User guide
Ask or search…
K
Links

SCIM provisioning

Use System for Cross-domain Identity Management to automate user and group provisioning from your IdP to Colabra.
Who can use this feature?
👤 By default, all Admins (but not Editors and Viewers).
🏢 Available on the Enterprise plan.
If you have SAML SSO enabled with a supported identity provider, you can contact us to get SCIM enabled for your workspace.
Once SCIM is enabled, you will not be able to manage users from within Colabra, and they will be kept up to date through your identity provider.

What you can do with SCIM

User provisioning and management:
  • Create and remove members in your organization.
  • Update a member's profile information.
  • Retrieve the members in your workspace.
    • Find members by name or email.
Group provisioning and management:
  • Create and remove groups in your organization.
  • Add and remove members in a group.
  • Retrieve the groups in your workspace.
    • Find groups by name.
Not supported:
  • Managing external collaborators (guests).

Configuration

Once SAML is configured, you will see the option to enable SCIM in Settings > Security.
Toggle the option to enable SCIM, and click "View configuration" to get your SCIM base connector URL and Bearer Auth token. Keep these values safe as you will need them to configure SCIM in your Identity provider.
Okta
OneLogin
  • In the Okta admin pages, open the Colabra application you have for SAML 2.0
  • In the General tab, click Edit and choose SCIM in the Provisioning section and Save
  • In the Provisioning tab, enter the SCIM Base connector URL you generated from Colabra
  • For the Unique identifier field for users section enter email
  • For Supported provisioning actions you can enable "Import New Users and Profile Updates", "Push New Users" and "Push Profile Updates." Push and Import for Groups are not supported at this time
  • For Authentication mode field, choose HTTP Header and enter your Bearer token generated from Colabra. You can now test the configuration and save
    • In OneLogin's Admin panel > Applications, click Add App
    • Search for the "SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML)" app and add
    • Click on the Configuration tab and add your SCIM base URL and Bearer token
    • Click on the Provisioning tab and Enable Provisioning
    • Save your App
      • In OneLogin's Admin panel > Applications, click Add App
      • Search for the "SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML)" app and add
      • Click on the Configuration tab and add your SCIM base URL and Bearer token
      • Click on the Provisioning tab and Enable Provisioning
      • Save your App
        • In OneLogin's Admin panel > Applications, click Add App
        • Search for the "SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML)" app and add
        • Click on the Configuration tab and add your SCIM base URL and Bearer token
        • Click on the Provisioning tab and Enable Provisioning
        • Save your App
  • In OneLogin's Admin panel > Applications, click Add App
  • Search for the "SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML)" app and add
  • Click on the Configuration tab and add your SCIM base URL and Bearer token
  • Click on the Provisioning tab and Enable Provisioning
  • Save your App

FAQ

Do you support provisioning Groups or Roles?
Not at this time, but we plan to add support for both in the near future.
What identity providers do you support?
SCIM should work with all common identity providers.
What plan is SCIM available on?
SCIM is only available on the Enterprise plan and if you have SAML SSO configured already. If you are interested in upgrading to the Enterprise plan, contact us.
What version of SCIM do you support?
We support SCIM 2.0 (not SCIM 1.1.)
Can guests be provisioned?
We don't currently support provisioning roles. We recommend provisioning them as a member and then converting them to a guest afterwards in the Colabra Settings > Members page.
When do newly provisioned users count as billable?
As soon as they are provisioned, they become billable users even if their accounts haven't been signed into yet.