Note
In OneTrust's Legacy SCIM Integration, only provisioning of users was supported. As of OneTrust 6.29, OneTrust encourages updating to the enhanced SCIM Integration. In addition to the User Provisioning functionality available with the Legacy SCIM Integration, the enhanced SCIM Integration lets Site Admins use Group Provisioning to provision user groups in the OneTrust application and to manage user access by provisioning users into one or more user groups. Legacy SCIM Integration users can update their integration to the enhanced SCIM Integration with Group Provisioning by completing the procedure To enable the enhanced SCIM Integration with Group Provisioning in the Legacy SCIM User Provisioning article.
OneTrust supports cross-domain identity management through the SCIM 2.0 specification (RFC 7643 and RFC 7644). System for Cross-Domain Identity Management (SCIM) is an open specification for the automated management of user identities and groups in cloud applications through RESTful APIs. It allows organizations to manage and update user and group information across domains and applications from a single source.
The enhanced SCIM Integration uses User Provisioning and Group Provisioning to manage users and groups from your identity provider (IdP). With the enhanced SCIM Integration, Site Admins can manage user access from the IdP and keep user profiles in sync more easily. Site Admins can also add roles to user groups, simplifying the assignment and removal of additional permissions for users: access follows group membership, which the IdP controls, instead of being granted user by user in OneTrust. For more information on User & Group Provisioning, see the following table:
Note
OneTrust offers technical documentation about API integrations and calls through its Developer Portal. For more information, see Developer Portal Access.
To configure SCIM in OneTrust
- Click the gear icon in the upper right-hand corner to access Global Settings.
- On the menu, select . The User Provisioning screen appears.
- In the SCIM Base URL field, click the Copy URL button to copy the SCIM Base URL to your computer's clipboard.
Note
You will need to provide the SCIM Base URL during the IdP configuration process. For more information, see IdP Configuration.
- In the Organization field, select the default organizational group to which users should be assigned on creation through SCIM.
- In the Role field, select the default role to which users should be assigned on creation through SCIM. Every user the IdP creates receives this role, so choose the least-privileged role that makes sense and grant additional permissions through roles on user groups.
Note
External roles, such as Data Subject and Invited, cannot be selected in this field.
- Click the Save button.
To test connection in IdP
In order to test the connection in your IdP, you will need to either generate OAuth 2.0 client credentials or API keys with the SCIM scope using the Client Credentials screen or API Keys screen, respectively. For more information, see Managing OAuth 2.0 Client Credentials or Managing OAuth 2.0 API Keys. Limit the credential to the SCIM scope: it can create and update users, so keep it only in the IdP's credential store and rotate it as you would any other service secret.
Client Credentials Method
- Copy and paste the SCIM Base URL, Client ID, and Client Secret into your IdP.
Note
Some IdPs may require that the access token be entered directly instead of the Client ID and Client Secret. For more information on generating an access token, see the To generate a token procedure in Managing OAuth 2.0 Client Credentials.
- Test the connection in your IdP.
API Keys Method
- Copy and paste the SCIM Base URL and API key into your IdP.
- Test the connection in your IdP.
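What the IdP's "test connection" step does under the hood is one authenticated SCIM call against the SCIM Base URL. The following script is an added example (not OneTrust's code or any IdP's) that reproduces that check for both methods above: it builds the OAuth 2.0 client-credentials token request, or takes an API key directly, then issues GET /Users?count=1 and validates that the reply is a SCIM ListResponse. The token endpoint URL, the use of HTTP Basic for client authentication, and sending the API key as a Bearer credential are assumptions; take the real values from Managing OAuth 2.0 Client Credentials and the Developer Portal. The JSON bodies used in the checks are constructed samples.

```python
"""Probe a SCIM 2.0 endpoint the way an IdP's "test connection" button does.

Added example, not OneTrust's code. Everything marked ASSUMPTION must be
confirmed against your tenant's documentation before use.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:Error"


def client_credentials_request(token_url, client_id, client_secret):
    """RFC 6749 section 4.4 token request with HTTP Basic client authentication.

    ASSUMPTION: token_url and Basic auth; some servers want client_id and
    client_secret in the form body instead.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})


def access_token_from(token_body):
    """Pull the access token out of a token response; reject non-bearer tokens."""
    doc = json.loads(token_body)
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError(f"unexpected token response: {sorted(doc)}")
    return doc["access_token"]


def scim_headers(secret):
    """Headers for a SCIM call; `secret` is an access token or an API key.

    ASSUMPTION: the API key travels as a Bearer credential, like the token.
    """
    return {"Authorization": f"Bearer {secret}", "Accept": "application/scim+json"}


def scim_url(base_url, resource, **query):
    """Join the SCIM Base URL with a resource path, preserving any base path."""
    url = base_url.rstrip("/") + "/" + resource.strip("/")
    return url + ("?" + urllib.parse.urlencode(query) if query else "")


def check_list_response(body):
    """Validate a ListResponse (RFC 7644 section 3.4.2), surfacing SCIM errors."""
    doc = json.loads(body)
    schemas = doc.get("schemas", [])
    if ERROR_RESPONSE in schemas:
        raise ValueError(f"SCIM error {doc.get('status')}: {doc.get('detail')}")
    if LIST_RESPONSE not in schemas:
        raise ValueError(f"not a SCIM ListResponse: schemas={schemas}")
    missing = [k for k in ("totalResults", "Resources") if k not in doc]
    if missing:
        raise ValueError(f"ListResponse missing {missing}")
    return {"total": doc["totalResults"], "returned": len(doc["Resources"])}


def probe_connection(base_url, secret, opener=urllib.request.urlopen):
    """One authenticated GET /Users?count=1 proves URL, credential and dialect at once."""
    req = urllib.request.Request(scim_url(base_url, "Users", startIndex=1, count=1),
                                 headers=scim_headers(secret))
    try:
        with opener(req) as resp:
            return check_list_response(resp.read())
    except urllib.error.HTTPError as e:
        # 401/403 here means the credential or its scope is wrong, not the URL.
        raise SystemExit(f"SCIM probe failed: HTTP {e.code} {e.reason}") from e


if __name__ == "__main__":
    import sys
    # usage: python scim_probe.py <SCIM Base URL> <access token or API key>
    print(probe_connection(sys.argv[1], sys.argv[2]))
```

A 401 or 403 from the probe points at the credential or its scope; a 404 or a non-SCIM body points at the SCIM Base URL. Checking the `schemas` value rather than just the HTTP status catches the common case of a login page or gateway error returned with 200.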
In order to use SCIM in OneTrust, you must configure your IdP and SCIM client to accept and use SCIM. For more information about how to configure your IdP to utilize SCIM, see the following links:
User and Group Attribute Mapping
OneTrust's implementation of SCIM utilizes a combination of standard and custom attributes to describe Users and Groups. The following tables describe the mapping of the attributes to the OneTrust access management properties.
User Attribute Mapping
Group Attribute Mapping
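To make the mapping concrete, the following block is an added example (not OneTrust's mapping and not any IdP's code) showing the SCIM 2.0 documents an IdP emits for User Provisioning and Group Provisioning: a User built from the RFC 7643 core schema plus the standard enterprise extension, a Group whose members reference provisioned user ids, and the PATCH operations used to add and remove group members and to deactivate a user. OneTrust's own custom attributes are defined by the tables above and are not reproduced here; the IdP record layout (`login`, `first`, `last`, ...) is a constructed sample.

```python
"""Build the SCIM 2.0 documents an IdP sends to provision users and groups.

Added example, not OneTrust's attribute mapping. Only the RFC 7643 core
schemas and the standard enterprise extension are used; the IdP record
format is a constructed sample.
"""
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
CORE_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def user_to_scim(rec):
    """Map a constructed IdP record to a SCIM User; userName is mandatory (RFC 7643 4.1.1)."""
    if not rec.get("login"):
        raise ValueError("IdP record has no login; SCIM requires userName")
    return {
        "schemas": [CORE_USER, ENTERPRISE_USER],
        "externalId": rec["id"],  # IdP's stable key, so a rename does not create a duplicate
        "userName": rec["login"],
        "name": {"givenName": rec.get("first", ""), "familyName": rec.get("last", "")},
        "emails": [{"value": rec["email"], "type": "work", "primary": True}],
        "active": bool(rec.get("active", True)),
        ENTERPRISE_USER: {"department": rec.get("department", "")},
    }


def group_to_scim(name, external_id, member_ids):
    """A SCIM Group whose members reference already-provisioned User ids."""
    return {
        "schemas": [CORE_GROUP],
        "externalId": external_id,
        "displayName": name,
        "members": [{"value": uid} for uid in member_ids],
    }


def _filter_literal(value):
    """Quote a string for a SCIM filter so a crafted id cannot change the filter."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def membership_patch(add=(), remove=()):
    """PATCH body adding and removing members (RFC 7644 3.5.2) in one round trip."""
    ops = []
    if add:
        ops.append({"op": "add", "path": "members",
                    "value": [{"value": uid} for uid in add]})
    for uid in remove:
        ops.append({"op": "remove", "path": f"members[value eq {_filter_literal(uid)}]"})
    if not ops:
        raise ValueError("nothing to patch")
    return {"schemas": [PATCH_OP], "Operations": ops}


def deactivate_patch():
    """Deprovision by setting active to false instead of deleting the resource."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "value": {"active": False}}]}


if __name__ == "__main__":
    sample = {"id": "e7f1", "login": "jdoe", "first": "Jane", "last": "Doe",
              "email": "jane.doe@example.com", "department": "Privacy"}  # constructed
    print(json.dumps(user_to_scim(sample), indent=2))
    print(json.dumps(membership_patch(add=["u-1"], remove=['u-2"']), indent=2))
    print(json.dumps(deactivate_patch(), indent=2))
```

Two details matter in practice: `externalId` carries the IdP's stable identifier so that a changed login updates the existing OneTrust user rather than creating a second one, and member ids placed in a `remove` filter are quoted and escaped, since the path is a SCIM filter expression and not a plain string.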