Configure SCIM Connector

The SCIM connector adds a SCIM API to Password Safe to allow third-party applications to view and modify users, groups, and Smart Rule permissions.

For more information, please see the following:

SailPoint IdentityIQ Integration

IdentityIQ currently supports:

  • Reading users, groups, Smart Rules, and Smart Rule permissions into their system
  • Creating users, and adding and removing users to and from groups

Although this is what the IdentityIQ supports, the SCIM connector follows the SCIM and PAM extension standard, so it is possible to assign permissions to groups. IdentityIQ supports assigning permissions to users only, which isn't compatible with Password Safe.

Configure SailPoint IdentityIQ

To help configure the SCIM API in IndentityIQ, an application XML prebuilt with local and AD user provisioning is available on the BeyondTrust customer portal.

For more information, please see the SailPoint IdentityIQ Deployment Guide Tutorial.

Account Schema

To configure the IdentityIQ SCIM application manually to be compatible with Password Safe, there are some default schema settings you need to modify, as follows:

  • Under name, remove middleName, honorificPrefix, and honorificSuffix.
  • Remove nickName, profileUrl, title, userType, preferredLanguage, locale, and timezone.
  • Remove all email fields and replace with a single email field.

For the provisioning form, if you intend to create Active Directory users only, the native identifier must be populated with the distinguished name. All other fields are populated with what is in Active Directory. The following script populates IdentityIQ fields with allowed values for distinguished name:

import java.util.*;
import sailpoint.object.*;
import sailpoint.api.*;

List adLinks = new ArrayList();
if (identity != null) {
  Application targetApplication = context.getObjectByName(Application.class, "Active Directory");
  // "Active Directory" here is the name of the AD application you want to use
  IdentityService identityService = new IdentityService(context);
  List links = identityService.getLinks(identity, targetApplication);
  if (links != null) {
    for (Link link : links) {
return adLinks;

Enable the SCIM Connector

  1. In BeyondInsight, go to Configuration > General > Connectors.
  2. From the Connectors pane, click Create New Connector.
  3. Enter a name for the connector.
  1. Select SCIM Connector.
  2. Check Enable.
  3. Set the Refresh Token Expiry.

This is intended to be long-lived.

  1. Set the Access Token Expiry.

This is intended to be short-lived.

Access and Refresh tokens are an OAuth 2.0 concept.

  1. Select a Default Access Policy, and then click Update.

If a requester role is assigned to a group via the SCIM API, this access policy is assigned. The API does not support assigning different access policies. The container permissions you can provision include Read, Write, and Password Safe roles, such as Requester and Approver.

  1. Now that the connector has been enabled and saved, the API is available to access, and you see credential information specific to your user account on the Connectors > SCIM Details page:
    • Client ID
    • Recycle Client Secret button
    • Generate Refresh Token button

The Client ID and secret are part of your credentials for requesting refresh and access tokens. The authentication endpoint is [host]/scim/oauth/token.

  1. To obtain a refresh and access token, you can use client credentials or password authentication. Send a POST request with a body in one of these formats:

    Client Credentials:

    grant_type=client_credentials&client_id=[Client ID]&client_secret=[Client Secret]



    If you already have a refresh token, you can get a new access token with a POST request in this format:

    grant_type=refresh_token&refresh_token=[Refresh Token]

The base URL for non-authentication requests is [host]/scim/v2.