SCIM (System for Cross-domain Identity Management) automates user provisioning — creating, updating, and deactivating Chamilo accounts based on changes in your identity provider. Unlike OAuth2 or LDAP, SCIM handles provisioning, not login.
A new employee joins
Creates a Chamilo account
An employee's name or role changes
Updates the Chamilo account
An employee leaves
Deactivates or deletes the Chamilo account
In your .env (or .env.local) file, define a secure random token:
SCIM_TOKEN=your-secure-random-tokenThis token is used by your identity provider to authenticate its requests to Chamilo's SCIM endpoints.
authentication:
1:
scim:
main:
enabled: true
auth_source: platformClear and warm the cache after editing:
In your identity provider (Azure AD, Okta, etc.):
Add Chamilo as a SCIM application
Set the SCIM base URL to https://your-chamilo-url/scim/v2/
Enter the token from step 1 as the bearer token
Map provider attributes to SCIM standard fields (userName, name.givenName, name.familyName, emails)
Enable automatic provisioning
Chamilo implements SCIM 2.0:
/scim/v2/Users
GET
List users
/scim/v2/Users
POST
Create a user
/scim/v2/Users/{id}
GET
Get a user
/scim/v2/Users/{id}
PUT
Replace a user
/scim/v2/Users/{id}
PATCH
Update a user
/scim/v2/Users/{id}
DELETE
Remove a user
Start with a test group — provision a small set of users before enabling SCIM for the whole organization.
Combine with OAuth2 — a common setup uses Azure AD OAuth2 for login and Azure AD SCIM for provisioning.
Monitor logs — check both Chamilo (var/log/) and your identity provider's provisioning logs for errors.
Last updated
Was this helpful?
Was this helpful?
php bin/console cache:clear && php bin/console cache:warmup