Cosafe Support Center


Frequently Asked Questions about SCIM

General Questions

What is SCIM and why should I use it?

SCIM (System for Cross-domain Identity Management) is an industry-standard protocol for automating user identity management between systems. With SCIM integration, you can:

  • Automatically create user accounts when new employees join
  • Update user information when changes occur in your identity provider
  • Immediately remove accounts when employees leave
  • Reduce manual administrative work and human errors
  • Ensure consistent user data across systems

Which identity providers are supported?

  • Microsoft Entra ID (formerly Azure Active Directory, Azure AD)

To configure Cosafe SCIM with other IdPs, please contact support.

Technical Questions

What SCIM version does Cosafe support?

Cosafe implements the SCIM 2.0 protocol, specifically a subset of operations focused on standard user provisioning and group management, which is what the majority of identity providers use.

What happens if my API key is compromised?

If you suspect your API key has been compromised:

  1. Contact Cosafe support immediately at support@cosafe.com
  2. Support will deactivate the current key and issue a new one
  3. Update your identity provider configuration with the new key
  4. Monitor your identity provider audit logs

User and Group Management Questions

What user information is synchronized?

The following user attributes are synchronized:

  • Required: Username, display name
  • Optional: Phone numbers, job title
  • Status: Active status for account management

Updatable attributes:

  • Updatable: Username, display name, job title, phone numbers

For more information about attributes, see Supported Attributes.

What group information is synchronized?

The following group attributes are synchronized:

  • Optional: Display name

For information on how to remove the mapping of display name, see Step 5: Attribute Mapping Setup and scroll down a bit.

Can I use the same Group ID for multiple groups in Cosafe?

With the SCIM protocol, matching has to be unique: one externalId per Cosafe group.

Can I exclude certain users or groups from SCIM sync?

Yes, most identity providers allow you to:

  • Create the provisioning integration with a scope of assigned users and groups only
  • Configure scope limitations in your provisioning settings

Contact Cosafe support for specific configuration guidance.

How do invitations to Cosafe work with SCIM-created users?

When users are created through SCIM:

  • The users are activated immediately so they can log in with SSO or use the “forgot password” function.
  • At the moment, they do not automatically receive an invitation email. If you want the users to receive the invitation email, you need to invite them manually.

What happens if we reach our license limit when syncing in users?

SCIM will not be able to exceed the maximum limit. If the limit is reached, users will no longer be provisioned and your SCIM provider will error out. You will need to contact our support to increase the limit. Once additional licenses are available, the users will start to be provisioned again.

What happens when a user is deleted in my identity provider?

When a user is deleted or deactivated in your identity provider:

  • The user account in Cosafe is automatically deleted
  • The user loses access to Cosafe immediately
  • Historical data and audit logs are preserved

Can I manually override SCIM-managed data?

You can edit attributes that are not mapped via SCIM (Supported Attributes).

It is strongly recommended to not edit data and attributes mapped via SCIM. Doing this will result in conflicting or invalid user data between Cosafe and your IdP.

Can I still create users manually if I have enabled SCIM?

Yes! Users you create manually will be ignored by the SCIM synchronization, provided they are not managed by your identity provider.

This includes adding the user to SCIM managed groups.

What happens if a synced user, who was manually added to manually managed groups, is removed from its synced group?

If a user is set to inactive, deleted, or removed from all SCIM groups in your AD, the user will be deleted from Cosafe and removed from all groups, including manually managed groups.

However, if the user is still a member of one or more SCIM groups, the user will remain in any manually added groups until they are manually removed from those groups or until the user meets the criteria above.

Can I sync a user into an otherwise manually managed group?

Yes - but only under certain conditions.

If you have a manually managed group and want to sync specific users (for example, language teachers) into that group via AD/IdP, it will work as long as the other users in the group are not included in the same AD/IdP sync.

If a user’s email address is part of the synced directory, the identity provider (AD/IdP) will take control of that user’s group membership. In that case, manual group management may be overridden by the sync.

In short:

  • You can mix manual and synced users in a group
  • But only if the manually added users are not part of the synced AD/IdP scope

Can I add a manually created user to a synced group?

Yes.

You can manually add users to groups, even if those users come from AD/IdP. However:

  • If the group itself is SCIM-managed (synced), its membership is controlled by the identity provider.
  • SCIM will automatically add and remove users based on what is defined in AD/IdP.
  • Any manual changes to a SCIM-managed group may be overwritten during the next sync.

If the group is manually managed, you can freely add AD/IdP users to it - and SCIM will not automatically remove them unless the group itself is part of the sync configuration.

In short:

  • You can manually add AD/IdP users to manually managed groups
  • SCIM only controls groups that are configured for sync
  • Synced groups will always follow the IdP - manual edits may not persist

What happens if you move a synced group to another account in the admin panel?

When you move a group in the admin panel, you will be asked whether you want to add the users to the new account or remove them from the group.

  • If you choose Add, they will be added as usual and continue to be synced to the group in the new account.
  • If you choose Remove, the results may vary depending on your provider. For example, Entra may still consider the users as members of the group and therefore not add them again.

Important note

Please note that SCIM cannot remove users from the previous sub- or main account. The sync will only add users to the new account. If users need to be removed from their previous sub- or main account, this will need to be handled manually.

What happens to a user if the synced group gets deleted?

If the group is deleted in Entra:

  • If the user is synced via Entra and is only a member of that group, the user will be deleted.
  • If the user is synced via Entra and is a member of multiple groups, the user will remain in the remaining groups.

If the group is deleted in the admin panel:

  • The SCIM sync will error out, as there is no longer a matching group in Cosafe.
  • The users will remain in the account the groups belonged to.

Troubleshooting Questions

Users aren't syncing - what should I check?

Common troubleshooting steps:

  1. Verify API credentials:

    • Check API key is correct and active
    • Confirm SCIM Base URL format
    • Test connection via your identity provider integration configuration. Usually, in integration setup/credentials settings, after base-url and access-key/token fields, there's a button "Test", "Connect" or "Test connection".
  2. Check identity provider configuration:

    • Verify provisioning is enabled
    • Confirm that attribute mappings are correct
    • Confirm that groups and/or users are assigned to the SCIM integration

Why are some user attributes not syncing?

Possible causes:

  • Missing attribute mapping: Check your identity provider configuration
  • Unsupported attributes: Verify the attributes are supported by Cosafe SCIM and are mapped correctly in your identity provider configuration
  • Data format issues: Ensure data formats match expected SCIM standards

More details on mapping and format requirements are in Attribute Mapping Setup.
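
A pre-flight check for the causes listed above, as an added example that is not Cosafe's code: it validates a SCIM 2.0 User payload and reports anything that would explain a failed or partial sync. The attribute names (userName, displayName, title, phoneNumbers, active, externalId) come from the RFC 7643 core User schema, and their correspondence to the attributes listed in this FAQ is an assumption; the sample payloads are constructed.

```python
# Added example: pre-flight check of a SCIM 2.0 User payload.
# Attribute names follow the RFC 7643 core User schema; mapping them to the
# attributes named in this FAQ is an assumption, see Supported Attributes.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
REQUIRED = ("userName", "displayName")        # FAQ: username, display name
OPTIONAL = {"title", "phoneNumbers", "active", "externalId"}
ENVELOPE = {"schemas", "id", "meta"}          # SCIM resource bookkeeping


def check_user(payload):
    """Return a list of problems found in one SCIM User resource (a dict)."""
    problems = []
    if USER_SCHEMA not in payload.get("schemas", []):
        problems.append("schemas: core User URN missing")
    for name in REQUIRED:
        value = payload.get(name)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{name}: required, must be a non-empty string")
    if "title" in payload and not isinstance(payload["title"], str):
        problems.append("title: must be a string")
    # The string "true" is not a JSON boolean; SCIM defines active as boolean.
    if "active" in payload and not isinstance(payload["active"], bool):
        problems.append("active: must be a JSON boolean")
    phones = payload.get("phoneNumbers", [])
    if not isinstance(phones, list):
        problems.append("phoneNumbers: must be a list of objects")
    else:
        for i, entry in enumerate(phones):
            if not isinstance(entry, dict) or not isinstance(entry.get("value"), str):
                problems.append(f"phoneNumbers[{i}]: needs a string 'value'")
    known = set(REQUIRED) | OPTIONAL | ENVELOPE
    for name in sorted(set(payload) - known):
        problems.append(f"{name}: not in this FAQ's attribute list")
    return problems


# Constructed sample payloads, not captured from a real tenant.
GOOD = {"schemas": [USER_SCHEMA], "userName": "anna@example.com",
        "displayName": "Anna Berg", "title": "Teacher", "active": True,
        "phoneNumbers": [{"value": "+46700000000", "type": "mobile"}]}
BAD = {"schemas": [USER_SCHEMA], "userName": "", "active": "true",
       "phoneNumbers": ["+46700000000"], "nickName": "AB"}

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_user(sample) or "ok")
```
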

How do I handle group assignment issues?

For group assignment problems:

  1. Verify group mapping: Check that identity provider groups map to valid Cosafe group IDs
  2. Check group permissions: Ensure groups exist and are accessible in Cosafe
  3. Review attribute rules: Confirm group assignment in your identity provider

Implementation Questions

Can I migrate existing users to SCIM management?

Yes, existing users can be migrated to SCIM management.


Need More Help?

If you have questions not covered in this FAQ, email our support team at support@cosafe.com