@Karuna-Mendix (Collaborator) commented Jan 21, 2026

@Karuna-Mendix self-assigned this Jan 21, 2026

The typical example of this scenario includes Okta as an IdP and using `sub` as a unique identifier. In the OIDC **Attribute Mapping** configuration, the unique IdP claim `sub` is stored in the `System.User.Name` attribute of the Mendix user entity, and the `Name` attribute is configured as the OIDC principal attribute. This establishes the `sub` value as the authoritative identifier for the user in Mendix.

{{% alert color="info" %}}
This scenario also applies if you are using Entra ID as IdP. The unique IdP claim `oid` is stored in the `System.User.Name` attribute of the Mendix user entity, the `Name` attribute is configured as the OIDC principal attribute. By mapping the SCIM `externalId` to the `System.User.Name` attribute and configuring `Name` as the SCIM principal attribute enable Mendix to correctly correlate SCIM provisioning.
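
Review bot: The last sentence of the alert ("By mapping the SCIM `externalId` ... and configuring `Name` as the SCIM principal attribute enable Mendix to correctly correlate SCIM provisioning") has no subject for "enable" and never says what the SCIM-provisioned records are correlated with. Suggest starting it with "Mapping the SCIM `externalId` to ... enables Mendix to ..." and naming the other side of the correlation explicitly. The sentence before it is also a comma splice ("... of the Mendix user entity, the `Name` attribute is configured ..."); the Okta paragraph above uses "and" at the same point.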

@JaapF Jan 30, 2026

We lost a nuance.

It should say:

"...using Entra ID as IdP AND you have mapped the unique IdP claim..."

Because if the 'and condition' is not met, another scenario applies.


#### Transitioning to a Long-Term Standard Identifier (`oid`)

If the organization decides to standardize on `oid` as the long-term unique identifier across both OIDC and SCIM, both configurations must be updated to use this identifier consistently. To implement this change, follow scenario 2 and do the following:
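
Review bot: In the paragraph under the new heading, "follow scenario 2" identifies the scenario by number only; link to that scenario's heading or name it, so the reference still resolves if the sections are reordered. "Both configurations" would also read more clearly as "the OIDC and SCIM configurations", since the same sentence already uses "both" for "both OIDC and SCIM".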

Let's mention Entra ID again here.
The 'oid' claim only exists with Entra ID.
