SCIM Identity Sync
SCIM (System for Cross-domain Identity Management) lets you provision and de-provision users and groups automatically from your identity provider (IdP) into Onehouse.
What does SCIM sync?
| Identity object | Appears as | Editable in Onehouse? |
|---|---|---|
| Users | Users | No (read-only) |
| Groups | Groups with External type | Membership and name are read-only. Permissions can be granted to the group. |
Important notes:
- SCIM sync is currently one-way. Changes made in Onehouse do not flow back to your IdP.
- Nested groups in your IdP will not be synced to Onehouse.
- Users that already exist in Onehouse (identified by email) and are synced from the IdP will be managed by the IdP.
Supported IdPs
Onehouse is compatible with the SCIM 2.0 standard. The following IdPs are fully supported:
- Microsoft Entra (aka Azure Active Directory)
- [Coming soon] Okta
Onehouse can also work with other SCIM 2.0 compatible IdPs. Contact us if you require support for another IdP.
Set up SCIM identity sync
Prerequisites:
- You must be an Account Admin in Onehouse to set up SCIM.
- Allow outbound HTTPS traffic from your IdP to the Onehouse SCIM endpoint.
Steps:
- Open Account Console → Account Settings.
- Click Enable Identity Sync.
- Copy the SCIM Endpoint URL into your IdP.
- Click Generate Token. Save the secret and paste it into your IdP.
Rotate SCIM tokens
- On the Identity Sync page, click Regenerate Token.
- The old token remains valid for 24 hours to keep provisioning live.
- Update the token in your IdP within that window. Contact support if you need to immediately revoke the old token.
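The rotation described above, as an added example that is not Onehouse code: an in-memory token store that keeps the previous token valid for a 24-hour grace window after Regenerate Token, supports immediate revocation, and checks the `Authorization: Bearer` header exactly as received (so a token pasted with stray whitespace is rejected, which is the usual cause of the "Failed to connect" symptom). The header format, the `ScimTokenStore` class and its method names are assumptions for illustration.

```python
"""Model of SCIM bearer-token rotation with a grace window for the old token.

Added example, not Onehouse code: it assumes the endpoint authenticates each
IdP request with `Authorization: Bearer <token>` and that a regenerated
token keeps its predecessor valid for 24 hours.
"""
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

GRACE_PERIOD = timedelta(hours=24)


def _same(a: str, b: str) -> bool:
    # Constant-time comparison on bytes so unexpected non-ASCII input cannot raise
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class ScimTokenStore:
    """Holds the current token and, after a rotation, the previous one with its expiry."""

    def __init__(self) -> None:
        self.current: str = secrets.token_urlsafe(32)
        self.previous: Optional[tuple[str, datetime]] = None

    def regenerate(self, now: datetime) -> str:
        """Issue a new token; the old one stays valid until now + GRACE_PERIOD."""
        self.previous = (self.current, now + GRACE_PERIOD)
        self.current = secrets.token_urlsafe(32)
        return self.current

    def revoke_previous(self) -> None:
        """Immediate revocation of the old token (on the real service: contact support)."""
        self.previous = None

    def is_valid(self, presented: str, now: datetime) -> bool:
        if _same(presented, self.current):
            return True
        if self.previous is not None:
            old_token, expires_at = self.previous
            if now < expires_at and _same(presented, old_token):
                return True
        return False


def authorize(store: ScimTokenStore, authorization_header: str, now: datetime) -> bool:
    """Check an Authorization header exactly as received; nothing is trimmed."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return store.is_valid(token, now)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = ScimTokenStore()
    old = store.current
    new = store.regenerate(now)
    print(authorize(store, f"Bearer {old}", now + timedelta(hours=23)))  # True
    print(authorize(store, f"Bearer {old}", now + timedelta(hours=25)))  # False
    print(authorize(store, f"Bearer {new} ", now))                       # False: trailing space
```

The grace window is what lets you update the IdP without an outage; the `revoke_previous` call models the support-assisted path for cutting the old token off early, for example after the secret was exposed.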
Troubleshooting identity sync
| Symptom | Likely cause | Fix |
|---|---|---|
| "Failed to connect" in IdP | Wrong URL or token | Re-copy both; check for whitespace |
| Users not appearing | Provisioning scope missing | Verify group/user assignments in IdP |
| Deleted user still in Onehouse | User still belongs to another External group | Remove from all synced groups or wait for next sync |
| IdP shows quarantine status | Repeated provisioning errors | See logs in your IdP |
Provisioning failures are handled by IdP retry logic; Onehouse logs the rejected payload for audit.
Managing external groups
External groups in Onehouse are created by the SCIM sync from your IdP.
- Users cannot add members to, or remove members from, an External group within Onehouse; sync is one-way from the IdP to Onehouse.
- Account Admins cannot edit or delete External groups synced from the IdP. The only action they can perform on these groups is to add or remove Onehouse roles for the group.
- Onehouse identifies each group by Name + Source. If an External group arrives with the same name as an existing manual (Account) group, both coexist. However, we recommend renaming your Account group to minimize confusion.
- If a user's Source is External and they are removed from all External groups (i.e. all groups synced from the IdP), the user will be removed from the Onehouse account.
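The rules in this section and in "What does SCIM sync?" (users matched by e-mail become IdP-managed, nested groups are skipped, groups are keyed by Name + Source, External membership is read-only while roles can still be granted, and an External user is removed once they leave every External group), as an added example that is not Onehouse code. It is an in-memory model driven by constructed SCIM 2.0 Group payloads; the `Directory` class, its method names and the `"User"`/`"Group"` member types are assumptions for illustration.

```python
"""In-memory model of the one-way SCIM sync rules described on this page.

Added example, not Onehouse code. Assumes users are keyed by e-mail, groups by
(name, source), and that the IdP sends SCIM 2.0 Group resources whose `members`
carry a `type` of "User" or "Group". The payloads in __main__ are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    source: str  # "Account" = created in Onehouse, "External" = managed by the IdP


@dataclass
class Group:
    name: str
    source: str                                      # "Account" or "External"
    members: set[str] = field(default_factory=set)   # member e-mails
    roles: set[str] = field(default_factory=set)     # Onehouse roles granted to the group


class Directory:
    """Account state plus the SCIM-driven rules from the page."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.groups: dict[tuple[str, str], Group] = {}   # keyed by (name, source)
        self.skipped_nested: list[str] = []              # nested-group refs that were ignored

    # ---- actions taken inside Onehouse ----
    def create_account_user(self, email: str) -> User:
        return self.users.setdefault(email, User(email, "Account"))

    def create_account_group(self, name: str, members: set[str]) -> Group:
        return self.groups.setdefault((name, "Account"), Group(name, "Account", set(members)))

    def add_member(self, name: str, source: str, email: str) -> None:
        group = self.groups[(name, source)]
        if group.source == "External":
            raise PermissionError("External group membership is read-only; change it in the IdP")
        group.members.add(email)

    def grant_role(self, name: str, source: str, role: str) -> None:
        # Allowed for both Account and External groups
        self.groups[(name, source)].roles.add(role)

    # ---- actions driven by the IdP over SCIM (one-way) ----
    def scim_upsert_user(self, email: str) -> User:
        user = self.users.get(email)
        if user is None:
            user = self.users[email] = User(email, "External")
        else:
            user.source = "External"   # existing user matched by e-mail is now IdP-managed
        return user

    def scim_upsert_group(self, resource: dict) -> Group:
        key = (resource["displayName"], "External")
        group = self.groups.setdefault(key, Group(*key))
        wanted: set[str] = set()
        for member in resource.get("members", []):
            if member.get("type") == "Group":          # nested groups are not synced
                self.skipped_nested.append(member["value"])
                continue
            wanted.add(self.scim_upsert_user(member["value"]).email)
        removed = group.members - wanted
        group.members = wanted
        self._remove_orphaned_external_users(removed)
        return group

    def scim_delete_group(self, name: str) -> None:
        group = self.groups.pop((name, "External"))
        self._remove_orphaned_external_users(group.members)

    def _remove_orphaned_external_users(self, candidates: set[str]) -> None:
        still_synced = {e for g in self.groups.values() if g.source == "External" for e in g.members}
        for email in candidates:
            user = self.users.get(email)
            if user and user.source == "External" and email not in still_synced:
                del self.users[email]   # left every External group -> removed from the account


if __name__ == "__main__":
    d = Directory()
    d.create_account_user("alice@example.com")
    d.scim_upsert_group({"displayName": "engineering", "members": [
        {"value": "alice@example.com", "type": "User"},
        {"value": "bob@example.com", "type": "User"},
        {"value": "nested-subgroup-id", "type": "Group"},   # constructed nested group ref
    ]})
    print(d.users["alice@example.com"].source, d.skipped_nested)   # External ['nested-subgroup-id']
```

The `removed` set is the interesting part: a user is only considered for removal when a sync actually drops them from a group, and even then only if no other External group still lists them, which is exactly the "Deleted user still in Onehouse" row in the troubleshooting table.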
Additional usage notes
- Contact support if you need to disable SCIM identity sync.
- SCIM can only be enabled from the account console, not via the API.