--- title: KnowBe4 SCIM API Integration on Truto slug: knowbe4scim category: Knowledge Management canonical: "https://truto.one/integrations/detail/knowbe4scim/" --- # KnowBe4 SCIM API Integration on Truto **Category:** Knowledge Management **Status:** Generally available ## Unified APIs ### Unified User Directory API - **Users** — The User object represents a User. ## How it works 1. **Link your customer's KnowBe4 SCIM account.** Use Truto's frontend SDK; we handle every OAuth and API key flow so you don't need to create the OAuth app. 2. **Authentication is automatic.** Truto refreshes tokens, stores credentials securely, and injects them into every API request. 3. **Call Truto's API to reach KnowBe4 SCIM.** The Proxy API is a 1-to-1 mapping of the KnowBe4 SCIM API. 4. **Get a unified response format.** Every response uses a single shape, with cursor-based pagination and data in the `result` field. ## Use cases - **Automate security training enrollment from your HRIS** — HR platforms can push new hires directly into KnowBe4 the moment they're marked active, ensuring Day 1 security awareness training without IT intervention. This eliminates manual CSV uploads and makes your platform the single source of truth for employee lifecycle events. - **Offer KnowBe4 provisioning in your IdP app catalog** — Identity providers and access management platforms can add KnowBe4 as a supported SCIM application, giving IT admins the ability to sync their central directory into KnowBe4 automatically. This helps emerging IdPs compete for enterprise deals where app-catalog breadth is a deciding factor. - **Centralize multi-tenant KnowBe4 management for MSPs** — SaaS platforms built for Managed Service Providers can provision and deprovision users across dozens of client KnowBe4 tenants from a single pane of glass, replacing the tedious process of logging into each instance individually. - **Keep department-based phishing simulations accurate in real time** — Workforce management and org-chart tools can push role and department changes to KnowBe4 via SCIM, ensuring users are always assigned to the correct groups powering targeted phishing simulations — critical for regulated industries that need audit-ready training records. - **Automate license reclamation on employee offboarding** — IT lifecycle management platforms can send deactivation signals to KnowBe4 when employees leave, archiving users to free up licenses while preserving historical training data for compliance audits. ## What you can build - **Zero-touch new hire training enrollment** — Automatically create users in KnowBe4 and assign them to a 'New Hires' group the instant an employee record becomes active in your platform. - **Real-time department and role sync** — Push attribute changes like job title, department, and manager to KnowBe4 so that group-based training assignments always reflect the current org structure. - **Automated user archiving on offboarding** — Deactivate users in KnowBe4 when they're terminated in your system, preserving their training history for compliance while revoking access and freeing licenses. - **Group-to-KnowBe4 group mapping engine** — Let your customers map their internal teams, departments, or contractor pools to KnowBe4 Groups that drive Smart Group-powered phishing simulations. - **Multi-tenant SCIM provisioning dashboard** — Give MSP users a centralized interface to manage user provisioning across multiple client KnowBe4 tenants without switching between accounts. - **Compliance-ready user directory audit log** — Surface a log of every user create, update, and archive event synced to KnowBe4, giving security teams a provable record of identity lifecycle management. ## FAQs ### What authentication method does KnowBe4 SCIM use? KnowBe4 SCIM uses a Bearer token (SCIM API token) generated from the KSAT admin console. Your end users will provide this token when connecting their KnowBe4 account through Truto. ### Is the KnowBe4 SCIM integration bidirectional? No. KnowBe4 SCIM is strictly inbound (one-way). Your platform acts as the identity source and pushes data into KnowBe4. Any manual changes made inside the KnowBe4 console will be overwritten on the next sync from the SCIM provider. ### What happens when a user is deprovisioned via SCIM? KnowBe4 archives the user rather than permanently deleting them. This preserves all historical training and phishing simulation data for compliance audits while revoking platform access and freeing the license seat. ### Does KnowBe4 SCIM support email aliases? No. KnowBe4 SCIM strips email aliases and only supports a single primary email address as the userName identifier for each user. ### What user attributes can be synced to KnowBe4 via SCIM? Supported attributes include userName (primary email), first name, last name, job title, department, manager, location, and active status. Group memberships are managed via the /Groups endpoint. ### Are there specific Truto tools available for KnowBe4 SCIM today? KnowBe4 SCIM tools are built on request. Truto supports the Unified User Directory API (Users) for this integration. Contact Truto to initiate the build for your specific use case and get the integration live quickly.