Directory Provisioning (SCIM)
If your organization already manages people in an external identity provider — Okta, Microsoft Entra ID (Azure AD), OneLogin, or another — you can have it create and maintain the matching user and group records in Kanshin automatically, instead of adding people by hand. Kanshin does this with SCIM, the industry-standard System for Cross-domain Identity Management. You set it up from the SCIM area of the console.
How it works
Your identity provider is the source of truth; Kanshin is kept in step with it. When someone is added, changed, or deactivated in your provider, your provider tells Kanshin over SCIM, and Kanshin updates its directory to match — no manual re-entry.
Setup has two parts: create a token in Kanshin, then give that token to your identity provider.
Creating a provisioning token
Kanshin authenticates your identity provider with a bearer token you create:
- In the SCIM area, create a token and give it a name (for example “Okta production”).
- Kanshin shows you the token value once. Copy it then — it is stored only as a secure hash and cannot be shown again.
- You can list your tokens and revoke any of them at any time. Revoking a token immediately stops the provider that used it.
Each token belongs to your organization, and everything it provisions lands in your organization only — a token can never reach another organization’s directory.
Connecting your identity provider
In your identity provider’s SCIM/provisioning settings, enter:
- The SCIM base URL for Kanshin (your provider connects to Kanshin’s
/scim/v2endpoint). - The token you created, as the bearer token.
Your provider will verify the connection and then begin provisioning. Kanshin implements the standard SCIM 2.0 endpoints, so any SCIM-compliant provider can connect.
The provisioning lifecycle
Once connected, your identity provider manages the lifecycle for you:
| In your provider | In Kanshin |
|---|---|
| A person is assigned the app | A user record is created |
| Their details change | The user record is updated |
| A group is created or its membership changes | A group and its membership are updated |
| A person is deactivated | The user is marked inactive |
| A person is removed | The user record is removed |
Users are matched by their user name, and groups by their display name, each unique within your organization.
What SCIM syncs
SCIM keeps the directory itself — users, their core details, groups, and group membership — synchronized. It is the automated alternative to the manual Users and Groups management covered elsewhere: the same directory, maintained by your identity provider rather than by hand.
Related pages
- Users & People — the user records SCIM maintains
- Groups — the groups SCIM maintains
- Organizations & Realms — the per-organization isolation SCIM respects