HailBytes SAT Tutorial

SCIM 2.0 Provisioning

Stop managing the user list by hand. Connect HailBytes SAT to your IdP and let it create, update, and deactivate users automatically.

Endpoint & Auth

HailBytes SAT exposes a SCIM 2.0 endpoint at /scim/v2/. Authentication uses the same bearer token as the REST API.

Tenant URL: https://<your-sat-host>:3333/scim/v2/
Token:      Bearer YOUR_API_KEY
Content:    application/scim+json

What the Endpoint Supports

Method                      Path                    Purpose
GET                         /ServiceProviderConfig  Capabilities advertisement.
GET                         /Schemas                Schema definitions.
GET                         /ResourceTypes          Resource list (Users).
GET / POST                  /Users                  List / create.
GET / PUT / PATCH / DELETE  /Users/{id}             Get / replace / partial update / delete.

Group provisioning is on the roadmap; today, manage SAT target groups via the REST API or the dashboard.

Microsoft Entra ID

  1. In the Entra admin center: Enterprise applications → New application → Create your own. Name it "HailBytes SAT" and pick non-gallery.
  2. Open Provisioning and switch mode to Automatic.
  3. Tenant URL: https://<your-sat-host>:3333/scim/v2/
  4. Secret Token: paste your HailBytes SAT API key.
  5. Click Test Connection. Save.
  6. Edit attribute mappings — the defaults work. Recommended: map userPrincipalName to userName, displayName to displayName, mail to emails[type eq "work"].value.
  7. Set Provisioning Status to On. Entra will run an initial cycle and then sync every ~40 minutes.

Okta

  1. Add an app, choose Create New App → SAML 2.0 + SCIM (you can SAML-enable later; SCIM works standalone).
  2. Under Provisioning → Integration, set the SCIM connector base URL to https://<your-sat-host>:3333/scim/v2/.
  3. Authentication mode: HTTP Header. Token: Bearer YOUR_API_KEY.
  4. Click Test Connector Configuration; expect a green check.
  5. Enable Create Users, Update User Attributes, and Deactivate Users.
  6. Assign the app to the right groups.

JumpCloud, OneLogin, etc.

Any standards-compliant SCIM 2.0 client works. Point at /scim/v2/, use the API key as a bearer token, and verify with GET /ServiceProviderConfig.

Sanity Check From the CLI

curl -H "Authorization: Bearer $KEY" \
     -H "Content-Type: application/scim+json" \
     https://sat.example.com:3333/scim/v2/ServiceProviderConfig

curl -X POST \
     -H "Authorization: Bearer $KEY" \
     -H "Content-Type: application/scim+json" \
     -d '{
       "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],
       "userName":"alice@example.com",
       "name":{"givenName":"Alice","familyName":"Liu"},
       "emails":[{"value":"alice@example.com","type":"work","primary":true}],
       "active":true
     }' \
     https://sat.example.com:3333/scim/v2/Users
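
To confirm that deactivation actually takes effect, the audit below compares a GET /Users listing with the IdP's active accounts and builds the PATCH for each leftover account. It is an added example, not HailBytes code; it assumes responses follow the RFC 7644 ListResponse and PatchOp shapes and that PATCH accepts a replace on "active". The listing, IDs and function names are constructed for illustration.

```python
"""Audit SCIM deprovisioning: users still active in SAT that the IdP no longer lists."""
import json

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample of a GET /scim/v2/Users response (RFC 7644 ListResponse shape).
SAMPLE_LIST = json.loads("""
{"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
 "totalResults": 3, "startIndex": 1, "itemsPerPage": 3,
 "Resources": [
  {"id": "101", "userName": "alice@example.com", "active": true},
  {"id": "102", "userName": "Bob@Example.com", "active": true},
  {"id": "103", "userName": "carol@example.com", "active": false}]}
""")


def parse_users(list_response):
    """Validate the ListResponse envelope and return its user resources."""
    if LIST_SCHEMA not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    users = list_response.get("Resources", [])
    if len(users) < list_response.get("totalResults", 0):
        # A partial page would hide accounts from the audit, so fail closed.
        raise ValueError("paged result: fetch remaining pages with startIndex")
    return users


def find_orphans(users, idp_active):
    """Users active in SAT whose userName is not an active IdP account."""
    # userName is case-insensitive in the SCIM core schema (RFC 7643).
    wanted = {name.casefold() for name in idp_active}
    # A missing "active" attribute is treated as active, so it is still flagged.
    return [u for u in users
            if u.get("active", True) and u["userName"].casefold() not in wanted]


def deactivate_request(user):
    """Return (method, path, body) for the PATCH that sets active=false."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return "PATCH", f"/scim/v2/Users/{user['id']}", json.dumps(body)


if __name__ == "__main__":
    idp = ["ALICE@example.com"]  # constructed: active accounts exported from the IdP
    for orphan in find_orphans(parse_users(SAMPLE_LIST), idp):
        print(*deactivate_request(orphan))
```

Send the resulting body with the same Authorization and Content-Type headers as the curl calls above.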

Multi-Tenant SCIM (MSSP)

Each tenant org has its own API key. Configure one Entra/Okta SCIM app per tenant, each with that tenant's key. Provisioning is org-scoped: an Okta push for tenant A will never spill into tenant B.

Next Steps

SAML / OIDC SSO

Pair SCIM provisioning with SAML or OIDC for end-to-end identity.


MSSP White-Label

Layer SCIM on top of multi-tenant deployments.

