Set Up SCIM Integration in SailPoint IdentityNow

Alation Cloud Service Applies to Alation Cloud Service instances of Alation

Available from release 2026.2.1.0

You can configure SailPoint IdentityNow (SaaS) to provision users and groups to Alation using SCIM 2.0. This integration enables automated user lifecycle management, including user provisioning, group membership updates, user suspension, and deprovisioning.

This guide explains how to configure the SCIM 2.0 connector in IdentityNow to integrate with Alation’s SCIM API after enabling SCIM on your Alation Cloud Service instance.

Note

SailPoint offers two identity governance products:

  • IdentityNow: SaaS, SailPoint-hosted cloud

  • IdentityIQ: On-premises, customer-managed deployment

This guide covers IdentityNow (SaaS) integration. The configuration uses Sources (not Applications as in IdentityIQ). For the on-premises variant, see Set Up SCIM Integration in SailPoint IdentityIQ.

Important

The SailPoint IdentityNow configuration steps in this guide are based on the current SailPoint setup at the time of writing. SailPoint may update their UI, navigation paths, or feature names in future releases. If you notice discrepancies, refer to the latest SailPoint IdentityNow documentation for current instructions.

Prerequisites

Before configuring the integration, ensure the following:

  1. You have an Alation Cloud Service instance with SCIM enabled. See Enable SCIM Integration for User and Group Management.

  2. You have SCIM authentication credentials configured in Alation. You can use either:

  3. Open a Support case with Alation to assist with server-side configuration. In the initial request, ask Support to set the SCIM client to sailpoint on your Alation Cloud Service instance. Depending on your configuration choices, you may need to add additional requests to the same ticket later.

  4. You have a SailPoint IdentityNow tenant with the SCIM 2.0 SaaS connector available.

  5. You have admin access to IdentityNow with privileges to do the following configuration.

  6. You have an Active Directory source (for example, Entra ID) configured in IdentityNow as the identity source.

  7. Network connectivity is established between IdentityNow and the Alation Cloud Service instance over HTTPS.

Configuration Steps

Follow these steps to configure the integration:

Step 1: Create the Source in IdentityNow

  1. In IdentityNow, navigate to Admin > Connections > Sources.

  2. Click Create New and select SCIM 2.0 SaaS as the source type.

  3. Provide a descriptive name for the source (for example, Alation SCIM Integration).

  4. On the Configuration tab, enter the following settings:

    Setting

    Value

    Base URL

    https://<your-instance>.alationcloud.com/scim/v2

    Authentication Type

    API Token or Basic Authentication

    Token

    Paste the SCIM bearer token from Alation (if using API Token authentication)

    Username

    Enter the username configured in Django shell (if using Basic Authentication)

    Password

    Enter the password configured in Django shell (if using Basic Authentication)

    Enable Non-Compliant Server

    Enabled (select the checkbox)

  5. Click Test Connection to verify the configuration. You should see a success message.

Step 2: Configure Account Management

Configure the account schema and create accounts for user provisioning.

  1. Navigate to Account Management > Account Schema > Discover Schema to allow IdentityNow to detect the SCIM schema from Alation.

  2. Click Create New Account and configure the following:

    Setting

    Value

    userName

    Identity Attribute

    Attribute

    Work Email

  3. Save the account configuration.

Step 3: Aggregate Entitlements

Run an initial entitlement aggregation to import Alation’s SCIM groups into IdentityNow.

  1. On the source page, navigate to Entitlement Management > Entitlement Aggregation.

  2. Select Specific Types and choose Group.

  3. Click Start Aggregation.

IdentityNow imports the existing SCIM groups from Alation as entitlements. You can use these entitlements in access profiles and access requests.

Step 4: Create an OAuth Client in IdentityNow

Create an OAuth client to authenticate API calls from the workflow to IdentityNow’s entitlements API.

  1. Navigate to Admin > Global > Security Settings > API Management.

  2. Click New Client and configure the following:

    Setting

    Value

    Grant Type

    Client Credentials

    Scopes

    idn:entitlement:read idn:sources-admin:read idn:sources-admin:manage idn:sources:read sp:scopes:default

  3. Copy the Client ID and Client Secret immediately. You need these values in the workflow configuration.

  4. Verify the OAuth client by requesting a token:

    curl -s -X POST \
  'https://<your-identitynow-tenant>.api.identitynow.com/oauth/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_id=<CLIENT_ID>' \
  --data-urlencode 'client_secret=<CLIENT_SECRET>'

    A successful response returns a JWT bearer token.

