As enterprises continue to converge around identity-centric security as the foundation of their platform strategy, the ability to consistently manage identities and access across systems has become critical. SCIM brings a standardized, interoperable approach to identity lifecycle management. This ensures that user and group provisioning into Vault aligns with authoritative identity providers and governance systems. Reduce fragmentation, minimize configuration drift, and strengthen lifecycle governance by automatically enforcing joiner, mover, and leaver workflows.
In an environment where secrets access must be tightly controlled and auditable, SCIM enables organizations to extend their identity-first security model directly into Vault, improving compliance posture while eliminating the risks associated with stale or orphaned access.
Equally important is the role SCIM plays in driving operational scalability and standardization across modern enterprise platforms. Rather than relying on custom integrations or manual processes, teams can adopt a consistent, standards-based mechanism that scales with organizational growth and complexity. Teams can also focus on integrating identity workflows and securing secrets at scale without the burden of managing the underlying platform. This accelerates time to value while maintaining enterprise-grade reliability, security, and compliance.
»Introducing SCIM for Vault: Standardized identity provisioning for users and groups
For teams managing identity and credential access at scale, SCIM support (beta) in IBM Vault Enterprise and HCP Vault Dedicated closes an important integration gap. It’s now becoming easier to connect identity lifecycle workflows to Vault entities, reduce manual provisioning work, and keep Vault identities aligned with the systems already used to manage an organization’s joiners, movers, and leavers.
Teams can use a familiar, standards-based approach to provision identity resources into Vault with SCIM support (beta) in Vault Enterprise and Vault Dedicated and manage them with more consistency. The public beta currently supports SCIM clients such as SailPoint and Okta, with plans to add other SCIM clients in future releases.

Figure 1: A high-level overview of the SCIM identity provisioning workflow into Vault.
»How SCIM is set up in Vault
Vault exposes SCIM through the identity secrets engine. With this beta release, Vault maps SCIM users to Vault entities, and SCIM groups to internal identity groups. Each SCIM client can only view and manage the users and groups it created. However, SCIM manages identity objects, not Vault policies.
»Built for secure, scoped provisioning
Each Vault SCIM client represents one external provisioning system.
A SCIM client is configured with:
client_name
access_grant_principal
alias_mount_accessor
The authentication model follows Vault’s identity primitives: a SCIM client authenticates through a supported auth method, and new SCIM client entity creation goes through alias_mount_accessor, which aligns provisioning workflows to a specific path.
This model gives teams a clear trust boundary. External provisioning systems only manage the resources associated with their own SCIM client, which helps reduce risk and keeps provisioning scoped by design.
»What SCIM beta supports
The SCIM beta is available for Vault Enterprise (self-managed) and Vault Dedicated (Cloud/SaaS) customers and includes support for:
SCIM client configuration through /identity/scim/client
User create, read, list, replace, patch, and delete
Group create, read, list, replace, patch, and delete
Discovery endpoints for Schemas, ResourceTypes, and ServiceProviderConfig
Vault returns SCIM responses as application/scim+json, making it easier to integrate with standards-based SCIM clients.
Customers with Vault 2.0.1 or later can enable SCIM functionality by activating the feature in the UI. Instructions for using the API or CLI can be found in Vault developer documentation.
»Scalable and secure user and group lifecycle management
Since SCIM provides a consistent way to provision, update, and deprovision users and groups, having SCIM server support within Vault continues the enforcement of least privilege. With Vault's SCIM beta implementation, external clients can manage permissions via SCIM group memberships, while Vault remains in control of the actual policies associated with SCIM users and groups.
Access management continues to be scalable, especially as it relates to accessing secrets within Vault for organizations with identity teams that rely on SCIM. Vault policies are only assigned based on group membership, and users only receive access tied to their current role, with less risk of excessive or outdated privileges as these identities evolve. By preventing over-authorization, teams can reduce the risk of breach.
Vault accurately mirrors the groups and memberships from SCIM as the source of truth, ensuring identity-based access to secrets, and with this integration, there’s no drift between the identity systems and the Vault entities.
SCIM integration supports efforts to reduce human error in high-risk systems. Teams can reduce the risk of incorrect policies, lingering access due to forgotten deprovisioning and inconsistent naming, or duplication that occurs with manual user and group management. Since teams can standardize how identities enter and leave Vault, access management is predictable and repeatable.
»Getting started
SCIM for Vault gives platform, security, and identity teams a more standardized way to provision users and groups into Vault. Instead of relying on manual workflows or custom integrations, teams can connect Vault to existing identity lifecycle systems with a protocol designed for that purpose.
For organizations looking to simplify identity provisioning and reduce operational overhead, SCIM for Vault is a strong feature to evaluate in beta.
Start with a dedicated SCIM client, validate how your provisioning platform handles Vault’s supported operations, and plan token lifecycle and auth mount choices up front.
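One way to carry out that validation step, as an added example (not HashiCorp's code): classify the requests captured from a provisioning platform's test run against the user, group, and discovery operations this post lists for the beta. The HTTP method mapping comes from RFC 7644; paths are assumed to be relative to Vault's SCIM base URL, and the sample requests are constructed.

```python
import re

# Beta operations listed in the post, keyed by (HTTP method, targets one resource?).
# The method mapping follows RFC 7644.
CRUD = {
    ("POST", False): "create", ("GET", True): "read", ("GET", False): "list",
    ("PUT", True): "replace", ("PATCH", True): "patch", ("DELETE", True): "delete",
}
RESOURCES = {"Users", "Groups"}
DISCOVERY = {"Schemas", "ResourceTypes", "ServiceProviderConfig"}
# Assumption: paths are relative to the SCIM base URL. The query string is
# ignored, so filter and paging support is not checked here.
PATH_RE = re.compile(r"^/([A-Za-z.]+)(?:/([^/?]+))?/?(?:\?.*)?$")

def classify(method, path):
    """Return (verdict, detail) for one request the provisioning platform sent."""
    m = PATH_RE.match(path)
    if not m:
        return ("unlisted", "unrecognized path")
    endpoint, res_id = m.group(1), m.group(2)
    method = method.upper()
    if endpoint in DISCOVERY:
        if method == "GET":
            return ("listed", f"discovery {endpoint}")
        return ("unlisted", f"{method} on discovery endpoint {endpoint}")
    if endpoint in RESOURCES:
        op = CRUD.get((method, res_id is not None))
        if op:
            return ("listed", f"{endpoint[:-1].lower()} {op}")
        scope = "single resource" if res_id else "collection"
        return ("unlisted", f"{method} on {endpoint} {scope}")
    return ("unlisted", f"{endpoint} is not among the listed operations")

def audit(requests):
    """Return (method, path, reason) for requests outside the listed operations."""
    results = [(m, p, classify(m, p)) for m, p in requests]
    return [(m, p, detail) for m, p, (verdict, detail) in results if verdict != "listed"]

# Constructed sample: requests captured from a provisioning platform's test run.
SAMPLE = [
    ("POST", "/Users"), ("GET", "/Users"), ("PATCH", "/Groups/3f1c"),
    ("GET", "/ServiceProviderConfig"), ("POST", "/Bulk"),
    ("POST", "/Users/.search"), ("DELETE", "/Groups"),
]

if __name__ == "__main__":
    for method, path, reason in audit(SAMPLE):
        print(f"{method:6} {path:16} -> {reason}")
```

Requests flagged here are ones to raise with the provisioning platform's connector settings or check against the Vault developer documentation before relying on them for leaver workflows.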
Modern platforms rely on standardized identity provisioning to reduce platform friction, improve efficiency, and minimize operational overhead. With SCIM support in Vault Enterprise (beta starting April 30, 2026) and Vault Dedicated (beta starting June 15, 2025), customers can bring these same operational benefits into Vault.
For detailed instructions on activating SCIM and provisioning identity users and groups from external IdPs, read the Vault developer documentation.








