SCIM Provisioning
SCIM (System for Cross-domain Identity Management) lets you automatically sync users between your identity provider and Omnivoo. When you add someone in Okta or Azure AD, they are automatically provisioned in Omnivoo. When you remove them, their access is revoked instantly.
Why Use SCIM
- No manual invitations - New hires are provisioned automatically when added to the Omnivoo application in your IdP.
- Instant deprovisioning - When someone leaves your company or is removed from the app in your IdP, their Omnivoo account is deactivated and all sessions are revoked immediately.
- Accurate directory - User profile updates (name, email) sync automatically from your IdP to Omnivoo.
- Reduced admin overhead - Your IT team manages access in one place instead of two.
Prerequisites
Before configuring SCIM, you must have:
- An active SSO connection configured and verified (see Setting Up SSO)
- Owner or Admin role on your Omnivoo company account
SCIM requires an active SSO connection because provisioned users need a way to authenticate. Without SSO, automatically created users would have no login method tied to your IdP.
Generating a SCIM Token
- Open the Single Sign-On page (avatar menu → Company Settings → Company tab → Configure SSO). See Setting Up SSO.
- Scroll to the SCIM Provisioning section. This section only appears once you have an SSO connection.
- On an active connection, click Generate SCIM Token.
- Copy the token that appears.
Save the SCIM token immediately -- it cannot be retrieved again. If you lose it, generate a new one (which invalidates the previous token).
SCIM Endpoint
The SCIM Provisioning section shows your SCIM endpoint. It is your Omnivoo API base URL followed by /scim/v2. Use the exact endpoint shown on the page when configuring your identity provider.
Your IdP will append standard SCIM paths (e.g., /Users, /Groups) to this base URL automatically.
Configuring Your Identity Provider
Okta
- In Okta, open the Omnivoo application you created for SSO.
- Go to the Provisioning tab and click Configure API Integration.
- Check Enable API integration.
- Enter the SCIM base URL shown on the Omnivoo SCIM Provisioning section (your API base URL followed by /scim/v2).
- Paste the SCIM token from Omnivoo into the API Token field.
- Click Test API Credentials to verify the connection.
- Click Save.
- Under Provisioning > To App, enable:
- Create Users
- Update User Attributes
- Deactivate Users
Azure AD / Entra ID
- In the Azure portal, open the Omnivoo enterprise application.
- Go to Provisioning and set the mode to Automatic.
- Under Admin Credentials:
- Tenant URL: The SCIM endpoint shown on the Omnivoo SCIM Provisioning section (your API base URL followed by /scim/v2)
- Secret Token: Paste the SCIM token from Omnivoo
- Click Test Connection to verify.
- Click Save.
- Configure Mappings to sync the user attributes you need (email and display name are required).
- Set Provisioning Status to On.
What SCIM Handles
| Action in Your IdP | What Happens in Omnivoo |
|---|---|
| Assign user to Omnivoo app | An Omnivoo account is created for the user, ready to sign in via SSO (no separate invitation email is sent) |
| Update user's name or email | User profile is updated in Omnivoo |
| Unassign or deactivate user | User account is deactivated and all active sessions are revoked |
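The rows above correspond to standard SCIM 2.0 requests (RFC 7644) that an IdP sends to the /Users path. This added example (not Omnivoo's code) classifies such requests, including the two common encodings of a deactivation; the function names, sample requests and user ids are constructed for illustration.

```python
import json

def _as_bool(value):
    # Booleans sometimes arrive as the strings "True"/"False"; accept both.
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value if isinstance(value, bool) else None

def _active_in_patch(doc):
    """Return the 'active' value a PatchOp body sets, or None if it sets none."""
    for op in doc.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("add", "replace"):
            continue
        path, value = str(op.get("path") or "").lower(), op.get("value")
        if path == "active":
            return _as_bool(value)
        if not path and isinstance(value, dict) and "active" in value:
            return _as_bool(value["active"])
    return None

def classify(method, path, body=""):
    """Map one SCIM request to the IdP action it represents."""
    segments = [s for s in path.split("?")[0].split("/") if s]
    if "Users" not in segments:
        return "other"
    on_member = segments[-1] != "Users"  # /Users/{id} rather than the collection
    doc = json.loads(body) if body else {}
    method = method.upper()
    if method == "POST" and not on_member:
        return "create"
    if method == "DELETE" and on_member:
        return "delete"
    if method in ("PUT", "PATCH") and on_member:
        active = _as_bool(doc.get("active")) if method == "PUT" else _active_in_patch(doc)
        if active is False:
            return "deactivate"
        return "reactivate" if active is True and method == "PATCH" else "update"
    return "other"

# Constructed sample requests (not captured from a real tenant).
SAMPLES = [
    ("POST", "/scim/v2/Users", '{"userName": "a.lee@example.test", "active": true}'),
    ("PATCH", "/scim/v2/Users/42", '{"Operations": [{"op": "replace", "value": {"active": false}}]}'),
    ("PATCH", "/scim/v2/Users/42", '{"Operations": [{"op": "Replace", "path": "active", "value": "False"}]}'),
    ("PATCH", "/scim/v2/Users/42", '{"Operations": [{"op": "replace", "path": "displayName", "value": "A. Lee"}]}'),
]
if __name__ == "__main__":
    for m, p, b in SAMPLES:
        print(m, p, "->", classify(m, p, b))
```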
What Happens on Deprovisioning
When a user is deprovisioned through SCIM:
- Their Omnivoo account is deactivated -- they can no longer log in.
- All active sessions are revoked immediately -- any open tabs or devices are logged out.
- Their historical data (contracts, timesheets, payments) is retained for compliance and audit purposes.
- If the user is later re-provisioned, their account is reactivated with their previous data intact.
Deprovisioning does not delete data. Omnivoo retains records for legal and financial compliance. The user simply loses the ability to access the platform.
Troubleshooting
SCIM test connection fails.
- Verify the SCIM base URL exactly matches the endpoint shown on the Omnivoo SCIM Provisioning section (no trailing slash).
- Confirm the SCIM token is correct and has not been regenerated since you copied it.
- Ensure your SSO connection is active and verified.
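A pre-flight check for the base URL and token before they are pasted into the IdP, as an added example (not Omnivoo's code). The host api.example.test, the environment variable names, the Bearer authorization scheme, the https requirement and the /Users?count=1 probe are assumptions; always use the exact endpoint shown on the SCIM Provisioning section.

```python
import os
import urllib.request
from urllib.parse import urlsplit

def check_base_url(url):
    """Return a list of problems with a pasted SCIM base URL (empty list = OK)."""
    problems = []
    if any(c.isspace() for c in url):
        problems.append("contains whitespace (copy/paste artefact)")
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme is not https; the token would travel in clear text")
    if not parts.hostname:
        problems.append("missing host")
    if parts.username or parts.password:
        problems.append("credentials embedded in the URL")
    if parts.query or parts.fragment:
        problems.append("query string or fragment present")
    if parts.path.endswith("/"):
        problems.append("trailing slash")
    elif not parts.path.endswith("/scim/v2"):
        problems.append("path does not end with /scim/v2")
    return problems

def check_token(token):
    """Return a list of problems with a pasted SCIM token (empty list = OK)."""
    if not token:
        return ["token is empty"]
    if any(c.isspace() for c in token):
        return ["token contains whitespace or a newline"]
    return []

def build_probe(base_url, token):
    """Build, without sending, a minimal authenticated read of {base}/Users."""
    issues = check_base_url(base_url) + check_token(token)
    if issues:
        raise ValueError("; ".join(issues))
    req = urllib.request.Request(base_url + "/Users?count=1", method="GET")
    req.add_header("Authorization", "Bearer " + token)  # assumption: bearer scheme
    req.add_header("Accept", "application/scim+json")
    return req

if __name__ == "__main__":
    # Token is read from the environment, not argv, so it stays out of the process list.
    base, tok = os.environ.get("SCIM_BASE_URL", ""), os.environ.get("SCIM_TOKEN", "")
    if base and tok:
        with urllib.request.urlopen(build_probe(base, tok), timeout=10) as resp:
            print("HTTP", resp.status)
```

A 401 response surfaces as `urllib.error.HTTPError`, which points at a wrong or regenerated token rather than a wrong URL.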
Users are not being provisioned.
- Check that provisioning is enabled and set to Automatic in your IdP.
- Verify that users are assigned to the Omnivoo application in your IdP.
- Review your IdP's provisioning logs for error details.
Deprovisioned user can still access Omnivoo.
- SCIM deprovisioning revokes sessions immediately. If the user can still access the app, verify the deprovisioning event was sent by checking your IdP's provisioning logs.
What's Next?
- Setting Up SSO - Configure SSO before enabling SCIM
- Managing Team Members - Manual team management options
- Single Sign-On (SSO) - SSO overview and authentication policies