SCIM

The SCIM integration lets any SCIM 2.0-compatible identity provider (Okta, Azure AD / Entra, JumpCloud, OneLogin, Google Workspace via SCIM, etc.) provision users and groups directly into Akiles.

Unlike the other integrations, SCIM is push-based: your identity provider sends user and group changes to Akiles as they happen. Akiles does not poll or connect back to the IdP — everything is initiated from the IdP side.

Connecting SCIM

  1. In the Akiles admin panel, go to Integrations and create a new SCIM integration.
  2. After creating it, two values will appear on the integration page:
    • SCIM endpoint — The base URL your IdP should use (e.g. https://integrations.akiles.app/scim/int_xxxxxxx).
    • Bearer token — The secret used by your IdP to authenticate its requests.
  3. Copy both values and paste them into your IdP’s SCIM configuration.

Warning

Keep the bearer token secret. Anyone with the token can create, modify, and delete users and groups in this integration.

Resource mapping

Akiles exposes two kinds of resources for a SCIM integration:

For each resource, you can assign an Akiles member group. This determines which doors users in that group will be able to access. A user can belong to multiple groups, and each group can be mapped to a different Akiles member group.

Users with no matching resource mappings will not be synced.

How members are synced

Each active user pushed by your IdP becomes a member in Akiles. The member’s name and email come from the SCIM userName and name attributes.

Users marked as inactive (active: false) by the IdP — for example, when you deactivate them in Okta — are skipped and will not have access in Akiles.

When a user is added to or removed from a group in your IdP, their Akiles access is updated accordingly the next time the IdP pushes the change.

Note

Akiles is a pure SCIM receiver. It does not push anything back to the IdP — PINs, Magic Links, and any other Akiles-side state are not reflected in your IdP.

Settings

PIN

When enabled, Akiles generates a random PIN for each synced member. The PIN is managed entirely within Akiles and is not written back to the IdP. The user can view it if they log in to the Akiles app with their email.

Configuring Okta

To push users and groups from Okta to Akiles:

1. Add the SCIM application

  1. In Okta, go to Applications → Applications and click Browse App Catalog.
  2. Search for “SCIM 2.0 Test App (OAuth Bearer Token)” and add it.
  3. In General Settings:
    • Application label: Akiles SCIM (or any name you prefer).
    • Enable Do not display application icon to users.
    • Select Secure Web Authentication.
    • Select Administrator sets username and password.
    • Set Application username format to Email.
  4. Save.

2. Configure the API integration

  1. Go to the Provisioning tab and click Configure API integration.
  2. Check Enable API integration.
  3. Fill in:
    • SCIM 2.0 Base Url: paste the SCIM endpoint from the Akiles integration page.
    • OAuth Bearer Token: paste the bearer token from the Akiles integration page.
  4. Click Test API credentials and confirm there are no errors.
  5. Click Save.

3. Enable user provisioning

On the Provisioning tab, next to Provisioning to App, click Edit and enable:

Save.

4. Assign users and groups

  1. Go to the Assignments tab and assign the Okta users you want to push to Akiles. You can choose to push individual users, or push all users in a group.
  2. Go to the Push Groups tab and add the Okta groups you want to push. Without this step, Okta will push the users inside assigned groups but not the groups themselves.

Once configured, Okta will push users and group memberships to Akiles in real time. You can monitor the push activity from Okta’s Dashboard → Reports → System Log.

Warning

Suspending a user in Okta does not revoke their Akiles access. Okta treats suspension as an Okta-internal action — it blocks sign-in to Okta itself but does not notify downstream SCIM apps, so Akiles never sees the change and the user keeps their access.

To revoke access, deactivate the user in Okta instead (or unassign them from the Akiles SCIM app). Deactivation triggers a SCIM active: false update, which Akiles uses to remove the member’s access.
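
The difference between suspension and deactivation can be modeled on the receiver side. The following is an added example, not Akiles or Okta code: it applies a SCIM 2.0 PatchOp that sets active to false and recomputes access using the sync rules described above. The user names, group names, the "Office doors" member group, the group-only mapping and the exact shape of the PatchOp body are assumptions made for illustration.

```python
# Added example: models the sync rules this page describes. Not Akiles code.
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def _to_bool(v):
    # Tolerate booleans sent as strings such as "False".
    return v.strip().lower() == "true" if isinstance(v, str) else bool(v)

def apply_user_patch(user, patch):
    """Apply RFC 7644 PatchOp 'replace' operations that touch 'active'."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    for op in patch["Operations"]:
        if op["op"].lower() != "replace":
            continue  # other operations are outside this model
        value = op.get("value")
        if op.get("path") == "active":  # form with an explicit path
            user["active"] = _to_bool(value)
        elif "path" not in op and isinstance(value, dict) and "active" in value:
            user["active"] = _to_bool(value["active"])  # path-less form
    return user

def effective_access(users, groups, mapping):
    """Map userName -> member groups. Inactive users are skipped, and users
    with no mapped group are not synced, as the page states."""
    access = {}
    for uid, user in users.items():
        if not user["active"]:
            continue
        mapped = {mapping[g] for g, members in groups.items()
                  if uid in members and g in mapping}
        if mapped:
            access[user["userName"]] = mapped
    return access

def demo():
    # Constructed receiver-side state after the initial pushes.
    users = {
        "u1": {"userName": "alice@example.com", "active": True},
        "u2": {"userName": "bob@example.com", "active": True},
        "u3": {"userName": "carol@example.com", "active": True},
    }
    groups = {"Engineering": {"u1", "u2"}, "Contractors": {"u3"}}
    mapping = {"Engineering": "Office doors"}  # hypothetical member group
    # Bob is suspended in the IdP: no SCIM request arrives, nothing changes.
    before = effective_access(users, groups, mapping)
    # Alice is deactivated: the IdP sends a PatchOp setting active to false.
    apply_user_patch(users["u1"], {"schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "value": {"active": False}}]})
    return before, effective_access(users, groups, mapping)
```

In the result of `demo()`, the suspended user still appears in the access map after the deactivated user has dropped out, which is the condition to look for when reconciling IdP user status against Akiles members.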

Configuring Microsoft Entra

To push users and groups from Microsoft Entra (formerly Azure AD) to Akiles:

1. Create the application

  1. Sign in to the Microsoft Entra admin center as at least an Application Administrator.
  2. Browse to Entra ID → Enterprise apps.
  3. Click + New application → + Create your own application.
  4. Fill in:
    • What’s the name of your app?: Akiles SCIM (or any name you prefer).
    • What are you looking to do with your application?: select Integrate any other application you don’t find in the gallery (Non-gallery).
  5. Click Create.

2. Configure provisioning

  1. In the app management screen, select Provisioning in the left panel.
  2. Click + New configuration.
  3. Fill in:
    • Select authentication method: Bearer authentication.
    • Tenant URL: paste the SCIM endpoint from the Akiles integration page.
    • Secret token: paste the bearer token from the Akiles integration page.
  4. Click Test connection and confirm there are no errors.
  5. Click Create.

3. Assign users and groups

  1. In the application page, go to Manage → Users and groups.
  2. Click Add user / group to add the users and groups you want to sync.

4. Start provisioning

In the application provisioning overview, click Start provisioning.

Once configured, Entra will push users and group memberships to Akiles automatically. You can monitor the sync activity from the Provisioning logs in the application page.

Warning

Entra syncs every 40 minutes, so changes in Entra will not be reflected in Akiles in real time. This is an Entra limitation and cannot be changed. To expedite a sync manually, use the Provision on demand option in the application’s provisioning page.