SCIM Provisioning
FORG supports SCIM 2.0 for automated user and group provisioning. When SCIM is enabled, your identity provider manages the FORG user directory — users are created, updated, and deprovisioned automatically as they are added or removed in your IdP.
Supported operations
| Operation | Supported |
|---|---|
| Create user | Yes |
| Update user attributes | Yes (email, name, department) |
| Deactivate user | Yes — suspends license, ends active sessions |
| Delete user | Yes — hard delete with 30-day retention grace period |
| Create group | Yes — creates a FORG team |
| Add user to group | Yes |
| Remove user from group | Yes |
| Delete group | Yes — removes team (members are not deleted) |
Setup
Step 1 — Generate a SCIM token
Go to Dashboard → Settings → SCIM → Generate token. Copy the token — it is shown only once. This is a long-lived bearer token used by your IdP to authenticate SCIM requests.
Step 2 — Configure your IdP
Enter these values in your IdP's SCIM provisioning settings:
| Field | Value |
|---|---|
| SCIM base URL | https://forg.pro/scim/v2 |
| Authentication type | Bearer token |
| Bearer token | Token generated in step 1 |
Step 3 — Assign users and groups
Assign the FORG application to the users and groups in your IdP that should have FORG access. Your IdP will push the initial set of users to FORG. Subsequent changes sync automatically.
Attribute mapping
| SCIM attribute | FORG field |
|---|---|
userName | Email address (unique identifier) |
name.givenName | First name |
name.familyName | Last name |
emails[primary] | Email address |
active | Account active/suspended |
title | Job title (optional) |
department | Team assignment (optional) |
Deprovisioning behavior
When a user is deactivated or deleted via SCIM, FORG immediately revokes all active sessions and prevents new logins. The user's license seat is released. Usage data and audit logs are retained per your data retention policy.
If a user is later re-provisioned with the same email address, their FORG account is reactivated and a new license seat is allocated. Historical data is preserved.
Testing SCIM
# Verify SCIM endpoint is reachable:
curl -H "Authorization: Bearer <your-scim-token>" \
https://forg.pro/scim/v2/ServiceProviderConfig
# List provisioned users:
curl -H "Authorization: Bearer <your-scim-token>" \
https://forg.pro/scim/v2/Users