Set up SCIM for PAM - Self-Hosted

This topic describes how to set up the CyberArk Identity SCIM server for PAM - Self-Hosted. SCIM is the System for Cross-domain Identity Management, an open standard that simplifies cloud identity management and automates user provisioning across multiple domains.

Integration workflow

Click the image to increase the image size.

Step 1: Prepare for SCIM integration

  • If you intend to create users in PAM - Self-Hosted (as opposed to creating users in the IGA), run the LDAP integration as described in LDAP Integration.

Step 2: Configure CyberArk Identity

CyberArk Identity is the SCIM server, functioning as middleware in the PAM - Self-Hosted-IGA integration. It communicates with the IGA (SCIM client) using the SCIM protocol and relays information to PAM - Self-Hosted using PAM - Self-Hosted REST APIs.

You must integrate CyberArk Identity with both PAM - Self-Hosted and your IGA platform.

  1. Configure the SCIM server. For details, see SCIM server configuration.

    When you add and configure the OAuth2 Client application, make sure to use the Login Name identity-privilege-integration-user$.

  2. Configure the Vault settings in CyberArk Identity. For details, see Manage privileged objects in PAM - Self-Hosted CyberArk .

    While performing this procedure, save the tenant URL you provided for the Vault configuration. You will need it to run the script described in the following step.

Step 3: Configure PAM - Self-Hosted

After you configure CyberArk Identity you need to run two scripts to complete the integration with PAM - Self-Hosted.

To create the SCIM service user:

  1. In PowerShell, run the following command:

    .\CreateSCIMServiceUser.ps1 -PVWAUrl [PAS PVWA URL]
    Command parameter




    The URL to your PVWA.



  2. When prompted, enter your PAM - Self-Hosted admin credentials.

To configure the integration with CyberArk Identity:

  1. Download the Configure SCIM in PAM - Self-Hosted script from CyberArk Marketplace.

  2. In PowerShell, run the following command:

    .\IdentityConfiguration.ps1 -portalUrl [PVWA URL] -cyberArkIdentityMetadataUrl [CyberArk Identity Metadata URL] - cyberArkIdentityClientId [CyberArk Identity Client ID]
    Command parameters




    The URL to your PVWA.


    https://<your subdomain>/PasswordVault


    Tenant URL. Use the following format:


    You save this parameter while configuring CyberArk Identity, as described in Set up SCIM for PAM - Self-Hosted.


    CyberArk Identity's OpenID Connect Client ID (hard-coded)

  3. When prompted, enter your PAM - Self-Hosted admin credentials.

Step 4: Configure the IGA platform

Configure your IGA platform for the integration according to the specific platform instructions.

IGA platform configuration

IGA platform


Sailpoint IdentityNow

Integrating Sailpoint with CyberArkPrivilege Cloud

This topic applies to both Privilege Cloud and PAM.

Sailpoint IdentityIQ Privileged Account Management