
Configuring SCIM involves some network and infrastructure preparation but is otherwise fairly simple. In many cases you may already have the required infrastructure in place:

  1. Kantega SSO: Create a SCIM directory and tenant configuration in Kantega SSO.

    1. This gives you a bearer token and a unique tenant URL, e.g. http://jira-internal.example.local:5501/scim/zbs848185728/v2. The IDP will use this URL to send users and groups to the Atlassian app.

  2. Network: Set up a load balancer, gateway or reverse proxy to make the internal endpoint accessible from the Internet, and provide HTTPS termination.

    1. HTTPS is an absolute requirement externally. Use an existing host name and certificate package, or register new ones. Certificate requirements are IDP-dependent, and self-signed certs are generally not accepted.

  3. Configure the gateway to proxy requests to the internal tenant URL (see above). You should now have an external tenant URL, e.g. https://scim.example.com/scim/zbs848185728/v2, which gets proxied to the internal URL, e.g. http://jira.example.local:5501/scim/zbs848185728/v2.

  4. Configure SCIM in the IDP:

    • Set the external tenant URL as the SCIM endpoint address.

    • Add the bearer token from step 1.

    • Do any additional configuration (user assignment, attribute mapping).
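
Steps 2 and 3 as a reverse proxy configuration. This is an added example, not taken from the Kantega SSO documentation. It assumes nginx as the proxy (any load balancer or gateway can do the same job), uses the example host names and tenant ID from step 3, and uses placeholder certificate paths.

```nginx
# Added example: HTTPS termination and proxying for the SCIM tenant URL.
# Assumptions: nginx is the reverse proxy; host names and tenant ID are the
# example values from step 3; certificate paths are placeholders.
server {
    # Only a TLS listener is defined for this host name, so the SCIM
    # endpoint is never offered over plain HTTP externally.
    listen 443 ssl;
    server_name scim.example.com;

    # Use a certificate chain the IDP accepts; self-signed certificates
    # are generally rejected (step 2).
    ssl_certificate     /etc/nginx/tls/scim.example.com.fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/scim.example.com.key;            # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Expose only the tenant's SCIM path. proxy_pass has no URI part, so the
    # request path is forwarded unchanged to the internal tenant URL.
    # The Authorization header carrying the bearer token is passed through
    # by default.
    location /scim/zbs848185728/v2 {
        proxy_pass http://jira.example.local:5501;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Nothing else on the internal host is reachable through this proxy.
    location / {
        return 404;
    }
}
```

Limiting the proxy to the tenant path keeps the rest of the internal Atlassian app off the Internet, leaving the bearer-token-protected SCIM endpoint as the only external surface.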

The first time you create a SCIM directory, it needs to sync. This can take a while. Once sync has been established, the identity provider will only send change events.
