Why SCIM

Without SCIM, env zero only syncs user access when someone logs in. That means if you offboard an employee in your IdP, they still have access to env zero until their next login attempt. SCIM fixes this by keeping your user directory in sync continuously - access is granted or revoked as soon as changes happen in your IdP.

Key benefits

  • Immediate deprovisioning - When you remove a user in your IdP, their env zero access is revoked right away, not at next login
  • No manual user management - New team members get env zero access automatically when added to the right groups in your IdP
  • Single source of truth - Your IdP stays the authoritative record for who has access to what

Beta Feature - SCIM Provisioning is currently in beta. We’re actively improving the feature and welcome your feedback.

Overview

SCIM (System for Cross-domain Identity Management) is a standard protocol that enables your identity provider to automatically provision and deprovision users in env zero.

Prerequisites

  • SSO must be configured - SCIM provisioning is only available after you set up an SSO connection (SAML or Azure AD)
  • Edit Organization Settings permission is required

Setting Up SCIM

1. Navigate to SSO Settings

Go to Organization Settings > SSO. Below your SSO connection, you’ll see the SCIM Provisioning section.

2. Generate a SCIM Token

Click Generate SCIM Token. This creates a bearer token and SCIM endpoint URL for your organization.

3. Copy the Token and Endpoint URL

A dialog displays your SCIM Endpoint URL and Bearer Token. Copy both values immediately.
The bearer token is shown only once. If you lose it, you’ll need to delete the SCIM configuration and generate a new one.
Once configured, the SCIM Provisioning section displays your endpoint URL and the date the token was created.

Configuring Your Identity Provider

Use the SCIM Endpoint URL and Bearer Token to configure provisioning in your identity provider.
Your IdP must map the user’s email address to the SCIM userName attribute. env zero uses this field to match IdP users to organization members. Without a valid email mapping, provisioning will not work correctly.
See your IdP’s documentation for SCIM setup instructions. For other identity providers, refer to their SCIM 2.0 integration documentation and use the endpoint URL and bearer token from the previous step.
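
A pre-flight check for the userName mapping described above, as an added example (not env zero's code): it lints SCIM 2.0 User resources, such as a test export from your IdP, and flags entries that would not match an organization member by email. The function name, the sample users and the emails[] cross-check are assumptions made for illustration.

```python
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core schema
# Deliberately simple address-shape check; not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def check_scim_users(resources):
    """Return (user ref, problem) pairs for users whose userName is not a usable email."""
    problems = []
    seen = {}  # lower-cased userName -> ref of the first user that claimed it
    for res in resources:
        ref = res.get("externalId") or res.get("id") or "<no id>"
        if USER_SCHEMA not in res.get("schemas", []):
            problems.append((ref, "missing core User schema"))
            continue
        user_name = (res.get("userName") or "").strip()
        if not user_name:
            problems.append((ref, "userName is empty"))
            continue
        if not EMAIL_RE.match(user_name):
            problems.append((ref, f"userName {user_name!r} is not an email address"))
            continue
        key = user_name.lower()  # RFC 7643 defines userName as case-insensitive
        if key in seen:
            problems.append((ref, f"userName duplicates {seen[key]}"))
            continue
        seen[key] = ref
        # Assumed extra check: a userName that looks like an email but is not one
        # of the user's addresses usually means a UPN was mapped instead.
        mails = {e.get("value", "").lower() for e in res.get("emails", [])}
        if mails and key not in mails:
            problems.append((ref, "userName does not appear in emails[]"))
    return problems

# Constructed sample payloads (not real accounts).
SAMPLE = [
    {"schemas": [USER_SCHEMA], "externalId": "u1", "userName": "ana@example.com",
     "emails": [{"value": "ana@example.com", "primary": True}], "active": True},
    {"schemas": [USER_SCHEMA], "externalId": "u2", "userName": "jdoe",
     "emails": [{"value": "jdoe@example.com", "primary": True}], "active": True},
    {"schemas": [USER_SCHEMA], "externalId": "u3", "userName": "Ana@Example.com",
     "active": True},
    {"schemas": [USER_SCHEMA], "externalId": "u4", "userName": "sam@corp.example",
     "emails": [{"value": "sam@example.com", "primary": True}], "active": False},
]

if __name__ == "__main__":
    for ref, problem in check_scim_users(SAMPLE):
        print(f"{ref}: {problem}")
```

Run it against a handful of users before assigning the whole directory to the provisioning app, so mapping mistakes surface before any accounts are created or deactivated.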

Revoking a SCIM Token

To revoke SCIM access, navigate to Organization Settings > SSO and click Delete Configuration in the SCIM Provisioning section. This immediately invalidates the token and stops all SCIM provisioning from your IdP.