Skip to main content

SCIM Provisioning

  • Updated

Configuring SCIM User Provisioning

ScribbleMaps supports SCIM 2.0 (System for Cross-domain Identity Management) for automated user provisioning and deprovisioning. This allows you to automatically sync users from your Identity Provider (IdP) to ScribbleMaps, ensuring team membership stays in sync with your organization's directory.

SCIM provisioning is available at team.scribblemaps.com and is completely free.

Table of Contents

  1. What is SCIM?
  2. Before You Begin
  3. Step 1: Enable SCIM in ScribbleMaps
  4. Step 2: Generate a Bearer Token
  5. Step 3: Configure Your Identity Provider
  6. Step 4: Set Default Product Assignment
  7. Step 5: Test and Assign Users
  8. Provider-Specific Guides
  9. Supported SCIM Operations
  10. User Lifecycle Management
  11. Troubleshooting

What is SCIM?

SCIM (System for Cross-domain Identity Management) is an open standard that allows you to automatically:

  • Provision users - Automatically create ScribbleMaps accounts when users are assigned in your IdP
  • Update users - Keep user information (name, email) synchronized
  • Deprovision users - Automatically deactivate accounts when users are removed from your IdP
  • Manage roles - Assign users to Admin or Member roles via group membership

SCIM works alongside SSO (SAML/OIDC) to provide complete identity lifecycle management.

Before You Begin

  • You must be a Team Owner to configure SCIM
  • You need access to your Identity Provider's admin console
  • Your IdP must support SCIM 2.0 (Okta, Microsoft Entra ID, OneLogin, JumpCloud, etc.)
  • We recommend configuring SSO before SCIM for the best user experience

Step 1: Enable SCIM in ScribbleMaps

  1. Log in to team.scribblemaps.com
  2. Navigate to SCIM Provisioning (left side bar)
  3. Toggle Enable SCIM to ON

Note: You'll need to generate a bearer token before SCIM can be fully enabled.

Step 2: Generate a Bearer Token

The bearer token authenticates your Identity Provider with ScribbleMaps.

  1. On the SCIM settings page, click Generate Token
  2. Copy the token immediately and store it securely

Important Security Notes:

  • The token is only displayed once - if you lose it, you'll need to generate a new one
  • Treat this token like a password - anyone with the token can manage your team's users
  • You can revoke and regenerate the token at any time if it's compromised
  • Revoking a token immediately stops all SCIM operations until a new token is configured

Step 3: Configure Your Identity Provider

Use the following details to configure ScribbleMaps as a SCIM application in your IdP:

Setting Value
SCIM Base URL https://api.scribblemaps.com/scim/v2
Authentication Method HTTP Header / Bearer Token
Authorization Header Bearer YOUR_TOKEN_HERE
Unique Identifier userName (email address)

SCIM Endpoints Reference

Endpoint Purpose
/scim/v2/Users User provisioning and management
/scim/v2/Groups Role/group membership management
/scim/v2/ServiceProviderConfig SCIM capabilities (discovery)
/scim/v2/ResourceTypes Supported resource types (discovery)
/scim/v2/Schemas User and Group schemas (discovery)

Step 4: Set Default Product Assignment (Optional)

You can automatically assign a product license to users when they're provisioned via SCIM:

  1. On the SCIM settings page, find Default Product Assignment
  2. Select a product:
    • None - Users are created without a product (assign manually later)
    • Viewer - View-only access
    • Pro Basic - Standard editing features
    • Pro Business - Full feature access
  3. Click Save

Note: Users will only be assigned a product if seats are available. If no seats are available, the user is created but left unassigned.

Step 5: Test and Assign Users

  1. In your Identity Provider, use the Test Connection feature to verify SCIM connectivity
  2. Assign a test user to the ScribbleMaps application in your IdP
  3. Verify the user appears in your ScribbleMaps team members list
  4. Once confirmed, assign additional users or groups as needed

Provider-Specific Guides

Okta

  1. In Okta Admin Console, go to Applications > Browse App Catalog
  2. Search for "SCIM 2.0 Test App (Header Auth)" or create a custom SCIM app
  3. Go to the Provisioning tab > Configure API Integration
  4. Check Enable API integration
  5. Configure:
    • SCIM 2.0 Base URL: https://api.scribblemaps.com/scim/v2
    • OAuth Bearer Token: Paste your ScribbleMaps SCIM token
  6. Click Test API Credentials to verify
  7. Go to Provisioning > To App and enable:
    • Create Users
    • Update User Attributes
    • Deactivate Users
  8. Go to Assignments tab to assign users or groups

Microsoft Entra ID (Azure AD)

  1. In Azure Portal, go to Microsoft Entra ID > Enterprise Applications
  2. Select your ScribbleMaps application (or create one)
  3. Go to Provisioning > Get Started
  4. Set Provisioning Mode to Automatic
  5. Under Admin Credentials:
    • Tenant URL: https://api.scribblemaps.com/scim/v2
    • Secret Token: Paste your ScribbleMaps SCIM token
  6. Click Test Connection to verify
  7. Configure Mappings for user attributes
  8. Set Provisioning Status to On
  9. Go to Users and groups to assign users

