SCIM provisioning

SCIM 2.0 provisioning rides your workspace's SAML SSO connection: once SSO is active, your identity provider can create members, deactivate them when they leave, and keep their workspace roles in sync with IdP groups. Every IdP-driven change lands on the Config Changes page with actor scim, exactly like a dashboard edit.

Setup

1. Activate SAML SSO for the workspace (Team plan and above).
2. In Settings → Security → SCIM provisioning, generate the bearer token (owner-only, shown once).
3. In your IdP's provisioning settings, set:
   • Base URL: https://app.axiorank.com/api/scim/v2
   • Bearer token: the token from step 2.

Okta calls this "API integration" under Provisioning; Entra ID calls it "Automatic provisioning" with Tenant URL + Secret Token.

What syncs

Group to role mappings

Map IdP groups to workspace roles in Settings → Security. A member in any mapped group gets the highest mapped role; members in no mapped group get the connection's default role. Owner is never grantable through groups.

The same mappings apply to SAML JIT sign-ins when your IdP includes a groups attribute in the assertion, so role mapping works even before SCIM is connected.

Next steps

• Workspace security: SSO, MFA, and session rules.
• Approvals: the human-in-the-loop side of governance.