Skip to main content
All CollectionsAdministrationUser management
Automated user provisioning and de-provisioning (SCIM 2.0)
Automated user provisioning and de-provisioning (SCIM 2.0)

Learn about SCIM provisionning

Stéphane Delprat avatar
Written by Stéphane Delprat
Updated over a year ago

With a subscription to Holaspirit Enterprise Plan, you can sync Holaspirit directly with your identity provider to enable automated provisioning and de-provisioning of your users.

🚀 SCIM User Provisioning is included with Holaspirit Enterprise plan.


About User Provisioning

Automated user provisioning allows for a direct sync between your identity provider and your Holaspirit organization. You no longer need to manually create user accounts when someone joins the company or moves to a new team.

Automated de-provisioning reduces the risk of information breaches by removing access for those that leave your company. We automatically remove people when they leave the company.


Configuration

SCIM User Provisioning is available on Holaspirit.

It works well with SAML. But they can also be used separately.

If you’d like to provision users with SCIM, you must complete these two steps:

First step: Copy your provisioning key from Administration -> Users -> Provisioning

Second step: Configure SCIM in your IdP with the information:

  1. SCIM URL (or Tenant URL): https://app.holaspirit.com/api/scim/2.0

  2. Secret Token (Bearer): The provisioning key from the first step

Note: If no license is available in the subscription, the user account will be created as inactive. Admin can change the user's privilege later on.


Limitations

  • Soft-deleted is not implemented: Use hard delete or suspend

  • Groups are not implemented: Send only Users


Attribute Mappings

In your IdP configuration you will have an "Attribute Mappings" section, that will tell which fields should be sent to Holaspirit.

Here is the list of fields that we will saved on Holaspirit:

  • email

  • user.firstname

  • user.lastname

  • language

  • timezone

  • phones[type=work].value

  • addresses[type=work].value (will be saved to "Locations")

  • privilege (possible values: "member" or "inactive")

  • active (only available when updating a member, possible values: "true" or "false") when set to "false" the member will be suspended

If other fields are sent, we will ignore them silently.


Troubleshooting

If you experience this error:

{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400,"detail":"{'emails': ['This field is required.']}"}

You should change the mapping of the User as below.

emails[type eq "work"].value needs to be mapped to userPrincipalName that is, if userPrincipalName is where the email is.

Did this answer your question?