Configuring SCIM User Provisioning
ScribbleMaps supports SCIM 2.0 (System for Cross-domain Identity Management) for automated user provisioning and deprovisioning. This allows you to automatically sync users from your Identity Provider (IdP) to ScribbleMaps, ensuring team membership stays in sync with your organization's directory.
SCIM provisioning is available at team.scribblemaps.com and is completely free.
Table of Contents
- What is SCIM?
- Before You Begin
- Step 1: Enable SCIM in ScribbleMaps
- Step 2: Generate a Bearer Token
- Step 3: Configure Your Identity Provider
- Step 4: Set Default Product Assignment
- Step 5: Test and Assign Users
- Provider-Specific Guides
- Supported SCIM Operations
- User Lifecycle Management
- Troubleshooting
What is SCIM?
SCIM (System for Cross-domain Identity Management) is an open standard that allows you to automatically:
- Provision users - Automatically create ScribbleMaps accounts when users are assigned in your IdP
- Update users - Keep user information (name, email) synchronized
- Deprovision users - Automatically deactivate accounts when users are removed from your IdP
- Manage roles - Assign users to Admin or Member roles via group membership
SCIM works alongside SSO (SAML/OIDC) to provide complete identity lifecycle management.
Before You Begin
- You must be a Team Owner to configure SCIM
- You need access to your Identity Provider's admin console
- Your IdP must support SCIM 2.0 (Okta, Microsoft Entra ID, OneLogin, JumpCloud, etc.)
- We recommend configuring SSO before SCIM for the best user experience
Step 1: Enable SCIM in ScribbleMaps
- Log in to team.scribblemaps.com
- Navigate to SCIM Provisioning (left side bar)
- Toggle Enable SCIM to ON
Note: You'll need to generate a bearer token before SCIM can be fully enabled.
Step 2: Generate a Bearer Token
The bearer token authenticates your Identity Provider with ScribbleMaps.
- On the SCIM settings page, click Generate Token
- Copy the token immediately and store it securely
Important Security Notes:
- The token is only displayed once - if you lose it, you'll need to generate a new one
- Treat this token like a password - anyone with the token can manage your team's users
- You can revoke and regenerate the token at any time if it's compromised
- Revoking a token immediately stops all SCIM operations until a new token is configured
Step 3: Configure Your Identity Provider
Use the following details to configure ScribbleMaps as a SCIM application in your IdP:
| Setting | Value |
|---|---|
| SCIM Base URL | https://api.scribblemaps.com/scim/v2 |
| Authentication Method | HTTP Header / Bearer Token |
| Authorization Header | Bearer YOUR_TOKEN_HERE |
| Unique Identifier | userName (email address) |
SCIM Endpoints Reference
| Endpoint | Purpose |
|---|---|
| /scim/v2/Users | User provisioning and management |
| /scim/v2/Groups | Role/group membership management |
| /scim/v2/ServiceProviderConfig | SCIM capabilities (discovery) |
| /scim/v2/ResourceTypes | Supported resource types (discovery) |
| /scim/v2/Schemas | User and Group schemas (discovery) |
Step 4: Set Default Product Assignment (Optional)
You can automatically assign a product license to users when they're provisioned via SCIM:
- On the SCIM settings page, find Default Product Assignment
- Select a product:
  - None - Users are created without a product (assign manually later)
  - Viewer - View-only access
  - Pro Basic - Standard editing features
  - Pro Business - Full feature access
- Click Save
Note: Users will only be assigned a product if seats are available. If no seats are available, the user is created but left unassigned.
Step 5: Test and Assign Users
- In your Identity Provider, use the Test Connection feature to verify SCIM connectivity
- Assign a test user to the ScribbleMaps application in your IdP
- Verify the user appears in your ScribbleMaps team members list
- Once confirmed, assign additional users or groups as needed
Provider-Specific Guides
Okta
- In Okta Admin Console, go to Applications > Browse App Catalog
- Search for "SCIM 2.0 Test App (Header Auth)" or create a custom SCIM app
- Go to the Provisioning tab > Configure API Integration
- Check Enable API integration
- Configure:
  - SCIM 2.0 Base URL: https://api.scribblemaps.com/scim/v2
  - OAuth Bearer Token: Paste your ScribbleMaps SCIM token
- Click Test API Credentials to verify
- Go to Provisioning > To App and enable:
  - Create Users
  - Update User Attributes
  - Deactivate Users
- Go to Assignments tab to assign users or groups
Microsoft Entra ID (Azure AD)
- In Azure Portal, go to Microsoft Entra ID > Enterprise Applications
- Select your ScribbleMaps application (or create one)
- Go to Provisioning > Get Started
- Set Provisioning Mode to Automatic
- Under Admin Credentials:
  - Tenant URL: https://api.scribblemaps.com/scim/v2
  - Secret Token: Paste your ScribbleMaps SCIM token
- Click Test Connection to verify
- Configure Mappings for user attributes
- Set Provisioning Status to On
- Go to Users and groups to assign users
OneLogin
- In OneLogin Admin, go to Applications > Add App
- Search for "SCIM Provisioner with SAML (SCIM v2 Core)" or similar
- Go to Configuration tab
- Configure:
  - SCIM Base URL: https://api.scribblemaps.com/scim/v2
  - SCIM Bearer Token: Paste your ScribbleMaps SCIM token
- Go to Provisioning tab and enable provisioning
- Go to Users tab to assign users
JumpCloud
- In JumpCloud Admin, go to SSO Applications
- Click + to add a new application
- Select Custom SCIM
- Configure:
  - Base URL: https://api.scribblemaps.com/scim/v2
  - Token Key: Paste your ScribbleMaps SCIM token
  - Authentication: Bearer Token
- Click Test Connection
- Configure attribute mappings
- Assign user groups to the application
Supported SCIM Operations
User Operations
| Operation | Method | Supported | Description |
|---|---|---|---|
| List Users | GET /Users | Yes | Retrieve all users with pagination and filtering |
| Get User | GET /Users/{id} | Yes | Retrieve a specific user by ID |
| Create User | POST /Users | Yes | Provision a new user |
| Replace User | PUT /Users/{id} | Yes | Full update of user attributes |
| Update User | PATCH /Users/{id} | Yes | Partial update of user attributes |
| Delete User | DELETE /Users/{id} | Yes | Deactivate user (soft delete) |
Group Operations
| Operation | Method | Supported | Description |
|---|---|---|---|
| List Groups | GET /Groups | Yes | Returns Admin and Member role groups |
| Get Group | GET /Groups/{id} | Yes | Retrieve group with member list |
| Update Group | PATCH /Groups/{id} | Yes | Add/remove members from role groups |
| Create Group | POST /Groups | No | Not supported (roles are fixed) |
Supported User Attributes
| SCIM Attribute | ScribbleMaps Field | Required |
|---|---|---|
| userName | Email address | Yes |
| externalId | External IdP identifier | No |
| name.givenName | First name | No |
| name.familyName | Last name | No |
| displayName | Display name | No |
| active | Account status | No |
| emails[].value | Email address | No |
Supported Filters
| Filter | Example |
|---|---|
| Filter by email | userName eq "user@example.com" |
| Filter by external ID | externalId eq "12345" |
| Filter by status | active eq true |
User Lifecycle Management
When a User is Provisioned
- A new team member account is created in ScribbleMaps
- User information (name, email) is populated from your IdP
- If a default product is configured and seats are available, a license is automatically assigned
- The user can immediately log in via SSO (if configured)
When a User is Updated
- User attributes (name, display name) are updated to match your IdP
- Email changes are synchronized (unless the user has linked their account)
When a User is Deprovisioned
- The user's account is deactivated (soft delete)
- All product licenses are removed, freeing up seats
- All active sessions are immediately invalidated
- The user can no longer log in
- User data and maps are preserved (not deleted)
- The account can be reactivated if the user is re-provisioned
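To confirm that deprovisioning is keeping the team in sync, the active accounts returned by GET /Users can be compared against the IdP roster. The following is an added example, not ScribbleMaps code: it assumes the service honours the RFC 7644 `startIndex`/`count` paging parameters and that the token is held in a `SCIM_TOKEN` environment variable (a name chosen here), and it uses constructed sample users so it runs offline.

```python
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "https://api.scribblemaps.com/scim/v2"  # SCIM Base URL from Step 3

def http_fetch(url):
    """GET one page, sending the token as 'Authorization: Bearer <token>'."""
    token = os.environ["SCIM_TOKEN"]  # assumed variable name; keep the token out of source
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def list_active_users(fetch=http_fetch, page_size=100):
    """Collect every active user, paging with startIndex/count (assumed honoured)."""
    users, start = [], 1
    while True:
        query = urllib.parse.urlencode(
            {"filter": "active eq true", "startIndex": start, "count": page_size})
        page = fetch(f"{BASE_URL}/Users?{query}")
        resources = page.get("Resources", [])
        users.extend(resources)
        start += len(resources)
        if not resources or start > page.get("totalResults", 0):
            return users

def find_orphans(scim_users, idp_emails):
    """Active ScribbleMaps accounts whose userName is absent from the IdP roster."""
    roster = {e.strip().lower() for e in idp_emails}
    return sorted(u["userName"] for u in scim_users
                  if u.get("active", True) and u["userName"].lower() not in roster)

# Constructed sample users, plus an offline stand-in for http_fetch that pages them.
SAMPLE_USERS = [
    {"id": "u1", "userName": "ana@example.com", "active": True},
    {"id": "u2", "userName": "Ben@example.com", "active": True},
    {"id": "u3", "userName": "left-company@example.com", "active": True},
]

def sample_fetch(url):
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    start, count = int(q["startIndex"][0]), int(q["count"][0])
    return {"totalResults": len(SAMPLE_USERS),
            "Resources": SAMPLE_USERS[start - 1:start - 1 + count]}

if __name__ == "__main__":
    users = list_active_users(fetch=sample_fetch, page_size=2)
    print(find_orphans(users, ["ana@example.com", "ben@example.com"]))
```

Any address it reports is an account that is still active in ScribbleMaps but no longer assigned in the IdP, which is worth reviewing before the next provisioning cycle.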
Role Management via Groups
ScribbleMaps exposes two role groups via SCIM:
| Group ID | Role | Permissions |
|---|---|---|
| admin | Administrator | Manage team settings, users, and billing |
| member | Member | Standard team member access |
To assign a user as an admin, add them to the admin group via SCIM PATCH. The Owner role cannot be modified via SCIM.
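The lookup and role change described above, as an added example rather than ScribbleMaps code: it builds (but does not send) the userName filter query from Supported Filters and the PATCH for a role group. The PatchOp body follows RFC 7644; the page does not show the exact payload, so the member `value` (taken here to be the user's SCIM id) and the helper names are assumptions.

```python
import json
import urllib.parse
import urllib.request

BASE_URL = "https://api.scribblemaps.com/scim/v2"  # SCIM Base URL from Step 3
ROLE_GROUPS = {"admin", "member"}  # the two Group IDs listed above
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644

def user_lookup_url(email):
    """URL for GET /Users filtered by userName; the value is quoted as a JSON string."""
    # json.dumps escapes embedded quotes and backslashes, so a crafted address
    # cannot break out of the filter literal and change the query.
    flt = f"userName eq {json.dumps(email)}"
    return f"{BASE_URL}/Users?{urllib.parse.urlencode({'filter': flt})}"

def role_patch_request(token, group_id, user_id, op="add"):
    """Build (without sending) the PATCH that adds or removes one role-group member."""
    if group_id not in ROLE_GROUPS:
        raise ValueError(f"unknown role group: {group_id!r}")
    if op == "add":
        operation = {"op": "add", "path": "members", "value": [{"value": user_id}]}
    elif op == "remove":
        # Narrow the members attribute to the single user being removed.
        operation = {"op": "remove", "path": f"members[value eq {json.dumps(user_id)}]"}
    else:
        raise ValueError("op must be 'add' or 'remove'")
    body = {"schemas": [PATCH_SCHEMA], "Operations": [operation]}
    return urllib.request.Request(
        f"{BASE_URL}/Groups/{group_id}", method="PATCH",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/scim+json"})

if __name__ == "__main__":
    print(user_lookup_url("user@example.com"))
    req = role_patch_request("PLACEHOLDER_TOKEN", "admin", "constructed-user-id")
    print(req.get_method(), req.full_url, req.data.decode())
```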
Troubleshooting
Common Issues
"401 Unauthorized" or "Invalid token"
- Verify the bearer token is correct and hasn't been revoked
- Ensure the token is passed in the Authorization header as Bearer YOUR_TOKEN
- Check if the token has expired (if expiry was set)
- Generate a new token if needed
"409 Conflict" - User already exists
- A user with that email already exists in your team
- If the existing user was deactivated, SCIM will automatically reactivate them
- Check for duplicate email addresses in your IdP
"400 Bad Request" - Missing required field
- Ensure userName (email) is included in the request
- Verify email format is valid
- Check your IdP's attribute mapping configuration
Users created but no product assigned
- Check if a default product is configured in SCIM settings
- Verify you have available seats for the default product
- Users can be assigned products manually in Team Settings
User changes not syncing
- Some IdPs sync on a schedule (e.g., every 40 minutes for Azure AD)
- Try forcing a manual sync in your IdP
- Verify SCIM is still enabled and the token is valid
Test connection fails
- Verify the SCIM Base URL is exactly https://api.scribblemaps.com/scim/v2
- Ensure there are no trailing slashes or typos
- Check that your network/firewall allows outbound HTTPS to api.scribblemaps.com
Need Help?
If you're experiencing issues with SCIM provisioning, please contact our support team with:
- Your Team name
- The Identity Provider you're using
- Any error messages from your IdP's provisioning logs
- Screenshots of your SCIM configuration (with token redacted)
We're here to help you get SCIM provisioning configured for your organization.