OneLogin

  1. In OneLogin Admin, go to Applications > Add App
  2. Search for "SCIM Provisioner with SAML (SCIM v2 Core)" or similar
  3. Go to Configuration tab
  4. Configure:
    • SCIM Base URL: https://api.scribblemaps.com/scim/v2
    • SCIM Bearer Token: Paste your ScribbleMaps SCIM token
  5. Go to Provisioning tab and enable provisioning
  6. Go to Users tab to assign users

JumpCloud

  1. In JumpCloud Admin, go to SSO Applications
  2. Click + to add a new application
  3. Select Custom SCIM
  4. Configure:
    • Base URL: https://api.scribblemaps.com/scim/v2
    • Token Key: Paste your ScribbleMaps SCIM token
    • Authentication: Bearer Token
  5. Click Test Connection
  6. Configure attribute mappings
  7. Assign user groups to the application

Supported SCIM Operations

User Operations

Operation Method Supported Description
List Users GET /Users Yes Retrieve all users with pagination and filtering
Get User GET /Users/{id} Yes Retrieve a specific user by ID
Create User POST /Users Yes Provision a new user
Replace User PUT /Users/{id} Yes Full update of user attributes
Update User PATCH /Users/{id} Yes Partial update of user attributes
Delete User DELETE /Users/{id} Yes Deactivate user (soft delete)

Group Operations

Operation Method Supported Description
List Groups GET /Groups Yes Returns Admin and Member role groups
Get Group GET /Groups/{id} Yes Retrieve group with member list
Update Group PATCH /Groups/{id} Yes Add/remove members from role groups
Create Group POST /Groups No Not supported (roles are fixed)

Supported User Attributes

SCIM Attribute ScribbleMaps Field Required
userName Email address Yes
externalId External IdP identifier No
name.givenName First name No
name.familyName Last name No
displayName Display name No
active Account status No
emails[].value Email address No

Supported Filters

Filter Example
Filter by email userName eq "user@example.com"
Filter by external ID externalId eq "12345"
Filter by status active eq true

User Lifecycle Management

When a User is Provisioned

  1. A new team member account is created in ScribbleMaps
  2. User information (name, email) is populated from your IdP
  3. If a default product is configured and seats are available, a license is automatically assigned
  4. The user can immediately log in via SSO (if configured)

When a User is Updated

  1. User attributes (name, display name) are updated to match your IdP
  2. Email changes are synchronized (unless the user has linked their account)

When a User is Deprovisioned

  1. The user's account is deactivated (soft delete)
  2. All product licenses are removed, freeing up seats
  3. All active sessions are immediately invalidated
  4. The user can no longer log in
  5. User data and maps are preserved (not deleted)
  6. The account can be reactivated if the user is re-provisioned

Role Management via Groups

ScribbleMaps exposes two role groups via SCIM:

Group ID Role Permissions
admin Administrator Manage team settings, users, and billing
member Member Standard team member access

To assign a user as an admin, add them to the admin group via SCIM PATCH. The Owner role cannot be modified via SCIM.

Troubleshooting

Common Issues

"401 Unauthorized" or "Invalid token"

  • Verify the bearer token is correct and hasn't been revoked
  • Ensure the token is passed in the Authorization header as Bearer YOUR_TOKEN
  • Check if the token has expired (if expiry was set)
  • Generate a new token if needed

"409 Conflict" - User already exists

  • A user with that email already exists in your team
  • If the existing user was deactivated, SCIM will automatically reactivate them
  • Check for duplicate email addresses in your IdP

"400 Bad Request" - Missing required field

  • Ensure userName (email) is included in the request
  • Verify email format is valid
  • Check your IdP's attribute mapping configuration

Users created but no product assigned

  • Check if a default product is configured in SCIM settings
  • Verify you have available seats for the default product
  • Users can be assigned products manually in Team Settings

User changes not syncing

  • Some IdPs sync on a schedule (e.g., every 40 minutes for Azure AD)
  • Try forcing a manual sync in your IdP
  • Verify SCIM is still enabled and the token is valid

Test connection fails

  • Verify the SCIM Base URL is exactly https://api.scribblemaps.com/scim/v2
  • Ensure there are no trailing slashes or typos
  • Check that your network/firewall allows outbound HTTPS to api.scribblemaps.com
     

Need Help?

If you're experiencing issues with SCIM provisioning, please contact our support team with:

  • Your Team name
  • The Identity Provider you're using
  • Any error messages from your IdP's provisioning logs
  • Screenshots of your SCIM configuration (with token redacted)

We're here to help you get SCIM provisioning configured for your organization.

Comments

0 comments

Please sign in to leave a comment.

Hi. Need any help?
Chat with Mappy