---
title: SCIM
url: https://www.tines.com/docs/admin/user-administration/scim/
updated: 2025-11-19T16:30:46+00:00
---


# SCIM


[SCIM](https://scim.cloud/) allows you to configure an Identity Provider (IdP) to synchronize users with your Tines tenant. 

The Tines API offers a set of SCIM v2-compliant endpoints, documented [here](https://www.tines.com/api/scim). Our own API for provisioning a tenant's user group mapping is documented [here](https://www.tines.com/api/admin/scim_user_group_mapping).

> **NOTE:** SCIM support is not available in all plans. Please reach out to your Tines point of contact or [Tines support](mailto:support@tines.com) to learn more about enabling it.

## Enabling SCIM

To turn SCIM on or off for your tenant, go to "Authentication settings" in the settings menu. Note that SCIM is independent from [SSO](https://www.tines.com/docs/single-sign-on/) (even though you will probably use the same Identity Provider for both), and is not compatible with [Just-in-time user provisioning](/docs/admin/single-sign-on#just-in-time-user-provisioning).

If you enable SCIM for your tenant, users can only be added and modified via SCIM. Regular methods of inviting and modifying users (via the UI or the API) will be disabled and users can only be managed by the Identity Provider.

> **TIP:**
> Before setting up SCIM, you need to make sure that the SCIM configuration will not revoke your tenant owner status immediately upon saving.
> 
> As long as your IdP is not passing in a `userType` value other than `TENANT_OWNER` (or is not passing any `userType` value), you can set up SCIM without a `tenant_owners_group` and map the tenant owners group later.
> 
> However, if your IdP is going to pass a `userType` value that is not `TENANT_OWNER`, one way to do this is to set up [JIT](https://www.tines.com/docs/admin/user-administration/jit/) first (temporarily), to make sure the identity provider group that you will be configuring to have tenant owner status is read by Tines. For example, if you have a group called "Admins" in your identity provider passed in the "Group" property, you would set up JIT with the following JIT config:
> 
> `{ "group_attribute_name": "Group", "tenant_owners_groups": ["Admins"], "mappings": [] }`
> 
> After this change, you can verify your user is part of the group in your user profile after logging in. Then, you and all users that belong to this group would remain as tenant owners after you set up the SCIM config with a `tenant_owners_groups` field.

## Configuring your Identity Provider

To configure your Identity Provider to synchronize users with Tines, set the following:

- Base URL: `https://<<META.tenant.domain>>/api/scim/v2`
- Authorization: Bearer token, with a tenant-level API key
- Unique identifier field for users: `userName` (note: Tines requires that the userName is the user's email) 

### Operations

Supported operations:

- Provisioning Users and Groups.
- Pushing Profile Updates.
- Adding/removing Users from Groups.
- Deprovisioning Users.
  - Note: some Identity Providers may not fully remove users once they are deactivated, destroyed or removed from the application, and instead will mark them as `active: false`. While these users will no longer be able to access the Tines tenant, a Tenant Owner must delete them via the Tines UI or API to remove their data from the system.

> **TIP:** All SCIM operations show up in Audit Logs. You can use these to see exactly what your Identity Provider is sending Tines and ensure that Users and Groups are being assigned and mapped as expected.

### Attribute mapping

Refer to the [API docs](https://www.tines.com/api/scim#supported-attributes) for the full list of User attributes supported by Tines.

In order to grant users the "Tenant Owner" role in Tines, you can map a field in your user profile to the `userType` field in the Tines application in your IdP. If you configure SCIM to sync profile attributes, users without this `userType` will lose their admin privileges. Alternatively, you can enable group mapping (see following section), in which case the `userType` attribute is not used.

For example, in Okta, assuming there is an `admin` field in the User profile, add a mapping from Okta users to Tines of: `(user.admin == true) ? 'TENANT_OWNER' : ''` → `userType`
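
As an added example (not Tines code), the Python below audits one page of a SCIM v2 ListResponse for the conditions this page calls out: deactivated (`active: false`) users whose data still awaits deletion, `userName` values that are not emails, and active users carrying `userType` `TENANT_OWNER`. The sample response is constructed, obtaining it from the Users endpoint under the base URL is an assumption, and the function name and report keys are hypothetical.

```python
import json
import re

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # shape check only

# Constructed sample data: a SCIM v2 ListResponse (RFC 7644) with made-up users.
SAMPLE = json.dumps({
    "schemas": [LIST_RESPONSE],
    "totalResults": 4,
    "Resources": [
        {"userName": "alice@example.com", "active": True, "userType": "TENANT_OWNER"},
        {"userName": "bob@example.com", "active": False, "userType": ""},
        {"userName": "carol", "active": True},
        {"userName": "dave@example.com", "active": False, "userType": "TENANT_OWNER"},
    ],
})


def audit_scim_users(list_response_json):
    """Sort users from one ListResponse page into review buckets (hypothetical names)."""
    body = json.loads(list_response_json)
    if LIST_RESPONSE not in body.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    users = body.get("Resources", [])
    report = {
        "pending_deletion": [],    # active: false, data stays until a Tenant Owner deletes
        "non_email_username": [],  # Tines requires userName to be the user's email
        "tenant_owners": [],       # active users with userType TENANT_OWNER
        # More results exist than this page holds: the audit is incomplete.
        "truncated": body.get("totalResults", len(users)) > len(users),
    }
    for user in users:
        name = user.get("userName", "")
        inactive = user.get("active") is False  # only an explicit false counts
        if not EMAIL_SHAPE.match(name):
            report["non_email_username"].append(name)
        if inactive:
            report["pending_deletion"].append(name)
        elif user.get("userType") == "TENANT_OWNER":
            # Only meaningful when group mapping is off; with it, userType is not used.
            report["tenant_owners"].append(name)
    return report


if __name__ == "__main__":
    print(json.dumps(audit_scim_users(SAMPLE), indent=2))
```

A `truncated` value of `True` means the response was only one page of a larger result set, so the buckets should not be read as a complete picture of the tenant.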

### Identity Provider Group to Tines permissions mapping

> **TIP:** Before configuring the mapping, ensure your Identity Provider is pushing groups and memberships to Tines. You can review this by inspecting the badges that show up below the name in a user's profile.

If you configure group mappings as described in [automated user provisioning](https://www.tines.com/docs/user-provisioning/), users will be assigned to the teams, roles and permissions as configured in the mapping rules, and these assignments are updated any time there is a SCIM operation invoked by the IdP or a change is made to the mappings.
