SCIM Provisioning

SCIM (System for Cross-domain Identity Management) lets your identity provider automatically manage users in CRA Evidence. When someone joins your company and is assigned to CRA Evidence in Okta or Azure AD, they're automatically provisioned. When they leave, they're automatically deprovisioned.

This feature is available on Enterprise plans.

How It Works

  1. You create a SCIM client in CRA Evidence and get a bearer token
  2. You configure your identity provider with our SCIM endpoint and the token
  3. When you assign users to CRA Evidence in your IdP, they're automatically created here
  4. When you remove users, they're automatically deactivated

No more manual user management. No more forgotten accounts after someone leaves.

Supported Identity Providers

CRA Evidence works with any SCIM 2.0-compliant identity provider, including:

  • Okta
  • Azure Active Directory (Microsoft Entra ID)
  • Google Workspace
  • OneLogin
  • JumpCloud

If your IdP supports SCIM 2.0, it should work with CRA Evidence.

Setting Up SCIM

Step 1: Create a SCIM Client

Go to Settings > SCIM Provisioning and click "Add SCIM Client".

Enter a name for the client (e.g., "Okta Production"). If you've already configured SAML SSO with this IdP, you can optionally link them together for easier management.

Configure the provisioning settings:

Default Role determines what role new users get. Choose Member for people who need to create and edit products, or Viewer for read-only access.

Auto-activate controls whether new users can log in immediately. Enable this for seamless onboarding. Disable it if you want to manually approve each user.

Sync Attributes determines whether CRA Evidence updates user names and preferences when your IdP sends changes. Usually you want this enabled.

Click "Create Client". A bearer token appears on screen. Copy this token immediately and store it securely. This is the only time you'll see it.

Step 2: Configure Your Identity Provider

In your identity provider, find the SCIM provisioning settings for CRA Evidence. Each IdP is slightly different, but you'll need:

SCIM Endpoint:

https://app.craevidence.com/scim/v2

Authentication: Bearer Token

Token: Paste the token you copied in Step 1

Test the connection in your IdP to verify everything is working.

Step 3: Assign Users

In your IdP, assign users or groups to the CRA Evidence application. Within a few seconds, those users appear in your CRA Evidence organisation.

Managing SCIM Clients

Viewing Statistics

The SCIM settings page shows statistics for each client:

  • Users created (total provisioned)
  • Users updated (total sync operations)
  • Users deactivated (total deprovisioned)
  • Last sync time

Click on a client to see detailed provisioning logs.

Rotating Tokens

If you suspect a token has been compromised, or as part of regular security hygiene, you can rotate it:

  1. Go to Settings > SCIM Provisioning
  2. Click on the client
  3. Click "Rotate Token"
  4. Copy the new token immediately
  5. Update the token in your IdP

The old token stops working immediately, so update your IdP promptly to avoid provisioning interruptions.

Enabling and Disabling

You can temporarily disable a SCIM client without deleting it. This stops all provisioning from that IdP while you troubleshoot issues or make changes.

Deleting a Client

Deleting a SCIM client removes the connection entirely. Users already provisioned remain in CRA Evidence but won't receive further updates from the IdP. You'd need to manage them manually or create a new SCIM client.

Provisioning Behaviour

User Creation

When your IdP provisions a user:

  1. CRA Evidence checks if the email address already exists
  2. If new, creates the user with the default role you configured
  3. If auto-activate is enabled, the user can log in immediately
  4. Logs the provisioning event

User Updates

When your IdP updates a user (name change, etc.):

  1. If sync attributes is enabled, CRA Evidence updates the user's profile
  2. The user's role isn't changed (roles are managed in CRA Evidence)
  3. Logs the update event

User Deactivation

When you remove someone from the CRA Evidence app in your IdP:

  1. CRA Evidence marks the user as inactive
  2. They can no longer log in
  3. Their data remains (for audit purposes)
  4. Logs the deactivation event

If you want to permanently delete users when they're removed from your IdP, enable the "Allow Deletion" option on the SCIM client. Use this with caution as it permanently removes user data.

Reactivation

If you re-assign someone to CRA Evidence in your IdP, they're automatically reactivated. Their previous data and access are restored.
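
The deactivation and reactivation described above reach a SCIM 2.0 service as PATCH requests that change the user's "active" attribute (RFC 7644, section 3.5.2). The following is an added example, not CRA Evidence's own code: it reads that change out of a request body, accepting the path and path-less forms and a boolean sent as a string. The sample bodies are constructed.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample bodies for PATCH /Users/{id}; not captured traffic.
DEACTIVATE_PATHLESS = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "replace", "value": {"active": False}}]})
DEACTIVATE_STRING = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "Replace", "path": "active", "value": "False"}]})
REACTIVATE = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "replace", "path": "active", "value": True}]})
RENAME = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "replace", "path": "name.givenName", "value": "Ana"}]})


def _as_bool(value):
    # 'active' is a boolean in the SCIM core schema, but some IdPs send it as a string.
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    # Refuse to guess: an unreadable value must surface as a failed operation.
    raise ValueError(f"unsupported value for 'active': {value!r}")


def active_change(body):
    """Return True (reactivate), False (deactivate) or None (no change to 'active')."""
    doc = json.loads(body)
    if PATCH_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = None
    for op in doc.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("add", "replace"):
            continue
        path, value = op.get("path"), op.get("value")
        if path is None and isinstance(value, dict) and "active" in value:
            result = _as_bool(value["active"])   # path-less form: value is an object
        elif isinstance(path, str) and path.lower() == "active":
            result = _as_bool(value)             # path form: value is the scalar
    return result


if __name__ == "__main__":
    for name in ("DEACTIVATE_PATHLESS", "DEACTIVATE_STRING", "REACTIVATE", "RENAME"):
        print(name, "->", active_change(globals()[name]))
```

A body that cannot be interpreted raises an error instead of being skipped, so a missed deactivation appears as a failed operation in the provisioning log.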

Troubleshooting

Users Not Being Provisioned

Check these common issues:

  1. Token is correct. Copy it fresh from CRA Evidence and paste into your IdP
  2. SCIM client is enabled. Make sure it hasn't been disabled in CRA Evidence
  3. Users are assigned. In your IdP, verify users or groups are assigned to CRA Evidence
  4. No network issues. Your IdP must be able to reach app.craevidence.com

Look at the provisioning logs in your SCIM client detail page for specific error messages.

Users Can't Log In

If provisioned users can't log in:

  1. Auto-activate is disabled. Enable it, or manually activate users in Settings > Members
  2. User is deactivated. Check if they were previously deactivated
  3. SSO is enforced. If you enforce SSO, users must log in via your IdP, not with a password

Token Stopped Working

If your IdP suddenly can't connect:

  1. Token was rotated. Check if someone rotated the token
  2. Client was disabled. Check if the SCIM client is enabled
  3. Client was deleted. Check if it still exists

If the token was rotated, get the new one from the SCIM client detail page.

Audit Trail

All SCIM operations are logged. Go to the SCIM client detail page to see:

  • What operation occurred (create, update, deactivate)
  • Which user was affected
  • When it happened
  • Whether it succeeded or failed
  • Error details if it failed

These logs are retained for 10 years to meet CRA audit requirements.

Best Practices

Start with a test group. Before rolling out to everyone, provision a small test group and verify everything works.

Use auto-activate. Manual approval creates friction. Most organisations want seamless onboarding.

Rotate tokens periodically. Treat SCIM tokens like other credentials. Rotate them annually or when team members with access leave.

Link SSO and SCIM. If you're using both SAML SSO and SCIM from the same IdP, link them in CRA Evidence for easier management.

Monitor provisioning logs. Periodically check for failed operations that might indicate configuration issues.
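
One way to carry out the log check recommended above, using the details listed under Audit Trail. This is an added example, not part of CRA Evidence: it assumes the provisioning log entries have been copied into JSON Lines, and the field names, error strings and sample entries are hypothetical and constructed for illustration.

```python
import json

# Constructed sample log, one JSON object per line. The field names are
# hypothetical; they mirror the details the Audit Trail section lists.
SAMPLE_LOG = """\
{"time": "2026-02-02T09:00:00Z", "operation": "create", "user": "ana@example.com", "success": true, "error": null}
{"time": "2026-02-03T10:15:00Z", "operation": "deactivate", "user": "ben@example.com", "success": false, "error": "timeout"}
{"time": "2026-02-03T10:20:00Z", "operation": "deactivate", "user": "ben@example.com", "success": true, "error": null}
{"time": "2026-02-05T08:00:00Z", "operation": "update", "user": "ana@example.com", "success": true, "error": null}
{"time": "2026-02-09T14:00:00Z", "operation": "deactivate", "user": "cy@example.com", "success": false, "error": "unauthorized"}
{"time": "2026-02-09T14:05:00Z", "operation": "update", "user": "ana@example.com", "success": false, "error": "unauthorized"}
"""


def load(text):
    """Parse JSON Lines into entries sorted by timestamp (ISO 8601 UTC sorts as text)."""
    entries = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(entries, key=lambda e: e["time"])


def pending_deactivations(entries):
    """Map user -> last error for deactivations that failed and never later succeeded."""
    pending = {}
    for e in entries:
        if e["operation"] != "deactivate":
            continue
        if e["success"]:
            pending.pop(e["user"], None)   # a later success clears the earlier failure
        else:
            pending[e["user"]] = e["error"]
    return pending


def trailing_failures(entries):
    """Count consecutive failed operations at the end of the log."""
    count = 0
    for e in reversed(entries):
        if e["success"]:
            break
        count += 1
    return count


if __name__ == "__main__":
    log = load(SAMPLE_LOG)
    for user, error in pending_deactivations(log).items():
        print(f"REVIEW {user}: deactivation failed ({error}); account may still be active")
    if trailing_failures(log) >= 2:
        print("ALERT: latest operations all failed; check token and client status")
```

A failed deactivation is the entry to chase first, because the person has been removed in the IdP but their account may still be able to log in.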

Last updated February 27, 2026