Problem: SOC 2 finding: 34 accounts active 30+ days after employee departure, including 3 former employees in sensitive roles. No automated deprovisioning. New customer IdP onboarding: 3 days of manual CSV import and mapping.
Solution: SCIM 2.0 /Users and /Groups endpoints per tenant. Each tenant gets its own SCIM bearer token, scoped to that tenant's user population only, so a token can never read or modify another tenant's accounts. PATCH /Users/{id} with active:false is processed synchronously: the account is disabled before the API call returns. A reconciliation cron every 4 hours compared the users each customer IdP reported as active against the platform's accounts for that tenant and flagged any divergence for manual review; it caught 3 cases of SCIM events lost to misconfigured customer IdPs.
Technology: SCIM 2.0 · Keycloak · Node.js · Postgres · Okta · Entra ID
Optimisation pattern: email-deprovisioning-to-scim-push-with-reconciliation-cron
Outcomes:
Deprovisioning latency: days → under 5 minutes. SOC 2 finding closed. New customer IdP onboarding: 3 days → 4 hours. 15th customer connection took under half a day using the documented configuration template.