Provisioning

SCIM 2.0 Provisioning

Keep shopper accounts in lockstep with your identity provider. SCIM automates the creation, update, and deprovisioning of Hygrade users so that a new hire in your HR system can place an order on day one — and a termination removes access immediately.

When to enable SCIM. SAML alone creates users on first sign-in ("just-in-time"). SCIM is strongly recommended if you need to pre-provision accounts before first use, manage group memberships centrally, or require immediate deprovisioning on offboarding.

Overview

Endpoints

Base URL
PRODhttps://order.hygradebusiness.com/scim/v2/
TESThttps://test.hygradebusiness.com/scim/v2/
ServiceProviderConfig
/scim/v2/ServiceProviderConfig
Users
/scim/v2/Users
Groups
/scim/v2/Groups
Schemas
/scim/v2/Schemas

Authentication

SCIM requests are authenticated with a long-lived OAuth 2.0 bearer token issued for the SCIM client credentials grant. Tokens are tenant-scoped and carry the users:read, users:write, and (if using groups) groups:read, groups:write scopes.

Authenticated request
curl https://order.hygradebusiness.com/scim/v2/Users \
  -H "Authorization: Bearer hg_live_scim_8f3c9..."

Request a SCIM token from your implementation engineer; the token should be stored exclusively in your IdP’s secret store and rotated annually.

User schema

Hygrade implements the core SCIM User schema plus an enterprise extension with Hygrade-specific attributes.

POST /scim/v2/Users
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:hygrade:2.0:User"
  ],
  "userName": "jane.doe@acmecorp.com",
  "name": {
    "givenName": "Jane",
    "familyName": "Doe"
  },
  "emails": [
    { "value": "jane.doe@acmecorp.com", "type": "work", "primary": true }
  ],
  "active": true,
  "urn:ietf:params:scim:schemas:extension:hygrade:2.0:User": {
    "custId": "ACME001",
    "login": "jdoe",
    "costCenter": "CC-4420",
    "department": "Marketing",
    "employeeId": "E-10472",
    "roles": ["buyer", "approver"]
  }
}

Extension attributes

custIdstringrequired
The Hygrade customer account code. Must match an account you are authorized to provision into.
loginstring
Override for the Hygrade login identifier. Defaults to the local-part of userName.
costCenterstring
Default cost center code.
departmentstring
Department label (free text).
employeeIdstring
Internal employee identifier, written through to order records.
rolesarray<string>
Role memberships. Any of buyer, approver, chief_approver, customer_admin.

Common operations

Create a user

POST /scim/v2/Users

Look up by username

GET /scim/v2/Users?filter=userName eq "jane.doe@acmecorp.com"

Update a user (partial)

PATCH /scim/v2/Users/{id}
PATCH body
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    { "op": "replace", "path": "name.familyName", "value": "Doe-Smith" },
    { "op": "replace",
      "path": "urn:ietf:params:scim:schemas:extension:hygrade:2.0:User:costCenter",
      "value": "CC-9900" }
  ]
}

Deactivate a user

Set active: false. The shopper is immediately prevented from signing in and cannot place new orders; order history is retained for compliance.

PATCH /scim/v2/Users/{id}
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    { "op": "replace", "path": "active", "value": false }
  ]
}

Delete a user

DELETE /scim/v2/Users/{id}

Hard-delete is supported but strongly discouraged for audited customers — prefer active: false.

Groups

SCIM groups are mapped onto Hygrade approval groups and cost-center groups. Create a group, then add members:

POST /scim/v2/Groups
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "displayName": "North America Approvers",
  "members": [
    { "value": "7c1a5b24-e9f7-4a43-9dc0-9b3f1c2d4a80", "display": "jane.doe@acmecorp.com" }
  ]
}

Identity provider setup

Okta

  1. Open the Hygrade Business app in Okta, switch to the Provisioning tab, and click Configure API Integration.
  2. Check Enable API integration.
    • Base URL: https://order.hygradebusiness.com/scim/v2/
    • API Token: the token issued by your Hygrade implementation engineer.
  3. Click Test API Credentials. Once green, enable:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  4. Under Provisioning → To App, map Okta profile attributes to the Hygrade extension attributes (custId, costCenter, roles, …).
  5. Assign the app to users or groups to kick off initial provisioning.

Microsoft Entra ID

  1. Open the Hygrade enterprise app, then Provisioning → Get started. Set Provisioning Mode to Automatic.
  2. Under Admin Credentials:
    • Tenant URL: https://order.hygradebusiness.com/scim/v2/
    • Secret Token: the SCIM bearer token from Hygrade.
  3. Click Test Connection. Save.
  4. Under Mappings, review both Provision Microsoft Entra ID Users and Groups mappings. Ensure the Hygrade extension attributes are populated (create customAppSSO attributes if needed).
  5. Turn Provisioning Status to On and assign users/groups.

Other SCIM-capable IdPs

Hygrade’s SCIM service is standards-compliant and works with any SCIM 2.0 client, including:

  • Ping Identity (PingOne Directory, PingFederate with SCIM connector)
  • OneLogin
  • JumpCloud
  • Rippling, Workday (via middleware)
  • Custom SCIM clients built against our service

Use the base URL, the bearer token from Hygrade, and map your directory attributes onto the user schema above.

Error responses

Errors conform to RFC 7644 §3.12.

409 Conflict
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
  "detail": "A user with this userName already exists in account ACME001.",
  "scimType": "uniqueness",
  "status": "409"
}

Common codes

Rate limits

Related: if you’re building bespoke provisioning logic instead of using a stock SCIM connector, the REST API’s users endpoints provide equivalent functionality with richer filtering.

© Hygrade Business. All rights reserved.
Docs home SAML API Contact