Skip to main content
This article explains how Paradigm implements the SCIM (System for Cross-domain Identity Management) protocol to enable transparent provisioning and management of users between systems.

What is SCIM?

SCIM (System for Cross-domain Identity Management) is an open standard that simplifies user management in multi-domain scenarios. It provides a standardized schema and API for creating, reading, updating, and deleting identity data between identity providers and service providers.
Please note that modifications on the users are still possible from the Paradigm admin panel even if you have user provisioning with SCIM activated for your company.

SCIM Implementation Details

Supported SCIM Version

Paradigm supports SCIM 2.0 (RFC 7642, RFC 7643 and RFC 7644).

Tested Identity Providers

Our SCIM implementation has been tested with:
  • Microsoft Entra ID

Base URL

All SCIM endpoints are accessible via:
With [paradigm-domain] being the domain name under which is hosted Paradigm. For the Saas platform of LightOn, its value would be https://paradigm.lighton.ai/scim/v2/.

Authentication

To secure the SCIM API, we implemented a token-based authentication using our API key authentication backend. Each request must include an authorization header:
You can generate and manage API keys in the Admin Panel under API Settings.
A Paradigm API key can only be used to manage users part of the same company as the API key owner, no matter the role of the user.

Supported Endpoints

Here are the SCIM endpoints supported by Paradigm together with their HTTP methods:
It is currently not possible to manage groups through the /Groups endpoint.

Supported user SCIM attributes

The SCIM implementation of Paradigm supports the following user attributes: Core Attributes

Group Schema

The SCIM implementation of Paradigm supports the following group attributes:

Error Handling

The Paradigm SCIM API endpoints return standard HTTP codes following the SCIM error format: Here is an example of error response:

Provisioning Workflow

User Provisioning

  1. The Identity Provider (IdP) initiates a SCIM request to create a user on the /Users endpoint
  2. Paradigm validates the request and user data
  3. A new user account is created with default permissions
  4. A success response is returned to the IdP

User Deprovisioning

  1. The Identity Provider (IdP) sends a request to deactivate or delete a user
  2. Paradigm validates the request
  3. For deactivation: User’s active status is set to false
  4. For deletion: User account is anonymized (Any user data is removed but the behavioral data)
  5. A success response is returned to the IdP
Any further SCIM request on the anonymized user will return a 404 Not Found HTTP response.

API request/response examples

User Creation

Request data example:
Related response:

Update a User

Request data example:

Troubleshooting

Authentication Failures

  • Verify your API key is valid and not expired
  • Verify the owner of the API key has permissions to manage users.
  • Ensure the Authorization header is formatted correctly

Good Practices

  1. Implement Incremental Updates: Use PATCH operations instead of PUT when possible
  2. Handle API Failures Gracefully: Implement retry logic with exponential backoff
  3. Maintain IdP Synchronization: Schedule regular full syncs to ensure consistency
  4. Secure Your API keys: Rotate tokens regularly and store them securely