Thycotic Secret Server
Secret Server is Delinea's Privileged Access Management (PAM) vault with session brokering/recording. It supports SAML 2.0 and OpenID Connect (OIDC) for SSO into Secret Server (Secret Server acts only as the SAML SP / OIDC RP), and offers inbound SCIM 2.0 provisioning via a Delinea SCIM Connector.
Key Capabilities
- Vault & automation: Encrypted vault with role-based access, automatic password rotation and heartbeat, Active Directory integration, and granular policy controls across on-prem and cloud SKUs.
- Session brokering & recording: Proxies SSH/RDP sessions with keystroke search and playback to support audit and compliance.
- SCIM provisioning (inbound): A Delinea SCIM Connector exposes SCIM 2.0 endpoints so upstream IdPs (SCIM clients) can provision users and groups into Secret Server.
- Platform integration: Delinea Platform documentation confirms the SAML/OIDC federation patterns and the SCIM direction (inbound) when Secret Server is integrated with the broader Delinea tenant.
Limitations
- Not an IdP for your apps: SAML/OIDC features are only for logging into Secret Server; it does not issue tokens/assertions to third-party applications.
- OIDC user matching: OIDC requires pre-created users in Secret Server; there is no native JIT user provisioning from claims.
- SCIM deployment model: SCIM is delivered via a separate connector web app that you deploy and operate; scale/HA should be validated for large directories.
- Advanced OAuth profiles: Public materials focus on core OIDC; they do not state whether PAR, DPoP, or mTLS/FAPI are supported, so treat these as unconfirmed.