--- title: Netskope SCIM API Integration on Truto slug: netskope category: Default canonical: "https://truto.one/integrations/detail/netskope/" --- # Netskope SCIM API Integration on Truto **Category:** Default **Status:** Beta ## Unified APIs ### Unified User Directory API - **Groups** — Groups are a collection of users in the source application. In some applications, they might also be called Teams. - **Users** — The User object represents a User. ## How it works 1. **Link your customer's Netskope SCIM account.** Use Truto's frontend SDK; we handle every OAuth and API key flow so you don't need to create the OAuth app. 2. **Authentication is automatic.** Truto refreshes tokens, stores credentials securely, and injects them into every API request. 3. **Call Truto's API to reach Netskope SCIM.** The Proxy API is a 1-to-1 mapping of the Netskope SCIM API. 4. **Get a unified response format.** Every response uses a single shape, with cursor-based pagination and data in the `result` field. ## Use cases - **Automate zero-day offboarding across SASE infrastructure** — IGA and IT lifecycle automation platforms can instantly deactivate terminated employees in Netskope by pushing user suspension via SCIM, ensuring former staff lose access to private apps and web gateways within milliseconds of HR action. - **Enforce dynamic, risk-based network policies from security platforms** — XDR and threat management products can move compromised users into quarantine groups in Netskope via SCIM, triggering real-time policy changes that isolate risky users from sensitive SaaS apps and cloud environments without manual intervention. - **Reclaim unused Netskope licenses through identity reconciliation** — SaaS management platforms can read provisioned users and groups from Netskope and cross-reference them against the HR roster and IdP, identifying orphan accounts and de-provisioning them to recover per-user SASE license costs. - **Sync organizational context to power granular security policies** — HR and workforce planning tools can push rich user attributes—department, division, manager—into Netskope via SCIM so that security teams can build fine-grained DLP and access policies based on real-time org structure, not stale spreadsheets. - **Pre-provision identities ahead of endpoint client deployment** — Unified endpoint management and onboarding platforms can create user records in Netskope before the Netskope client is pushed via MDM, eliminating authentication failures on day one and ensuring new hires are productive immediately. ## What you can build - **Instant user deactivation on termination** — Ship a workflow that patches Netskope users to inactive the moment an offboarding event fires in your product, cutting private app and web access in real time. - **Automated group-based policy orchestration** — Let your customers create rules that add or remove users from Netskope SCIM groups—like Quarantine_HighRisk or VPN_Allowed—based on signals from your platform. - **Netskope user and group inventory dashboard** — Build a read-only view that pulls all provisioned users and groups from Netskope so customers can audit who has access and which policies apply. - **Orphan account detection and cleanup** — Compare Netskope's provisioned identities against your product's source of truth and surface ghost accounts that should be deleted to save license costs. - **Day-one identity pre-provisioning for new hires** — Automatically create user records in Netskope during onboarding so the endpoint client authenticates successfully the first time it connects. - **Attribute enrichment sync for department and division** — Push enterprise user metadata like department, organization, and manager into Netskope so security teams can write context-aware DLP and access policies. ## FAQs ### How does authentication work for Netskope SCIM? Netskope SCIM uses a Bearer Token generated in the Netskope Admin Console under Settings > Security Cloud Platform > SCIM (or Settings > Tools > REST API v2). The token is scoped strictly to the /api/v2/scim/Users and /api/v2/scim/Groups endpoints. Truto manages token storage and injection so your end users just need to paste the token once during setup. ### What resources can I interact with through this integration? Netskope SCIM exposes two core SCIM 2.0 resources: /Users and /Groups. You can create, read, update (full or partial via PATCH), and delete users, as well as create groups and manage their memberships. These map to Truto's Unified User Directory API models for Users and Groups. ### What happens to Netskope group management in the UI when I use SCIM? Once you manage group memberships through SCIM, Netskope locks manual group editing in its admin UI for those groups to prevent sync conflicts. This is important to communicate to your end users so they understand group changes must flow through SCIM (and therefore your integration) going forward. ### Does Netskope SCIM support custom attributes beyond the standard schema? Yes. In addition to standard SCIM 2.0 core attributes and the Enterprise User extension (department, division, manager, organization), Netskope supports custom tenant schemas with keys up to 32 characters and string values up to 64 characters. These can be used to drive custom security policies. ### Are there specific Truto tools available for Netskope SCIM today? Netskope SCIM is available through Truto's Unified User Directory API covering Users and Groups. Additional tools or custom operations can be built on request—reach out to the Truto team if you need capabilities beyond the standard unified models. ### How do I deactivate a user versus deleting them? To deactivate a user, send a PATCH with {"active": false}. This immediately terminates their web and private app access through Netskope while preserving the user record. To fully remove a user and reclaim the license, use a DELETE operation on the user resource.