# SCIM Provisioning - LinkTime Documentation

> Automatic user provisioning and deprovisioning from identity providers via SCIM 2.0.
> Source: https://linktime.io/docs/enterprise/scim-provisioning
> Last updated: March 2026

## What is SCIM?

SCIM (System for Cross-domain Identity Management) is an industry standard protocol that lets your company's user directory — managed through an Identity Provider (IdP) like Okta, Azure AD, or Google Workspace — automatically push user changes to the apps your team uses.

Without SCIM, org admins manually invite each user and must remember to remove them when they leave. With SCIM, your IdP handles it automatically. When a new hire is added to your company directory, they get a LinkTime account instantly. When someone leaves, their access is revoked and upcoming bookings are cancelled — no manual work, no forgotten accounts.

## Overview

LinkTime supports SCIM 2.0 for automatic user sync. Requires **Business plan** and org **ADMIN** role.

## SCIM Base URL

```
https://linktime.io/api/scim/v2
```

## Authentication

SCIM uses a separate bearer token (not your API key):

```
Authorization: Bearer lt_scim_...
```

Generate a token from **Organization → SCIM** in your dashboard. The token is shown once — copy it immediately.

## Endpoints

| Method | Path | Description |
|--------|------|-------------|
| `GET` | `/api/scim/v2/ServiceProviderConfig` | Capabilities discovery (required by Azure AD) |
| `GET` | `/api/scim/v2/Schemas` | User schema definition |
| `GET` | `/api/scim/v2/ResourceTypes` | Supported resource types |
| `GET` | `/api/scim/v2/Users` | List users (supports filter, pagination) |
| `POST` | `/api/scim/v2/Users` | Provision new user |
| `GET` | `/api/scim/v2/Users/{id}` | Get user by ID |
| `PUT` | `/api/scim/v2/Users/{id}` | Full replace (nulls missing fields) |
| `PATCH` | `/api/scim/v2/Users/{id}` | Partial update |
| `DELETE` | `/api/scim/v2/Users/{id}` | Deprovision user |

## Filtering

Supported operators: `eq`, `co`, `sw`

Supported attributes: `userName`, `externalId`, `emails.value`, `displayName`

Example: `GET /api/scim/v2/Users?filter=userName eq "user@example.com"`

Unsupported filters return an empty list (not an error).

## User Lifecycle

- **Provision (POST):** Creates user as org MEMBER. If email matches an existing LinkTime user, links them instead of creating a duplicate.
- **Update (PUT/PATCH):** Updates name and email. Azure AD non-standard PATCH format (`{ op: "replace", value: { active: false } }`) is supported.
- **Deprovision (DELETE):** Cancels upcoming bookings, removes team memberships, removes org membership. User record and booking history are preserved.

## Okta Setup

1. Go to **Applications → Create App Integration → SCIM 2.0**
2. Set SCIM connector base URL to: `https://linktime.io/api/scim/v2`
3. Set Unique identifier field to: `userName`
4. Authentication Mode: **HTTP Header** → paste your SCIM token
5. Enable provisioning actions: **Create Users**, **Deactivate Users**

## Azure AD (Entra ID) Setup

1. Go to **Enterprise Applications → New Application → Create your own**
2. Under **Provisioning**, set Mode to **Automatic**
3. Tenant URL: `https://linktime.io/api/scim/v2`
4. Secret Token: paste your SCIM token
5. Click **Test Connection**, then **Save**
6. Under **Mappings**, configure user attribute mappings

## Security

- SCIM tokens use SHA-256 hashing — only the hash is stored
- Tokens start with `lt_scim_` prefix for identification
- All SCIM operations are recorded in the audit log
- Token generation and revocation require org ADMIN role
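
Because unsupported filters return an empty list rather than an error (see Filtering), an access-review or offboarding script can mistake "filter not supported" for "user not present". The following is an added example, not LinkTime's own code: it checks a filter against the documented operators and attributes before it is sent and JSON-escapes the value. The function names are hypothetical, and the `ListResponse` shape is assumed from RFC 7644.

```python
import json
from urllib.parse import quote, urlencode

# Base URL, operators and attributes are copied from the documentation above.
SCIM_BASE = "https://linktime.io/api/scim/v2"
SUPPORTED_OPS = {"eq", "co", "sw"}
SUPPORTED_ATTRS = {"userName", "externalId", "emails.value", "displayName"}
# Assumption: list responses carry the standard RFC 7644 schema URN.
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def build_user_filter(attr: str, op: str, value: str) -> str:
    """Return a SCIM filter string, refusing anything the server would
    silently answer with an empty list."""
    # Match the documented spelling exactly; whether other casings are
    # accepted is not stated on the page.
    if attr not in SUPPORTED_ATTRS:
        raise ValueError(f"unsupported filter attribute: {attr!r}")
    if op not in SUPPORTED_OPS:
        raise ValueError(f"unsupported filter operator: {op!r}")
    if not isinstance(value, str):
        raise ValueError("filter value must be a string")
    # Filter values are JSON strings; json.dumps escapes embedded quotes and
    # backslashes so the value cannot terminate its own literal.
    return f"{attr} {op} {json.dumps(value)}"


def users_query_url(attr: str, op: str, value: str) -> str:
    """Build the GET /Users URL with the filter percent-encoded."""
    query = urlencode({"filter": build_user_filter(attr, op, value)},
                      quote_via=quote)
    return f"{SCIM_BASE}/Users?{query}"


def user_absent(list_response: dict) -> bool:
    """True only when a well-formed ListResponse reports zero matches."""
    if LIST_RESPONSE not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return (list_response.get("totalResults") == 0
            and not list_response.get("Resources"))
```

Send the resulting URL with the `Authorization: Bearer lt_scim_...` header; treat `user_absent(...)` as meaningful only for filters that passed `build_user_filter`.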