Step 5: Configure the Workflow for Group Sync

SailPoint IdentityNow does not natively support group creation and management for this integration. A custom workflow is used to handle these tasks.

Create a workflow in IdentityNow to automatically sync groups from your Active Directory source (for example, Entra ID) to Alation as SCIM groups. The workflow runs each time your Active Directory source completes an account aggregation, if scheduled.

Note

Before configuring the workflow, identify the source ID of your Active Directory source. Run the following command to find it:

curl -s "https://<your-identitynow-tenant>.api.identitynow.com/v3/sources?filters=name%20eq%20%22Active%20Directory%22" \
  -H "Authorization: Bearer <JWT_TOKEN>" \
  -H "Accept: application/json"

The response includes an id field. Note this value for use in the workflow trigger filter.

Navigate to Admin > Workflow and create a new workflow with the following components:

Configure the Trigger

Set the workflow to run automatically when your Active Directory source aggregation completes.

Field

Value

Trigger Type

Account Aggregation Completed

Filter

source.id == "<AD_SOURCE_ID>"

Replace <AD_SOURCE_ID> with the source ID of your Active Directory source.

Add Action: Get Entitlements from Active Directory

Add an HTTP Request action to fetch group entitlements from the Active Directory source.

Field

Value

Method

GET

Request URL

https://<your-identitynow-tenant>.api.identitynow.com/v2025/entitlements

Request URL Parameters

sourceId=<AD_SOURCE_ID>, type=group, limit=250, offset=0

Request Headers

Accept: application/json

Authentication Type

OAuth 2.0 Client Credentials

Token URL

https://<your-identitynow-tenant>.api.identitynow.com/oauth/token

Client ID

From the OAuth client created in Step 4

Client Secret

From the OAuth client created in Step 4

This configuration retrieves up to 250 group entitlements starting at offset 0. If your Active Directory source has more than 250 group entitlements, configure pagination in your workflow by incrementing the offset parameter and repeating the request until a page returns no results.

Add Operator: Loop

Add a Loop operator to iterate through each group returned in the response.

Field

Value

Loop Input

$.hTTPRequest.body

Use the variable selector to pick the path: Steps > Get entitlements from Entra > body.

Inside the Loop block, add the following actions:

Add Action: Check Group

Add an HTTP Request action inside the Loop to check if the group already exists in Alation.

Field

Value

Method

GET

Request URL

https://<your-instance>.alationcloud.com/scim/v2/Groups

Authentication Type

Custom Authorization

Header Name

Authorization

Header Value

Bearer <SCIM_TOKEN>

Request Headers

Accept: application/scim+json

Request Content Type

None

Request URL Parameters

count=100, startIndex=1, filter=displayName eq "{{$.loop.loopInput.name}}"

Add Operator: Is New Group?

Add a Choice operator to determine whether to create the group or skip it.

Field

Value

Operator Type

Choice

Input Variable A

$.hTTPRequest1.body.totalResults

Input Variable B

0

Comparator

NumericEquals

If True (A == B)

Go to Create Group

If False (A != B)

Go to Send Email

Add Action: Create Group

Add an HTTP Request action to create the SCIM group in Alation.

Field

Value

Method

POST

Request URL

https://<your-instance>.alationcloud.com/scim/v2/Groups

Authentication Type

Custom Authorization

Header Name

Authorization

Header Value

Bearer <SCIM_TOKEN>

Request Headers

Accept: application/scim+json

Request Content Type

SCIM JSON

Request Body

 
{
  "displayName.$": "$.loop.loopInput.name",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ]
}

Add Action: Send Email

Add a Send Email action to notify when a group already exists.

Field

Value

Recipient Email List

Enter the email address to notify

Subject

Group already exists

Body

Group {{$.loop.loopInput.name}} already exists in Alation. Skipped create.

Add an End Step after the Loop to complete the workflow.

Note

  • The SCIM bearer token expiration is configurable (typically 1–6 months). Check the configured expiration in the Alation UI (Admin Settings > Authentication > SCIM Token) and regenerate the token before it expires, either from the UI or through the Alation Django shell.

  • If you use basic authentication instead of a bearer token, set the Authentication Type to Basic Authentication and enter the SCIM username and password in the Check Group and Create Group actions.

Step 6: Create Access Profiles

Create access profiles to bundle SCIM group entitlements for user provisioning.

Once groups are populated in Alation, they can be incorporated into SailPoint access profiles. These access profiles are then assigned to applications, where access requests can be enabled. When an administrator approves an access request for a user, SailPoint communicates with the Alation user API to automatically add the user to the corresponding group, completing the lifecycle management process.

