Configuring SCIM User Provisioning via Entra


Introduction

This article explains how to set up SCIM user provisioning from Microsoft Entra to your Cake cluster.

Overview

SCIM is a REST protocol for automatic user and group provisioning between services. A SCIM server hosts the SCIM endpoints, and a SCIM client calls those endpoints to create, update and remove users and groups. Microsoft Entra and Okta are examples of SCIM clients; SCIM servers are usually applications with their own user or group systems. Through SCIM, identity providers and other tools can drive user provisioning in each other automatically.

Cake implements SCIM as of January 2026. Using SCIM, Entra can create or delete users within Cake. This allows access to your Cake cluster to be controlled via centralized tooling.

Requirements

Microsoft Entra permissions:

  • Create and manage enterprise applications

Cake permissions:

  • Administrator access in order to sync ArgoCD

  • Git access in order to change configuration

Instructions


Step 1 Generate an API token

First, generate a new API token for SCIM using the following script. It prints the API token and a SHA-256 hash of the token; only the hash is stored in Cake (Step 2), while the token itself is given to Entra (Step 3).

Note: In the future, we plan to add an internal endpoint for generating these tokens automatically.

# 32 random bytes, URL-safe base64 without padding
random=$(openssl rand -base64 32 | tr '+/' '-_' | tr -d '=')
# Token body: fixed prefix plus the random part
body="ckmz_${random}"
# CRC32 of the body, 8 lowercase hex digits, appended so malformed tokens can be rejected cheaply
checksum=$(printf '%s' "$body" | python3 -c "import sys,zlib; print('{:08x}'.format(zlib.crc32(sys.stdin.buffer.read()) & 0xffffffff))")
token="${body}_${checksum}"
echo "Token: $token"
# Only this hash is stored in the cluster configuration
echo "Hash: sha256:$(printf '%s' "$token" | shasum -a 256 | cut -d' ' -f1)"

Step 2 Configure Cake

Insert the following section into your cluster’s vars/<cluster-name>-<region>.yaml file under app_config. Add the hash printed in Step 1 (including the sha256: prefix) as a key under app_config.marzipan.scim.tokens and assign it a client_id. DO NOT commit the API token itself into any git repository; it is a sensitive credential, and only its hash belongs in configuration.

app_config:
  marzipan:
    enabled: true
    scim:
      tokens:
        # The token hash should begin with `sha256:`
        <token_hash>:
          client_id: entra # The client id can be changed

Reconcile your repository with uv run scripts/reconcile_existing_deploys.sh --force, then commit and push your changes. Sync the “platform” application with ArgoCD. After it has finished syncing, sync the “marzipan” application.

This causes a secret to be created in your Cake cluster with an allowlist of hashed API keys.
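The following is an added example, not Cake’s own code, showing how a SCIM server would check a presented bearer token against that allowlist using the token format from Step 1: verify the CRC32 suffix, hash the token, and compare the hash against the stored sha256: keys to find the client_id. The allowlist here is constructed to mirror the YAML above; how marzipan performs this check internally is an assumption.

```python
import base64
import hashlib
import hmac
import os
import zlib
from typing import Optional

PREFIX = "ckmz"


def crc32_hex(data: str) -> str:
    """CRC32 of the token body as 8 lowercase hex digits (same as the shell script)."""
    return "{:08x}".format(zlib.crc32(data.encode()) & 0xFFFFFFFF)


def generate_token() -> str:
    """Mirror of the Step 1 script: ckmz_<url-safe base64 random>_<crc32>."""
    random = base64.urlsafe_b64encode(os.urandom(32)).decode().rstrip("=")
    body = f"{PREFIX}_{random}"
    return f"{body}_{crc32_hex(body)}"


def token_hash(token: str) -> str:
    """Key format used under app_config.marzipan.scim.tokens."""
    return "sha256:" + hashlib.sha256(token.encode()).hexdigest()


def checksum_ok(token: str) -> bool:
    """Structural check before hashing: prefix present and CRC32 matches the body."""
    body, sep, checksum = token.rpartition("_")  # random part may itself contain '_'
    if not sep or not body.startswith(PREFIX + "_"):
        return False
    return hmac.compare_digest(crc32_hex(body).encode(), checksum.encode())


def resolve_client(token: str, allowlist: dict) -> Optional[str]:
    """Return the client_id for an allowlisted token, else None (plaintext is never stored)."""
    if not checksum_ok(token):
        return None
    presented = token_hash(token).encode()
    for stored_hash, entry in allowlist.items():
        if hmac.compare_digest(presented, stored_hash.encode()):  # constant-time hash compare
            return entry["client_id"]
    return None


if __name__ == "__main__":
    token = generate_token()
    allowlist = {token_hash(token): {"client_id": "entra"}}  # constructed, shaped like Step 2's YAML
    print("Token:", token, "\nHash:", token_hash(token))
    print("client:", resolve_client(token, allowlist))  # entra
```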

Step 3 Configure an Enterprise Application within Entra

  1. Navigate to Microsoft Entra ID

  2. Navigate to Enterprise Apps

  3. Click “+ New Application”

  4. Click “+ Create Your Own Application”

  5. For “What's the name of your app?”, use “Cake”. For “What are you looking to do with your application?”, use “Integrate any other application you don't find in the gallery (Non-gallery)”

  6. After the app is created, navigate to “Provisioning” within the app.

  7. Click “+ New Configuration”

  8. For “Select authentication method:”, select “Bearer Authentication”. For “Tenant URL”, use https://marzipan.<cluster base domain>/scim/v2/. For “Secret Token”, paste the API token generated in Step 1 (the token, not its hash).

  9. Ensure that “Test connection” succeeds before completing the provisioning.

Step 4 Configure Attribute Mappings

  1. Within the provisioning menu, navigate to “Attribute mapping”

  2. Click “Provision Microsoft Entra ID Users”

  3. Use the following table for the attributes.

customappsso Attribute          Microsoft Entra ID Attribute
userName                        mailNickname
active                          Switch([IsSoftDeleted], , "False", "True", "True", "False")
emails[type eq "work"].value    userPrincipalName
externalId                      mailNickname


  4. (optional) Navigate to “Provision Microsoft Entra ID Groups” and use the following table for its attributes:

customappsso Attribute          Microsoft Entra ID Attribute
displayName                     displayName
externalId                      objectId
members                         members