SCIM Provisioning

Managing user accounts and access permissions across various systems and applications can be a complex and time-consuming task. System for Cross-domain Identity Management (SCIM) provides a standardized approach to user provisioning and simplifies the process of creating, updating, and deactivating user accounts. integrates with several identity providers using SCIM provisioning, SCIM is an open standard that simplifies cloud identity management and allows user provisioning to be automated. The integration is designed to integrate seamlessly with many popular identity providers who support SCIM provisioning. SCIM provisioning is only compatible with SAML-based integration, not with OAuth or OpenID Connect.

Some of the popular identity providers integrates with using SCIM are Okta, Azure Active Directory, LDAP/Active Directory, OneLogin, and SAML (any provider).

Automated User Provisioning SCIM provisioning enables organizations to automate the process of creating user accounts. When a new user is added to the organization's identity provider (IdP), the SCIM provisioning feature automatically provisions the user's account on, eliminating the need for manual setup. We provision the standard user attributes such as the User Name, Name, Display Name, Email Address, and Company Name. This ensures that new users can quickly access the platform and start collaborating without delays.

User Account Updates

SCIM provisioning also facilitates seamless updates to user accounts. When changes are made to user attributes such as name, email address, company name or group memberships in the IdP, these modifications are automatically synchronized with This ensures that user information remains consistent across different systems, reducing the risk of data discrepancies and administrative overhead.

Account Deactivation

When a user leaves the organization or their access needs to be revoked, SCIM provisioning simplifies the deactivation process. Instead of manually disabling the user's account, administrators can simply update the user's status in the IdP, triggering automatic account deactivation in This helps maintain data security by ensuring that former employees or external collaborators no longer have access to sensitive files.

Group Management SCIM provisioning extends beyond individual user accounts to include group management. Organizations can leverage SCIM to automatically create, update, and remove groups in based on changes made in the IdP. We provision the standard group attributes such as the Group Name and Group Members. This allows for efficient management of team collaborations and access control, ensuring that users have the appropriate permissions within

Setting Up SCIM Provisioning supports SCIM version 2.0 with Basic authentication and Token based authentication to integrate with your IdP. Along with standard user provisioning and deprovisioning via SCIM, also support automatic provisioning or deprovisioning of group memberships. Note that SCIM is specifically designed to work with the SAML protocol, not with the OAuth protocol.

To integrate your IdP with SCIM provisioning, use the below fields within your IdP SCIM configuration:

FIELDVALUE SCIM connector base URL
Unique identifier field for usersemail (it can be email address with some IdP providers) offers numerous configuration options for SCIM provisioning, detailed in the Configuration Options section. Also, refer to the Azure AD SSO SCIM, Okta SSO SCIM or OneLogin SSO SCIM pages for more information on how you can configure SCIM with your chosen IdP.

Provisioning Users

Once SCIM provisioning is enabled in, any new users created after the integration will be managed and provisioned through SCIM. The SCIM integration ensures that user creation, updates, and deprovisioning processes are automatically synchronized between the identity provider (such as Okta, Azure AD, OneLogin) and

If your users are already present in or in your IdP prior to configuring SCIM provisioning, the provisioning works seamlessly as long as the user in is set with corresponding SSO authentication enabled and the same user is assigned to the application in your IdP.

Modifying the Email Address or User Name

In the event that you modify your user's email address, user principal name (UPN), or username after provisioning the user with SCIM, the updates may not be immediately synchronized with As a result, users may experience login difficulties until your Identity Provider (IdP) pushes those changes according to their synchronization interval. To mitigate this issue, we suggest utilizing the on-demand provisioning capabilities of your IdP to promptly provision and propagate these changes.

