SCIM (System for Cross-domain Identity Management)

Configure automated user and group provisioning for your organization with SCIM v2 support.

Overview

Simplistica’s SCIM implementation maps SCIM groups to both roles and workspaces, so you can automatically provision users and groups while keeping granular control over role assignment and workspace access.

Enterprise Feature: SCIM is available for enterprise customers only. Contact sales to enable this feature.

How SCIM Works

User Lifecycle Management

1. User Provisioning

  • Identity provider creates users via SCIM API
  • Users are automatically added to Simplistica
  • Profile and authentication accounts are created

2. Group Management

  • SCIM groups are created and managed by your IdP
  • Groups can represent both workspaces and role assignments
  • Users are automatically added to groups

3. Role Assignment

  • Role mapping rules evaluate group names
  • Users get roles based on group membership
  • Roles are computed in real time with priority rules

4. Workspace Access

  • Groups can be mapped to specific workspaces
  • Users automatically gain access to mapped workspaces
  • Access is managed through group membership

User Management

User Activation and Deactivation

Automatic User Creation

  • When a user is created in your IdP, they are automatically provisioned in Simplistica
  • User profiles are created with basic information (name, email)
  • Authentication accounts are set up automatically
  • Users are assigned to appropriate organizations based on SCIM configuration

User Status Control

  • Active Users: Can sign in and access assigned workspaces
  • Deactivated Users: Cannot sign in but retain their data and access history
  • Status Changes: User status can be updated via SCIM API calls

Deactivation Process

  • Users can be deactivated through your IdP (e.g., when they leave the company)
  • Deactivated users lose access to Simplistica immediately
  • Their data and documents are preserved
  • Access can be restored by reactivating the user

Available Roles

Organization-Level Roles

Owner

  • Full administrative control over the organization
  • Can manage organization settings, billing, and members
  • Can configure SCIM and SSO settings
  • Only one owner per organization
  • Cannot be assigned through SCIM (must be set manually)

Admin

  • Full administrative access within the organization
  • Can manage organization members and their roles
  • Can create and manage workspaces
  • Can configure organization settings (except billing)
  • Can be assigned through SCIM role mapping

Editor

  • Content creation and editing capabilities
  • Can create, edit, and delete documents
  • Can manage documents they own
  • Cannot manage organization settings or other users
  • Can be assigned through SCIM role mapping

Viewer

  • Read-only access to assigned workspaces
  • Can view documents and content
  • Cannot create, edit, or delete content
  • Cannot access organization settings
  • Can be assigned through SCIM role mapping

Role Assignment Through SCIM

Automatic Role Mapping

  • Roles are assigned based on SCIM group membership
  • Group names are evaluated against role mapping rules
  • First matching rule determines the user’s role
  • Rules are evaluated in priority order (higher priority first)

Role Mapping Examples

  • admin|.*-admin → Admin role
  • manager|.*-manager → Admin role
  • editor|.*-editor → Editor role
  • viewer|.*-viewer → Viewer role
  • former|.*-former → Deactivated status

Priority System

  • Higher priority rules take precedence
  • Rules are evaluated from highest to lowest priority
  • Users can only have one role at a time
  • Role changes are applied immediately

Configuration

SCIM Setup

1. Create Connection

  • Go to Settings → SCIM in Simplistica
  • Click “Create SCIM Connection”
  • A bearer token will be generated automatically

2. Configure Your IdP

  • Use the provided bearer token for authentication
  • Configure the base URL and endpoints
  • Set up user and group provisioning

3. Enable/Disable

  • Toggle the connection on/off as needed
  • Generate new tokens for security
  • Monitor connection status

Endpoints

Required Endpoints

Base URL:

https://simplistica.co/api/scim/v2

Users Endpoint:

/Users

Groups Endpoint:

/Groups

Authentication:

Authorization: Bearer <your-scim-token>

Role Mapping

Role Assignment

Available Roles:

  • Admin: Full administrative access
  • Editor: Content editing access
  • Viewer: Read-only access
  • Deactivated: Account deactivation

Pattern Matching:

  • Use regex patterns to match group names
  • Examples: admin|.*-admin, manager, editor
  • Case-insensitive matching
  • Priority-based rule evaluation
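
The first-match, priority-ordered evaluation described under "Role Assignment Through SCIM" and "Pattern Matching" can be checked offline before a mapping goes live. The following is an added example, not Simplistica's code: the priority numbers, the choice to rank the deactivation rule highest, the group names, and the `anchored` switch are all assumptions. The page does not say whether a pattern must match the whole group name or any part of it, so the audit reports every group whose outcome differs between the two readings.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int  # assumed numeric priority; higher is evaluated first
    pattern: str   # regex applied to the SCIM group name
    outcome: str   # Admin, Editor, Viewer or Deactivated

# Patterns are the page's examples; the priority numbers are constructed.
RULES = [
    Rule(50, r"former|.*-former", "Deactivated"),
    Rule(40, r"admin|.*-admin", "Admin"),
    Rule(30, r"manager|.*-manager", "Admin"),
    Rule(20, r"editor|.*-editor", "Editor"),
    Rule(10, r"viewer|.*-viewer", "Viewer"),
]

def resolve(groups, rules=RULES, anchored=True):
    """Return (outcome, group, pattern) for the first matching rule, else None."""
    # anchored=True: pattern must match the whole name; False: any substring.
    match = re.fullmatch if anchored else re.search
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        for group in groups:
            if match(rule.pattern, group, re.IGNORECASE):
                return rule.outcome, group, rule.pattern
    return None

def audit(group_names, rules=RULES):
    """List (group, anchored outcome, substring outcome) where the two differ."""
    findings = []
    for name in group_names:
        strict = resolve([name], rules, anchored=True)
        loose = resolve([name], rules, anchored=False)
        if strict != loose:
            findings.append((name, strict and strict[0], loose and loose[0]))
    return findings

# Constructed IdP group names for illustration.
SAMPLE_GROUPS = ["Platform-Admin", "docs-editor", "sysadmins",
                 "admin-reports-viewer", "finance-former", "contractors"]

if __name__ == "__main__":
    print(resolve(["docs-editor", "Platform-Admin"]))  # highest-priority match wins
    for finding in audit(SAMPLE_GROUPS):
        print("ambiguous:", finding)
```

Run `audit()` over an export of your IdP's group names when reviewing role mappings; any group it lists should be renamed or covered by a tighter pattern so that it cannot resolve to Admin unintentionally.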

Security

Security Best Practices

Token Management:

  • Keep bearer tokens secure
  • Rotate tokens regularly
  • Use HTTPS for all communications

Access Control:

  • Only workspace owners can configure SCIM
  • Monitor SCIM activity logs
  • Review role mappings periodically

Pro Tip: For optimal SCIM setup, combine it with SSO. SSO handles authentication while SCIM handles user provisioning, role assignment, and workspace access management.

Support: If you encounter issues with SCIM setup, contact our support team with your IdP configuration details and error messages.
