Welcome! AshScim is a SCIM 2.0
server extension for the Ash Framework. It lets
identity providers (Okta, Azure AD / Entra, OneLogin, JumpCloud, …) provision
users and groups into your application by exposing standards-compliant
SCIM endpoints over your existing Ash resources. This documentation is
best viewed on hexdocs.
AshScim is intentionally orthogonal to authentication: SCIM only describes
how user and group records are synchronized — login itself remains the
responsibility of ash_authentication
(or any other strategy you choose). The two integrate cleanly: AshScim
can authenticate IdP requests using JWTs minted and stored by
AshAuthentication.
Tutorials walk you through a series of steps to accomplish a goal. These are learning-oriented, and are a great place for beginners to start.
Topics provide a high-level overview of a specific concept or feature. These are understanding-oriented, and are perfect for discovering design patterns, features, and tools related to a given topic.
Reference documentation is produced automatically from our source code. It comes in the form of module documentation and DSL documentation. This documentation is information-oriented. Use the sidebar and the search bar to find relevant reference information.
- Multi-valued attributes — single-attribute vs relationship-backed multi-valued attributes.
- Filter syntax — operators, dotted paths, security guarantees.
- PATCH operations — what the router does with each kind of PatchOp.
- Authentication — StaticBearer and AshAuthentication-backed JWTs.
- Policies & the bypass check — letting the router run unimpeded by application policies.
- Multi-tenancy — attribute and context strategies, per-tenant IdPs.
- Limitations — known gaps.
- AshScim.User DSL
- AshScim.Group DSL
- For other reference documentation, see the sidebar & search bar.
A working Phoenix app using AshScim lives at demo/. It wires
AshAuthentication, ash_postgres, and AshScim together with User,
Group, and Membership resources.
To run it locally:
cd demo
mix deps.get
mix ash.setup
mix run priv/repo/seeds.exs # prints a SCIM bearer token
PORT=4002 mix phx.server

To validate against the scim2-tester compliance suite:
pipx install scim2-cli
TOKEN=... # paste from seeds output
scim -u http://localhost:4002/scim/v2 -h "Authorization:Bearer $TOKEN" test

CI runs this suite on every push and pull request — see
.github/workflows/scim_compliance.yml. The job fails on any ERROR line.
- Ash Framework
- Ash Authentication | Authenticate users with password, OAuth, and more — pairs naturally with AshScim for JWT-based bearer authentication of SCIM clients.
- Ash Postgres | PostgreSQL data layer — required if you want PATCH atomicity with row-level locking.

