Get started with Inbound SCIM

Use Inbound SCIM to synchronize user and group data from an external directory to your Google cloud directory. The sync process takes place in the cloud, so there's no need to install a sync client or on-premises software. Inbound SCIM is ideal if you want to set up incremental, real-time updates to keep your directories consistent.

What does Inbound SCIM support?

Inbound SCIM is supported by most Identity Providers (IdPs) and human resources information systems (HRIS). Our APIs can work with any IdP, HRIS, or custom application that supports the SCIM 2.0 standard.

How does Inbound SCIM work?

When you set up an Inbound SCIM connection, the system automatically creates a Google-managed service account with the User Management Admin and Groups Admin roles. You also create API keys that are used to authenticate the service account when syncing from your IdP. Your synced groups are locked by default to help maintain consistency between your directories.

How do Inbound SCIM API keys work?

API keys are created for the SCIM connection and bound to the associated service account. Requests that use the API key to call for directory updates use the service account's permissions. If the connection is deleted, the service account and any associated API keys are also deleted.

Additional things to know about Inbound SCIM API keys:

  • Since the API keys and service accounts are managed in the Google Workspace Admin console, they won't appear in your Google Cloud Admin console.
  • The API keys can only be used for the Cloud Identity SCIM API endpoint.

Admins should also note that Workspace Admin accounts must be synced manually. Service accounts associated with Inbound SCIM connections don't have permission to manage Admin accounts.

How does locking synced groups work?

When you create a new Inbound SCIM connection, the Lock synced groups setting is checked by default. It helps maintain consistency between identity providers by preventing users from making changes to your directory.

  • First-time processing: When a group is created or updated for the first time using a SCIM request, the Lock synced groups setting from your connection is applied. Once this happens, the group is marked as processed.
  • Manual unlocks: If an administrator manually unlocks a processed group, SCIM updates won't re-lock it. The override remains until your SCIM connection settings are updated.
  • Changing connection settings: If you update the Lock synced groups setting for your SCIM connection, the new setting is applied to associated groups on the next SCIM request.

Learn more about locking groups to keep data in sync.

Before you begin

Before you use Inbound SCIM, you need to have:

If you want help managing Inbound SCIM connections, you can give another administrator the Inbound SCIM Directory Sync Settings Management privilege in the Admin console. If you need another administrator to be able to view but not update settings, you can give the Inbound SCIM Directory Sync Settings Read privilege to the administrator.

Set up Inbound SCIM

  1. In the Google Admin console, go to Menu and then Directory and then External directories.

    Requires having the Inbound SCIM Directory Sync Settings Management privilege.

  2. Click Setup Inbound SCIM if you haven't set up any other syncs. If you've already configured Directory sync, open the Inbound SCIM tab and select Add SCIM connector.
  3. Add a Connection name for this sync.

    Note: Choose a short, descriptive name. The first 18 characters of the name—not including spaces—form the email address for the service account created for this SCIM connection.

  4. Copy your SCIM endpoint URL and save it. Add this to your external identity provider to connect.

  5. The Lock synced groups setting is checked by default. Enabling this setting maintains consistency between identity providers.

  6. Click Save and continue.

  7. Click Generate API key.

  8. A pop up displays a generated API key. Copy and paste it somewhere you can access it again. Then click Copy to clipboard and close.

    Note: Once you close the dialog, you won't be able to see the key again. You can generate up to two keys, and delete and re-generate them if you need new ones.

  9. In your external IDP or other SCIM client, use the API Key as a bearer token to authorize SCIM API requests.

  10. When you return to the External directories page, you can review your Directory Sync or Inbound SCIM connections.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.