
Provision users with SCIM

How to set up SCIM user provisioning

Written by Richard Tifelt
Updated over a week ago

Use SCIM to automatically provision users from your identity provider to Teamtailor. We have tested and currently support provisioning from Microsoft Entra ID and Okta, although other SCIM applications might work.

The table below outlines which attributes are currently supported and how they are mapped to Teamtailor users. Only User objects can currently be provisioned; "Groups" are not supported.

| Customappsso Attribute | Entra ID attribute | Teamtailor User attribute |
| --- | --- | --- |
| userName | userPrincipalName | Login email |
| externalId | mailNickname | external_id (internal attribute used in API and SSO logins as name-id) |
| emails[type eq "work"].value | mail | Display email |
| phoneNumbers[type eq "work"].value | telephoneNumber | Phone |
| title | jobTitle | Title |
| name.formatted | formatted | Full name |
| name.givenName | givenName (optional) | First part of name if no name.formatted is used |
| name.familyName | surname (optional) | Last part of name if no name.formatted is used |
| active | Switch([IsSoftDeleted], , "False", "True", "True", "False") | false sets role "no_access"; true sets role "user" if it was previously "no_access" |
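To check a payload against the mapping above before enabling provisioning, the following added example (not Teamtailor's own code) resolves a SCIM User to the fields in the table. The sample payload, the dictionary keys, accepting "True"/"False" strings as well as booleans, and leaving the role unchanged when "active" is absent are assumptions of the example.

```python
import json

# Constructed sample payload: a SCIM 2.0 User as an identity provider might send it.
SAMPLE_USER = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "ada.lovelace@example.com",
  "externalId": "ada.lovelace",
  "name": {"givenName": "Ada", "familyName": "Lovelace"},
  "title": "Recruiter",
  "emails": [{"type": "home", "value": "ada@home.example"},
             {"type": "work", "value": "ada@example.com"}],
  "phoneNumbers": [{"type": "work", "value": "+46 8 555 0100"}],
  "active": "False"
}""")


def work_value(entries):
    """Apply the [type eq "work"].value filter to a multi-valued attribute."""
    return next((e.get("value") for e in entries or [] if e.get("type") == "work"), None)


def as_bool(value):
    """Accept a JSON boolean or the "True"/"False" strings the Switch() mapping emits."""
    if isinstance(value, str):
        return {"true": True, "false": False}.get(value.strip().lower())
    return value if isinstance(value, bool) else None


def preview_mapping(scim_user, previous_role):
    """Return (fields, warnings); the dict keys are labels chosen for this example."""
    name = scim_user.get("name") or {}
    parts = [p for p in (name.get("givenName"), name.get("familyName")) if p]
    active = as_bool(scim_user.get("active"))
    role = previous_role                      # assumption: no change if "active" is absent
    if active is False:
        role = "no_access"                    # deactivated in the identity provider
    elif active is True and previous_role == "no_access":
        role = "user"                         # re-activated; any other role is kept
    fields = {
        "login_email": scim_user.get("userName"),
        "external_id": scim_user.get("externalId"),  # used as SSO name-id per the table
        "display_email": work_value(scim_user.get("emails")),
        "phone": work_value(scim_user.get("phoneNumbers")),
        "title": scim_user.get("title"),
        "full_name": name.get("formatted") or " ".join(parts) or None,
        "role": role,
    }
    warnings = [f"{k} is empty" for k in ("login_email", "external_id") if not fields[k]]
    return fields, warnings
```

Calling preview_mapping(SAMPLE_USER, "user") shows the deactivated sample user ending up with role "no_access"; an empty external_id is flagged because the table uses it as the SSO name-id.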

Set up SCIM in Microsoft Entra ID

Follow the Microsoft documentation to set up the SCIM application and user mappings. See: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/how-provisioning-works

The Secret key is an API key that will need to be generated by your main contact at Teamtailor.

The applications should be set up as a "non-gallery" SCIM application.

Set up SCIM in Okta

For Okta, you have two options:

  1. Use one single app for both SSO and SCIM

  2. Download a separate SCIM app within Okta in order to keep the apps separate.

Single App

Follow the Okta documentation here - https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_scim.htm - note that you must create the SAML 2.0 application first.

Add the following settings:

  • The SCIM connector base URL is https://api.teamtailor.com/scim/v2/ .

  • The Unique identifier field for users is email.

  • The Authentication Mode is HTTP Header.

  • The HTTP Header Authorization is a SCIM API key that will be provided by Teamtailor. Contact Teamtailor for this.

You can then select the Provisioning to App settings, including which events you would like to include.

Separate SCIM app

We recommend downloading the "SCIM 2.0 Test App (OAuth Bearer Token)" app from Okta. You then have the following options that allow you to enable SCIM without the mandatory SAML setup:

  1. Use the SWA Connector, enter a default Teamtailor URL, and then enable SCIM.

  2. Use the dedicated SCIM app from the OIN.

  3. (Less clean) Use the SAML connector, but enter dummy info in the SAML settings.
