Secureframe User Management API Guide

Auth method: Not documented

User object field mapping is not yet verified for this app.

Endpoint coverage is not yet verified for this app.

• Rate limits: Not documented

• Rate-limit headers: No

• Retry-After header: No

• Rate-limit notes: Not documented

• Pagination method: none

• Default page size: 0

• Max page size: 0

• Pagination pointer: Not documented

• Webhooks available: No

• Webhook notes: No webhook documentation found in official Secureframe sources at research time.

• Alternative event strategy: SCIM provisioning via IdP (Okta, Entra ID, OneLogin) is the supported mechanism for automated user lifecycle management.

• SCIM available: Yes

• SCIM version: 2.0

• Plan required: Complete (Custom pricing, ~$14,000–$20,000/yr typical; SSO prerequisite required)

• Endpoint: Not documented

• Supported operations: Create user, Update user, Deactivate user

Limitations:

• SSO must be enabled before SCIM can be activated.
• SCIM is only available on the Complete plan; not included in Fundamentals.
• SCIM endpoint URL is IdP-generated and provisioned per integration (Okta, Entra ID, OneLogin); no single static public endpoint is documented.
• Must contact accountmanagement@secureframe.com to enable SCIM provisioning.
• Google Workspace is not listed as a supported IdP for SCIM.
• Specific SCIM attribute mappings, rate limits, and supported schema extensions are not publicly documented.
• Group provisioning support is not confirmed in available official documentation.

Supported SCIM operations cover Create, Update, and Deactivate user.

Okta, Microsoft Entra ID, and OneLogin are the confirmed IdPs;

Google Workspace is not listed as a supported SCIM IdP.

For Okta, provisioning is configured in the Okta application's Provisioning tab using the SCIM base URL and API token supplied post-enablement.

For Entra ID, set provisioning mode to Automatic, enter the SCIM tenant URL and secret token, and map at minimum: userName, name.givenName, name.familyName, and active.

Group provisioning support is unconfirmed in available documentation.

For identity graph use cases - correlating Secureframe user state against IdP identity records - the active attribute on SCIM deprovision is the only reliable signal;

hard-delete vs.

soft-deactivation behavior on deprovision is not publicly documented and should be validated with Secureframe support before building offboarding compliance workflows against it.

Provision users via Okta SCIM

1. Ensure SSO is configured and active on the Secureframe Complete plan.
2. Contact accountmanagement@secureframe.com to request SCIM enablement.
3. In Okta, add the Secureframe application and navigate to the Provisioning tab.
4. Enter the SCIM base URL and API token provided by Secureframe after enablement.
5. Enable 'Create Users', 'Update User Attributes', and 'Deactivate Users' in Okta provisioning settings.
6. Assign users or groups in Okta to trigger provisioning to Secureframe.

Watch out for: SCIM endpoint credentials are not self-generated; they are provided by Secureframe after manual enablement. Without contacting account management, provisioning cannot be configured.

Provision users via Microsoft Entra ID (Azure AD) SCIM

1. Confirm SSO is active and Complete plan is in effect.
2. Request SCIM enablement from Secureframe account management.
3. In Entra ID, create an Enterprise Application for Secureframe or use an existing gallery app.
4. Navigate to Provisioning, set mode to Automatic, and enter the SCIM tenant URL and secret token supplied by Secureframe.
5. Map required attributes (at minimum: userName, name.givenName, name.familyName, active).
6. Start provisioning and monitor the provisioning logs for errors.

Watch out for: Attribute mapping details and supported SCIM schema extensions are not publicly documented by Secureframe; validate mappings with Secureframe support.

Deprovision a user

1. Remove or unassign the user from the Secureframe application in the IdP (Okta, Entra ID, or OneLogin).
2. The IdP sends a SCIM PATCH or PUT request setting 'active: false' to Secureframe.
3. Secureframe deactivates the user account; confirm deactivation in the Secureframe admin console.

Watch out for: Whether Secureframe performs a hard delete or soft deactivation on SCIM deprovision is not documented publicly. Verify behavior with Secureframe support before relying on this for offboarding compliance workflows.

The primary integration trap is assuming SCIM is self-serve. It is not: enablement requires a manual step through account management, which introduces lead time and a dependency outside the engineering team's control.

A second trap is attribute mapping opacity - supported SCIM schema extensions and full attribute mapping details are not publicly documented, meaning Entra ID or Okta mappings may require back-and-forth with Secureframe support to validate. Finally, SCIM is plan-gated to Complete tier; customers on Fundamentals have no programmatic provisioning path at all.

Teams building identity graph pipelines that include Secureframe should treat the SCIM active flag as the authoritative deactivation signal, but must confirm deprovision behavior before relying on it for audit-grade offboarding evidence.