SCIM Provisioning

Automate user lifecycle management with SCIM 2.0

Overview

SCIM (System for Cross-domain Identity Management) automates user provisioning and deprovisioning between your identity provider and IdeaLift. When you add or remove a user in your IdP, the change is automatically reflected in IdeaLift — no manual workspace management needed.

IdeaLift implements the SCIM 2.0 standard (RFC 7643 / RFC 7644), ensuring compatibility with all major identity providers.

  • Auto-provisioning: Add users from your IdP
  • Auto-deprovisioning: Revoke access instantly
  • Continuous sync: Keep directories aligned

Requirements

  • Enterprise plan — SCIM provisioning is exclusively available on the Enterprise plan
  • SSO configured — SAML or OAuth SSO must be set up before enabling SCIM
  • Admin or Owner role — Only workspace Admins and Owners can configure SCIM
  • IdP with SCIM support — Your identity provider must support SCIM 2.0 (Okta, Azure AD, OneLogin, JumpCloud, etc.)

Not on Enterprise? Contact sales to discuss Enterprise plan pricing and features.

Setting Up SCIM

Follow these steps to connect your identity provider to IdeaLift via SCIM.

Step 1: Generate a SCIM token in IdeaLift

  1. Go to Dashboard → Settings → Security
  2. Scroll to "SCIM Provisioning"
  3. Click "Enable SCIM"
  4. Copy the SCIM Base URL and Bearer Token

Important: The bearer token is only shown once. Store it securely. If you lose it, you can regenerate a new token, but you will need to update it in your IdP.

Step 2: Configure your identity provider

In your IdP admin panel, add a new SCIM provisioning integration with these values:

  • SCIM Base URL: https://idealift.app/api/scim/v2
  • Authentication: Bearer Token (OAuth Bearer)

Step 3: Assign users and groups

  1. In your IdP, assign users or groups to the IdeaLift SCIM application
  2. Trigger an initial sync (most IdPs do this automatically)
  3. Verify in IdeaLift that users appear in your workspace team list

Step 4: Test provisioning

  1. Add a test user in your IdP and assign them to the IdeaLift application
  2. Wait a few moments for the sync (typically under 60 seconds)
  3. Verify the user appears in Dashboard → Team
  4. Remove the test user from the IdeaLift application in your IdP
  5. Verify the user is deactivated in your IdeaLift workspace

Supported Operations

IdeaLift's SCIM 2.0 endpoint supports the following operations on the /Users resource.

Create User: POST /Users

Creates a new user in the workspace with the Member role. The user can immediately log in via SSO.

Get User: GET /Users/{id}

Retrieves a single user by their SCIM ID, including their current role and active status.

List Users: GET /Users

Returns all provisioned users in the workspace. Supports filtering by email and pagination.

Update User: PUT /Users/{id}

Updates user attributes such as name and active status. Replaces the full user resource.

Patch User: PATCH /Users/{id}

Partially updates user attributes. Commonly used by IdPs to activate or deactivate users.

Delete User: DELETE /Users/{id}

Deactivates the user and removes them from the workspace. Their historical data is preserved.

User Attributes

The following SCIM attributes are supported when creating or updating users.

SCIM Attribute   | IdeaLift Field | Required | Notes
userName         | Email          | Yes      | Must be a valid email address. Used as the primary identifier.
name.givenName   | First Name     | No       | User display name in IdeaLift.
name.familyName  | Last Name      | No       | User display name in IdeaLift.
displayName      | Display Name   | No       | Falls back to givenName + familyName if not set.
active           | Active Status  | No       | Set to false to deactivate. Deactivated users cannot log in.
externalId       | External ID    | No       | Your IdP's internal user ID. Stored for reconciliation.
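The request shapes behind the operations and attributes listed above, as an added example (not IdeaLift's own code or SDK). It takes the base URL and bearer-token authentication from this page and the schema URNs from RFC 7643/7644; the IdP record keys (email, first_name, last_name, display_name, active, id), the helper names and the sample ListResponse are assumptions constructed for the example. The builders return the request as a dict so the mapping can be inspected offline; send() performs it with urllib when you have a real token.

```python
"""Build SCIM 2.0 requests for the IdeaLift /Users endpoint (added example)."""
import json
import re
import urllib.parse
import urllib.request

SCIM_BASE_URL = "https://idealift.app/api/scim/v2"            # from the page
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"     # RFC 7643
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp" # RFC 7644
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# userName must be a valid email address (page); this check is deliberately simple.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_valid_user_name(value: str) -> bool:
    return bool(_EMAIL_RE.match(value))


def _headers(token: str) -> dict:
    # Bearer token authentication, as documented; the caller supplies the token.
    return {"Authorization": f"Bearer {token}",
            "Content-Type": "application/scim+json",
            "Accept": "application/scim+json"}


def user_resource(idp_user: dict) -> dict:
    """Map an IdP record (assumed key names) onto the attributes the page lists."""
    email = idp_user["email"]
    if not is_valid_user_name(email):
        raise ValueError(f"userName must be an email address: {email!r}")
    given = idp_user.get("first_name", "")
    family = idp_user.get("last_name", "")
    resource = {
        "schemas": [USER_SCHEMA],
        "userName": email,                       # primary identifier
        "name": {"givenName": given, "familyName": family},
        # displayName falls back to givenName + familyName when unset (page)
        "displayName": idp_user.get("display_name") or f"{given} {family}".strip(),
        "active": bool(idp_user.get("active", True)),
    }
    if idp_user.get("id") is not None:
        resource["externalId"] = str(idp_user["id"])  # IdP's own user ID
    return resource


def create_user_request(token: str, idp_user: dict) -> dict:
    """POST /Users: creates the user with the Member role (page)."""
    return {"method": "POST", "url": f"{SCIM_BASE_URL}/Users",
            "headers": _headers(token), "body": user_resource(idp_user)}


def deactivate_user_request(token: str, scim_id: str) -> dict:
    """PATCH /Users/{id} setting active=false, the usual deprovisioning call."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return {"method": "PATCH", "url": f"{SCIM_BASE_URL}/Users/{scim_id}",
            "headers": _headers(token), "body": body}


def list_by_email_request(token: str, email: str) -> dict:
    """GET /Users with a userName filter (the page says filtering by email is supported)."""
    escaped = email.replace('"', '\\"')
    query = urllib.parse.urlencode({"filter": f'userName eq "{escaped}"'})
    return {"method": "GET", "url": f"{SCIM_BASE_URL}/Users?{query}",
            "headers": _headers(token), "body": None}


def send(req: dict) -> dict:
    """Perform a built request with urllib (needs network and a real token)."""
    data = json.dumps(req["body"]).encode() if req["body"] is not None else None
    r = urllib.request.Request(req["url"], data=data, headers=req["headers"],
                               method=req["method"])
    with urllib.request.urlopen(r, timeout=10) as resp:
        return json.loads(resp.read().decode())


def parse_list_response(payload: dict) -> list:
    """Reduce a ListResponse to (id, userName, active) tuples for a sync check."""
    if LIST_SCHEMA not in payload.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return [(u["id"], u["userName"], u.get("active", True))
            for u in payload.get("Resources", [])]


# Constructed sample, shaped as RFC 7644 describes; not captured from IdeaLift.
SAMPLE_LIST_RESPONSE = {
    "schemas": [LIST_SCHEMA], "totalResults": 1, "startIndex": 1, "itemsPerPage": 1,
    "Resources": [{"schemas": [USER_SCHEMA], "id": "2819c223-7f76-453a-919d-413861904646",
                   "userName": "test.user@example.com", "active": True}],
}
```

For the Step 4 test above, list_by_email_request() followed by parse_list_response() is a quick way to confirm that the test user arrived with active=true and, after removal in the IdP, that the same record now reports active=false.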

Group Mapping

IdeaLift maps SCIM groups to workspace roles. This allows you to manage role assignments from your identity provider instead of manually configuring them in IdeaLift.

IdP Group Name  | IdeaLift Role | Description
Admins          | Admin         | Full workspace management, integrations, and settings
Any other group | Member        | View dashboard, capture ideas, vote, and search

Group mapping notes

  • Group names are case-sensitive — "Admins" works, "admins" does not
  • The Owner role cannot be assigned via SCIM — it is set manually in IdeaLift
  • Users in multiple groups receive the highest-privilege role
  • Users not in any group default to the Member role
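The mapping rules above, written out as an added example so an admin can check what a sync should produce before looking at the Team page. This is not IdeaLift's own code: it encodes the four rules stated on this page (exact, case-sensitive "Admins"; highest privilege wins; Owner is never set via SCIM; no group means Member). The function names and the near_miss_groups diagnostic are assumptions.

```python
"""Resolve a workspace role from SCIM group names (added example)."""

ROLE_RANK = {"Member": 1, "Admin": 2}   # higher number = more privilege
GROUP_TO_ROLE = {"Admins": "Admin"}     # exact match only; "admins" does not map


def role_for_groups(group_names) -> str:
    """Role a user should hold given the groups the IdP assigned them."""
    best = "Member"                                  # no group -> Member
    for name in group_names:
        role = GROUP_TO_ROLE.get(name, "Member")     # case-sensitive lookup
        if ROLE_RANK[role] > ROLE_RANK[best]:        # highest privilege wins
            best = role
    return best


def reconcile(current_role: str, group_names) -> tuple:
    """Decide what a sync does with an existing user.

    Owner is set manually in IdeaLift, so a SCIM sync must never change it.
    Returns ("keep", role) or ("change", new_role).
    """
    if current_role == "Owner":
        return ("keep", "Owner")
    desired = role_for_groups(group_names)
    if desired == current_role:
        return ("keep", desired)
    return ("change", desired)


def near_miss_groups(group_names) -> list:
    """Groups that differ from a mapped name only by case: the usual reason
    'Group assignments are not syncing' (constructed diagnostic, not a product feature)."""
    lowered = {g.lower() for g in GROUP_TO_ROLE}
    return [g for g in group_names
            if g not in GROUP_TO_ROLE and g.lower() in lowered]
```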

Troubleshooting

SCIM provisioning returns 401 Unauthorized

Your SCIM bearer token may have expired or been rotated. Generate a new token in IdeaLift settings and update it in your identity provider.

Users are created but cannot log in

SCIM creates user accounts, but users still need to authenticate via SSO. Ensure SSO is configured and the user's email domain matches your verified domain.

Deprovisioned users still have access

SCIM deactivation is processed in real time, but active sessions may persist until they expire. To force immediate revocation, remove the user from the workspace in IdeaLift settings.

Group assignments are not syncing

IdeaLift maps SCIM groups to workspace roles. Ensure your group names match exactly: "Admins" for Admin role, all others map to Member. Group names are case-sensitive.

Rate limit errors (429) from SCIM endpoint

The SCIM API is rate-limited to 100 requests per minute per workspace. If you are doing a bulk sync, configure your IdP to use a lower concurrency or add retry logic with exponential backoff.
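The retry-with-backoff and concurrency advice above, as an added example (not IdeaLift's own code or that of any IdP). The 100 requests per minute per workspace figure is from this page; the transport callable, the injectable sleep/clock/rng hooks and the scripted responses are assumptions so the logic can be exercised offline. It retries 429 and 5xx responses, honours a Retry-After header when one is present, and adds a client-side token bucket so a bulk sync stays under the documented limit instead of relying on retries.

```python
"""Backoff and client-side rate limiting for a SCIM bulk sync (added example)."""
import random
import time

RATE_LIMIT_PER_MINUTE = 100   # per workspace, from the page


def backoff_delay(attempt: int, base: float = 1.0, cap: float = 60.0,
                  rng=random.random) -> float:
    """'Full jitter' exponential backoff: uniform in [0, min(cap, base * 2**attempt)]."""
    return min(cap, base * (2 ** attempt)) * rng()


def send_with_retry(do_request, max_attempts: int = 5, sleep=time.sleep,
                    rng=random.random, base: float = 1.0) -> dict:
    """Call do_request() until it returns a non-retryable response.

    do_request() returns {"status": int, "headers": {...}, "body": ...}.
    429 and 5xx are retried; anything else is returned to the caller as-is.
    A Retry-After header (seconds) overrides the computed delay.
    """
    last = None
    for attempt in range(max_attempts):
        last = do_request()
        status = last["status"]
        if status != 429 and status < 500:
            return last
        if attempt == max_attempts - 1:
            break
        retry_after = last.get("headers", {}).get("Retry-After")
        delay = float(retry_after) if retry_after else backoff_delay(attempt, base, rng=rng)
        sleep(delay)
    raise RuntimeError(f"gave up after {max_attempts} attempts, last status {last['status']}")


class TokenBucket:
    """Client-side limiter: refills at rate_per_minute/60 tokens per second."""

    def __init__(self, rate_per_minute: int = RATE_LIMIT_PER_MINUTE, clock=time.monotonic):
        self.capacity = rate_per_minute
        self.tokens = float(rate_per_minute)
        self.refill_per_sec = rate_per_minute / 60.0
        self.clock = clock
        self.last = clock()

    def try_acquire(self) -> bool:
        """Take one token if available; the caller waits and retries when False."""
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def scripted_transport(statuses):
    """Constructed fake transport returning the given statuses in order (for offline tests).
    A 429 carries Retry-After: 3 to show the header taking precedence."""
    queue = list(statuses)

    def do_request():
        status = queue.pop(0)
        headers = {"Retry-After": "3"} if status == 429 else {}
        return {"status": status, "headers": headers, "body": None}
    return do_request
```

In a real sync, wrap each built SCIM request in a do_request closure, call try_acquire() before sending and send_with_retry() around the send; with a bucket sized to the documented limit the 429 path should rarely trigger at all.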
