System for Cross-domain Identity Management (also known as SCIM) is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), de-provision (deactivate), and update user data across multiple applications at once.
Which SCIM capabilities are supported?
The following SCIM capabilities are supported in monday.com:
- Provisioning of Users
- De-provisioning of Users
- Provisioning of Teams
- De-provisioning of Teams
- Team Renaming
- Updating User Details
- Assigning Users to Teams
- Unassigning Users from Teams
SCIM Setup Options
There are three ways to set up SCIM Provisioning for your monday.com account:
Existing monday.com SCIM applications
We currently work with three main providers: OKTA, Azure AD, and OneLogin. Aside from these, you also have the option to use your own provider (see the second option) or integrate directly with our SCIM API (see the third option).
You can read more on enabling SCIM Provisioning for existing monday.com applications below:
SCIM Provisioning using OKTA
SCIM Provisioning using Azure AD
SCIM Provisioning using OneLogin
- Custom SCIM integration with identity providers
This method will be covered in the article below. Continue reading to learn more about setting up a custom SCIM integration on your account!
- SCIM API
You can learn all about SCIM API in this article.
Custom SCIM integration with identity providers
To create a Custom SCIM integration with other identity providers, please follow the steps below. It is important to note, since there are many different identity provider options with varying instructions specific to them, you will need to review documentation from that specific identity provider in order to complete some of the steps below.
- Step 1: Create a custom application in your identity provider
Check out documentation from your identity provider for specific instructions on this.
- Step 2: Configure Provisioning
Please note, the following parameters may have different names in different identity providers. As part of your provisioning configuration process, you’ll need to use the specific parameters according to your chosen identity provider.
SCIM base URL:
The base URL for all calls from the identity provider to monday.com is: https://<YOUR_DOMAIN>.monday.com/scim/v2/
SCIM API token:
This allows monday.com to authenticate the class from your identity provider. To generate the API token, open up the admin section of your account. From there, press on the "Security" tab, open up the SCIM section, click on the "Generate" button and copy the generated token.
Map out your identity provider attributes to monday.com attributes:
You can see a table of monday.com attributes in the section below. Additionally, check out documentation from your identity provider for further instructions on how to map out these attributes.
- Step 3: Enable Provisioning and assign users and teams to the application
Check out documentation from your identity provider for specific instructions on how to enable the Provisioning and assign users and teams to the application.
The following table presents all user attributes supported in monday.com’s SCIM integration:
SCIM API Attribute(s)
The user's displayed
The email address used by the
user to log into monday.com
When creating a user, this field must be set to 'true'.
The user's position in the company.
The user's timezone,
all dates in the platform
will be according to this timezone.
Both 'Europe/Berlin' and 'Berlin' formats are acceptable
monday.com will display a localized version for different locales.
The user's phone numbers.
The user's address. Note: only one will be displayed, the one marked as 'primary' or otherwise the first address.
The level of each user within the account (learn about it here).
The possible values are:
or custom role id
To set up SCIM provisioning to support custom roles as user types:
- Configure the relevant custom role on monday as described in this article.
- Copy the custom role ID. This can be done from the monday account permissions center, by clicking on the three-dot menu right next to the role name and then "Copy ID", as shown in the image below.
- When setting the userType please pass the custom role ID's as a "string"(the same way you would pass the value admin, viewer, member, or guest).
Set Up Team Provisioning
When you assign a group into monday.com you will create a new Team in your monday.com account with all the users that are assigned to that group in the identity provider.
The following table presents all team attributes supported in monday.com’s SCIM integration:
SCIM API Attribute(s)
The team's displayed name
|List of users assigned to the team
Keep in mind: The identity provider is the source of truth
If you connect your monday.com account to SCIM, every data change performed in the monday.com platform will be overridden by the data sent via SCIM. As an example, let's say that a user is provisioned to be part of a team, and then you manually unassign them through the monday.com platform. The next time SCIM provisioning runs, it will re-assign them to the team.
Frequently Asked Questions
We've outlined a list of SCIM-related frequently asked questions for you. Click on this link here to check them out!
If you have any questions, please reach out to our team right here. We’re available 24/7 and happy to help.