SAML single sign-on for Gemfury (beta)

SCIM User Management

SCIM (System for Cross-domain Identity Management) automates user lifecycle management for your Gemfury organization. When enabled, your Identity Provider can automatically remove users from your organization when they are unassigned in the IdP — no manual intervention required.

SCIM is a companion to SAML SSO, not a replacement. SAML handles authentication (logging in); SCIM handles provisioning (managing who has access). Both require an active SAML provider on the organization.

Requirements

  • An active SAML SSO provider configured on your organization
  • SCIM provisioning enabled on your plan
  • Administrator access to your Identity Provider

How It Works

SCIM manages organization membership, not user accounts. The lifecycle is:

  1. User logs in via SAML SSO — This creates their Gemfury account and adds them to your organization (just-in-time provisioning). This step must happen before SCIM can manage the user.
  2. IdP syncs via SCIM — Your IdP periodically queries the SCIM endpoint to reconcile its member list with Gemfury’s. Users who have logged in via SAML appear in the response.
  3. IdP deprovisions a user — When you unassign a user from the application in your IdP, the IdP notifies Gemfury via SCIM. Gemfury immediately removes their organization membership.
  4. User re-activates — If you re-assign the user in the IdP and they log in via SAML again, just-in-time provisioning restores their membership automatically.

What SCIM Does Not Do

  • Create Gemfury accounts — Users must log in via SAML at least once before SCIM can manage them.
  • Re-create memberships — Re-provisioning happens when the user logs in via SAML again, not through SCIM.

Setup

Step 1: Generate a SCIM Token

  1. Log in to manage.fury.io and select your organization
  2. Go to Settings → SSO
  3. In the SCIM provisioning section, click Generate new SCIM Bearer token

The token is displayed once — copy it immediately. You will not be able to view it again.

Step 2: Configure Your Identity Provider

Enter these settings in your IdP’s SCIM provisioning configuration:

| Setting               | Value                                        |
|-----------------------|----------------------------------------------|
| SCIM Endpoint URL     | https://api.fury.io/1/users/ACCOUNT/scim/v2  |
| Authentication Method | Bearer Token (OAuth Bearer)                  |
| Bearer Token          | The token from Step 1                        |

Replace ACCOUNT with your organization’s Gemfury username (lowercase).

Step 3: Test the Connection

Most IdPs have a Test Connection button. A successful test queries Gemfury and returns a list of users who have logged in via SAML. If the list is empty, that’s normal — users appear after their first SAML login.

Token Management

Your SCIM token is shown under Tokens along with other API tokens. The tokens and associated permissions are immutable. However, you can generate multiple tokens and add a human-friendly description.

Deprovisioning Behavior

When your IdP deprovisions a user:

  • The user’s organization membership is removed immediately
  • Push, deploy, and API tokens owned by the user within the organization are disabled
  • The user’s Gemfury account continues to exist — only the organization membership is removed
  • The user’s other organization memberships are not affected

Last-owner protection: If the user is the organization’s last remaining owner, deprovisioning will fail. Promote another member to owner before removing the last one.

Supported IdP Operations

Your IdP may perform these SCIM operations against Gemfury:

| Operation       | Behavior                                                                       |
|-----------------|--------------------------------------------------------------------------------|
| List users      | Returns all users linked to your SAML provider, with their membership status   |
| Get user        | Returns a single user by ID                                                    |
| Create user     | Not supported. Users must log in via SAML first.                               |
| Deactivate user | Removes the user’s organization membership                                     |
| Delete user     | Removes the user’s organization membership and SCIM identity                   |

Deactivate vs. Delete: Deactivation (PATCH) is a soft removal — the user’s SCIM identity is preserved, so your IdP can still query their status and re-provision them later via SAML login. Deletion (DELETE) is a hard removal — the SCIM resource is gone and subsequent queries return not found. Use deactivation for temporary removal.

Troubleshooting

| Error                        | Cause                                | Solution                                                                    |
|------------------------------|--------------------------------------|-----------------------------------------------------------------------------|
| 401 Unauthorized             | Missing, invalid, or revoked token   | Regenerate the SCIM token and update your IdP                               |
| 403 Forbidden                | SAML provider is not active          | Ensure SAML SSO is configured and active                                    |
| 404 Not Found                | User has not logged in via SAML      | The user must complete at least one SAML login before SCIM can manage them  |
| 409 Conflict (on create)     | User must log in via SAML first      | Have the user log in through your IdP before syncing                        |
| 409 Conflict (on deprovision)| User is the last owner               | Promote another member to owner first                                       |

Limitations

  • Users must log in via SAML at least once before SCIM can manage them
  • Only the User resource type is supported (no Groups)
  • No bulk operations — users are managed individually
  • Maximum 100 users per page in list responses
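The reconciliation that step 2 of "How It Works" describes, together with the 100-user page limit above, can be checked from your side as well: the added example below (not Gemfury's code) pages through the SCIM user list and reports members still active in Gemfury who are no longer assigned in the IdP. The `startIndex`/`count`/`totalResults` pagination fields are the standard SCIM 2.0 list parameters and are assumed here; ACCOUNT, the token, and the user records are placeholders, and `fake_get` stands in for a real HTTP client.

```python
"""Reconcile Gemfury SCIM membership against the IdP assignment list (added example)."""

# ACCOUNT is the placeholder from the setup table; TEST-TOKEN is a constructed value.
SCIM_BASE = "https://api.fury.io/1/users/ACCOUNT/scim/v2"
PAGE_SIZE = 100  # documented maximum page size for list responses

# Hints taken from the troubleshooting table above.
STATUS_HINTS = {
    401: "missing, invalid, or revoked token: regenerate it and update your IdP",
    403: "SAML provider is not active: ensure SAML SSO is configured and active",
}

class ScimError(RuntimeError):
    pass

def list_scim_users(http_get, token, base=SCIM_BASE, page_size=PAGE_SIZE):
    """Page through /Users. http_get(url, headers) -> (status, body_dict).
    Pagination via startIndex/count/totalResults is the SCIM 2.0 standard (assumed)."""
    headers = {"Authorization": f"Bearer {token}"}
    users, start = [], 1
    while True:
        status, body = http_get(f"{base}/Users?startIndex={start}&count={page_size}", headers)
        if status != 200:
            raise ScimError(f"HTTP {status}: {STATUS_HINTS.get(status, 'unexpected response')}")
        users.extend(body.get("Resources", []))
        start += page_size
        if start > body.get("totalResults", 0):
            return users

def reconcile(scim_users, idp_assigned):
    """Return (stale, pending). stale: active in Gemfury but unassigned in the IdP, so the
    IdP should have deprovisioned them. pending: assigned in the IdP but absent from
    Gemfury, which is expected until the user's first SAML login."""
    active = {u["userName"] for u in scim_users if u.get("active", True)}
    return sorted(active - set(idp_assigned)), sorted(set(idp_assigned) - active)

# Constructed stand-in for the live endpoint: three users served in pages of `count`.
_FAKE_USERS = [
    {"id": "u1", "userName": "alice@example.com", "active": True},
    {"id": "u2", "userName": "bob@example.com", "active": False},
    {"id": "u3", "userName": "carol@example.com", "active": True},
]

def fake_get(url, headers):
    if headers.get("Authorization") != "Bearer TEST-TOKEN":
        return 401, {}
    qs = dict(p.split("=") for p in url.split("?")[1].split("&"))
    start, count = int(qs["startIndex"]), int(qs["count"])
    page = _FAKE_USERS[start - 1:start - 1 + count]
    return 200, {"totalResults": len(_FAKE_USERS), "startIndex": start, "Resources": page}

if __name__ == "__main__":
    members = list_scim_users(fake_get, "TEST-TOKEN", page_size=2)
    print(reconcile(members, ["alice@example.com", "dave@example.com"]))
```

A non-empty `stale` list means a user the IdP considers unassigned still holds an active membership, which is worth checking against the IdP's SCIM push logs and the 409 last-owner case.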
