# SCIM Provisioning

> Source: https://parallelworks.com/docs/organization-admin/scim

ACTIVATE exposes a **read-only SCIM 2.0 API** that lets external services synchronize your organization's users and groups. This is how systems outside ACTIVATE discover who your users are, what groups they belong to, and the POSIX identity and SSH keys associated with each account.

:::info Direction of sync
ACTIVATE is the **source** of identity, not a destination. Consuming services *read* users and groups from ACTIVATE; they cannot create, modify, or delete them through this API. Every write request (`POST`, `PUT`, `PATCH`, `DELETE`) returns `501 Not Implemented`.
:::

## Enabling SCIM

1. From the **Organizations** list, select your organization.
2. In the left sidebar, under **Settings**, click **SCIM Provisioning**.
3. Toggle **Enable SCIM provisioning**.

Once enabled, the page displays your organization's **SCIM endpoint URL**. Provide this URL to the consuming service:

```
https://<platform-host>/api/organizations/<organization>/scim/v2
```

The endpoint is scoped to a single organization - only that organization's users and groups are returned.

## Bearer Tokens

SCIM requests are authenticated with a bearer token. Tokens are scoped to the organization and are independent of any single user account.

To create a token:

1. On the **SCIM Provisioning** page, find the **Bearer Tokens** section.
2. Click **Create SCIM token**.
3. Enter a descriptive **name**. Optionally set an **expiration** (in days); leave it blank for a non-expiring token. Prefer an expiration for long-lived integrations: a non-expiring token stays valid until you delete it, so rotation is entirely manual.
4. Copy the generated token.

:::caution Tokens are shown once
The full token value is displayed only at creation time and is never shown again. Store it securely (for example in the consuming service's secret manager) before closing the dialog. If you lose it, revoke the token and create a new one.
:::

The consuming service sends the token as a standard bearer credential on every request:

```
Authorization: Bearer <token>
```

To revoke access, delete the token from the **Bearer Tokens** list. Any service using that token immediately loses access to the SCIM API. To confirm a new token before handing it to a service, request `GET /ServiceProviderConfig` with the header above: it takes no parameters and returns the capability document only when the token is accepted.

:::info Token creation requires a browser session
For security, SCIM tokens can only be minted from a logged-in browser session by an organization admin - not via the API itself.
:::

## What the API Exposes

The API implements the SCIM 2.0 discovery and resource endpoints:

| Endpoint | Purpose |
|----------|---------|
| `GET /ServiceProviderConfig` | Advertises supported capabilities (filtering, bearer auth). |
| `GET /ResourceTypes` | Lists the `User` and `Group` resource types. |
| `GET /Schemas` | Returns the core User/Group schemas plus the CoreWeave extensions. |
| `GET /Users`, `GET /Users/{id}` | List or fetch users. |
| `GET /Groups`, `GET /Groups/{id}` | List or fetch groups. |

### Filtering and pagination

- **Users** can be filtered by `userName`, `externalId`, or `displayName` using the `eq` operator, e.g. `?filter=userName eq "jdoe@example.com"` (URL-encode the whole filter, quotes included, when building the request).
- **Groups** can be filtered by `displayName eq`.
- Results are paginated with `startIndex` (1-based) and `count` (default 50, maximum 200).

### CoreWeave extension attributes

ACTIVATE groups map directly to SCIM groups, and ACTIVATE users to SCIM users. In addition to the standard SCIM fields, each resource carries a CoreWeave extension that exposes the POSIX identity consumers need to provision Linux accounts.

The extension blocks are **omitted by default** and are only returned when explicitly requested via the `attributes` query parameter (use the matching `CoreWeaveGroup` URN below when listing groups):

```
?attributes=urn:coreweave:params:scim:schemas:extension:coreweave:2.0:CoreWeaveUser
```

**User extension** (`urn:coreweave:params:scim:schemas:extension:coreweave:2.0:CoreWeaveUser`):

| Attribute | Description |
|-----------|-------------|
| `sunkPosixUsername` | The user's POSIX (Linux) username. |
| `sunkPosixUserId` | The user's POSIX UID. |
| `sunkPosixGroupId` | The user's primary POSIX GID. |
| `sunkLoginShell` | Login shell (defaults to `/bin/bash`). |
| `sunkPreferredHomeDirectory` | Home directory (defaults to `/home/<username>`). |
| `sunkSshKeys` | The user's registered authorized SSH public keys. |

**Group extension** (`urn:coreweave:params:scim:schemas:extension:coreweave:2.0:CoreWeaveGroup`):

| Attribute | Description |
|-----------|-------------|
| `sunkPosixGroupId` | The group's POSIX GID. |
| `sunkPosixGroupName` | The group's POSIX name. |

:::tip Excluding inactive users
When listing groups, pass `?excludeInactiveUsers=true` to drop disabled users from each group's member list. CoreWeave's identity cache uses this so that deactivated ACTIVATE accounts stop resolving on the cluster.
:::
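The consumer side of the filtering, pagination and extension rules above, as an added example that is not part of this page and not ACTIVATE's or CoreWeave's own code. It pages through `/Users` and `/Groups` with `startIndex`/`count`, requests the extension URNs explicitly, asks for `excludeInactiveUsers=true` on groups, skips users whose `active` flag is false, and turns the result into passwd/group-style records. The HTTP layer is injected so the block runs offline against a constructed directory; the hostname, organization name, token, sample accounts, key material and the failure status codes served by the stand-in (401 for a rejected token) are all assumptions.

```python
"""Read-only SCIM 2.0 consumer for an ACTIVATE organization endpoint.
Added example for this page, not ACTIVATE's or CoreWeave's own code. The HTTP layer is
injected as fetch(url, headers) -> (status, json_body) so the sample runs offline against
a constructed directory; host, organization, token and sample records are assumptions."""
from urllib.parse import urlencode, urlsplit, parse_qs

USER_EXT = "urn:coreweave:params:scim:schemas:extension:coreweave:2.0:CoreWeaveUser"
GROUP_EXT = "urn:coreweave:params:scim:schemas:extension:coreweave:2.0:CoreWeaveGroup"
PAGE_MAX = 200  # documented upper bound for `count`

def scim_filter(attr, value):
    """Build `attr eq "value"`; backslashes and quotes inside the value are escaped."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{attr} eq "{escaped}"'

class ScimClient:
    def __init__(self, base_url, token, fetch):
        self.base_url, self._fetch = base_url.rstrip("/"), fetch
        self.headers = {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}

    def _get(self, path, **params):  # urlencode() percent-encodes the filter and the extension URN
        url = f"{self.base_url}{path}?" + urlencode({k: v for k, v in params.items() if v is not None})
        status, body = self._fetch(url, self.headers)
        if status != 200:
            err = PermissionError if status == 401 else RuntimeError  # 401: revoked, expired or wrong-org token
            raise err(f"GET {path} returned {status}")
        return body

    def iter_resources(self, path, count=PAGE_MAX, **params):
        """Walk every page: startIndex is 1-based and advances by the items actually returned."""
        start = 1
        while True:
            page = self._get(path, startIndex=start, count=min(count, PAGE_MAX), **params)
            got = page.get("Resources", [])
            yield from got
            start += len(got)
            if not got or start > page.get("totalResults", 0):  # empty page guards against a bad total
                return

    def find_user(self, user_name):
        return next(self.iter_resources("/Users", filter=scim_filter("userName", user_name)), None)

def posix_entries(client, count=PAGE_MAX):
    """passwd-style records plus SSH keys; the user extension must be requested explicitly."""
    entries = []
    for user in client.iter_resources("/Users", count=count, attributes=USER_EXT):
        ext = user.get(USER_EXT)
        if not user.get("active", True) or not ext:  # never provision a disabled account
            continue
        name = ext["sunkPosixUsername"]
        entries.append({"name": name, "uid": int(ext["sunkPosixUserId"]), "gid": int(ext["sunkPosixGroupId"]),
                        "shell": ext.get("sunkLoginShell") or "/bin/bash",
                        "home": ext.get("sunkPreferredHomeDirectory") or f"/home/{name}",
                        "ssh_keys": list(ext.get("sunkSshKeys") or [])})
    return entries

def group_entries(client):
    """group-style records; excludeInactiveUsers makes the server drop disabled members."""
    groups = []
    for g in client.iter_resources("/Groups", attributes=GROUP_EXT, excludeInactiveUsers="true"):
        ext = g.get(GROUP_EXT) or {}
        groups.append({"name": ext.get("sunkPosixGroupName") or g["displayName"], "gid": int(ext["sunkPosixGroupId"]),
                       "members": [m["value"] for m in g.get("members", [])]})
    return groups

# Constructed sample directory and an offline stand-in for the network (not real accounts or keys).
SAMPLE_USERS = [
    {"id": "u1", "userName": "jdoe@example.com", "active": True,
     USER_EXT: {"sunkPosixUsername": "jdoe", "sunkPosixUserId": 2001, "sunkPosixGroupId": 3001,
                "sunkSshKeys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey jdoe"]}},
    {"id": "u2", "userName": "asmith@example.com", "active": True,
     USER_EXT: {"sunkPosixUsername": "asmith", "sunkPosixUserId": 2002, "sunkPosixGroupId": 3001,
                "sunkLoginShell": "/bin/zsh", "sunkSshKeys": []}},
    {"id": "u3", "userName": "former@example.com", "active": False,
     USER_EXT: {"sunkPosixUsername": "former", "sunkPosixUserId": 2003, "sunkPosixGroupId": 3001}},
]
SAMPLE_GROUPS = [{"id": "g1", "displayName": "researchers",
                  "members": [{"value": "u1"}, {"value": "u2"}, {"value": "u3"}],
                  GROUP_EXT: {"sunkPosixGroupId": 3001, "sunkPosixGroupName": "researchers"}}]

def fake_fetch(url, headers):
    """Serve SAMPLE_* with the documented semantics: bearer auth, `eq` filter, paging, extensions on request."""
    if headers.get("Authorization") != "Bearer test-token":
        return 401, {}
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    pool = {"/Users": SAMPLE_USERS, "/Groups": SAMPLE_GROUPS}.get(parts.path.rsplit("/scim/v2", 1)[-1])
    if pool is None:
        return 404, {}
    if "filter" in q:
        attr, _, value = q["filter"].partition(" eq ")
        pool = [r for r in pool if r.get(attr) == value.strip('"')]
    inactive = {u["id"] for u in SAMPLE_USERS if not u["active"]}
    start, count = int(q.get("startIndex", 1)), min(int(q.get("count", 50)), PAGE_MAX)
    page = []
    for r in pool[start - 1:start - 1 + count]:
        r = {k: v for k, v in r.items() if k not in (USER_EXT, GROUP_EXT) or k == q.get("attributes")}
        if q.get("excludeInactiveUsers") == "true" and "members" in r:
            r["members"] = [m for m in r["members"] if m["value"] not in inactive]
        page.append(r)
    return 200, {"totalResults": len(pool), "startIndex": start, "itemsPerPage": len(page), "Resources": page}
```

Construct a `ScimClient` with the organization's endpoint URL, the bearer token and a real fetch function (for example one built on `urllib.request`), then call `posix_entries(client)` and `group_entries(client)`; calling `posix_entries(client, count=2)` against the sample directory walks three users across two pages, which is the path a cluster of any size exercises. Note that the user listing filters on `active` client-side while the group listing relies on `excludeInactiveUsers`; doing both keeps a deactivated account out of `passwd` and out of every group even if one of the two checks is forgotten.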

## Next Steps

- [Connecting a CoreWeave Slurm Cluster](/docs/compute/connecting-coreweave-slurm) - the most common consumer of this API, which uses SCIM to populate Linux users, groups, and SSH keys on the cluster.
