SCIM 2.0

SCIM 2.0 directory sync enables automatic user and group provisioning from your identity provider.

Overview

localskills.sh implements the SCIM 2.0 protocol for automated user lifecycle management through Better Auth. It works with Okta, Azure AD, OneLogin, and any other SCIM 2.0–compliant identity provider.

Configuring SCIM requires the organization owner role. Configuration lives under Organization > SSO & SCIM.

SCIM base URL

https://localskills.sh/api/auth/scim/v2

Token management

Generate a SCIM provider token from your organization's SSO & SCIM tab. Tokens are scoped to the selected provider ID and displayed only once at creation time.

Configure the token as Bearer authentication in your identity provider's SCIM integration — the per-provider guides below show where (Okta, Authentik, or any generic SCIM 2.0 client).

Okta

  1. In the app's General tab, set Provisioning to SCIM.
  2. In the Provisioning tab, set the SCIM connector base URL to the SCIM base URL above and the unique identifier field to email.
  3. Set Authentication Mode to HTTP Header and paste a token generated from the SSO & SCIM settings page.
  4. Under Provisioning → To App, enable Create Users, Update User Attributes, and Deactivate Users.

Cloudflare Access

Cloudflare Access does not push SCIM provisioning to service providers — its SCIM support pulls users from your IdP into Access. Users are provisioned here automatically on their first SSO sign-in instead.

Authentik

  1. In authentik, go to Applications → Providers → Create and pick SCIM Provider.
  2. Set URL to the SCIM base URL above and Token to a token generated from the SSO & SCIM settings page.
  3. Edit your application and add the SCIM provider under Backchannel Providers.

Custom SAML

  1. Point your identity provider's SCIM 2.0 client at the SCIM base URL above.
  2. Authenticate with a Bearer token generated from the SSO & SCIM settings page.

User provisioning

Your identity provider pushes create, update, and delete events to the SCIM endpoint. Deactivated users are automatically removed from the organization; provisioning and deprovisioning are recorded in the audit log (scim.user_provisioned, scim.user_updated, scim.user_deprovisioned).

Supported SCIM attributes:

  • userName — email address
  • name.formatted — display name
  • externalId — IdP identifier
  • active — account status

Group provisioning

Your identity provider can push SCIM groups to localskills.sh. Group records and membership changes are handled through the shared SCIM endpoint.

Roles & permissions

SCIM manages membership, not permissions. Assign roles to provisioned users in the dashboard — directly or via teams — and use SSO group → team mapping to drive permissions from your directory groups. See /docs/roles and /docs/teams.