SCIM Integration

Overview

As companies grow, managing user accounts and software applications becomes increasingly complex. Tasks like adding or removing users, resetting passwords, and modifying permissions consume valuable time and resources.

SCIM addresses these challenges by:

  • Storing user data consistently.
  • Sharing data seamlessly across applications.
  • Automating workflows to minimize errors and complexity.

By using SCIM with a single identity provider (IdP) as the centralized user management platform, organizations enhance security and consistency. SCIM ensures that changes in team structures and security policies are reflected across all connected platforms, maintaining compliance and efficiency.


SCIM is a feature available on Enterprise plans. Contact your Customer Success Manager if you are interested in upgrading.

  1. It allows organizations to automatically create, update, and delete user accounts across various cloud and on-premises applications.
  2. It ensures consistency by synchronizing identity information (like names, emails, roles, or permissions) between identity providers (Okta, Azure AD, etc.) and connected applications.
  3. When employees leave or roles change, SCIM helps ensure system access is revoked or modified promptly.
  4. It eliminates the need to manually manage user accounts in different applications by automating workflows.

Prerequisites

  1. You are a Userpilot Account Owner, or have the permission to manage authentication.
  2. SSO is configured.
  3. You have an active subscription with an IdP.
  4. You are on the Userpilot Enterprise plan.

Enable SCIM for the Organization

Set up SSO

  1. Navigate to Settings > Team > Authentication.
  2. Click on "Setup SSO".
  3. Select your identity provider and follow the steps listed in the window.
  4. You will then see a success message, and SSO will appear as enabled.

Set up SCIM

  1. Click on "Set up SCIM".
  2. Follow the IdP-specific instructions for adding SCIM provisioning.
  3. Select the IdP groups you want to give access to the organization.
  4. Map the IdP groups to application roles.
  5. If you are setting up SCIM for an organization with multiple applications, you can map the groups and roles for each application.

Notes

  1. Userpilot will reject the mapping if you try to assign all groups from the IdP without assigning at least one group as "Account Owner".
  2. If users belong to multiple groups in the IdP, Userpilot will reject the mapping. Assign each such user to one group only in the IdP and try again.

  6. The mapping is now complete, and you will see the list of users displayed under the Teammates tab.

Notes

  1. Once the SCIM setup is complete, Userpilot will start processing events from the IdP. For group changes, Userpilot will show a banner on the team page to inform the admin about updates made in the IdP.
  2. After SCIM is successfully configured between Userpilot and the IdP, SSO Mandatory Login will be enforced for all organization members.
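The two mapping rules in the notes above can be checked against an IdP group export before you start the mapping. The following is an added example, not Userpilot code: the function name, the input format, the group names and the non-owner role names are assumptions, and it assumes the one-group-per-user rule is counted across the groups you select for mapping.

```python
from collections import defaultdict

OWNER_ROLE = "Account Owner"  # role name as written on this page

def preflight(group_members, group_roles):
    """Check a planned IdP-group -> role mapping against the two documented
    rejection rules. Returns a list of problems (empty list = OK).

    group_members: {group name: iterable of user emails}, exported from the IdP
    group_roles:   {group name: role name} for the groups you plan to map
    """
    problems = []

    # Catch typos: a mapped group that the IdP export does not contain.
    for group in sorted(set(group_roles) - set(group_members)):
        problems.append(f"mapped group not found in IdP export: {group}")

    # Rule 1: at least one mapped group must carry the Account Owner role.
    if OWNER_ROLE not in group_roles.values():
        problems.append(f"no group is mapped to {OWNER_ROLE!r}")

    # Rule 2 (assumption: counted across mapped groups only): a user may
    # belong to one group. Emails are compared case-insensitively.
    seen = defaultdict(set)
    for group in group_roles:
        for email in group_members.get(group, ()):
            seen[email.strip().lower()].add(group)
    for email, groups in sorted(seen.items()):
        if len(groups) > 1:
            problems.append(f"{email} is in multiple mapped groups: {sorted(groups)}")
    return problems

# Constructed sample data (not from a real tenant); "Editor" and "Viewer"
# are placeholder role names.
SAMPLE_MEMBERS = {
    "up-owners":  ["alice@example.com"],
    "up-editors": ["bob@example.com", "Carol@example.com"],
    "up-viewers": ["carol@example.com", "dave@example.com"],
    "finance":    ["erin@example.com"],  # not selected for mapping
}
SAMPLE_ROLES = {"up-editors": "Editor", "up-viewers": "Viewer"}

if __name__ == "__main__":
    for line in preflight(SAMPLE_MEMBERS, SAMPLE_ROLES) or ["mapping passes both checks"]:
        print(line)
```

Fix every reported user in the IdP first, since the page states that the mapping is rejected as a whole rather than per user.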


Creating A Custom Role


  1. You can create a new role while mapping groups by clicking the "Create Role" button at the top right.
  2. Enable the permissions you would like to give this role by selecting the checkbox for each area in the product.
  3. Click on "Create" and the new role will be saved.

Notes:

  1. For user-specific changes, such as adding users to a mapped group (e.g., "Admins"), the users are automatically added to the system with the assigned role. No web app notifications or remapping are required.
  2. After mapping, invalid actions such as assigning a user to multiple groups or altering the last Account Owner will be ignored, leaving the user's status unchanged without notification.

Real-Time Events Sync

Userpilot monitors the following IdP Events:

  1. Group Created Event: When new groups are pushed from the IdP, Userpilot is notified of the group creation. A notification banner will be displayed to inform the administrator of the IdP changes. The newly created groups must be mapped to corresponding roles within Userpilot.
  2. Group Deleted Event: When a group is deleted from the IdP, Userpilot will promptly remove the group and all associated users from the application.
  3. User Removed From Group Event: When a user is removed from a mapped IdP group, Userpilot will remove the user from the corresponding application group.
  4. User Added Event: When a new user is added to a specific IdP group, Userpilot will create the user with the role already mapped to that group during the initial setup. The user will receive a welcome email with instructions to sign in via SSO.
  5. User Deleted Event: When a user is deleted from the IdP, Userpilot will promptly remove the user from the organization.

Disable SCIM

Upon disabling the SCIM integration, the following effects will occur:

  1. SCIM configurations will be deleted from Userpilot.
  2. Integration with your IdP will be disconnected.
  3. Manual team management features will be unlocked.
  4. Users who have been provisioned through SCIM will retain their access to the application.
  5. SSO Mandatory Login will remain enforced.

Important note

While SCIM is enabled, users created through the IdP are provisioned without passwords, and Userpilot recognizes them accordingly. If the admin disables SSO, these users will no longer have access to Userpilot. A notification email will be sent to these password-less users, guiding them to set up their passwords in order to regain access to the platform.



For any issues or inquiries please contact support@userpilot.co
