Skip to main content
Beta Feature - SCIM Provisioning is currently in beta. We’re actively improving the feature and welcome your feedback.

Overview

SCIM (System for Cross-domain Identity Management) enables your identity provider to automatically provision and deprovision users in env zero. Instead of relying on login-time syncing, SCIM keeps your user directory in sync continuously, so access is granted or revoked as soon as changes happen in your IdP.

Prerequisites

  • SSO must be configured - SCIM provisioning is only available after you set up an SSO connection (SAML or Azure AD)
  • Edit Organization Settings permission is required

Setting Up SCIM

1

Navigate to SSO Settings

Go to Organization Settings > SSO. Below your SSO connection, you’ll see the SCIM Provisioning section.
SCIM Provisioning section showing the Generate SCIM Token button
2

Generate a SCIM Token

Click Generate SCIM Token. This creates a bearer token and SCIM endpoint URL for your organization.
3

Copy the Token and Endpoint URL

A dialog displays your SCIM Endpoint URL and Bearer Token. Copy both values immediately.
The bearer token is shown only once. If you lose it, you’ll need to delete the SCIM configuration and generate a new one.
SCIM Token Created dialog showing the endpoint URL and bearer token
Once configured, the SCIM Provisioning section displays your endpoint URL and the date the token was created.
SCIM Provisioning configured state showing endpoint URL and creation date

Configuring Your Identity Provider

Use the SCIM Endpoint URL and Bearer Token to configure provisioning in your identity provider.
Your IdP must map the user’s email address to the SCIM userName attribute. env zero uses this field to match IdP users to organization members. Without a valid email mapping, provisioning will not work correctly.
See your IdP’s documentation for SCIM setup instructions: For other identity providers, refer to their SCIM 2.0 integration documentation and use the endpoint URL and bearer token from the previous step.

Revoking a SCIM Token

To revoke SCIM access, navigate to Organization Settings > SSO and click Delete Configuration in the SCIM Provisioning section. This immediately invalidates the token and stops all SCIM provisioning from your IdP.