Skip to main content

How to configure SCIM

You need to enable SAML before using SCIM. Refer to the SAML configuration guide and enable SAML first.

Obtain your organization’s SCIM credentials

Go to Settings > Security and open the SCIM section to get the tenant URL and secret token required for your IdP. If no secret token exists, click the generate button. Each organization can only have one SCIM secret token at a time. Generating a new token immediately invalidates the previous one. Screenshot

Configure SCIM invitation emails

When provisioning users via SCIM, you can choose whether to send an invitation email to newly added users.

Prerequisites

  • SAML must be configured and enabled.
  • The invitation email toggle appears only after a secret token has been generated.
  • This setting applies to users created after SCIM is configured. Invitation emails are not re-sent to already-provisioned users.

Configuration steps

  1. Go to Settings > Security > SCIM > Secret token and click Regenerate Secret Token.
    Note: Regenerating the token invalidates the previous token. If you are already using the token in your IdP, update the token on the IdP side as well.
  2. Once the token is generated, an Invitation email toggle appears below it.
    Do not send: The user is created without any notification email.
    Send: An invitation email to the service is automatically sent when the user is created.
  3. Use the Invitation email toggle to choose your preference. Screenshot

Enable SCIM in your IdP

Open the application you created in your IdP for SAML.

Entra ID

Entra ID guide
  1. Select Provisioning from the side menu and click the Get Started button. Screenshot
  2. Select Automatic mode. Screenshot
  3. Enter the tenant URL and secret token obtained from the service.
    For Select authentication method, choose Bearer authentication.
    Click Save in the upper left to save the settings.
    (When running Test Connection, SAML must be enabled in the service.)
    Screenshot Screenshot
    You do not need to store the secret token elsewhere.
    You can regenerate it whenever you need a new one.
  4. Open Mappings and disable group provisioning. Screenshot
  5. Select Provision Entra ID Users and configure the Microsoft Entra ID Attribute as shown in the image below. Screenshot
  6. Configure the attributes as shown in the image below.
    Confirm that the Matching precedence for userPrincipalName is set to 1.
    Screenshot
  7. Click Save in the upper left again to complete the setup.
    Users assigned to the application are automatically provisioned to the service.

Okta

The service now supports the Okta Integration Network (OIN), which makes configuration easier. See the setup guide here: SAML/SCIM configuration with Okta Integration Network

Supported features

FeatureDescription
Create new usersWhen a user is created in Okta, a corresponding user is created in the service.
Update user profilesUser information updated in Okta is reflected in the service.
Deactivate (and reactivate) or delete usersDeactivations, reactivations, and deletions in Okta are reflected in the service.

Prerequisites

Configuration steps

  1. Open your application from Applications, go to the Sign on tab, and change Application username format to Email. Screenshot
  2. On the General tab, select Enable SCIM provisioning under Provisioning. Screenshot
  3. Open the Provisioning tab and enter the following information.
    FieldValue
    SCIM connector base URLEnter the Tenant URL obtained from the service
    Unique identifier field for usersEnter userName
    Supported provisioning actionsCheck the following values:
    - Import New Users and Profile Updates
    - Push New Users
    - Push Profile Updates
    Authentication ModeSelect HTTP Header
    AuthorizationEnter the Secret Token obtained from the service
    Screenshot
  4. Click Test Connector Configuration and confirm that everything succeeds except Push groups and Import groups.
  5. After a successful test, click Close and save. Screenshot
  6. In the To App section on the next screen, enable the following:\
    • Create Users\
    • Update User Attributes\
    • Deactivate Users
    Screenshot
  7. Scroll further down on the same screen to the Attribute Mappings section.
    Match the configuration to the screenshot.
    Screenshot
  8. This completes the setup.
    Users assigned to the application are automatically provisioned to the service.

Known issues and troubleshooting

The service does not yet support provisioning from the application to Okta. Leave the To Okta settings at their default (disabled).

OneLogin

OneLogin guide
  1. Open the Configuration page and enter the following values.
    FieldValue
    SCIM Base URLEnter the Tenant URL obtained from the service
    SCIM Bearer TokenEnter the Secret Token obtained from the service
  2. Click Enable to activate. If no errors appear, click Save. Screenshot
  3. Open the Provisioning page.
    Enable Enable provisioning.
    Optionally, change what happens when a user is deleted in OneLogin.
  4. Save the settings. Screenshot
  5. This completes the setup.
    Users assigned to the application are automatically provisioned to the service.
Last modified on July 10, 2026