Skip to main content
SCIM provisioning is available on Business and Enterprise plans. It requires an active SSO connection. This guide covers how to enable SCIM directory sync, configure group-to-workspace mappings, manage tokens, and monitor sync activity. Before you begin: Complete the steps in Set up single sign-on (SSO) first. SCIM builds on top of an active SSO connection — you’ll need domain verification and SSO configured with your identity provider before proceeding.

How SCIM works in CloudThinker

SCIM (System for Cross-domain Identity Management) is an industry standard that lets your identity provider automatically keep CloudThinker in sync with your company directory. Instead of manually inviting and removing users, your IdP handles it for you. When SCIM is enabled:
  • Users assigned to your CloudThinker application in your IdP are automatically added to your organization
  • Users removed from your IdP application are automatically deactivated in CloudThinker
  • Groups pushed from your IdP appear in CloudThinker and can be mapped to specific workspaces and roles
  • Group membership changes in your IdP automatically update workspace access in CloudThinker
Behind the scenes, your IdP calls CloudThinker’s SCIM 2.0 API using a bearer token whenever it needs to create, update, or remove users and groups.

Step 1: Enable SCIM in CloudThinker

1

Navigate to Identity and access settings

Go to Admin Settings → Identity and access. The Provisioning & directory sync card appears below the SSO card when your SSO connection is active.
2

Select SCIM

Click the SCIM option in the provisioning mode selector. CloudThinker generates a bearer token and a SCIM endpoint URL.
3

Copy your credentials

A dialog appears with two values you’ll need to paste into your identity provider:
  • Bearer token — the secret token your IdP uses to authenticate with CloudThinker’s SCIM API
  • SCIM base URL — the endpoint your IdP will send requests to (format: https://<your-domain>/api/v1/scim/{org_id}/v2)
Copy both values now — the bearer token is only shown once.
Copy the bearer token immediately — it cannot be retrieved after you close the dialog. If you lose it, you’ll need to rotate the token.

Step 2: Configure SCIM in your identity provider

Now switch to your identity provider’s admin console and set up SCIM provisioning for your CloudThinker application. The exact steps vary by provider (Okta, Azure AD / Microsoft Entra, OneLogin, etc.), but the values you need are the same.

General configuration

In your IdP’s SCIM or provisioning settings for the CloudThinker application, enter:
FieldValue
SCIM connector base URLThe SCIM base URL from Step 1
Authentication modeHTTP Header / Bearer Token
Bearer tokenThe token from Step 1
Unique identifier fielduserName (this maps to the user’s email address)

What your IdP can sync

OperationSupportedWhat it does
Create UsersYesAdds new user accounts to your CloudThinker organization
Update User AttributesYesKeeps name, email, and active status in sync
Deactivate UsersYesDisables access when a user is deactivated in your IdP
Delete UsersYesRemoves the user from your organization
Push GroupsYesSyncs your IdP groups to CloudThinker for workspace mapping
Group MembershipYesKeeps group members in sync between your IdP and CloudThinker
CloudThinker supports filtering by userName for user lookups and displayName for group lookups. Bulk operations are not currently supported.

Step 3: Map groups to workspaces and roles

Once your IdP starts pushing groups via SCIM, they appear automatically in the Group mappings section on the Identity and access page. Group mappings let you control which workspaces users land in and what role they get, based on their group membership in your IdP. For each synced group, you can configure:
SettingDescription
Auto-assigned workspacesWhich workspaces members of this group are automatically added to
Auto-assigned organization roleThe organization role for members of this group — choose Viewer, Developer, or Admin. Select “Use connection role” to use the default role from your SSO connection settings.
1

Wait for groups to appear

After configuring SCIM in your IdP, assign groups to your CloudThinker application. Groups show up in the Group mappings table once your IdP pushes them — this may take a few minutes depending on your IdP’s sync interval.
2

Choose workspaces

For each group, select which workspaces its members should have access to using the workspace dropdown.
3

Set roles (optional)

Optionally choose a specific role for each group. If you leave it as “Use connection role,” members get the default role from your SSO connection settings.
4

Save

Click Save for each group row to apply the mapping.
If no groups have synced yet, the Group mappings section shows a message: “No groups synced yet. Groups will appear here automatically once your identity provider pushes them via SCIM.”

Managing SCIM tokens

Rotate a token

If your token is compromised or your security policy requires periodic rotation, you can rotate it without downtime:
  1. In the Directory sync (SCIM) section, click Rotate token
  2. Confirm the rotation — the old token stays valid for 24 more hours, giving you time to update your IdP
  3. Copy the new token and update it in your IdP’s SCIM configuration
Both the old and new tokens work during the 24-hour overlap window, so your IdP won’t experience any sync failures while you make the switch.

Revoke a token

Switching away from SCIM (to Manual or JIT) automatically revokes the SCIM token and stops all directory sync. Your IdP will no longer be able to create, update, or remove users in CloudThinker.

Monitoring sync activity

Click View sync logs in the Directory sync section to see a history of all SCIM operations. This is useful for verifying that your IdP is pushing changes correctly and for troubleshooting provisioning issues. Each log entry shows:
FieldDescription
TimestampWhen the operation occurred
ActionWhat happened (e.g., CREATE, UPDATE, DELETE)
ResourceWhich user or group was affected
StatusWhether it succeeded (SUCCESS), was skipped (SKIPPED), or failed (FAILED)

Disabling SCIM

If you no longer need directory sync, you can disable SCIM:
  1. In the Provisioning & directory sync card, select Manual or Just-in-time
  2. Confirm the action — this immediately revokes your SCIM token and stops all directory sync
  3. Existing users remain in your organization, but your IdP can no longer add or remove users automatically
Disabling SCIM takes effect immediately. Your identity provider will start receiving authentication errors on its next sync cycle. Update or disable SCIM provisioning in your IdP to avoid unnecessary error alerts.

Troubleshooting

Groups aren’t appearing in CloudThinker

Make sure groups are assigned to your CloudThinker application in your IdP’s provisioning settings. CloudThinker doesn’t pull groups from your IdP — your IdP needs to push them. Check View sync logs to see if any group sync attempts have been made.

Users aren’t being provisioned

  1. Verify the user is assigned to your CloudThinker application in your IdP
  2. Check that the SCIM token hasn’t been rotated or revoked — if in doubt, rotate the token and update your IdP
  3. Open View sync logs and look for FAILED entries — these often include details about what went wrong
  4. Make sure the user’s email address is valid and not already associated with a different CloudThinker organization

Users aren’t being deprovisioned

  1. Make sure the user was removed from the CloudThinker application in your IdP (removing them from a group alone isn’t enough — they need to be unassigned from the application)
  2. Check sync logs for a DELETE or DEACTIVATE action for that user
  3. Some IdPs don’t sync changes instantly — for example, Microsoft Entra syncs approximately every 40 minutes. Wait for the next cycle and check again.

SCIM token stopped working

The token may have been rotated or revoked by another admin. Generate a new token in CloudThinker and update your IdP’s SCIM configuration with the new value.

”Cannot enable JIT provisioning while SCIM is active”

JIT (Just-in-Time) provisioning and SCIM can’t be used at the same time. To switch to JIT, first select a different provisioning mode (Manual or JIT) — this will revoke the SCIM token and stop directory sync.

Set Up SSO

Configure SAML or OIDC single sign-on (prerequisite for SCIM)

Security Overview

MFA, RBAC, API keys, and data security

Organizations

Manage organization members and roles

Workspace Users

Workspace-level access control