Understand how to use the System for Cross-domain Identity Management (SCIM) to integrate an external identity provide, to enable user provisioning, onboarding, and offboarding.

Planning and architectural preparation

Before making your first API call, you must define your architecture and complete initial setup steps.

Establish a System of Record (SoR)

A critical first step is to decide which system is the source for user attributes and entitlements (workspace associations).

  • Sync Strategy: You can choose to synchronize basic attributes (for example, familyName, givenName, userName) while leaving active status or entitlements to be managed manually in Anaplan, or manage everything via the API.
  • Avoid Sync Collisions: If an administrator updates a user profile directly in the Anaplan Administration UI, but your identity provider (IdP) system isn't updated, subsequent sync cycles may overwrite the UI-based changes. Always aim to push updates from your defined SoR.

Access and infrastructure requirements

  • Network allowlists: Configure your firewalls and allowlists according to the Anaplan URL, IP, and Allowlist Requirements.
  • Dedicated API User: Create an active, non-SSO user account in Anaplan. Assign this user the User Admin role. This account will be used to generate tokens and authorize API calls.

Because SCIM actions are executed at the tenant (production) level, use this workflow to test your integration safely before going live:

  1. Create a dedicated test workspace and a test model inside that workspace.
  2. Set up a non-SSO test user account in Anaplan and assign it the USER_ADMIN role.
  3. Call the SCIM API from your staging, or non-production environment to create test users. Note that these test users will be visible at the tenant level in your Anaplan production environment.
  4. Verify user access, permissions, and profile configurations.
  5. Once your tests succeed, disable or deactivate the test users to free up license counts.
  6. Create your production non-SSO user account, assign it USER_ADMIN, and enable the live integration.

Choose and configure an authentication method

Anaplan's SCIM API supports three authentication methods: Basic Authentication, Anaplan Token, and API Keys.

Method A: Basic authentication

Use this for simple integrations. You must pass your Anaplan username and password as a Base64-encoded string in each HTTP header:

  • Header format: Authorization: BASIC <username:password base64 encoded>
  • Example call:

 curl -X GET \
 -H 'Authorization: BASIC dXNlcm5hbWU6cGFzc3dvcmQ=' \
 https://api.anaplan.com/scim/1/0/v2/Users

Method B: Anaplan auth token

This is a two-step process using a temporary bearer token generated by Anaplan's authentication service.

  1. Generate the Token: Get an authentication token using either username/password basic auth or a pre-registered CA certificate.
  2. Call the SCIM API: Pass the returned token in the headers of your subsequent SCIM requests.
  • Header Format: Authorization: AnaplanAuthToken <token_value>
  • Example Call:

curl -X GET \
 -H 'Authorization: AnaplanAuthToken _exampletokenvalue_' \
 https://api.anaplan.com/scim/1/0/v2/Users

Method C: API keys (OAuth bearer)

For enhanced security, configure OAuth Client credentials or register an API key.

  1. Generate the Key: Generate an API Key in the Anaplan Administration panel under Security settings.
  2. Call the SCIM API: Pass the API Key in the header as a bearer token.
  • Header Format: Authorization: Bearer <API key>
  • Example Call:

curl -X GET \
 -H 'Authorization: Bearer my-secure-api-key' \
 https://api.anaplan.com/scim/1/0/v2/Users

Common user provisioning workflows

The following endpoints allow you to query, create, update, and manage users.

Find and Filter Users

Use the GET /Users endpoint to search for users. You can pagination-limit results to 100 users per call using the count parameter.

Supported Filter Fields and Operators

  • Supported Fields: id, externalId, userName, name.familyName, name.givenName, active
  • Supported Operators: Eq (Equal), Ne (Not Equal), Pr (Present), Gt / Ge (Greater Than / Equal), Lt / Le (Less Than / Equal)
  • Note: Wildcard or substring operators (Co [contains], Sw [starts with], Ew [ends with]) and search via POST (/.search) are not supported.

Example: Search for users named "John"

curl -X GET \
 -H 'Authorization: Bearer <token>' \
 'https://api.anaplan.com/scim/1/0/v2/Users?filter=name.givenName+Eq+"John"&startIndex=1&count=50'

Create and Provision a New User

To add a new user and map their workspace privileges simultaneously, send a POST request to /Users.

Understanding Workspace Entitlements

Anaplan manages access using the entitlements complex attribute block. There are three formats you can use to grant access. Select the one that matches your IdP's capabilities:

  • WORKSPACE (Preferred): Uses an array of complex objects targeting the unique Workspace GUID.
  • WORKSPACE_IDS: Uses a single entry containing a comma-delimited list of Workspace GUIDs. Great for integrations that do not support arrays of complex objects.
  • WORKSPACE_NAMES: Uses a single entry containing a comma-delimited list of escaped workspace names.

Example payload using the standard WORKSPACE format:

POST /Users
Host: https://api.anaplan.com/scim/1/0/v2
Content-Type: application/scim+json
Accept: application/scim+json

{
 "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
 "userName": "bjensen@company.com",
 "externalId": "bjensen_01",
 "active": true,
 "name": {
   "formatted": "Barbara Jensen",
   "familyName": "