WorkOS Docs Homepage

CyberArk SCIM

Learn about syncing your user list with CyberArk SCIM.

This guide outlines how to synchronize your application’s CyberArk directories using SCIM.

To synchronize an Enterprise’s users and groups provisioned for your application, you’ll need to provide the Enterprise with two pieces of information:

  • An Endpoint that CyberArk will make requests to.
  • A Bearer Token for CyberArk to authenticate its endpoint requests.

After completing step 1 below, both of these are available in your Endpoint’s Settings in the WorkOS Dashboard.

The rest of the steps below will need to be carried out by the Enterprise when configuring your application in their CyberArk instance.

In your WorkOS Dashboard, select or create an Organization. Then select “Manually Configure Directory”.

Select “CyberArk SCIM v2.0” as the Directory Provider and add a descriptive name for the directory sync connection.

On the Directory Sync connection settings page, save the Endpoint and the Bearer Token. You’ll input these in the CyberArk settings.

We have support for whitelabeled URLs for Directory Sync endpoints. Contact us for more info!

CyberArk supports SCIM provisioning in the context of a SAML app. The usual set up is to enable SAML first, following our docs here.

Log in to the CyberArk Admin Portal, and navigate to your SAML app. Open the “Provisioning” tab, and select the box to “Enable provisioning for this application”.

Click “Yes” in the confirmation modal.

Enter the Endpoint from the WorkOS Dashboard into the SCIM Service URL field, and enter the Bearer Token from the WorkOS Dashboard into the corresponding field in the Provisioning tab. Select “Verify” to save these credentials.

Users assigned to the SAML app will be synced, and roles mapped will be synced as groups. The roles are mapped on the Provisioning settings page, by selecting the “Add” button.

In the role mapping modal, select the role you’d like to map, and then create a destination group. The name will be what you see as the group name in directory sync. All users assigned to that role will be members of the mapped group. Select “Done”.

After the role mapping is completed, click “Save”. The SCIM configuration part of the setup is complete.

In CyberArk, navigate to the Settings → Users → Outbound Provisioning page. Under Synchronizations, start the sync. You can also set up scheduled syncs here.

In your WorkOS dashboard, you should see the users and groups synced over.