SCIM Provisioning
Wire Meridian into Okta, Azure AD, OneLogin, or any SCIM 2.0 identity provider to automate user lifecycle. When HR deprovisions in your IdP, Meridian revokes API keys, rotates session tokens, and burns down active model routes within 90 seconds.
1. Enable SCIM on your workspace
Navigate to Settings → Identity → SCIM. Click Generate Token to mint a workspace-scoped bearer token. The token is shown once; copy it into your IdP's connector config immediately. Tokens are HMAC-bound to your workspace ID and cannot be reused across environments.
- Tokens expire after 365 days by default (configurable).
- Rotation is supported via overlapping token windows.
- All SCIM calls are audit-logged with IdP correlation IDs.
2. Configure the endpoint
Point your IdP at the Meridian SCIM v2 base URL. All four standard resource types are supported with full PATCH semantics per RFC 7644. Group membership changes propagate to RBAC within one tick of the reconciliation loop.
# SCIM 2.0 Endpoint Configuration
Base URL: https://api.meridian.dev/scim/v2
Auth: Bearer <SCIM_TOKEN>

# Supported Resources
- /Users (GET, POST, PUT, PATCH, DELETE)
- /Groups (GET, POST, PUT, PATCH, DELETE)
- /Schemas (GET)
- /ServiceProviderConfig (GET)

# Example: Provision User (POST /Users)
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "alice@acme.com",
  "name": { "givenName": "Alice", "familyName": "Chen" },
  "emails": [{ "value": "alice@acme.com", "primary": true }],
  "active": true
}

# Response: 201 Created
{ "id": "usr_8f3k2", "meta": { "resourceType": "User" } }

3. Map groups to roles
Meridian roles (admin, developer, viewer, billing) bind to IdP groups via the displayName field. Unmapped groups default to viewer. Deprovisioned users have all API keys revoked and active sessions terminated on the next inbound SCIM DELETE.
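Because unmapped groups silently fall back to viewer, it is worth auditing the intended mapping against an export of your IdP groups before going live. The script below is an added example, not Meridian code: ROLE_MAP, the sample groups, and the exact, case-sensitive match on displayName are assumptions made for illustration.

```python
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
MERIDIAN_ROLES = {"admin", "developer", "viewer", "billing"}  # roles named on this page
DEFAULT_ROLE = "viewer"  # per this page: unmapped groups default to viewer

# Hypothetical mapping an operator intends to configure: IdP displayName -> role.
# Assumption: matching on displayName is exact and case-sensitive.
ROLE_MAP = {
    "meridian-admins": "admin",
    "Platform-Eng": "developer",   # case differs from the IdP group below
    "finance-ops": "biling",       # typo: not a Meridian role
    "contractors": "viewer",       # no such group in the IdP export below
}

# Constructed sample of SCIM Group resources, as an IdP would send to /Groups.
SAMPLE_GROUPS = [
    {"schemas": [GROUP_SCHEMA], "displayName": "meridian-admins",
     "members": [{"value": "usr_8f3k2", "display": "alice@acme.com"}]},
    {"schemas": [GROUP_SCHEMA], "displayName": "platform-eng",
     "members": [{"value": "usr_constructed1", "display": "bob@acme.com"}]},
    {"schemas": [GROUP_SCHEMA], "displayName": "finance-ops", "members": []},
]


def resolve_role(display_name, role_map):
    """Role a group resolves to; anything unmapped falls back to viewer."""
    return role_map.get(display_name, DEFAULT_ROLE)


def audit(groups, role_map):
    """Report mapping problems and who ends up with admin."""
    names = {g["displayName"] for g in groups}
    mapped = set(role_map)
    report = {
        "unmapped": sorted(names - mapped),          # will default to viewer
        "orphan_mappings": sorted(mapped - names),   # mapping matches no IdP group
        "invalid_roles": sorted(n for n, r in role_map.items()
                                if r not in MERIDIAN_ROLES),
        "admins": [],
    }
    for g in groups:
        if resolve_role(g["displayName"], role_map) == "admin":
            report["admins"] += [m.get("display", m["value"])
                                 for m in g.get("members", [])]
    report["admins"] = sorted(set(report["admins"]))
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_GROUPS, ROLE_MAP).items():
        print(f"{key}: {value}")
```

A group that appears under both unmapped and, in a different spelling, orphan_mappings usually indicates a displayName mismatch rather than a missing mapping.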