Run these checks in staging after completing one provider recipe. Successful smoke tests do not establish SCIM compliance or general provider interoperability.
Step 3: Verify Provisioning
After configuring your identity provider, verify that provisioning works correctly.
Manual Verification
Check User Creation
// List all users in the organization
const users = await sso.organizations.listUsers('acme-corp');
// Check if a specific user exists
const specificUser = users.find(u => u.email === 'newuser@example.com');
console.log('User provisioned:', specificUser ? 'Yes' : 'No');
Monitor SCIM Token Usage
// List SCIM tokens to check last usage
const { tokens } = await sso.organizations.scim.listTokens('acme-corp');
tokens.forEach(token => {
console.log(`Token: ${token.prefix}`);
console.log(`Last used: ${token.last_used_at || 'Never'}`);
console.log(`Expires: ${token.expires_at || 'Never'}`);
});
Testing Scenarios
Test 1: User Creation
- Add a new user to your IdP
- Assign them to the SSO application
- Wait for sync cycle (1-40 minutes depending on IdP)
- Verify user exists in AuthOS
Test 2: User Update
- Change a user’s email or name in IdP
- Wait for sync
- Verify the change reflects in AuthOS
Test 3: User Deactivation
- Suspend or remove a user from the application in IdP
- Wait for sync
- Verify user is deactivated (not deleted) in AuthOS
// Check user's active status
const user = await sso.organizations.getUser('acme-corp', 'user-id');
console.log('User active:', user.deleted_at === null);
Test 4: Group Membership
- Create a group in IdP and assign users
- Assign the group to the SSO application
- Verify all group members are provisioned
Monitoring Best Practices
Track Token Usage
// Monitor SCIM token usage weekly
async function auditScimTokens(orgSlug: string) {
const { tokens } = await sso.organizations.scim.listTokens(orgSlug);
for (const token of tokens) {
const daysSinceUsed = token.last_used_at
? Math.floor((Date.now() - new Date(token.last_used_at).getTime()) / (1000 * 60 * 60 * 24))
: Infinity;
if (daysSinceUsed > 7) {
console.warn(`Token ${token.prefix} not used in ${daysSinceUsed} days`);
}
if (token.expires_at) {
const daysUntilExpiry = Math.floor((new Date(token.expires_at).getTime() - Date.now()) / (1000 * 60 * 60 * 24));
if (daysUntilExpiry < 30) {
console.warn(`Token ${token.prefix} expires in ${daysUntilExpiry} days`);
}
}
}
}
Monitor Provisioning Events
Review organization audit logs for SCIM activity:
// Get recent user provisioning events
const auditLogs = await sso.organizations.getAuditLog('acme-corp', {
action: 'user.joined',
limit: 50
});
// Filter for SCIM-provisioned users (check details for SCIM source)
const scimProvisionedUsers = auditLogs.filter(log =>
log.details?.source === 'scim'
);
console.log(`${scimProvisionedUsers.length} users provisioned via SCIM`);
Direct endpoint checks
Test SCIM Endpoints Directly
Use curl to test SCIM endpoints directly:
# List users
curl -X GET "https://sso.example.com/scim/v2/Users?count=10" \
-H "Authorization: Bearer scim_live_your_token"
# Get specific user
curl -X GET "https://sso.example.com/scim/v2/Users/user-id" \
-H "Authorization: Bearer scim_live_your_token"
# Test token authentication
curl -X GET "https://sso.example.com/scim/v2/Users?count=1" \
-H "Authorization: Bearer scim_live_your_token" \
-v
Validate the implemented SCIM behavior
Check the schemas returned by the endpoints you intend to use. This smoke test does not establish SCIM compliance or client interoperability:
# Verify SCIM endpoints return correct schemas
curl -X GET "https://sso.example.com/scim/v2/Users/user-id" \
-H "Authorization: Bearer scim_live_your_token" | \
jq '.schemas'
# Should return: ["urn:ietf:params:scim:schemas:core:2.0:User"]
Next steps
Resolve failures with SCIM troubleshooting and repeat the full lifecycle checks before rollout.