Access Control · Identity

User access follows your identity provider automatically

SCIM provisioning connects your identity provider to Cosmo. New users get invited automatically. Departing users are deactivated immediately. No manual steps in between.

No manual onboarding. No delayed offboarding.

Available on Enterprise

The problem

Manual provisioning creates security gaps

User access that depends on manual steps depends on someone remembering to do them. Onboarding is delayed. Offboarding is incomplete. Audit trails don't add up.

New hires wait days for tool access

Manual invitations require an administrator to notice a new hire, find the right access level, and send the invitation. Access is delayed when the process depends on humans remembering.

Departing employees retain access

Offboarding requires visiting every tool individually. One step missed means a former employee retains access. The risk window grows with every tool added to the stack.

User data drifts between systems

When attributes change in the identity provider — name, team, role — those changes don't automatically reach Cosmo. Two systems, two sources of truth, neither fully correct.

Our solution

Automated user lifecycle via SCIM

Cosmo implements the SCIM standard. Your identity provider pushes user lifecycle events — create, update, deactivate — directly to Cosmo. The integration uses a dedicated API key for authentication and requires no ongoing maintenance.

How to set up SCIM

  1. Generate an API key with SCIM permission enabled in Cosmo Studio.

  2. Configure your identity provider's SCIM application using the Cosmo SCIM endpoint and the API key as the authorization header.

  3. When a user is added to the SCIM application in your IdP, Cosmo sends them an invitation email automatically.

  4. When a user's attributes change in the IdP, Cosmo synchronizes the change automatically.

  5. When a user is removed from the SCIM application, Cosmo immediately deactivates their account.

  6. Pair with SSO for complete identity management: SSO handles authentication, SCIM handles provisioning.

Configure once. User lifecycle runs automatically from there.
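
The three lifecycle events from the steps above, sketched as the requests an identity provider would send and a stand-in receiver applying them. This is an added example, not Cosmo's code or documentation. It assumes SCIM 2.0 (RFC 7643/7644), a Bearer authorization scheme, deactivation sent as a PATCH setting `active` to false, and a placeholder endpoint and key; the helper names are hypothetical and nothing is sent over the network.

```python
import json

# Assumptions (not from the page): SCIM 2.0, Bearer scheme, placeholder URL and key.
BASE_URL = "https://cosmo.example.invalid/scim/v2"  # placeholder endpoint
API_KEY = "PLACEHOLDER_SCIM_API_KEY"  # placeholder; load real keys from a secret store
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_request(event, user_id=None, attrs=None):
    """Build the HTTP request an IdP would send for one lifecycle event."""
    headers = {"Authorization": f"Bearer {API_KEY}",
               "Content-Type": "application/scim+json"}
    if event == "create":
        body = {"schemas": [USER_SCHEMA], "active": True, **(attrs or {})}
        return {"method": "POST", "url": f"{BASE_URL}/Users",
                "headers": headers, "body": body}
    if event == "update":
        ops = [{"op": "replace", "path": k, "value": v} for k, v in attrs.items()]
    elif event == "deactivate":
        ops = [{"op": "replace", "path": "active", "value": False}]
    else:
        raise ValueError(f"unsupported lifecycle event: {event}")
    return {"method": "PATCH", "url": f"{BASE_URL}/Users/{user_id}",
            "headers": headers, "body": {"schemas": [PATCH_SCHEMA], "Operations": ops}}


def apply_request(directory, req):
    """Constructed stand-in for the receiving side: apply a request to a user dict."""
    if req["method"] == "POST":
        user_id = str(len(directory) + 1)
        directory[user_id] = {k: v for k, v in req["body"].items() if k != "schemas"}
        return user_id
    user_id = req["url"].rsplit("/", 1)[1]
    for op in req["body"]["Operations"]:
        directory[user_id][op["path"]] = op["value"]
    return user_id


def run_lifecycle():
    """Create, update, then deactivate one constructed sample user."""
    directory = {}
    sample = {"userName": "alice@example.com", "displayName": "Alice"}  # constructed
    uid = apply_request(directory, scim_request("create", attrs=sample))
    apply_request(directory, scim_request("update", uid, {"displayName": "Alice Doe"}))
    apply_request(directory, scim_request("deactivate", uid))
    return directory[uid]


if __name__ == "__main__":
    print(json.dumps(run_lifecycle(), indent=2))
```

In this sketch the deactivated record stays in the directory with `active` set to false, so the account remains visible to an audit after access is removed.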

SCIM Provisioning

Before & After

| Before Cosmo | With Cosmo |
| --- | --- |
| Manual invitation for every new hire | Automatic invitation when added to IdP SCIM app |
| Delayed or forgotten offboarding | Immediate deactivation on IdP removal |
| Attribute drift between IdP and Cosmo | Automatic synchronization of user attributes |
| Orphaned accounts from former employees | Clean user lifecycle, no manual cleanup required |

Three operations

Full lifecycle support

Create users
Adding a user to the SCIM app triggers an invitation email to join Cosmo.
Update user attributes
Attribute changes in the IdP are synchronized to Cosmo automatically.
Deactivate users
Removing a user from the SCIM app immediately deactivates their Cosmo account.

How Cosmo SCIM works

01
Automatic invitation.

Create

Adding a user to your IdP's SCIM application triggers an invitation email to the user. They accept the invitation and join your Cosmo organization.

02
Automatic sync.

Update

Attribute changes in the identity provider — name, email, or other profile data — are synchronized to Cosmo automatically via the SCIM protocol.

03
Immediate deactivation.

Deactivate

Removing a user from the SCIM application immediately deactivates their Cosmo account. No lag, no manual step, no orphaned access.

04
API key authentication.

Authenticate

SCIM uses an API key with SCIM permission as its authorization header. Create a dedicated key for the SCIM integration and store it securely in your IdP configuration.

What's included

Automated identity lifecycle, standards-based

Enterprise plan only.

SCIM standard

Built on the SCIM protocol, with a dedicated setup guide for Okta.

Zero-gap offboarding

Removing a user from the SCIM application immediately deactivates their account. No manual revocation step, no access window between removal and deactivation.

Complements SSO

SCIM handles provisioning. SSO handles authentication. Together they cover the complete user lifecycle — who has access and how they log in.

Okta setup guide

A dedicated setup guide for Okta is available in the documentation. Configure your Okta SCIM application in minutes with step-by-step instructions.

Automate user provisioning for your organization

SCIM provisioning is available on the Enterprise plan. Contact us to get started.

FAQ

SCIM Provisioning on Cosmo

Full details in the SCIM documentation.