to On
  4. Click Save
Tip: Start with Sync only assigned users and groups and assign a small test group first. After verifying provisioning works correctly, expand to additional groups.

Step 6: Assign Users and Groups

  1. Go to Users and groups in the enterprise application
  2. Click Add user/group
  3. Select the users and groups to provision
  4. Click Assign

Entra ID begins provisioning within approximately 40 minutes. Monitor progress under Provisioning > Provisioning logs.

Okta Setup

Step 1: Create Application

  1. Log in to Okta Admin Console
  2. Navigate to Applications > Applications
  3. Click Create App Integration
  4. Select SWA - Secure Web Authentication
  5. Name the application IronWifi SCIM and click Finish

Step 2: Enable SCIM Provisioning

  1. In the application, go to the General tab
  2. Click Edit
  3. Under Provisioning, select SCIM
  4. Click Save

Step 3: Configure SCIM Connection

  1. Go to the Provisioning tab > Integration
  2. Click Edit and enter:

| Field | Value |
|---|---|
| SCIM connector base URL | https://REGION.ironwifi.com/scim/v2 |
| Unique identifier field for users | userName |
| Supported provisioning actions | Push New Users, Push Profile Updates, Push Groups |
| Authentication Mode | HTTP Header |
| Authorization | The SCIM token from IronWifi |

  3. Click Test API Credentials -- Okta should confirm the connection is valid
  4. Click Save

Step 4: Configure Provisioning Actions

  1. Go to Provisioning > To App
  2. Click Edit and enable:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  3. Click Save

Step 5: Configure Attribute Mappings

  1. In Provisioning > To App, scroll to Attribute Mappings
  2. Review default mappings and adjust if needed:
    • userName maps to Okta login
    • givenName maps to Okta firstName
    • familyName maps to Okta lastName

Step 6: Configure Group Push

  1. Go to the Push Groups tab
  2. Click Push Groups > Find groups by name
  3. Select the groups to sync to IronWifi
  4. Click Save

Step 7: Assign Users

  1. Go to the Assignments tab
  2. Click Assign > Assign to Groups
  3. Select the groups and click Done

Okta begins provisioning immediately for new assignments.

Google Workspace Setup

Note: Google Workspace does not natively support outbound SCIM provisioning. Use one of these alternatives:

IronWifi has a built-in Google Workspace connector that provides similar functionality:

  1. Navigate to Users > Connectors > New Connector
  2. Select Google Apps
  3. Authorize with your Google Workspace admin account
  4. Select groups and organizational units to sync

See Google Workspace Integration for detailed setup instructions.

Option 2: Google Cloud Identity with Third-Party SCIM Bridge

If you require SCIM-based provisioning from Google Workspace:

  1. Deploy a SCIM bridge service (e.g., using Google Cloud Identity or a third-party tool)
  2. Configure the bridge to read from Google Directory API
  3. Point the bridge to IronWifi's SCIM endpoint:
    • Base URL: https://REGION.ironwifi.com/scim/v2
    • Bearer Token: Your SCIM token
  4. Configure attribute and group mappings in the bridge

OneLogin Setup

Step 1: Add Application

  1. Log in to OneLogin Admin Portal
  2. Navigate to Applications > Applications
  3. Click Add App
  4. Search for SCIM Provisioner with SAML (SCIM v2 Core)
  5. Click Save

Step 2: Configure SCIM Connection

  1. Go to the Configuration tab
  2. Enter:
    • SCIM Base URL: https://REGION.ironwifi.com/scim/v2
    • SCIM Bearer Token: Your SCIM token from IronWifi
    • SCIM JSON Template: Leave as default
  3. Click API Connection > Enable
  4. Click Save

Step 3: Configure Provisioning

  1. Go to the Provisioning tab
  2. Enable:
    • Create user
    • Delete user (maps to deactivation in IronWifi)
    • Update user
  3. Click Save

Step 4: Assign Users

  1. Go to Users tab
  2. Assign users or roles to the application

JumpCloud Setup

Step 1: Create Application

  1. Log in to JumpCloud Admin Portal
  2. Navigate to SSO > Add New Application
  3. Select Custom SCIM
  4. Enter application name: IronWifi

Step 2: Configure SCIM Endpoint

  1. In the Identity Management tab, enter:
    • Base URL: https://REGION.ironwifi.com/scim/v2
    • Token Key: Your SCIM token from IronWifi
  2. Click Test Connection
  3. Click Activate

Step 3: Configure User and Group Provisioning

  1. Enable User provisioning and Group provisioning
  2. Configure attribute mappings as needed
  3. Assign user groups to the application

Attribute Mapping Reference

IronWifi maps SCIM attributes to internal user fields as follows:

| SCIM Attribute | IronWifi Field | Description |
|---|---|---|
| userName | Username | Primary identifier (typically email) |
| name.givenName | First Name | User's given name |
| name.familyName | Last Name | User's surname |
| emails[type eq "work"].value | Email | Work email address |
| phoneNumbers[type eq "mobile"].value | Mobile Phone | Mobile number |
| active | Active Status | true = enabled, false = disabled |
| displayName | Display Name | Full display name |
| groups | Group Membership | Linked IronWifi groups |

Note: When a user is deleted via SCIM (HTTP DELETE), IronWifi performs a soft delete -- the user is set to active=false rather than permanently removed. This preserves accounting records and allows re-activation.

Group Policy Mapping

SCIM group provisioning enables automatic policy assignment based on IdP group membership:

  1. Create matching groups in IronWifi -- go to Users > Groups and configure each group with the desired policies (VLAN, bandwidth, session limits)
  2. Push groups from your IdP -- use the group push feature in your IdP to create and sync groups via SCIM
  3. IronWifi matches groups by displayName -- ensure the group name in your IdP matches the group name in IronWifi

Example policy mapping:

| IdP Group | IronWifi Group | VLAN | Bandwidth | Session Timeout |
|---|---|---|---|---|
| Corporate-WiFi | Corporate | 100 | 100/100 Mbps | 12 hours |
| Guest-WiFi | Guests | 200 | 10/10 Mbps | 2 hours |
| Contractors | Contractors | 150 | 25/25 Mbps | 8 hours |

When a user is added to "Corporate-WiFi" in your IdP, SCIM pushes the group membership change to IronWifi, and the user inherits VLAN 100, 100 Mbps bandwidth, and a 12-hour session timeout.

SCIM Endpoints Reference

For IdPs that require manual endpoint configuration or for custom integrations:

| Endpoint | Method | Description |
|---|---|---|
| /scim/v2/ServiceProviderConfig | GET | Capabilities discovery |
| /scim/v2/ResourceTypes | GET | Supported resource types |
| /scim/v2/Schemas | GET | SCIM schema definitions |
| /scim/v2/Users | GET, POST | List or create users |
| /scim/v2/Users/:id | GET, PUT, PATCH, DELETE | Read, replace, update, or deactivate a user |
| /scim/v2/Groups | GET, POST | List or create groups |
| /scim/v2/Groups/:id | GET, PATCH, DELETE | Read, update, or delete a group |

Authentication: All requests require an Authorization: Bearer <SCIM_TOKEN> header.

Filtering: The Users and Groups endpoints support SCIM filter expressions: eq, ne, co, sw, ew, gt, ge, lt, le, and pr.

Example:

Troubleshooting

Token Authentication Failures

Symptom: IdP reports "Unable to connect" or "401 Unauthorized"

  • Verify the token was copied correctly with no leading/trailing whitespace
  • Confirm the token starts with scim_ followed by 64 hexadecimal characters
  • Check that the SCIM Base URL uses the correct region
  • Generate a new token if the current one may have been revoked
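
The token checks above can be combined with the bearer header and filter syntax from the SCIM Endpoints Reference into one pre-flight request builder. This is an added example, not IronWifi's own code; the function names, the sample user and the all-zero token are constructed for illustration.

```python
import json
import re
import urllib.parse
import urllib.request

# Token shape stated on this page: "scim_" followed by 64 hexadecimal characters.
TOKEN_RE = re.compile(r"scim_[0-9a-fA-F]{64}")


def check_token(token: str) -> str:
    """Return the token unchanged, or raise ValueError naming the defect."""
    if token != token.strip():
        raise ValueError("token has leading or trailing whitespace")
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not 'scim_' followed by 64 hex characters")
    return token


def build_user_lookup(base_url: str, token: str, user_name: str) -> urllib.request.Request:
    """Build GET <base>/Users?filter=userName eq "<user_name>" with the bearer header."""
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send a bearer token over a non-https URL")
    # SCIM filter values are JSON strings (RFC 7644), so json.dumps escapes any
    # embedded quote or backslash and the value cannot alter the filter logic.
    scim_filter = f"userName eq {json.dumps(user_name)}"
    query = urllib.parse.urlencode({"filter": scim_filter}, quote_via=urllib.parse.quote)
    req = urllib.request.Request(f"{base_url.rstrip('/')}/Users?{query}", method="GET")
    req.add_header("Authorization", f"Bearer {check_token(token)}")
    req.add_header("Accept", "application/scim+json")
    return req


if __name__ == "__main__":
    # Constructed placeholder token; substitute the one generated in the console.
    demo = build_user_lookup("https://us-east1.ironwifi.com/scim/v2",
                             "scim_" + "0" * 64, "alice@example.com")
    print(demo.get_method(), demo.full_url)
    # To send it: urllib.request.urlopen(demo, timeout=10)
```

A 401 on this request with a token that passes `check_token` points at the region in the base URL or a revoked token rather than a copy-paste error.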

Users Not Provisioning

Symptom: Users exist in the IdP but do not appear in IronWifi

  • Check the IdP provisioning logs for error details
  • Verify the user is assigned to the application (for Entra ID and Okta)
  • Confirm the scope includes the user (especially if set to "assigned users only")
  • Ensure userName is mapped and contains a valid value
  • Wait for the initial provisioning cycle to complete (Entra ID can take up to 40 minutes)

Group Membership Not Updating

Symptom: Users are provisioned but not assigned to the correct IronWifi groups

  • Verify group push is enabled in your IdP
  • Confirm the group displayName in the IdP matches the group name in IronWifi exactly (case-sensitive)
  • Check that the groups were created in IronWifi before SCIM group push was enabled
  • Review SCIM PATCH operations in IdP provisioning logs

Users Not Deactivated

Symptom: Disabled users in the IdP still have WiFi access

  • Verify your IdP sends a PATCH or PUT with active: false when deactivating
  • Check the IdP provisioning configuration includes "Deactivate Users"
  • Confirm the deactivation mapping is set (e.g., accountEnabled to active in Entra ID)
  • Review IronWifi user status -- the user should show as inactive
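
Because both a deactivation and a SCIM DELETE end as active=false, the last check can be automated by comparing the IdP's disabled accounts against a GET /scim/v2/Users response. The following is an added example, not IronWifi's own code; the function name, result keys and sample ListResponse are constructed for illustration.

```python
import json

# Constructed sample of a SCIM ListResponse from GET /scim/v2/Users (not real data).
SAMPLE_LIST_RESPONSE = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 4, "startIndex": 1, "itemsPerPage": 4,
  "Resources": [
    {"id": "1", "userName": "alice@example.com", "active": true},
    {"id": "2", "userName": "Bob@Example.com",   "active": true},
    {"id": "3", "userName": "carol@example.com", "active": false},
    {"id": "4", "userName": "dave@example.com"}
  ]
}
""")


def audit_deprovisioning(list_response: dict, idp_disabled: set) -> dict:
    """Compare users disabled in the IdP against their SCIM `active` flag.

    Returns users not confirmed deactivated, users never provisioned, and
    whether the response covered every user (if not, fetch further pages).
    """
    resources = list_response.get("Resources", [])
    # RFC 7643 defines userName as case-insensitive, so compare casefolded.
    by_name = {r["userName"].casefold(): r for r in resources if "userName" in r}
    not_deactivated, not_found = [], []
    for name in sorted(idp_disabled):
        user = by_name.get(name.casefold())
        if user is None:
            not_found.append(name)
        # Only an explicit JSON false counts as deactivated; a missing or
        # non-boolean `active` is reported rather than assumed safe.
        elif user.get("active") is not False:
            not_deactivated.append(user["userName"])
    complete = list_response.get("totalResults", 0) <= len(resources)
    return {"not_deactivated": not_deactivated, "not_found": not_found,
            "complete": complete}


if __name__ == "__main__":
    disabled_in_idp = {"bob@example.com", "carol@example.com",
                       "dave@example.com", "erin@example.com"}
    print(audit_deprovisioning(SAMPLE_LIST_RESPONSE, disabled_in_idp))
```

Any entry under `not_deactivated` is an account that is disabled in the directory but not confirmed as disabled for WiFi access.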

Attribute Mapping Errors

Symptom: User data is incomplete or incorrect in IronWifi

  • Review attribute mappings in your IdP provisioning configuration
  • Ensure required fields (userName, name.givenName, name.familyName) are mapped
  • Check for conflicting mappings or expressions
  • Test with a single user before bulk provisioning