# Set Up SCIM Provisioning

> Automate user and group provisioning from your identity provider with SCIM 2.0

SCIM provisioning is available on **Business** and **Enterprise** plans. It requires an active SSO connection.

This guide covers how to enable SCIM directory sync, configure group-to-workspace mappings, manage tokens, and monitor sync activity.

**Before you begin:** Complete the steps in [Set up single sign-on (SSO)](/guide/security/sso) first. SCIM builds on top of an active SSO connection — you'll need domain verification and SSO configured with your identity provider before proceeding.

***

## How SCIM works in CloudThinker

SCIM (System for Cross-domain Identity Management) is an industry standard that lets your identity provider automatically keep CloudThinker in sync with your company directory. Instead of manually inviting and removing users, your IdP handles it for you.

When SCIM is enabled:

* **Users assigned** to your CloudThinker application in your IdP are automatically added to your organization
* **Users removed** from your IdP application are automatically deactivated in CloudThinker
* **Groups pushed** from your IdP appear in CloudThinker and can be mapped to specific workspaces and roles
* **Group membership changes** in your IdP automatically update workspace access in CloudThinker

Behind the scenes, your IdP calls CloudThinker's SCIM 2.0 API using a bearer token whenever it needs to create, update, or remove users and groups.

***

## Step 1: Enable SCIM in CloudThinker

<Steps>
  <Step title="Navigate to Identity and access settings">
    Go to **Admin Settings → Identity and access**. The **Provisioning & directory sync** card appears below the SSO card when your SSO connection is active.
  </Step>

  <Step title="Select SCIM">
    Click the **SCIM** option in the provisioning mode selector. CloudThinker generates a bearer token and a SCIM endpoint URL.
  </Step>

  <Step title="Copy your credentials">
    A dialog appears with two values you'll need to paste into your identity provider:

    * **Bearer token** — the secret token your IdP uses to authenticate with CloudThinker's SCIM API
    * **SCIM base URL** — the endpoint your IdP will send requests to (format: `https://<your-domain>/api/v1/scim/{org_id}/v2`)

    Copy both values now — the bearer token is only shown once.
  </Step>
</Steps>

<Warning>
  Copy the bearer token immediately — it cannot be retrieved after you close the dialog. If you lose it, you'll need to rotate the token.
</Warning>

***

## Step 2: Configure SCIM in your identity provider

Now switch to your identity provider's admin console and set up SCIM provisioning for your CloudThinker application. The exact steps vary by provider (Okta, Azure AD / Microsoft Entra, OneLogin, etc.), but the values you need are the same.

### General configuration

In your IdP's SCIM or provisioning settings for the CloudThinker application, enter:

| Field                       | Value                                              |
| --------------------------- | -------------------------------------------------- |
| **SCIM connector base URL** | The SCIM base URL from Step 1                      |
| **Authentication mode**     | HTTP Header / Bearer Token                         |
| **Bearer token**            | The token from Step 1                              |
| **Unique identifier field** | `userName` (this maps to the user's email address) |

### What your IdP can sync

| Operation              | Supported | What it does                                                  |
| ---------------------- | --------- | ------------------------------------------------------------- |
| Create Users           | Yes       | Adds new user accounts to your CloudThinker organization      |
| Update User Attributes | Yes       | Keeps name, email, and active status in sync                  |
| Deactivate Users       | Yes       | Disables access when a user is deactivated in your IdP        |
| Delete Users           | Yes       | Removes the user from your organization                       |
| Push Groups            | Yes       | Syncs your IdP groups to CloudThinker for workspace mapping   |
| Group Membership       | Yes       | Keeps group members in sync between your IdP and CloudThinker |

<Info>
  CloudThinker supports filtering by `userName` for user lookups and `displayName` for group lookups. Bulk operations are not currently supported.
</Info>
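
The `userName` lookup described in the note above, as an added example (not CloudThinker's own code): it builds the filter request against the SCIM base URL from Step 1 and reads the `active` flag from the reply, which is a quick way to confirm that a deactivated user really is inactive. The `/Users` path and the ListResponse shape follow RFC 7644 and are assumed here; `SCIM_BASE_URL`, `SCIM_TOKEN` and the sample response are constructed.

```python
import json
import os
import urllib.parse
import urllib.request

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def scim_string(value: str) -> str:
    """Quote a filter value; RFC 7644 filter strings use JSON escaping."""
    return json.dumps(value)


def build_user_lookup(base_url: str, token: str, email: str) -> urllib.request.Request:
    """Build GET <base>/Users?filter=userName eq "<email>" with bearer auth."""
    # Assumption: the standard RFC 7644 /Users path sits under the base URL.
    flt = f"userName eq {scim_string(email)}"
    query = urllib.parse.urlencode({"filter": flt}, quote_via=urllib.parse.quote)
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/Users?{query}",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/scim+json"},
        method="GET",
    )


def user_state(list_response: dict, email: str) -> str:
    """Return 'absent', 'active' or 'inactive' for email in a ListResponse."""
    if LIST_SCHEMA not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    for res in list_response.get("Resources", []):
        if res.get("userName", "").lower() == email.lower():
            # A missing 'active' attribute is treated as active.
            return "active" if res.get("active", True) else "inactive"
    return "absent"


def check_user(email: str) -> str:
    """Live check; the token is read from the environment, never hard-coded."""
    req = build_user_lookup(os.environ["SCIM_BASE_URL"], os.environ["SCIM_TOKEN"], email)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return user_state(json.load(resp), email)


# Constructed sample response for offline use.
SAMPLE = {
    "schemas": [LIST_SCHEMA],
    "totalResults": 1,
    "Resources": [{"id": "example-id", "userName": "alice@example.com", "active": False}],
}
```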

***

## Step 3: Map groups to workspaces and roles

Once your IdP starts pushing groups via SCIM, they appear automatically in the **Group mappings** section on the Identity and access page. Group mappings let you control which workspaces users land in and what role they get, based on their group membership in your IdP.

For each synced group, you can configure:

| Setting                             | Description                                                                                                                                                                   |
| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Auto-assigned workspaces**        | Which workspaces members of this group are automatically added to                                                                                                             |
| **Auto-assigned organization role** | The organization role for members of this group — choose Viewer, Developer, or Admin. Select "Use connection role" to use the default role from your SSO connection settings. |

<Steps>
  <Step title="Wait for groups to appear">
    After configuring SCIM in your IdP, assign groups to your CloudThinker application. Groups show up in the **Group mappings** table once your IdP pushes them — this may take a few minutes depending on your IdP's sync interval.
  </Step>

  <Step title="Choose workspaces">
    For each group, select which workspaces its members should have access to using the workspace dropdown.
  </Step>

  <Step title="Set roles (optional)">
    Optionally choose a specific role for each group. If you leave it as "Use connection role," members get the default role from your SSO connection settings.
  </Step>

  <Step title="Save">
    Click **Save** for each group row to apply the mapping.
  </Step>
</Steps>

<Info>
  If no groups have synced yet, the Group mappings section shows a message: "No groups synced yet. Groups will appear here automatically once your identity provider pushes them via SCIM."
</Info>

***

## Managing SCIM tokens

### Rotate a token

If your token is compromised or your security policy requires periodic rotation, you can rotate it without downtime:

1. In the **Directory sync (SCIM)** section, click **Rotate token**
2. Confirm the rotation — the old token stays valid for 24 more hours, giving you time to update your IdP
3. Copy the new token and update it in your IdP's SCIM configuration

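Both the old and new tokens work during the 24-hour overlap window, so your IdP won't experience any sync failures while you make the switch. The same overlap means a compromised token also remains usable for those 24 hours after rotation; switching the provisioning mode away from SCIM (see **Revoke a token** below) revokes it immediately.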

### Revoke a token

Switching away from SCIM (to Manual or JIT) automatically revokes the SCIM token and stops all directory sync. Your IdP will no longer be able to create, update, or remove users in CloudThinker.

***

## Monitoring sync activity

Click **View sync logs** in the Directory sync section to see a history of all SCIM operations. This is useful for verifying that your IdP is pushing changes correctly and for troubleshooting provisioning issues.

Each log entry shows:

| Field         | Description                                                               |
| ------------- | ------------------------------------------------------------------------- |
| **Timestamp** | When the operation occurred                                               |
| **Action**    | What happened (e.g., CREATE, UPDATE, DELETE)                              |
| **Resource**  | Which user or group was affected                                          |
| **Status**    | Whether it succeeded (SUCCESS), was skipped (SKIPPED), or failed (FAILED) |
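
An offboarding check over these four fields, as an added example (not part of CloudThinker): it lists FAILED operations that were never followed by a SUCCESS, and offboarded users with no successful DELETE or DEACTIVATE. The CSV layout and all rows are constructed; the page does not describe an export format, so adapt the loader to however you capture the entries.

```python
import csv
import io

# Constructed sample rows using the four fields the sync log shows.
# Assumption: timestamps are ISO 8601 UTC, so string order is time order.
SAMPLE_LOG = """timestamp,action,resource,status
2024-05-01T09:00:00Z,CREATE,alice@example.com,SUCCESS
2024-05-01T09:00:02Z,CREATE,bob@example.com,FAILED
2024-05-01T09:40:00Z,CREATE,bob@example.com,SUCCESS
2024-05-02T10:00:00Z,DEACTIVATE,alice@example.com,SKIPPED
2024-05-02T10:40:00Z,DELETE,carol@example.com,SUCCESS
2024-05-02T11:00:00Z,UPDATE,dave@example.com,SUCCESS
2024-05-02T11:05:00Z,UPDATE,erin@example.com,FAILED
"""

REMOVAL_ACTIONS = {"DELETE", "DEACTIVATE"}


def load_entries(text):
    """Parse rows and normalise case so later comparisons are exact."""
    fix = {"action": str.upper, "status": str.upper, "resource": str.lower}
    return [{k: fix.get(k, str)(v.strip()) for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def unresolved_failures(entries):
    """FAILED operations with no later SUCCESS for the same action and resource."""
    open_failures = {}
    for e in sorted(entries, key=lambda e: e["timestamp"]):
        key = (e["action"], e["resource"])
        if e["status"] == "FAILED":
            open_failures[key] = e["timestamp"]
        elif e["status"] == "SUCCESS":
            open_failures.pop(key, None)
    return open_failures


def not_deprovisioned(entries, offboarded):
    """Offboarded users with no successful DELETE or DEACTIVATE in the log."""
    # SKIPPED and FAILED removals do not count as deprovisioned.
    removed = {e["resource"] for e in entries
               if e["action"] in REMOVAL_ACTIONS and e["status"] == "SUCCESS"}
    return sorted(u.lower() for u in offboarded if u.lower() not in removed)
```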

***

## Disabling SCIM

If you no longer need directory sync, you can disable SCIM:

1. In the **Provisioning & directory sync** card, select **Manual** or **Just-in-time**
2. Confirm the action — this immediately revokes your SCIM token and stops all directory sync
3. Existing users remain in your organization, but your IdP can no longer add or remove users automatically

<Warning>
  Disabling SCIM takes effect immediately. Your identity provider will start receiving authentication errors on its next sync cycle. Update or disable SCIM provisioning in your IdP to avoid unnecessary error alerts.
</Warning>

***

## Troubleshooting

### Groups aren't appearing in CloudThinker

Make sure groups are assigned to your CloudThinker application in your IdP's provisioning settings. CloudThinker doesn't pull groups from your IdP — your IdP needs to push them. Check **View sync logs** to see if any group sync attempts have been made.

### Users aren't being provisioned

1. Verify the user is assigned to your CloudThinker application in your IdP
2. Check that the SCIM token hasn't been rotated or revoked — if in doubt, rotate the token and update your IdP
3. Open **View sync logs** and look for FAILED entries — these often include details about what went wrong
4. Make sure the user's email address is valid and not already associated with a different CloudThinker organization

### Users aren't being deprovisioned

1. Make sure the user was removed from the CloudThinker application in your IdP (removing them from a group alone isn't enough — they need to be unassigned from the application)
2. Check sync logs for a DELETE or DEACTIVATE action for that user
3. Some IdPs don't sync changes instantly — for example, Microsoft Entra syncs approximately every 40 minutes. Wait for the next cycle and check again.

### SCIM token stopped working

The token may have been rotated or revoked by another admin. Generate a new token in CloudThinker and update your IdP's SCIM configuration with the new value.

### "Cannot enable JIT provisioning while SCIM is active"

JIT (Just-in-Time) provisioning and SCIM can't be used at the same time. To switch to JIT, first change the provisioning mode away from SCIM (to Manual or JIT). This revokes the SCIM token and stops directory sync.

***

## Related guides

<CardGroup cols={2}>
  <Card title="Set Up SSO" icon="key" href="/guide/security/sso">
    Configure SAML or OIDC single sign-on (prerequisite for SCIM)
  </Card>

  <Card title="Security Overview" icon="shield-halved" href="/guide/security/overview">
    MFA, RBAC, API keys, and data security
  </Card>

  <Card title="Organizations" icon="building-columns" href="/guide/organization">
    Manage organization members and roles
  </Card>

  <Card title="Workspace Users" icon="users" href="/guide/workspace-users">
    Workspace-level access control
  </Card>
</CardGroup>
