
SCIM provisioning

Manage Fieldguide user accounts via your identity provider

SCIM provisioning lets your identity provider (IdP) automatically manage firm user accounts in Fieldguide. When SCIM is enabled, your IdP can create and deactivate users based on changes in your directory, helping reduce manual user management and keep access up to date.

Fieldguide supports SCIM provisioning for organizations that use single sign-on (SSO). You can configure this for your organization by combining settings in Fieldguide with setup steps in your IdP, such as Microsoft Entra ID or Okta.

Before you begin

Before setting up SCIM provisioning, confirm the following:

  • Your organization has completed SSO setup in Fieldguide. You must finish creating an SSO connection before you can enable SCIM.

  • You're an admin in Fieldguide with permission to manage SSO settings.

  • You're an admin in your identity provider (for example, Microsoft Entra ID or Okta).

SCIM provisioning is optional. You can continue managing users manually in Fieldguide if SCIM is not enabled.

How SCIM provisioning works

SCIM (System for Cross-domain Identity Management) allows your identity provider to act as the source of truth for user access. At a high level:

  1. You enable SCIM provisioning in Fieldguide.

  2. Fieldguide generates SCIM credentials:

    • A SCIM base URL

    • A SCIM bearer token

  3. An IT administrator enters those credentials into your identity provider.

  4. Your identity provider sends SCIM requests to Fieldguide to manage users.

SCIM provisioning manages users, while SSO manages authentication. You must enable SSO before you can enable SCIM provisioning. If you have multiple SSO connections enabled for your organization, you can only enable SCIM provisioning on one of them.

What SCIM manages in Fieldguide

Fieldguide supports SCIM provisioning for firm user accounts. Fieldguide doesn't support this on client user accounts. To automate client user account provisioning, consider using Fieldguide's API and webhooks.

When SCIM provisioning is enabled, your IdP can manage the following user lifecycle events:

  • User creation: Creates a new Fieldguide user when a user is assigned in the IdP.

  • User updates: Applies updates to existing users when any of these supported attributes change in the IdP: first name, last name, or email.

  • User deactivation: Deactivates a Fieldguide user when access is removed in the identity provider.

Fieldguide does not process SCIM DELETE requests.

Once SCIM is enabled, Fieldguide doesn't stop you from changing user attributes like name and email in the Fieldguide user settings menu. However, any changes you make in Fieldguide may be overwritten by your IdP if there's a conflict. We recommend changing these user attributes in your IdP instead of Fieldguide to avoid this.

Set up SCIM provisioning

Step 1: Enable SCIM provisioning in Fieldguide

After your SSO connection is fully configured, follow these steps to enable SCIM provisioning:

  1. Go to Admin settings > SSO in Fieldguide.

  2. Open your existing SSO connection.

  3. Go to the SCIM Provisioning section and select Generate credentials.

  4. Copy the generated credentials:

    • SCIM base URL

    • SCIM bearer token

Store the bearer token securely. It is shown only once. You will provide these credentials to your IdP.

Step 2: Configure SCIM in your identity provider

These steps depend on the identity provider your organization uses. Use the official documentation from your IdP to complete setup using the SCIM URL and token generated by Fieldguide.

How Fieldguide matches SCIM users to existing users

Fieldguide identifies users by email address.

  • When processing SCIM requests, Fieldguide treats the SCIM attribute emails[type eq "work"].value as the user’s primary email address. This value must match the email address used by your IdP for SSO authentication.

  • If these values don't match, Fieldguide may be unable to associate SCIM events with the correct user. This can result in duplicate users or users being unable to sign in.

Microsoft Entra ID

When using Microsoft Entra ID, map the SCIM attribute emails[type eq "work"].value to the Entra mail attribute.

Other identity providers

Other identity providers may use different attribute names or mapping models. Make sure the value sent as emails[type eq "work"].value matches the email address used for SSO login.
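
A pre-flight check for the matching rule above, as an added example (not Fieldguide's or any IdP's code): it pairs each SCIM user payload with the email that user signs in with over SSO and reports users whose emails[type eq "work"].value is missing or different. The payloads and the work_email/audit names are constructed for illustration; reporting case-only differences separately is an assumption, since the page does not say how case is handled.

```python
# Added example: constructed data, not Fieldguide or IdP code.

def work_email(scim_user):
    """Value selected by emails[type eq "work"].value, or None if absent."""
    for entry in scim_user.get("emails") or []:
        # Assumption: "type" is matched case-insensitively, as SCIM's "eq"
        # does for attributes that are not caseExact.
        if str(entry.get("type", "")).lower() == "work" and entry.get("value"):
            return entry["value"].strip()
    return None

def audit(pairs):
    """pairs: (SCIM user dict, email used for SSO login).
    Returns (userName, issue) for every user that needs a mapping fix."""
    findings = []
    for user, sso_email in pairs:
        scim_email = work_email(user)
        if scim_email is None:
            issue = "no_work_email"
        elif scim_email == sso_email:
            continue
        elif scim_email.lower() == sso_email.lower():
            # Assumption: reported separately because the page does not
            # say whether case is ignored when emails are compared.
            issue = "case_only_difference"
        else:
            issue = "mismatch"
        findings.append((user.get("userName"), issue))
    return findings

# Constructed sample: what the IdP would provision vs. the SSO login email.
SAMPLE = [
    ({"userName": "ana", "emails": [{"type": "work", "value": "ana@example.com"}]},
     "ana@example.com"),
    ({"userName": "bo", "emails": [{"type": "home", "value": "bo@example.net"}]},
     "bo@example.com"),
    ({"userName": "cy", "emails": [{"type": "work", "value": "cy@corp.example.com"}]},
     "cy@example.com"),
    ({"userName": "di", "emails": [{"type": "work", "value": "Di@Example.com"}]},
     "di@example.com"),
]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print(f"{name}: {issue}")
```

Running it against an export of your directory before assigning users in the IdP surfaces the accounts that would otherwise end up duplicated or unable to sign in.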

Activity log behavior

Fieldguide records some, but not all, SCIM-related activity in the Users activity log.

  • User creation via SCIM: Creation events appear in Fieldguide’s activity log.

  • User updates via SCIM: Updates triggered by SCIM do not appear in Fieldguide's activity log. To review these changes, refer to your IdP's provisioning or audit logs.

  • User updates made directly in Fieldguide: These appear in the activity log as usual.

Reset credentials and disable SCIM provisioning

You can reset credentials or disable SCIM provisioning in your SSO connection settings.

  • Resetting the credentials or disabling SCIM provisioning will delete your existing SCIM credentials. Once disabled, user provisioning between your identity provider and Fieldguide will stop immediately.

  • To re-enable SCIM, you’ll need to reconfigure SCIM in your identity provider with new SCIM credentials from Fieldguide.
