Skip to main content

Crossbeam SCIM Integration Guide

Technical guide for implementing Crossbeam’s SCIM integration.

Joy Rudnick avatar
Written by Joy Rudnick
Updated over 2 months ago

Overview

Crossbeam supports SCIM (System for Cross-domain Identity Management) to automate user provisioning and deprovisioning between your identity provider (such as Okta, Azure AD, or OneLogin) and Crossbeam.

Using SCIM, your identity provider automatically keeps your Crossbeam user directory up to date by creating, updating, or deactivating users based on changes in your organization’s directory.

What Crossbeam’s SCIM Enables

  • Automatic provisioning: Create new users in Crossbeam when they’re added in your identity provider

  • Automatic updates: Sync user attributes (name, email, roles) whenever they change in your IdP

  • Automatic deprovisioning: Deactivate users in Crossbeam when they’re removed from your IdP

  • Role-based access enforcement: Ensure users can only access Crossbeam if they’ve been properly provisioned and assigned roles

‼️ Important

This feature is currently available for Enterprise plan only.

SCIM setup cannot be completed through the Crossbeam application interface. You must contact Crossbeam support.

Getting Started

Crossbeam’s current SCIM implementation supports user provisioning and allows roles to be assigned directly in the SCIM payload using the core_role and sales_role attributes.


Role management through groups (SCIM Groups API) is not yet supported.

Before you Begin

  • Confirm SCIM availability with Crossbeam Support. SCIM must be enabled for your organization.

  • Obtain your SCIM endpoint and token from Crossbeam Support. These credentials are required for authentication.

  • Identify your available roles using the /roles endpoint so that user provisioning requests include valid role IDs.

  • Test with a small user group before enforcing SCIM for your entire organization.

  • Enable SCIM enforcement: Once setup is verified, Crossbeam can enforce SCIM-only user management.

    • After enforcement, users can only access Crossbeam if provisioned through SCIM.

    • Manual user management in the Crossbeam UI will be disabled.

✍️ Note

Role management through groups (SCIM Groups API) is not yet supported, but may be added in a future version.

What is Supported and How it Works

Crossbeam requires the following attributes in SCIM user objects:

Required Attributes

  • userName (string): The user's email address - used as the primary identifier

  • active (boolean): Whether the user account is active (true) or inactive (false)

  • externalId (string): External identifier from your identity provider

  • displayName (string): User's display name

  • name (object): User's name information

    • givenName (string): First name

    • familyName (string): Last name

  • emails (array): Array of email objects

    • value (string): Email address

    • type (string): Email type (e.g., "work")

    • primary (boolean): Whether this is the primary email

Crossbeam-Specific Attributes

  • urn:ietf:params:scim:schemas:extension:crossbeam:2.0:User (object): Crossbeam-specific user configuration

    • core_role (UUID, optional): ID of the core role to assign to the user

    • sales_role (string, optional): Sales edge role to assign to the user

‼️ Important

Each user must have either a core_role OR a sales_role (or both), but at least one is required. You cannot create a user with no role assigned.

Available Roles

The /v1/scim/{sso-config-id}/roles endpoint returns all available roles for your organization, including both core roles and sales edge roles:

{
  "core_roles": [
    {
      "label": "Role Name",
      "description": "Role description",
      "value": "role-uuid-string"
    }
  ],
  "sales_roles": [
    {
      "label": "Manager",
      "description": "Configures Crossbeam for Sales, manages other users' access to Crossbeam for Sales",
      "value": "partner-manager"
    }
  ]
}

Core Roles

Core roles are organization-specific and returned in the core_roles array.
These roles are managed within the Crossbeam app and cannot be managed via SCIM.

Sales Roles

Sales roles are predefined and returned in the sales_roles array.

Sales roles are predefined and returned in the sales_roles array of the roles endpoint.

  • Manager (partner-manager): Configures Crossbeam for Sales, manages other users' access to Crossbeam for Sales

  • Standard (co-seller): Full access to Crossbeam for Sales features, make partner requests, use Chrome extension, full access to Crossbeam Copilot, gets alerts, access to lists, access to Deal Navigator, reply to conversations, complete conversations and mark Attribution, does not have Crossbeam Core Access

  • Limited (viewer): Full access to Crossbeam for Sales features listed for the Standard role (including access to Crossbeam Copilot), but cannot make partner requests or access lists, does not have Crossbeam Core Access

Seat Quota Validation

Crossbeam enforces seat quotas during user provisioning:

  • Core seat: Users with a core_role (with or without a sales role) consume one core seat

  • Sales seat: Users with only a sales_role consume one sales seat

If your organization exceeds its quota, SCIM returns an error:

{
  "scimType": "overquota",
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
  "detail": "No more core seats available: you need to get more seats",
  "status": "400"
}

SCIM Endpoints

Crossbeam provides the following SCIM endpoints that comply with the SCIM 2.0 specification:

User Management

  • GET /v1/scim/{sso-config-id}/users - List users

  • POST /v1/scim/{sso-config-id}/users - Create user

  • GET /v1/scim/{sso-config-id}/users/{user-id} - Get specific user

  • PUT /v1/scim/{sso-config-id}/users/{user-id} - Replace user

  • PATCH /v1/scim/{sso-config-id}/users/{user-id} - Update user

  • DELETE /v1/scim/{sso-config-id}/users/{user-id} - Delete user

Role Management

  • GET /v1/scim/{sso-config-id}/roles - List available roles (not a SCIM endpoint, but metadata to help provide valid values for roles in the Crossbeam user extension)

Note: Endpoints are case-insensitive (/Users, /USERS, etc.).

Test endpoints using the Postman collection:

SCIM 2.0 CROSSBEAM.postman_collection.json

Authentication

All SCIM requests require a Bearer token in the Authorization header:

Authorization: Bearer <your-scim-token>

Example SCIM User Creation

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:crossbeam:2.0:User"
  ],
  "userName": "john.doe@company.com",
  "active": true,
  "displayName": "John Doe",
  "name": {
    "givenName": "John",
    "familyName": "Doe"
  },
  "emails": [
    {
      "value": "john.doe@company.com",
      "type": "work",
      "primary": true
    }
  ],
  "urn:ietf:params:scim:schemas:extension:crossbeam:2.0:User": {
    "core_role": "12345678-1234-1234-1234-123456789abc",
    "sales_role": "co-seller"
  }
}

Error Handling

Crossbeam returns standard SCIM-compliant error codes:

Status

Description

400 Bad Request

Invalid data, missing attributes, or exceeded seat quota

401 Unauthorized

Invalid or missing SCIM token

404 Not Found

User or organization not found

409 Conflict

User already exists

Audit Logging

All SCIM operations are logged in Crossbeam’s audit system for transparency and compliance.

Field

Description

User

Logged as “System (SCIM)” (system@SCIM)

Actions

Create, update, delete

Details

Before/after user states, including active status and roles

Related Articles
Crossbeam for Sales
Crossbeam for Sales FAQs
Installation Guide: Crossbeam for Salesforce (v2)
Installation Guide: Crossbeam for Salesforce (v1)
Crossbeam Overview for Compliance Teams
Did this answer your question?