Prerequisites:
SSO must be configured and working in Pirros (see the Set Up SSO article)
JIT Provisioning must be enabled in Pirros
Application Administrator permissions in your identity provider (Azure AD or Okta)
SCIM (System for Cross-domain Identity Management) automates user account creation and removal in Pirros. When you add or remove a user from your identity provider, SCIM automatically updates Pirros — no manual user management needed.
Microsoft Azure AD / Entra ID
If you have already followed the full SSO and SCIM setup guide (article 5.1), SCIM is already configured. The steps below are for firms that set up SSO first and are now adding SCIM separately.
Create the Enterprise Application (if not already done)
Navigate to Azure Portal > Entra ID > Enterprise Applications.
Click New Application > Create your own application.
Name: Pirros SCIM (or similar).
Select Integrate any other application you don't find in the gallery.
Click Create.
Configure SAML SSO (if not already done)
Go to Single sign-on > Select SAML.
In Basic SAML Configuration, enter:
Identifier (Entity ID): Copy from the Pirros Settings page (SSO/SCIM tab)
Reply URL: Copy from the Pirros Settings page (SSO/SCIM tab)
Configure SCIM Provisioning
Go to Provisioning > Get started > Provisioning (in the sidebar).
Set Provisioning Mode to Automatic.
In Admin Credentials, enter:
Tenant URL: Copy the SCIM Base/Reply URL from the Pirros Settings page
Secret Token: Copy the Bearer Token from the Pirros Settings page
Click Test Connection to verify.
Go to Attribute Mappings > Provision Microsoft Entra ID Users (not Groups):
Ensure Enabled is set to Yes
Enable Target Object Actions for Create, Update, and Delete
Verify these field mappings:
userName→userPrincipalNamename.givenName→givenNamename.familyName→surnameemails[type eq "work"].value→mailactive→Switch([IsSoftDeleted], , "True", "False", "False", "True")
Click Save on the Attribute Mapping page.
Navigate to Users and Groups and assign users. Provisioning runs on a schedule (up to 45 minutes). For immediate provisioning, use Provision on demand.
Okta
1. Create the Okta Application
Navigate to Okta Admin Console > Applications > Create App Integration.
Select SAML 2.0 > Next.
Name: Pirros SSO (or similar).
2. Configure SAML Settings
Single sign-on URL: Copy the Reply URL from the Pirros Settings page.
Audience URI (SP Entity ID): Copy the Entity ID from the Pirros Settings page.
Name ID format: EmailAddress.
Application username: Email.
3. Configure SCIM Provisioning
Go to the Provisioning tab > Configure API Integration.
Check Enable API integration.
Enter credentials:
Base URL: Copy the SCIM Base URL from the Pirros Settings page
API Token: Copy the Bearer Token from the Pirros Settings page
Click Test API Credentials.
Enable provisioning features:
Create Users
Update User Attributes
Deactivate Users
FAQ
Q: Does SCIM work without SSO?
A: No. SSO and JIT Provisioning must both be enabled in Pirros before SCIM can be configured.
Q: How long does it take for Azure to provision a new user?
A: Azure provisioning runs on a schedule and can take up to 45 minutes. Use Provision on demand in Azure for immediate provisioning.
Q: What happens when I deactivate a user in my identity provider?
A: SCIM automatically deactivates the user in Pirros during the next provisioning cycle. The user loses access but their data and history are preserved.
Q: Can I use both Azure and Okta at the same time?
A: No. Pirros supports one identity provider connection at a time.