
Configuring SCIM

How to configure System for Cross-domain Identity Management (SCIM) for your SmartSuite workspace

Written by Peter Novosel
Updated this week

SmartSuite supports System for Cross-domain Identity Management (SCIM) — a standards-based protocol that simplifies user provisioning and synchronization between your identity provider (IdP) and SmartSuite.

This feature enhances security, reduces administrative overhead, and ensures that user access stays aligned with your organization’s policies.

Plan Availability

Enterprise, Signature

Permissions

Administrators


Overview

SCIM automates:

  • User provisioning – Automatically creates user accounts in SmartSuite from your IdP.

  • User lifecycle management – Automatically disables or removes users when they leave your organization.

  • Team assignments – Automatically assigns users to SmartSuite Teams based on IdP attributes.

  • Role mapping – Assigns SmartSuite roles (admin, solution_manager, general, guest) directly from your IdP.

  • Profile synchronization – Keeps user details and team memberships consistent between SmartSuite and your IdP.

  • Audit & monitoring – Provides logs and visibility into SCIM activity for transparency and troubleshooting.


What Is App Provisioning?

App provisioning is the process of automatically creating, managing, and removing user identities and roles based on changes in user status or attributes.
This ensures users always have appropriate access while maintaining security and compliance.

Without automation, admins must manually manage user accounts across systems — a time-consuming and error-prone process.


What Is SCIM?

The System for Cross-domain Identity Management (SCIM) standard defines a common API and data schema for user and group management.


It provides a unified way to manage users across multiple applications using REST APIs.

SCIM integrates seamlessly with authentication protocols like SAML or OpenID Connect (OIDC) to deliver a complete, standards-based identity solution (Figure 1).


How SCIM Works

SCIM uses standardized REST endpoints to:

  • Create, update, or delete users and groups.

  • Synchronize user and group attributes across systems.

  • Handle large-scale updates efficiently through bulk operations.

Each user or group is represented as a resource with attributes like id, externalId, and meta.


Setting Up SCIM Provisioning for SmartSuite

Step 1: Plan Your Provisioning Deployment

  1. Identify which users and groups will be in scope for provisioning.

  2. Determine which IdP groups should synchronize with SmartSuite Teams.

  3. Start small — test provisioning with a limited group before rolling out organization-wide.


Step 2: Obtain Your SmartSuite Provisioning Authorization Token

  1. Log in to your SmartSuite workspace.

  2. Navigate to Workspace Administration → SSO Configuration.

  3. Copy the Provisioning Authorization Token.

You’ll use this token when configuring your IdP to connect with SmartSuite.


Step 3: Define Who Will Be in Scope

Most IdPs allow you to define who is provisioned to SmartSuite using:

  • Assignment-based scoping: Manually assign users or groups to the SmartSuite app.

  • Attribute-based scoping: Automatically provision users based on attributes (e.g., department, role).

💡 Tip: Use attribute-based scoping for automation but start small with manual assignment for testing.


Step 4: Configure Automatic Provisioning in Your IdP

While steps vary by identity system, the general process includes:

  1. Configure provisioning: Enable SCIM provisioning (automatic or manual).

  2. Enter SmartSuite SCIM details:

    • Tenant URL: https://app.smartsuite.com/authentication/scim

    • Secret Token: Your Provisioning Authorization Token.

  3. Test the connection to ensure successful communication.


Step 5: Configure SCIM Attributes

Make sure the following attributes are mapped in your IdP to match SmartSuite’s schema:

SmartSuite Field     | SCIM Attribute   | Required
id                   | id               | No
email                | userName         | ✅ Yes
full_name.first_name | givenName        | No
full_name.last_name  | familyName       | No
full_name.title      | honorificPrefix  | No
status               | active (boolean) | No

Enterprise User Schema Extensions:

SmartSuite Field | SCIM Attribute | Required
company_name     | organization   | No
department       | department     | No
manager_id       | manager        | No

Role Mapping

SmartSuite roles can also be managed through SCIM using the roles attribute.
Supported values are:

  • admin

  • solution_manager

  • general

  • guest


Step 6: Enable Provisioning

  1. In your IdP, turn Provisioning Status to On.

  2. Define the users and groups in the Scope settings.

  3. Save your configuration to begin synchronization.

The initial sync may take longer than subsequent cycles, which typically run every 30–60 minutes, depending on your IdP.


Platform-Specific Configuration

Okta

  1. Navigate to Applications → Add Application → SCIM Provisioning.

  2. Map all SmartSuite attributes listed above.

  3. Enable lifecycle operations (activate/deactivate users).

  4. Add optional enterprise schema attributes as needed.


Microsoft Entra (Azure AD)

  1. In Enterprise Applications, configure the SCIM URL and token.

  2. Add custom mappings for fields such as department or organization.

  3. Map the active attribute for user enablement/deactivation.

  4. Configure group assignments if using Teams-based provisioning.


Ping Federate

  1. Go to Provisioning → Connections and enable SCIM.

  2. Map source fields to SmartSuite SCIM attributes.

  3. Set sync frequency to regularly update SmartSuite.

  4. Test with sample users to confirm correct mappings.


API Endpoints

For organizations using direct API integration or testing via Postman, SmartSuite provides SCIM 2.0-compliant endpoints.

Users

  • List Users: GET /authentication/scim/Users

  • Get User: GET /authentication/scim/Users/{userId}

  • Create User: POST /authentication/scim/Users

  • Update User (PUT/PATCH): PUT or PATCH /authentication/scim/Users/{userId}

  • Delete User: DELETE /authentication/scim/Users/{userId}

⚠️ Note: You cannot delete the last admin user in a workspace.
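The following is an added example, not SmartSuite code: it reconciles a Users listing against the set of accounts the IdP still has in scope, plans PATCH deactivations for the rest, and holds back the last active admin, which the note above says cannot be deleted. The sample listing is constructed, and reading roles from a response as a list of strings (as in this page's create request) and treating a missing active flag as active are assumptions.

```python
# Added example: reconcile a SCIM Users listing against the IdP's in-scope set.
# LIST_RESPONSE is constructed sample data; roles as a list of strings is an
# assumption based on the create request shown on this page.
LIST_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"id": "u1", "userName": "ana@example.com", "active": True, "roles": ["admin"]},
        {"id": "u2", "userName": "bo@example.com", "active": True, "roles": ["general"]},
        {"id": "u3", "userName": "cy@example.com", "active": True, "roles": ["guest"]},
        {"id": "u4", "userName": "di@example.com", "active": False, "roles": ["admin"]},
    ],
}
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def plan_deactivations(listing: dict, in_scope: set[str]):
    """Return (requests, held_back) for active users the IdP no longer lists."""
    resources = listing.get("Resources", [])
    if listing.get("totalResults", len(resources)) > len(resources):
        raise ValueError("listing is paginated; fetch every page before reconciling")

    scope = {name.lower() for name in in_scope}
    active = [u for u in resources if u.get("active", True)]
    orphans = [u for u in active if u["userName"].lower() not in scope]
    admins = [u for u in active if "admin" in u.get("roles", [])]
    surviving_admins = [u for u in admins if u not in orphans]

    held_back = []
    if admins and not surviving_admins:
        # Every active admin is out of scope: keep one and surface it for a human.
        keeper = min(admins, key=lambda u: u["id"])
        orphans.remove(keeper)
        held_back.append(keeper["userName"])

    body = {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    requests = [("PATCH", f"/authentication/scim/Users/{u['id']}", body) for u in orphans]
    return requests, held_back


if __name__ == "__main__":
    for item in plan_deactivations(LIST_RESPONSE, {"bo@example.com"}):
        print(item)
```

Nothing is sent; the function only returns the planned requests so they can be reviewed before an IdP or script issues them.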

Role Provisioning

Example SCIM user creation request with role mapping:

POST {{baseUrl}}/authentication/scim/Users
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "guestq1a@example.com",
  "name": {
    "givenName": "Guest134",
    "familyName": "User42"
  },
  "emails": [
    {
      "value": "guestq1a@example.com",
      "primary": true
    }
  ],
  "roles": ["guest"]
}

💡 You can assign any of the four role values below to define the user’s permissions in SmartSuite:

  • admin

  • solution_manager

  • general

  • guest
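A pre-flight check for create-user payloads, as an added example that is not SmartSuite code: it enforces the required userName mapping and the four supported role values from this page, and flags any payload that would provision an admin. The function and constant names, the sample payload, and the choice to flag only admin for review are assumptions.

```python
# Added example, not SmartSuite code. Attribute names and role values are
# taken from this page; function and constant names are assumptions.
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ALLOWED_ROLES = {"admin", "solution_manager", "general", "guest"}
REVIEW_ROLES = {"admin"}  # assumption: which roles need sign-off is local policy

# Constructed sample: a mapping mistake that drops userName and sends bad roles.
BAD_PAYLOAD = json.dumps({
    "schemas": [USER_SCHEMA],
    "name": {"givenName": "Sam", "familyName": "Example"},
    "roles": ["owner", "admin"],
})


def validate_create_user(raw: str) -> list[str]:
    """Return findings for a POST /Users body; an empty list means it passed."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"error: not valid JSON ({exc.msg})"]
    if not isinstance(body, dict):
        return ["error: payload must be a JSON object"]

    findings = []
    schemas = body.get("schemas")
    if not isinstance(schemas, list) or USER_SCHEMA not in schemas:
        findings.append("error: schemas must include the core User URN")

    user_name = body.get("userName")
    if not isinstance(user_name, str) or "@" not in user_name:
        findings.append("error: userName (SmartSuite email) is required")

    roles = body.get("roles", [])
    if not isinstance(roles, list):
        findings.append("error: roles must be a list of strings")
        roles = []
    for role in roles:
        if not isinstance(role, str) or role not in ALLOWED_ROLES:
            findings.append(f"error: unsupported role {role!r}")
        elif role in REVIEW_ROLES:
            findings.append(f"review: {user_name!r} would be provisioned as {role}")

    emails = body.get("emails") if isinstance(body.get("emails"), list) else []
    primary = [e.get("value") for e in emails if isinstance(e, dict) and e.get("primary")]
    if len(primary) > 1:
        findings.append("error: more than one primary email")
    elif primary and primary[0] != user_name:
        findings.append("review: primary email differs from userName")
    return findings
```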


Groups

  • List Groups: GET /authentication/scim/Groups

  • Get Group: GET /authentication/scim/Groups/{groupId}

  • Create Group: POST /authentication/scim/Groups

  • Update Group: PUT or PATCH /authentication/scim/Groups/{groupId}

  • Delete Group: DELETE /authentication/scim/Groups/{groupId}


Best Practices

  • Test synchronization with a small user set first.

  • Use SCIM API testing tools (e.g., Postman) to validate payloads.

  • Regularly monitor IdP logs for failed syncs or mapping issues.

  • Document your attribute mappings for future maintenance.


Summary

By integrating SCIM, SmartSuite automates user provisioning, team management, and lifecycle operations — all while maintaining security and compliance through standard protocols.

Once configured, your users and teams will stay synchronized automatically, reducing admin effort and ensuring consistent access management.
