Skip to main content

Provision users with SCIM

How to set up SCIM user provisioning.

Richard Tifelt avatar
Written by Richard Tifelt
Updated this week

Use SCIM to automatically provision users from your Identity provider to Teamtailor. We have tested and currently support provisioning from Microsoft Entra ID and Okta, although other SCIM applications might work.

The table below outlines which attributes are currently supported and how they are mapped to Teamtailor users. Only User objects can currently be provisioned, "Groups" are not supported.

Customappsso Attribute

Entra ID attribute

Teamtailor User attribute

userName

userPrincipalName

Login email

externalId

mailNickname

external_id (internal attribute used in API and SSO logins as name-id)

emails[type eq "work"].value

mail

Display email

phoneNumbers[type eq "work"].value

telephoneNumber

Phone

title

jobTitle

Title

name.formatted

formatted

Full name

name.givenName

givenName (optional)

First part of name if no name.formatted is used

name.familyName

surname (optional)

Last part of name if no name.formatted is used

active

Switch([IsSoftDeleted], , "False", "True", "True", "False")

false sets role "no_acess"

true sets role "user" if it was previously "no_access"

How to set up SCIM in Microsoft Entra ID

Follow the Microsoft documentation to set up the SCIM application and user mappings, see: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/how-provisioning-works

The Tenant URL is https://api.teamtailor.com/scim/v2/

The Secret key is an API key that will need to be generated by your main contact at Teamtailor.

The applications should be set up as a "non-gallery" SCIM application.

How to set up SCIM in Okta

Follow the Okta documentation here - https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_scim.htm - note that you must create the SAML 2.0 application first.

Add the following settings:

  • The SCIM connector base URL is https://api.teamtailor.com/scim/v2/ .

  • The Unique identifier field for users is email.

  • The Authentication Mode is HTTP Header.

  • The HTTP Header Authorization is a SCIM API key that will be provided by Teamtailor. Contact Teamtailor for this.

You can then select the Provisioning to App settings, including which events you would like to include.

Related Articles
Use SSO (Single Sign-On) with Teamtailor
How to set up SSO with Google Apps
How to set up SSO with Okta
How to set up SSO with OneLogin
Did this answer your question?