Issues with Duplicate User Names or Missing User Names

If you are using Azure SSO or other IdP with Create User On First Login enabled and do not have SCIM configured, you may encounter an issue where duplicate user records are created. This occurs because the system interprets the updated UPN/Email address as a new user entry. On the other hand, if you have Create User On First Login disabled and without SCIM, you may see an error when attempting to change the UPN or primary email/username. This error occurs because the system does not recognize the new user entry that is being referenced. To avoid such cases, we recommend using SCIM and on-demand provisioning to properly synchronize the user name or email address changes between your IdP and

Provisioning Groups can automatically provision/deprovision group memberships using SCIM. To configure the group provisioning settings, edit the settings for your SSO Provider. Type "SSO Providers" in the search box at the top of every page and click on the matching result. Locate your provider integration in the list and click Edit to see the Advanced Settings option. Once you click on the Advanced Settings, you will see various options related to provisioning. If your Groups at IdP are not synchronizing with, we recommend using manual provision options within your IdP provisioning settings. If you are using Okta as your IdP, go to Applications > > Push Groups to force the groups to be synchronized with application.

Configuration Options

Below are the available configuration options with our SCIM provisioning. You can access these options within the advanced settings when adding an SSO provider which supports SCIM provisioning.

Enable automatic user provisioning via SCIMAllows you to use the SCIM protocol for provisioning. Select Basic to create a SCIM username and password to use. Select Token to generate a SCIM token and specify an expiration date to use that token.
Automatically provision users on first loginAutomatically triggers user provisioning upon their initial login attempt to
Automatically deprovision usersAutomatically initiates the deprovisioning of users if they cannot be located in your Identity Provider (IdP) during the next synchronization process.
Automatically provision group membershipsAutomatically assigns users to groups based on their group membership settings within your Identity Provider (IdP).
Automatically deprovision group membershipsAutomatically removes users from groups if they are no longer associated with the corresponding groups in your Identity Provider (IdP) during the next synchronization process.
Method used for deprovisioning usersSpecifies whether deprovisioned users should be deleted or disabled within We recommend that users be disabled, rather than deleted, in case you need to audit their prior activity, history, and settings.
Provision companySets the "Company" attribute in the user profile of the provisioned user.
Add users to these default groups on first loginAutomatically assigns provisioned users to specified Groups upon their initial login.
Only provision users in these groupsRestricts user provisioning to only those who are members of the specified IdP groups. Enter comma separated names or wildcards. For instance, to limit provisioning to users in the IT and Support groups, specify "IT,Support".
Exclude these groups from provisioningTo exclude specific groups from being provisioned within
Provision users in these groups to be site adminsAutomatically assigns site administrator privileges within to users within the specified groups. Enter comma separated names or wildcards. For example, by specifying "Administrators,Domain Admins", users in these groups from the IdP will be granted site administrator privileges in
Provision users in these groups to be group adminsAutomatically assigns group administrator privileges within to users within the specified groups. Enter comma separated names or wildcards. For example, by specifying "Managers,Associate Directors", users in these groups from the IdP will be granted group administrator privileges in
Provision users in these groups to manage their password via Files.comProvisions users from the specified groups without requiring Single Sign-On (SSO). Their passwords will be stored in, independent of the IdP password.
Provision users with 2FASpecifies how two-factor authentication (2FA) is applied to provisioned users. You can choose to follow the site-wide 2FA policy or override it for SCIM provisioned users, opting to always require 2FA or never require it. For example, if your site-wide 2FA policy mandates Always required for all users, but you need to exempt SCIM provisioned users from this requirement, select Never require 2FA.
Auto-provisioned users with WebDAV permissionsSpecifies whether the provisioned users have permission to use the WebDAV protocol to connect to
Auto-provisioned users with FTP permissionsSpecifies whether the provisioned users have permission to use the FTP and FTPS protocols to connect to
Auto-provisioned users with SFTP permissionsSpecifies whether the provisioned users have permission to use the SFTP protocol to connect to
Default time zone for auto provisioned usersSpecifies the time zone attribute in the user profile of the provisioned user.

Get Instant Access to

The button below will take you to our Free Trial signup page. Click on the white "Start My Free Trial" button, then fill out the short form on the next page. Your account will be activated instantly. You can dive in and start yourself or let us help. The choice is yours.

Start My Free Trial

©2024 All right reserved


  • Start My Free Trial
  • Pricing
  • Docs
  • API and SDKs
  • Contact


(800) 286-8372


9am–8pm Eastern