Manage and Provision Users with SCIM

Overview of SCIM

Follow the steps below to configure SCIM support for your organization. To configure SCIM, you need to be an Org Security Admin.

What is SCIM?

System for Cross-domain Identity Management (SCIM) is an open specification that is designed to make managing user identities simple and automatic. Using SCIM, you can manage the creation and suspension of Workiva users automatically through SCIM-enabled identity providers, such as Okta, SailPoint IdentityIQ, PingFederate, OneLogin, Azure Active Directory, and more.

SCIM uses the latest version of the standard, SCIM 2.0, published in 2015. The service is reached over HTTPS, just like your browser does today, and requires no new firewall rules or network modifications.

SCIM and SAML Single Sign-on

SCIM should be used in conjunction with SAML-based single sign-on (SSO), which provides access to Workiva through your identity provider (IdP). Before you configure SCIM settings, make sure you’ve reviewed Basics of SAML Single Sign-on and Configuring SAML Single Sign-on.

Step 1: Add an Identity Provisioner

First, you need to configure an Identity Provisioner in your organization. To create an Identity Provisioner:

1. In Organization Admin, click Security.
2. Click Identity Provisioning.
   
3. Click Add Provisioner.

Step 2: Enter Provisioner Info

Now you are ready to create a new Identity Provisioner association. To create a new Identity Provisioner:

1. Set a Full Name for your association. This name should describe the system which will be sending user information to Workiva, for example ‘SailPoint Production’.
2. Set a Credential Type. Consult your identity provider’s documentation to determine which to use. If your identity provider supports both, we recommend using Bearer Token.
3. Set a Username that the SCIM service will operate on behalf of. SCIM actions in the Activity Log are attributed to the user you select, and API credentials are generated for the user as well. We recommend creating a dedicated Org Security Admin for this purpose.
4. Optionally, enter a Description for this Identity Provisioner.
5. Under the Administrator Contact, enter the name and e-mail address of a technical contact within your IT department who we can contact in the event of issues or to communicate future feature enhancements.
   
6. Click Create Provisioning to finish.

You'll then see the connection details for Identity Provisioner that you'll need for the next step.

Step 3: Configuring Your Identity Provider

After you configure an Identity Provisioner association, you can then configure your cloud-based or on-premise Identity Provider to connect to Workiva:

• Ensure you are setting up a connection with SCIM 2.0, as we do not support previous versions of the SCIM protocol.
• If you are utilizing the Basic Auth credential type, be aware that references to ‘username’ in your Identity Provider software is synonymous with ‘ID’ and ‘password’ is synonymous with ‘credential’.

If you run into any issues or need help setting up Identity Provisioners, you can reach out to platform support@workiva.com for assistance.