  1. Navigate to Admin > Access Model > Access Profiles.

  2. Click Create New > Access Profile and provide a name (for example, Alation – Server Admin).

  3. Select your Alation SCIM source as the source.

  4. Under Entitlements, select the SCIM groups to include in the access profile.

    For example:

    Access Profile

    Entitlements (Alation SCIM Groups)

    Alation – Admin

    ServerAdmin, CatalogAdmin

    Alation – Analyst

    DataAnalyst

    Alation – Steward

    DataSteward

  5. Enable the access profile to make it available for access requests.

  6. Save the access profile.

  7. Repeat for each access profile you need.

Step 7: Test the Configuration

Verify the end-to-end integration by testing group sync and user provisioning.

  1. Run an account aggregation on the Active Directory source (for example, Entra ID) to start the workflow.

  2. Verify that the workflow runs successfully in Admin > Workflow > Executions to check the execution history.

  3. Confirm that the groups appear in Alation under Admin Settings > Groups.

  4. Aggregate entitlements on the Alation SCIM source to import the newly created groups as IdentityNow entitlements.

  5. Provision a test user by requesting an access profile (see User Provisioning).

  6. Verify that the test user appears in Alation with the correct group membership.

User and Group Operations

After completing the configuration, you can perform the following operations.

Group Provisioning

  1. Run an account aggregation on the Active Directory source. The workflow automatically creates new groups in Alation as SCIM groups.

  2. Run an entitlement aggregation on the Alation SCIM source to import the groups as entitlements in IdentityNow.

User Provisioning

  1. In IdentityNow, navigate to Request Center.

  2. Search for the user who needs access to Alation.

  3. Select the appropriate access profile (for example, Alation – Analyst).

  4. Submit the request.

  5. If approval is configured, the request routes to the approver. Once approved, IdentityNow provisions the user in Alation via SCIM.

The user is provisioned in Alation with the roles determined by the SCIM groups in the access profile.

Update Group Membership

  1. Navigate to Request Center.

  2. Search for the user who needs additional group membership.

  3. Select the additional access profile or entitlement (SCIM group).

  4. Submit the request.

Once approved, the user is added to the SCIM group in Alation.

User Suspension

User suspension in IdentityNow removes the user’s SCIM account from Alation, which suspends the user and removes them from all SCIM groups.

Suspend a User

  1. In IdentityNow, navigate to Admin > Identities > Identity List.

  2. Search for and select the user.

  3. Under Accounts, locate the Alation SCIM account.

  4. Select the Alation source account and choose to disable or remove it.

  5. Confirm the action.

Alternatively, change the user’s lifecycle state to an inactive state (for example, inactive or terminated) to automatically disable accounts on connected sources.

Result

  • The SCIM account is deprovisioned from Alation.

  • The user appears under Suspended Users in Alation.

  • The user is removed from all SCIM groups.

Reactivate a Suspended User

  1. Change the user’s lifecycle state back to an active state, or submit a new access request through the Request Center.

  2. Select the appropriate access profile for the Alation SCIM source.

  3. Submit the request.

Result

  • The SCIM account is re-created in Alation.

  • The user is reactivated.

  • The user is automatically re-added to SCIM groups based on the entitlements in the assigned access profile.

User Deprovisioning

To remove a user from a specific SCIM group without suspending the user, use one of the following methods:

Using Request Center

  1. Navigate to Request Center.

  2. Select Request for Others and search for the user.

  3. Select the application (Alation).

  4. Select the access profile mapped to the SCIM group.

  5. Choose Remove Access.

  6. Submit the request. If approval is configured, the request routes to the approver.

Once approved, the entitlement is revoked and the user is removed from the SCIM group in Alation.

Using the Identity Detail View

  1. Navigate to Admin > Identities.

  2. Search for and select the user.

  3. Go to the Access tab.

  4. Locate the access profile or entitlement (SCIM group) to remove.

  5. Remove the access profile or entitlement.

The user is removed from the SCIM group in Alation.

Maintenance Tasks

Run the following tasks on a recurring schedule to keep user and group data synchronized:

Task

Purpose

Account Aggregation (Active Directory)

Runs on the Active Directory source to start the group sync workflow to Alation

Entitlement Aggregation (Alation SCIM)

Runs on the Alation SCIM source to import SCIM groups as IdentityNow entitlements

Workflow Execution Monitoring

Review workflow execution history for errors or failed group creation attempts

Troubleshooting

For error messages and troubleshooting tips, see Troubleshooting SCIM Configuration.

For testing the SCIM configuration, see Testing SCIM Configuration.