Assess your customer's requirements: if they need immediate deprovisioning on termination (required for SOC 2 and most enterprise security policies), SCIM is necessary; if they only need simple onboarding, JIT may suffice.
For JIT: parse user attributes from the SAML assertion or OIDC ID token on first login (name, email, groups) and create or update the user record in your application at login time.
For SCIM: implement a SCIM 2.0 endpoint and register it with the customer's IdP (Okta, Entra, etc.); the IdP will push creates, updates, and deletes proactively regardless of whether the user logs in.
If supporting both (recommended): use SCIM for lifecycle management and JIT as a fallback for first login to handle the window between SCIM provisioning and the user's first actual login.
For deprovisioning with JIT-only: implement a background job that periodically cross-checks active users against the customer's directory or rely on session expiration, but document to customers that access removal is not immediate.
When implementing SCIM, handle the userName attribute carefully — IdPs use it as the stable identifier for upserts; mismatches between SCIM userName and your app's user identifier cause duplicate account creation.
Known gotchas
JIT provisioning alone cannot deprovision users proactively — a terminated employee whose SSO account is disabled can never trigger a JIT deprovision because they will never log in again; SCIM is required for real-time deprovisioning.
SCIM provisioning can race with JIT: a user who was provisioned via SCIM but whose account is not fully set up when they first log in may encounter an incomplete profile; implement upsert semantics, not insert-only, in your JIT handler.
Enterprise customers with thousands of users will send large SCIM bulk syncs on initial connection; your SCIM endpoint must handle high concurrency and be idempotent on repeated provisioning of the same user.
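The following is an added example, not code from the page or from any IdP vendor, that puts the steps above (JIT upsert, SCIM create/lookup/patch/delete, and the JIT-only reconciliation job) and the three gotchas into one in-memory user table. It assumes the customer's IdP sends the user's email address as the SCIM userName and as the `email` claim on login, and that group membership arrives in the login assertion (SCIM `/Groups` handling is omitted). The function names, the `USERS`/`SESSIONS` tables and the session tokens are constructed for the example.

```python
"""Constructed example: SCIM 2.0 handlers and a JIT login handler sharing one
user table. In-memory only; no real IdP, HTTP server or database involved."""
import threading
import uuid

_LOCK = threading.Lock()   # serialises concurrent requests from a bulk sync
USERS = {}                 # our opaque id -> user record
_BY_USERNAME = {}          # userName (lower-cased) -> id; the IdP's upsert key
SESSIONS = {}              # id -> set of session tokens, revoked on deprovision


def _find(user_name):
    uid = _BY_USERNAME.get(user_name.lower())
    return USERS.get(uid) if uid else None


def _attrs_from_scim(res):
    """Pull the attributes we store out of a SCIM User resource."""
    name = res.get("name", {})
    emails = res.get("emails", [])
    return {
        "externalId": res.get("externalId"),
        "email": next((e["value"] for e in emails if e.get("primary")), None),
        "displayName": res.get("displayName")
        or f"{name.get('givenName', '')} {name.get('familyName', '')}".strip(),
    }


def _revoke_sessions(uid):
    SESSIONS.pop(uid, None)


# --- SCIM 2.0 handlers (RFC 7644). Each returns (http_status, body). ---

def scim_create_user(resource):
    """POST /Users. A repeated create for the same userName never yields a
    second record: RFC 7644 section 3.3 says to answer 409 (uniqueness)."""
    with _LOCK:
        if _find(resource["userName"]) is not None:
            return 409, {"scimType": "uniqueness", "status": "409"}
        rec = {"id": str(uuid.uuid4()), "userName": resource["userName"],
               "active": resource.get("active", True), "groups": []}
        rec.update(_attrs_from_scim(resource))
        USERS[rec["id"]] = rec
        _BY_USERNAME[rec["userName"].lower()] = rec["id"]
        return 201, dict(rec)


def scim_get_by_username(user_name):
    """GET /Users?filter=userName eq "..." : the lookup IdPs do before POST."""
    rec = _find(user_name)
    return 200, {"totalResults": 1 if rec else 0,
                 "Resources": [dict(rec)] if rec else []}


def scim_patch_user(uid, operations):
    """PATCH /Users/{id}. Accepts the 'active' flag in both shapes IdPs send:
    {"op":"replace","path":"active","value":false} and
    {"op":"replace","value":{"active":false}}."""
    with _LOCK:
        rec = USERS.get(uid)
        if rec is None:
            return 404, {"status": "404"}
        for op in operations:
            if op.get("op", "").lower() != "replace":
                continue
            if op.get("path") == "active":
                rec["active"] = bool(op["value"])
            elif "path" not in op and "active" in (op.get("value") or {}):
                rec["active"] = bool(op["value"]["active"])
        if not rec["active"]:
            _revoke_sessions(uid)   # deprovisioning takes effect immediately
        return 200, dict(rec)


def scim_delete_user(uid):
    """DELETE /Users/{id}."""
    with _LOCK:
        rec = USERS.pop(uid, None)
        if rec is None:
            return 404, {"status": "404"}
        _BY_USERNAME.pop(rec["userName"].lower(), None)
        _revoke_sessions(uid)
        return 204, None


# --- JIT handler: runs on every SSO login with upsert semantics ---

def jit_login(claims, session_token):
    """Upsert from SAML/OIDC claims. A record SCIM already created is updated,
    never duplicated; a record SCIM deactivated is refused, not revived."""
    with _LOCK:
        rec = _find(claims["email"])   # assumption: IdP uses email as userName
        if rec is None:
            rec = {"id": str(uuid.uuid4()), "userName": claims["email"],
                   "active": True, "externalId": None, "email": claims["email"]}
            USERS[rec["id"]] = rec
            _BY_USERNAME[rec["userName"].lower()] = rec["id"]
        if not rec["active"]:
            return None                # deny login; do not re-enable
        rec["displayName"] = claims.get("name", rec.get("displayName"))
        rec["groups"] = sorted(claims.get("groups", []))
        SESSIONS.setdefault(rec["id"], set()).add(session_token)
        return dict(rec)


# --- JIT-only fallback: periodic reconciliation against a directory export ---

def reconcile(directory_user_names):
    """Deactivate local users no longer in the customer's directory and return
    their userNames. Runs on a schedule, so removal is not immediate."""
    present = {u.lower() for u in directory_user_names}
    removed = []
    with _LOCK:
        for rec in USERS.values():
            if rec["active"] and rec["userName"].lower() not in present:
                rec["active"] = False
                _revoke_sessions(rec["id"])
                removed.append(rec["userName"])
    return sorted(removed)
```

The create handler answers 409 on a repeat rather than silently merging, because that is what the SCIM specification and the major IdPs expect; the property the gotcha actually needs is that no second record is ever written, which the lock and the userName index guarantee even under a concurrent bulk sync. Session revocation sits inside the deactivate and delete paths so that SCIM deprovisioning ends live access, not just future logins.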