Automate roster management with SCIM 2.0 provisioning
Most organisations that issue ID cards still manage their rosters manually. Someone exports a list from the HR system, reformats it into a CSV, imports it into the badge platform, and hopes nothing changed between export and import. When someone joins, leaves, or changes department, there’s a gap — sometimes hours, sometimes weeks — between the source system knowing and the credential system catching up.
That gap is where data drifts, badges go stale, and leavers keep credentials they shouldn’t have.
What SCIM is (in plain language)
SCIM — System for Cross-domain Identity Management — is an industry standard (RFC 7643/7644) that lets your identity provider talk directly to other systems. Instead of you exporting and importing data manually, your IdP pushes changes to CaptrID automatically.
When someone is added to your IdP, they appear in your CaptrID roster. When their department changes, the roster updates. When they leave and are deactivated, their roster record is deactivated too. No CSV. No manual step. No delay.
Think of it as a direct pipe between your identity provider and your credentialing roster.
How it works in CaptrID
Setup takes minutes, not days:
-
Connect your IdP — navigate to your master list’s Sync tab and choose Automated User Provisioning. Pick a unique identifier (employee number, username, or email) and CaptrID sets up your schema automatically with default fields.
-
Copy credentials to your IdP — CaptrID generates a SCIM Base URL and a bearer token. Copy both into your identity provider’s SCIM application configuration.
-
Assign users or groups — in your IdP, assign the users or groups you want to provision. They flow into your CaptrID master list within seconds.
That’s it. From this point, every change in your IdP propagates automatically.
What gets synced
CaptrID maps 27 SCIM attributes by default, including:
- Name — first name, last name, display name
- Contact — email, phone number
- Organisation — department, job title, employee number, manager, division
- Custom fields — any attribute your IdP sends via the SCIM schema
You control the mapping. A full-screen field mapping editor lets you add, remove, or remap fields. If your IdP sends a custom attribute, you can map it to any field in your roster schema.
Works with your identity provider
CaptrID’s SCIM implementation is standards-compliant (34/34 compliance checks passing), which means it works with any SCIM 2.0 provider:
- Okta — tested end-to-end with full lifecycle provisioning
- Microsoft Entra ID (Azure AD) — standard SCIM provisioning (requires Entra P1/P2 licence)
- PingOne — standard SCIM 2.0 connector
- OneLogin — standard SCIM 2.0 connector
- JumpCloud — custom application with SCIM export
If your IdP supports SCIM 2.0, it works with CaptrID. No custom integration needed.
Per-list control
Different groups of people often need different rosters. Staff in one master list, students in another, contractors in a third.
Each CaptrID master list gets its own SCIM token and endpoint. In your IdP, you create a separate SCIM application per list and assign the relevant group to each. Staff go to the Staff list, students go to the Students list — automatically, with no overlap.
Full audit trail
Every SCIM operation is logged in the provisioning audit trail, visible directly in the Sync tab:
- Who was created, updated, or deactivated
- Which fields changed
- When the operation happened
- The IdP that triggered it
When compliance asks “how do you know your roster is current?”, you have a timestamped, operation-level log.
How SCIM fits with the rest of CaptrID
Automated provisioning handles roster population. The rest of the CaptrID pipeline handles everything after:
IdP (automatic) —> Master List —> Photo Session (on-site or self-upload) —> Approval —> Card Design —> Print or Wallet ID
When someone joins your organisation:
- Your IdP creates them in CaptrID automatically via SCIM
- You capture their photo (on-site session, self-upload link, or admin upload)
- Approve the photo
- Design and print their card, or issue a digital ID via Apple or Google Wallet
When someone leaves:
- Your IdP deactivates them in CaptrID automatically
- Their wallet pass can be revoked instantly
- The audit trail records the full lifecycle
No manual roster management at any step.
SCIM vs Entra Graph sync
CaptrID offers two directory sync options:
| Entra ID (Graph API) | SCIM 2.0 | |
|---|---|---|
| Direction | CaptrID pulls from Microsoft | Your IdP pushes to CaptrID |
| Providers | Microsoft Entra only | Any SCIM 2.0 provider |
| Sync model | Scheduled pull (delta sync) | Real-time push |
| Availability | Pro plans and above | Business plans and above |
| Best for | Microsoft-only environments | Multi-IdP or non-Microsoft environments |
They’re mutually exclusive per master list — you choose one sync method. If you’re on Microsoft and want pull-based sync with group scoping, Entra Graph is the simpler option. If you run Okta, PingOne, JumpCloud, or any other SCIM-capable provider — or if you want push-based provisioning — SCIM is the way to go.
Who this is for
Any organisation where roster accuracy matters and manual imports don’t scale:
- Schools and universities — student and staff changes synced from Okta or Entra, every term
- Healthcare and NDIS providers — worker onboarding and offboarding reflected in credentials within seconds
- Enterprise and government — contractor badges auto-deactivated when contracts end, with a compliance-ready audit trail
- Security firms — guard rosters kept current across client sites without manual data entry
If your people are in an identity provider, your credentialing roster should sync from it — not from a spreadsheet.
Automated User Provisioning is available on Business and Enterprise plans. Learn about directory sync or start a free trial.