RECIPE / IDENTITY

SCIM Provisioning

Wire Meridian into Okta, Azure AD, OneLogin, or any SCIM 2.0 identity provider to automate user lifecycle. When HR deprovisions in your IdP, Meridian revokes API keys, rotates session tokens, and burns down active model routes within 90 seconds.

1. Enable SCIM on your workspace

Navigate to Settings → Identity → SCIM. Click Generate Token to mint a workspace-scoped bearer token. The token is shown once; copy it into your IdP's connector config immediately. Tokens are HMAC-bound to your workspace ID and cannot be reused across environments.

  • Tokens expire after 365 days by default (configurable).
  • Rotation is supported via overlapping token windows.
  • All SCIM calls are audit-logged with IdP correlation IDs.

2. Configure the endpoint

Point your IdP at the Meridian SCIM v2 base URL. All four standard resource types are supported; Users and Groups accept full PATCH semantics per RFC 7644, while Schemas and ServiceProviderConfig are read-only. Group membership changes propagate to RBAC within one tick of the reconciliation loop.

# SCIM 2.0 Endpoint Configuration
Base URL: https://api.meridian.dev/scim/v2
Auth: Bearer <SCIM_TOKEN>

# Supported Resources
- /Users      (GET, POST, PUT, PATCH, DELETE)
- /Groups     (GET, POST, PUT, PATCH, DELETE)
- /Schemas    (GET)
- /ServiceProviderConfig (GET)

# Example: Provision User (POST /Users)
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "alice@acme.com",
  "name": { "givenName": "Alice", "familyName": "Chen" },
  "emails": [{ "value": "alice@acme.com", "primary": true }],
  "active": true
}

# Response: 201 Created
{ "id": "usr_8f3k2", "meta": { "resourceType": "User" } }

3. Map groups to roles

Meridian roles (admin, developer, viewer, billing) bind to IdP groups via the displayName field. Unmapped groups default to viewer. Deprovisioned users have all API keys revoked and active sessions terminated on the next inbound SCIM DELETE.

Tip: enable strict mode in production. Strict mode rejects any provisioning event that would grant a role above the IdP-asserted group floor, preventing privilege escalation via PATCH.
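As an added example that is not Meridian's own code, the following models the group-to-role mapping, the strict-mode check on an RFC 7644 PatchOp, and the key/session revocation on deprovisioning described in this recipe. The role ranking, the user record layout (`apiKeys`, `sessions`), and treating `active: false` like a DELETE are assumptions.

```python
# Added example (not Meridian's code): reference model of role mapping, strict mode
# and deprovisioning. Role ranks, record layout and revocation hooks are assumptions.
ROLE_RANK = {"viewer": 0, "billing": 1, "developer": 2, "admin": 3}
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class StrictModeViolation(Exception):
    """Raised when a provisioning event would exceed the IdP-asserted group floor."""


def role_floor(group_display_names):
    """Highest role bound to the user's IdP groups; unmapped groups count as viewer."""
    mapped = [g for g in group_display_names if g in ROLE_RANK]
    return max(mapped, key=ROLE_RANK.get, default="viewer")


def revoke_access(user):
    """Deprovisioning hook: drop every API key and active session (assumed layout)."""
    user["apiKeys"], user["sessions"] = [], []
    return user


def apply_patch(user, patch, strict=True):
    """Apply a PatchOp to a user record and return the new record (input untouched)."""
    if PATCH_OP not in patch.get("schemas", []):
        raise ValueError("missing PatchOp schema")
    new = dict(user)
    floor = role_floor(g["display"] for g in user.get("groups", []))
    for op in patch["Operations"]:
        kind, path, value = op["op"].lower(), op.get("path"), op.get("value")
        if kind == "replace" and path == "active":
            new["active"] = bool(value)
        elif kind in ("add", "replace") and path == "roles":
            requested = [r["value"] for r in value]
            unknown = [r for r in requested if r not in ROLE_RANK]
            if unknown:
                raise ValueError(f"unknown roles {unknown}")
            # Strict mode: no PATCH may lift a user above what their IdP groups assert.
            if strict and any(ROLE_RANK[r] > ROLE_RANK[floor] for r in requested):
                raise StrictModeViolation(f"{requested} exceeds group floor {floor!r}")
            new["roles"] = (user.get("roles", []) if kind == "add" else []) + list(value)
        else:
            raise ValueError(f"unsupported operation {kind} on {path!r}")
    # active:false is the usual SCIM deprovisioning signal; treat it like DELETE (assumed).
    if user.get("active", True) and not new.get("active", True):
        revoke_access(new)
    return new


def delete_user(user):
    """SCIM DELETE: revoke keys and sessions before the record is removed."""
    return revoke_access({**user, "active": False})
```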