
SCIM Provisioning

SCIM (System for Cross-domain Identity Management) lets you automatically sync users between your identity provider and Omnivoo. When you add someone in Okta or Azure AD, they are automatically provisioned in Omnivoo. When you remove them, their access is revoked instantly.

Why Use SCIM

  • No manual invitations — New hires are provisioned automatically when added to the Omnivoo application in your IdP.
  • Instant deprovisioning — When someone leaves your company or is removed from the app in your IdP, their Omnivoo account is deactivated and all sessions are revoked immediately.
  • Accurate directory — User profile updates (name, email) sync automatically from your IdP to Omnivoo.
  • Reduced admin overhead — Your IT team manages access in one place instead of two.

Prerequisites

Before configuring SCIM, you must have:

  • An active SSO connection configured and verified (see Setting Up SSO)
  • Owner or Admin role on your Omnivoo company account

Info: SCIM requires an active SSO connection because provisioned users need a way to authenticate. Without SSO, automatically created users would have no login method tied to your IdP.

Generating a SCIM Token

  1. Go to Settings > Single Sign-On.
  2. Scroll to the SCIM Provisioning section.
  3. Click Generate Token.
  4. Copy the token that appears.

Warning: Save the SCIM token immediately -- it cannot be retrieved again. If you lose it, you will need to generate a new one, which invalidates the previous token.

SCIM Endpoint

Use the following base URL when configuring your identity provider:

https://api.omnivoo.com/scim/v2

Your IdP will append standard SCIM paths (e.g., /Users, /Groups) to this base URL automatically.

Configuring Your Identity Provider

Okta

  1. In Okta, open the Omnivoo application you created for SSO.
  2. Go to the Provisioning tab and click Configure API Integration.
  3. Check Enable API integration.
  4. Enter the SCIM base URL: https://api.omnivoo.com/scim/v2
  5. Paste the SCIM token from Omnivoo into the API Token field.
  6. Click Test API Credentials to verify the connection.
  7. Click Save.
  8. Under Provisioning > To App, enable:
    • Create Users
    • Update User Attributes
    • Deactivate Users

Azure AD / Entra ID

  1. In the Azure portal, open the Omnivoo enterprise application.
  2. Go to Provisioning and set the mode to Automatic.
  3. Under Admin Credentials:
    • Tenant URL: https://api.omnivoo.com/scim/v2
    • Secret Token: Paste the SCIM token from Omnivoo
  4. Click Test Connection to verify.
  5. Click Save.
  6. Configure Mappings to sync the user attributes you need (email and display name are required).
  7. Set Provisioning Status to On.

What SCIM Handles

| Action in Your IdP | What Happens in Omnivoo |
|---|---|
| Assign user to Omnivoo app | User account is created and an invitation email is sent |
| Update user's name or email | User profile is updated in Omnivoo |
| Unassign or deactivate user | User account is deactivated and all active sessions are revoked |
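
The create and deactivate rows correspond to standard SCIM 2.0 (RFC 7644) requests that the IdP sends to the base URL with the token as a bearer credential. The following is an added example, not Omnivoo's own code: it builds those two requests without sending them, assumes Omnivoo accepts the RFC's standard User and PatchOp messages, and uses constructed function names, user id and token.

```python
import json
import urllib.parse
import urllib.request

BASE_URL = "https://api.omnivoo.com/scim/v2"  # from this page; no trailing slash
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_request(method, path, body, token, base_url=BASE_URL):
    """Build (but do not send) a SCIM request authenticated with the bearer token."""
    if not base_url.startswith("https://") or base_url.endswith("/"):
        raise ValueError("base URL must use https and have no trailing slash")
    if not token:
        raise ValueError("SCIM token missing")
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/scim+json",
    }
    data = json.dumps(body).encode()
    return urllib.request.Request(base_url + path, data=data,
                                  method=method, headers=headers)


def create_user(email, display_name, token):
    # "Assign user to Omnivoo app" -> POST /Users with the required attributes
    body = {
        "schemas": [USER_SCHEMA],
        "userName": email,
        "displayName": display_name,
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    return scim_request("POST", "/Users", body, token)


def deactivate_user(user_id, token):
    # "Unassign or deactivate user" -> PATCH /Users/{id} setting active to false
    body = {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    safe_id = urllib.parse.quote(user_id, safe="")  # keep the id inside one path segment
    return scim_request("PATCH", f"/Users/{safe_id}", body, token)


if __name__ == "__main__":
    req = deactivate_user("constructed-user-id", "constructed-token")
    print(req.get_method(), req.full_url, req.data.decode())
```

Comparing these shapes with the entries in your IdP's provisioning logs helps confirm that a deactivation was actually sent for a given user.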

What Happens on Deprovisioning

When a user is deprovisioned through SCIM:

  1. Their Omnivoo account is deactivated -- they can no longer log in.
  2. All active sessions are revoked immediately -- any open tabs or devices are logged out.
  3. Their historical data (contracts, timesheets, payments) is retained for compliance and audit purposes.
  4. If the user is later re-provisioned, their account is reactivated with their previous data intact.

Info: Deprovisioning does not delete data. Omnivoo retains records for legal and financial compliance. The user simply loses the ability to access the platform.

Troubleshooting

SCIM test connection fails.

  • Verify the SCIM base URL is exactly https://api.omnivoo.com/scim/v2 (no trailing slash).
  • Confirm the SCIM token is correct and has not been regenerated since you copied it.
  • Ensure your SSO connection is active and verified.

Users are not being provisioned.

  • Check that provisioning is enabled and set to Automatic in your IdP.
  • Verify that users are assigned to the Omnivoo application in your IdP.
  • Review your IdP's provisioning logs for error details.

Deprovisioned user can still access Omnivoo.

  • SCIM deprovisioning revokes sessions immediately. If the user can still access the app, verify the deprovisioning event was sent by checking your IdP's provisioning logs.
