diff --git a/src/main/java/sh/libre/scim/core/ScimClient.java b/src/main/java/sh/libre/scim/core/ScimClient.java
index 99f992b737..bb3655a228 100644
--- a/src/main/java/sh/libre/scim/core/ScimClient.java
+++ b/src/main/java/sh/libre/scim/core/ScimClient.java
@@ -23,43 +23,63 @@ import org.keycloak.models.RoleMapperModel;
 import org.keycloak.storage.user.SynchronizationResult;
 import sh.libre.scim.jpa.ScimResource;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 public class ScimClient {
- protected final Logger LOGGER = Logger.getLogger(ScimClient.class);
- protected final ScimRequestBuilder scimRequestBuilder;
- protected final RetryRegistry registry;
- protected final KeycloakSession session;
- protected final String contentType;
- protected final ComponentModel model;
- protected final String scimApplicationBaseUrl;
- protected final Map defaultHeaders;
- protected final Map expectedResponseHeaders;
- public ScimClient(ComponentModel model, KeycloakSession session) {
- this.model = model;
- this.contentType = model.get("content-type");
+ private static final Logger LOGGER = Logger.getLogger(ScimClient.class);
+
+ private final ScimRequestBuilder scimRequestBuilder;
+
+ private final RetryRegistry registry;
+
+ private final KeycloakSession session;
+
+ private final ComponentModel model;
+
+ private ScimClient(ScimRequestBuilder scimRequestBuilder, RetryRegistry registry, KeycloakSession session, ComponentModel model) {
+ this.scimRequestBuilder = scimRequestBuilder;
+ this.registry = registry;
 this.session = session;
- this.scimApplicationBaseUrl = model.get("endpoint");
- this.defaultHeaders = new HashMap<>();
- this.expectedResponseHeaders = new HashMap<>();
+ this.model = model;
+ }
- switch (model.get("auth-mode")) {
- case "BEARER":
- defaultHeaders.put(HttpHeaders.AUTHORIZATION,
- BearerAuthentication());
- break;
- case "BASIC_AUTH":
- defaultHeaders.put(HttpHeaders.AUTHORIZATION,
- BasicAuthentication());
- break;
- }
+ public static ScimClient newScimClient(ComponentModel model, KeycloakSession session) {
+ String authMode = model.get("auth-mode");
+ String authorizationHeaderValue = switch (authMode) {
+ case "BEARER" -> "Bearer " + model.get("auth-pass");
+ case "BASIC_AUTH" -> {
+ BasicAuth basicAuth = BasicAuth.builder()
+ .username(model.get("auth-user"))
+ .password(model.get("auth-pass"))
+ .build();
+ yield basicAuth.getAuthorizationHeaderValue();
+ }
+ default -> throw new IllegalArgumentException("authMode " + authMode + " is not supported");
+ };
- defaultHeaders.put(HttpHeaders.CONTENT_TYPE, contentType);
+ Map httpHeaders = new HashMap<>();
+ httpHeaders.put(HttpHeaders.AUTHORIZATION, authorizationHeaderValue);
+ httpHeaders.put(HttpHeaders.CONTENT_TYPE, model.get("content-type"));
- scimRequestBuilder = new ScimRequestBuilder(scimApplicationBaseUrl, genScimClientConfig());
+ ScimClientConfig scimClientConfig = ScimClientConfig.builder()
+ .httpHeaders(httpHeaders)
+ .connectTimeout(5)
+ .requestTimeout(5)
+ .socketTimeout(5)
+ .expectedHttpResponseHeaders(Collections.emptyMap()) // strange, useful?
+ .hostnameVerifier((s, sslSession) -> true)
+ .build();
+
+ String scimApplicationBaseUrl = model.get("endpoint");
+ ScimRequestBuilder scimRequestBuilder =
+ new ScimRequestBuilder(
+ scimApplicationBaseUrl,
+ scimClientConfig
+ );
 RetryConfig retryConfig = RetryConfig.custom()
 .maxAttempts(10)
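Review bot: The rebuilt `ScimClientConfig` in `newScimClient` keeps `.hostnameVerifier((s, sslSession) -> true)`, so the TLS peer's certificate name is never checked while the same config attaches the Bearer token or Basic credentials to every request sent to `endpoint`. A party on the network path holding any certificate the trust store accepts would receive that `Authorization` header, which is the credential this client uses against the SCIM endpoint. Since the builder is being rewritten here anyway, drop that line so the HTTP client's default verifier applies (presumably what the builder falls back to when none is set; worth confirming), or allow the bypass only behind an explicit, default-off component setting. Separately, `switch (authMode)` throws `NullPointerException` when `auth-mode` is unset rather than the `IllegalArgumentException` of the `default` branch, so a null check before the switch would keep the failure uniform. `newScimClient` continues into the next hunk.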
@@ -67,30 +87,8 @@ public class ScimClient {
 .retryExceptions(ProcessingException.class)
 .build();
- registry = RetryRegistry.of(retryConfig);
- }
-
- protected String BasicAuthentication() {
- return BasicAuth.builder()
- .username(model.get("auth-user"))
- .password(model.get("auth-pass"))
- .build()
- .getAuthorizationHeaderValue();
- }
-
- protected ScimClientConfig genScimClientConfig() {
- return ScimClientConfig.builder()
- .httpHeaders(defaultHeaders)
- .connectTimeout(5)
- .requestTimeout(5)
- .socketTimeout(5)
- .expectedHttpResponseHeaders(expectedResponseHeaders)
- .hostnameVerifier((s, sslSession) -> true)
- .build();
- }
-
- protected String BearerAuthentication() {
- return "Bearer " + model.get("auth-pass");
+ RetryRegistry retryRegistry = RetryRegistry.of(retryConfig);
+ return new ScimClient(scimRequestBuilder, retryRegistry, session, model);
 }
 protected EntityManager getEM() {
diff --git a/src/main/java/sh/libre/scim/core/ScimDispatcher.java b/src/main/java/sh/libre/scim/core/ScimDispatcher.java
index 98437c1372..bf7757d7c1 100644
--- a/src/main/java/sh/libre/scim/core/ScimDispatcher.java
+++ b/src/main/java/sh/libre/scim/core/ScimDispatcher.java
@@ -33,7 +33,7 @@ public class ScimDispatcher {
 public void runOne(ComponentModel m, Consumer f) {
 LOGGER.infof("%s %s %s %s", m.getId(), m.getName(), m.getProviderId(), m.getProviderType());
- ScimClient client = new ScimClient(m, session);
+ ScimClient client = ScimClient.newScimClient(m, session);
 try {
 f.accept(client);
 } catch (Exception e) {
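Review bot: In `runOne`, `ScimClient.newScimClient(m, session)` is called before the `try`, and the factory now throws `IllegalArgumentException` for an unsupported `auth-mode` where the old constructor left the `Authorization` header unset without failing. A component with a bad or missing auth configuration therefore throws out of `runOne` instead of reaching the `catch (Exception e)` that covers `f.accept(client)`; whether the caller iterates over several components and would stop at the first bad one is not visible here. If `client` is not needed after the `try`, move the construction inside it, `try { ScimClient client = ScimClient.newScimClient(m, session); f.accept(client); }`, so a misconfigured provider is handled like any other per-provider failure. The body of the `catch` lies outside the hunk.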