1st chunk of `content/manuals/security/for-admins/provisioning/scim.md`
---
keywords: SCIM, SSO, user provisioning, de-provisioning, role mapping, assign users
title: SCIM provisioning
linkTitle: SCIM
description: Learn how System for Cross-domain Identity Management works and how to set it up.
aliases:
  - /security/for-admins/scim/
  - /docker-hub/scim/
weight: 30
---

{{< summary-bar feature_name="SSO" >}}

System for Cross-domain Identity Management (SCIM) is available for Docker
Business customers. This guide provides an overview of SCIM provisioning.

## How SCIM works

SCIM automates user provisioning and de-provisioning for Docker through your
identity provider (IdP). After you enable SCIM, any user assigned to your
Docker application in your IdP is automatically provisioned and added to your
Docker organization. When a user is removed from the Docker application in your
IdP, SCIM deactivates and removes them from your Docker organization.

In addition to provisioning and removal, SCIM also syncs profile updates, such
as name changes, made in your IdP. You can use SCIM alongside Docker’s default
Just-in-Time (JIT) provisioning or on its own with JIT disabled.

SCIM automates:

- Creating users
- Updating user profiles
- Removing and deactivating users
- Re-activating users
- Group mapping

> [!NOTE]
>
> SCIM only manages users provisioned through your IdP after SCIM is enabled.
It cannot remove users who were manually added to your Docker organization
before SCIM was set up.
>
> To remove those users, delete them manually from your Docker organization.
For more information, see [Manage organization members](/manuals/admin/organization/members.md).

## Supported attributes

SCIM uses attributes (e.g., name, email) to sync user information between your
IdP and Docker. Properly mapping these attributes in your IdP ensures that user
provisioning works smoothly and prevents issues like duplicate user accounts
when using single sign-on (SSO).

Docker supports the following SCIM attributes:

| Attribute         | Description                                                                           |
|:------------------|:--------------------------------------------------------------------------------------|
| `userName`        | User’s primary email address, used as the unique identifier                           |
| `name.givenName`  | User’s first name                                                                     |
| `name.familyName` | User’s surname                                                                        |
| `active`          | Indicates whether a user is enabled or disabled; set to `false` to de-provision a user |

For additional details about supported attributes and SCIM, see [Docker Hub API SCIM reference](/reference/api/hub/latest/#tag/scim).

> [!IMPORTANT]
>
> By default, Docker uses Just-in-Time (JIT) provisioning for SSO. If SCIM is
enabled, JIT values still take precedence and will overwrite attribute values
set by SCIM. To avoid conflicts, make sure your JIT attribute values match your
SCIM values.
>
> Alternatively, you can disable JIT provisioning to rely solely on SCIM.
For details, see [Just-in-Time](/manuals/security/for-admins/provisioning/just-in-time.md).
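
A pre-flight lint for the attribute mapping described in this section, added here as an example and not taken from Docker's documentation or code: it checks a SCIM User payload against the supported-attribute table and flags JIT values that differ from the SCIM ones. The `jit_claims` dict, the sample payload, and the function names are assumptions for illustration; the schema URN and the boolean type of `active` come from RFC 7643.

```python
import re

# Attributes the table on this page lists as supported by Docker.
SUPPORTED = {"userName", "name.givenName", "name.familyName", "active"}
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643
IGNORED = {"schemas", "id", "externalId"}  # RFC 7643 common attributes
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample payload and JIT values, not captured from a real IdP.
SAMPLE = {
    "schemas": [USER_SCHEMA],
    "userName": "jdoe",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "active": "true",
    "title": "Engineer",
}
SAMPLE_JIT = {"name.givenName": "Janet", "name.familyName": "Doe"}


def flatten(resource):
    """Flatten one level of nesting: {"name": {"givenName": x}} -> name.givenName."""
    flat = {}
    for key, value in resource.items():
        if isinstance(value, dict):
            flat.update({f"{key}.{sub}": v for sub, v in value.items()})
        else:
            flat[key] = value
    return flat


def lint_scim_user(resource, jit_claims=None):
    """Return a list of findings for one SCIM User payload."""
    # jit_claims (hypothetical): SSO sign-in values keyed by SCIM attribute name.
    findings = []
    flat = flatten(resource)
    if USER_SCHEMA not in resource.get("schemas", []):
        findings.append("missing core User schema URN")
    user_name = flat.get("userName", "")
    if not isinstance(user_name, str) or not EMAIL_RE.match(user_name):
        findings.append("userName is not an email address")
    if not isinstance(flat.get("active"), bool):
        findings.append("active is not a JSON boolean")
    for attr in sorted(set(flat) - SUPPORTED - IGNORED):
        findings.append(f"{attr} is not in the supported attribute table")
    for attr, jit_value in sorted((jit_claims or {}).items()):
        if attr in flat and flat[attr] != jit_value:
            findings.append(f"JIT value for {attr} differs from the SCIM value")
    return findings
```

Calling `lint_scim_user(SAMPLE, SAMPLE_JIT)` reports four findings for the constructed payload; a payload with an email `userName`, a boolean `active`, and matching JIT values returns an empty list.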

## Enable SCIM in Docker

You must [configure SSO](../single-sign-on/configure/_index.md) before you enable SCIM. Enforcing SSO isn't required to use SCIM.

{{< tabs >}}
{{< tab name="Admin Console" >}}

{{% admin-scim product="admin" %}}

{{< /tab >}}
{{< tab name="Docker Hub" >}}

{{% include "hub-org-management.md" %}}

{{% admin-scim %}}

{{< /tab >}}
{{< /tabs >}}

## Enable SCIM in your IdP

The user interface for your IdP may differ slightly from the following steps. To verify the steps or for additional details, see the documentation for your IdP:

- [Okta](https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SCIM.htm)
- [Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/user-provisioning)

{{< tabs >}}
{{< tab name="Okta" >}}

### Enable SCIM

1. Sign in to Okta and select **Admin** to open the admin portal.
2. Open the application you created when you configured your SSO connection.
3. On the application page, select the **General** tab, then **Edit App Settings**.

Title: SCIM User Provisioning for Docker
Summary
This document explains how System for Cross-domain Identity Management (SCIM) automates user provisioning and de-provisioning for Docker Business customers through integration with identity providers (IdPs). It details how SCIM creates, updates, removes, and reactivates users, as well as handles group mapping by syncing user information based on attributes like name and email. The document also provides instructions on how to enable SCIM in Docker and specific IdPs like Okta and Entra ID, and highlights the importance of managing Just-in-Time (JIT) provisioning settings to avoid conflicts with SCIM.