Validate SCIM Provisioning

Test AuthOS SCIM lifecycle, token, schema, and endpoint behavior

AuthOS release 0.8.2 TypeScript SDK 0.8.0 Latest-only documentation
Updated Jul 15, 2026 Edit this page
On this page

Run these checks in staging after completing one provider recipe. Successful smoke tests do not establish SCIM compliance or general provider interoperability.

Step 3: Verify Provisioning

After configuring your identity provider, verify that provisioning works correctly.

Manual Verification

Check User Creation

// List all users in the organization
const users = await sso.organizations.listUsers('acme-corp');

// Check if a specific user exists
const specificUser = users.find(u => u.email === 'newuser@example.com');
console.log('User provisioned:', specificUser ? 'Yes' : 'No');

Monitor SCIM Token Usage

// List SCIM tokens to check last usage
const { tokens } = await sso.organizations.scim.listTokens('acme-corp');

tokens.forEach(token => {
  console.log(`Token: ${token.prefix}`);
  console.log(`Last used: ${token.last_used_at || 'Never'}`);
  console.log(`Expires: ${token.expires_at || 'Never'}`);
});

Testing Scenarios

Test 1: User Creation

  1. Add a new user to your IdP
  2. Assign them to the SSO application
  3. Wait for sync cycle (1-40 minutes depending on IdP)
  4. Verify user exists in AuthOS

Test 2: User Update

  1. Change a user’s email or name in IdP
  2. Wait for sync
  3. Verify the change reflects in AuthOS

Test 3: User Deactivation

  1. Suspend or remove a user from the application in IdP
  2. Wait for sync
  3. Verify user is deactivated (not deleted) in AuthOS
// Check user's active status
const user = await sso.organizations.getUser('acme-corp', 'user-id');
console.log('User active:', user.deleted_at === null);

Test 4: Group Membership

  1. Create a group in IdP and assign users
  2. Assign the group to the SSO application
  3. Verify all group members are provisioned

Monitoring Best Practices

Track Token Usage

// Monitor SCIM token usage weekly
async function auditScimTokens(orgSlug: string) {
  const { tokens } = await sso.organizations.scim.listTokens(orgSlug);

  for (const token of tokens) {
    const daysSinceUsed = token.last_used_at
      ? Math.floor((Date.now() - new Date(token.last_used_at).getTime()) / (1000 * 60 * 60 * 24))
      : Infinity;

    if (daysSinceUsed > 7) {
      console.warn(`Token ${token.prefix} not used in ${daysSinceUsed} days`);
    }

    if (token.expires_at) {
      const daysUntilExpiry = Math.floor((new Date(token.expires_at).getTime() - Date.now()) / (1000 * 60 * 60 * 24));
      if (daysUntilExpiry < 30) {
        console.warn(`Token ${token.prefix} expires in ${daysUntilExpiry} days`);
      }
    }
  }
}

Monitor Provisioning Events

Review organization audit logs for SCIM activity:

// Get recent user provisioning events
const auditLogs = await sso.organizations.getAuditLog('acme-corp', {
  action: 'user.joined',
  limit: 50
});

// Filter for SCIM-provisioned users (check details for SCIM source)
const scimProvisionedUsers = auditLogs.filter(log =>
  log.details?.source === 'scim'
);

console.log(`${scimProvisionedUsers.length} users provisioned via SCIM`);

Direct endpoint checks

Test SCIM Endpoints Directly

Use curl to test SCIM endpoints directly:

# List users
curl -X GET "https://sso.example.com/scim/v2/Users?count=10" \
  -H "Authorization: Bearer scim_live_your_token"

# Get specific user
curl -X GET "https://sso.example.com/scim/v2/Users/user-id" \
  -H "Authorization: Bearer scim_live_your_token"

# Test token authentication
curl -X GET "https://sso.example.com/scim/v2/Users?count=1" \
  -H "Authorization: Bearer scim_live_your_token" \
  -v

Validate the implemented SCIM behavior

Check the schemas returned by the endpoints you intend to use. This smoke test does not establish SCIM compliance or client interoperability:

# Verify SCIM endpoints return correct schemas
curl -X GET "https://sso.example.com/scim/v2/Users/user-id" \
  -H "Authorization: Bearer scim_live_your_token" | \
  jq '.schemas'

# Should return: ["urn:ietf:params:scim:schemas:core:2.0:User"]

Next steps

Resolve failures with SCIM troubleshooting and repeat the full lifecycle checks before rollout.