SCIM integration - Basics


SCIM Provisioning with KZero Passwordless


🔷 Why SCIM is important for MSPs

SCIM allows you to automatically manage the full user lifecycle from KZero.

🟢 Automatically create users
🟢 Update user information
🔴 Instantly deactivate users
🟢 Reduce manual errors
🟢 Strengthen offboarding security

SCIM manages identities. KZero Passwordless manages authentication. Together, they ensure full lifecycle control.

Warning
Prerequisites:
  1. SSO (SAML or OIDC) is already configured
  2. You have Admin access to KZero
  3. You selected the correct tenant
  4. The target application supports SCIM 2.0

1) Select the correct tenant

  1. Log in to the KZero Admin Dashboard
  2. Select the appropriate tenant


MSP tip: Always double-check the tenant before enabling SCIM.

2) Enable the SCIM endpoint

From the left navigation menu:
  1. Click Integrations
  2. Click SCIM
  3. Enable Endpoint Configuration

Once enabled, the SCIM configuration panel appears.

3) Understanding the configuration fields

🧩 Profile

Options: Generic, Azure

  1. Generic → Recommended in most cases
  2. Azure → Use only when integrating specifically with Microsoft Entra ID


Notes
If unsure, choose Generic.

🔐 Use Remote Token Authentication

When enabled, SCIM uses OAuth 2.0 (Client Credentials flow) with a Client ID and Client Secret.

🟢 Recommended for production environments
🟠 Optional in test environments
  1. Requires the Token Endpoint

🔷 Integration details (generated by KZero)

🌐 SCIM Endpoint (Mandatory)

https://ca.auth.kzero.com/realms/<TENANT_NAME>/scim/v2

Used to create, update, and deactivate users (and groups if supported).


🎟 Token Endpoint (Required if Remote Token Authentication is enabled)

https://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/openid-connect/token

Used by the application to request an access token.


🆔 Client ID (Required if Remote Token Authentication is enabled)

Provided by KZero in your dashboard.


🔑 Client Secret (Required if Remote Token Authentication is enabled)

Provided by KZero. Treat it like a password and store it securely.


🔍 What is mandatory vs optional?

Always required:
  1. Profile
  2. SCIM Endpoint
Required only if Remote Token Authentication is enabled:
  1. Token Endpoint
  2. Client ID
  3. Client Secret
Notes
If Remote Token Authentication is disabled, some applications may use a simpler provisioning method.


🚀 What happens after activation?

🟢 Creating a user in KZero automatically creates the account in the application
🟢 Updating user information synchronizes changes
🔴 Disabling a user removes access

🛡 Why SCIM + Passwordless is a security advantage

Traditional password managers rely on a master password. KZero does not.

🟢 Identity is provisioned automatically
🟢 Authentication stays passwordless
🟢 No master password exists
🟢 Access removal is instant


⭐ MSP best practices

- Use separate SCIM credentials per tenant
- Rotate Client Secrets periodically
- Test provisioning with a pilot user before full rollout
- Verify deactivation behavior
- Monitor provisioning logs after activation
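
A pre-flight check for the rules under "What is mandatory vs optional?" and for two of the MSP practices above (correct tenant, separate credentials per tenant). This is an added example, not KZero code: the dict layout, tenant names and Client IDs are hypothetical, and the host `ca.auth.kzero.com` is assumed from the URLs shown on this page.

```python
import re
from collections import defaultdict

# URL shapes as shown under "Integration details"; the realm segment is the tenant.
REALM = r"^https://ca\.auth\.kzero\.com/realms/([^/]+)/"
SCIM_RE = re.compile(REALM + r"scim/v2$")
TOKEN_RE = re.compile(REALM + r"protocol/openid-connect/token$")


def check_tenant(cfg):
    """Return findings for one tenant's SCIM settings (hypothetical dict layout)."""
    findings = []
    if cfg.get("profile") not in ("Generic", "Azure"):
        findings.append("profile must be Generic or Azure")
    urls = [("scim_endpoint", SCIM_RE)]          # always required
    if cfg.get("remote_token_auth"):             # OAuth 2.0 client credentials
        urls.append(("token_endpoint", TOKEN_RE))
        for field in ("client_id", "client_secret"):
            if not cfg.get(field):
                findings.append(field + " is required with remote token auth")
    for field, pattern in urls:
        match = pattern.match(cfg.get(field, ""))
        if not match:
            findings.append(field + " is missing or malformed")
        elif match.group(1) != cfg["tenant"]:    # URL copied from another tenant
            findings.append(field + " points at tenant " + match.group(1))
    return findings


def shared_client_ids(configs):
    """Map each Client ID configured for more than one tenant to those tenants."""
    seen = defaultdict(list)
    for cfg in configs:
        if cfg.get("client_id"):
            seen[cfg["client_id"]].append(cfg["tenant"])
    return {cid: tenants for cid, tenants in seen.items() if len(tenants) > 1}


# Constructed inventory; "globex" carries values pasted from "acme" and no secret.
URL, TOKEN = "https://ca.auth.kzero.com/realms/", "/protocol/openid-connect/token"
INVENTORY = [
    {"tenant": "acme", "profile": "Generic", "remote_token_auth": True,
     "client_id": "scim-acme", "client_secret": "placeholder-from-vault",
     "scim_endpoint": URL + "acme/scim/v2", "token_endpoint": URL + "acme" + TOKEN},
    {"tenant": "globex", "profile": "Azure", "remote_token_auth": True,
     "client_id": "scim-acme", "client_secret": "",
     "scim_endpoint": URL + "acme/scim/v2", "token_endpoint": URL + "globex" + TOKEN},
]
print({c["tenant"]: check_tenant(c) for c in INVENTORY}, shared_client_ids(INVENTORY))
```

Run it against an export of your own tenant settings before enabling the endpoint; an empty findings list and an empty shared-ID map are the expected result.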