SCIM Provisioning: Custom Setup

 

System for Cross-domain Identity Management (also known as SCIM) is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), de-provision (deactivate), and update user data across multiple applications at once. 

Note: SCIM Provisioning is available on the Enterprise plan only. Additionally, to set up SCIM Provisioning you will need to have the involvement of both the monday.com admin and the manager of your identity provider account. 

 

Which SCIM capabilities are supported?

The following SCIM capabilities are supported in monday.com:

  • Provisioning of Users
  • De-provisioning of Users
  • Provisioning of Teams
  • De-provisioning of Teams
  • Team Renaming
  • Updating User Details
  • Assigning Users to Teams
  • Unassigning Users from Teams

 

SCIM Setup Options

There are three ways to set up SCIM Provisioning for your monday.com account:

  1. Existing monday.com SCIM applications
    We currently work with three main providers: OKTA, Azure AD, and OneLogin. Aside from these, you also have the option to use your own provider (see the second option) or integrate directly with our SCIM API (see the third option).


    You can read more on enabling SCIM Provisioning for existing monday.com applications below:
    SCIM Provisioning using OKTA
    SCIM Provisioning using Azure AD
    SCIM Provisioning using OneLogin

  2. Custom SCIM integration with identity providers
    This method will be covered in the article below. Continue reading to learn more about setting up a custom SCIM integration on your account!

  3. SCIM API
    You can learn all about SCIM API in this article.

 

Custom SCIM integration with identity providers

To create a custom SCIM integration with another identity provider, follow the steps below. Because identity providers differ and each has its own instructions, you will need to review the documentation from your specific identity provider in order to complete some of these steps.

 

  • Step 1: Create a custom application in your identity provider

Check out documentation from your identity provider for specific instructions on this.

 

  • Step 2: Configure Provisioning

Please note, the following parameters may have different names in different identity providers. As part of your provisioning configuration process, you’ll need to use the specific parameters according to your chosen identity provider.

 

SCIM base URL:

The base URL for all calls from the identity provider to monday.com is: https://<YOUR_DOMAIN>.monday.com/scim/v2/ 

Note: Replace <YOUR_DOMAIN> above with your account URL name (if your account URL is myaccount.monday.com, you would write "myaccount" here).

 

SCIM API token:

This allows monday.com to authenticate the calls from your identity provider. To generate the API token, open up the admin section of your account. From there, press on the "Security" tab, open up the SCIM section, click on the "Generate" button and copy the generated token.

 

 

Map out your identity provider attributes to monday.com attributes:

You can see a table of monday.com attributes in the section below. Additionally, check out documentation from your identity provider for further instructions on how to map out these attributes.

 

  • Step 3: Enable Provisioning and assign users and teams to the application

Check out documentation from your identity provider for specific instructions on how to enable the Provisioning and assign users and teams to the application.

 

Set Up User Provisioning

The following table presents all user attributes supported in monday.com’s SCIM integration:

| monday.com Attribute | SCIM API Attribute(s) | Description |
|---|---|---|
| Name (required) | name, displayName | The user's displayed name. |
| Email Address (required) | userName, email | The email address used by the user to log into monday.com. |
| Active (required) | active | When creating a user, this field must be set to 'true'. Changing a user's 'active' value to 'false' will deactivate them in monday.com. |
| Position | title | The user's position in the company. |
| Timezone | timezone | The user's timezone; all dates in the platform will be according to this timezone. Both 'Europe/Berlin' and 'Berlin' formats are acceptable. |
| Locale | locale | monday.com will display a localized version for different locales. |
| Phone Number | phoneNumbers | The user's phone numbers. Note: only one will be displayed, the one marked as 'primary' or otherwise the first number. |
| Home Address | addresses | The user's address. Note: only one will be displayed, the one marked as 'primary' or otherwise the first address. |
| User Type | userType | The level of each user within the account (learn about it here). The possible values are: admin, member, viewer, guest. The default value is "member". |

 

 

Note: If you deprovision a user from the custom app within the identity provider, the user will exist in monday.com as an inactive user and will not be counted towards your monday.com user count.
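As an added example (not monday.com's own code), the following Python checks a SCIM user payload against the attribute table above before it is sent, and builds the standard SCIM PATCH body that sets 'active' to 'false'. The schema URNs come from RFC 7643 and RFC 7644; the `approved_admins` allowlist is a hypothetical policy check, and the `emails` key is the RFC 7643 attribute name, assumed here to correspond to the table's "email".

```python
# Added example: pre-flight check of a SCIM user payload against the
# attribute table above. Sample values are constructed; not monday.com code.
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"    # RFC 7643
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644
USER_TYPES = {"admin", "member", "viewer", "guest"}         # from the table


def build_user(email, display_name, user_type="member", title=None):
    """Build a create payload; userType defaults to "member" as in the table."""
    user = {
        "schemas": [CORE_USER],
        "userName": email,
        "displayName": display_name,
        "emails": [{"value": email, "primary": True}],  # assumed mapping
        "active": True,
        "userType": user_type,
    }
    if title:
        user["title"] = title
    return user


def check_create(user, approved_admins=frozenset()):
    """Return a list of problems; an empty list means the payload fits."""
    problems = []
    if not user.get("displayName") and not user.get("name"):
        problems.append("name or displayName is required")
    if not user.get("userName"):
        problems.append("userName (email address) is required")
    if user.get("active") is not True:
        problems.append("active must be true when creating a user")
    user_type = user.get("userType", "member")
    if user_type not in USER_TYPES:
        problems.append(f"userType {user_type!r} is not a supported value")
    elif user_type == "admin" and user.get("userName") not in approved_admins:
        # Hypothetical least-privilege gate: admins must be approved by name.
        problems.append("admin userType not on the approved list")
    return problems


def deactivate_patch():
    """PATCH body that sets active=false, which deactivates the user."""
    return {
        "schemas": [PATCH_OP],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
```

Running `check_create` over the attribute mapping output for a test user before enabling provisioning catches an unintended `admin` mapping or a missing required field early.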

  

Set Up Team Provisioning

When you assign a group to monday.com, a new Team is created in your monday.com account containing all the users that are assigned to that group in the identity provider.


Important Note: If you assign a group to the custom app within the identity provider, and there is a monday.com team with the same name, then the identity provider's group will replace it.
Additionally, to protect privacy, we recommend coordinating the team provisioning with the monday.com admin, in order to avoid users losing access to their data or gaining access unintentionally.

 

The following table presents all team attributes supported in monday.com’s SCIM integration:

| monday.com Attribute | SCIM API Attribute(s) | Description |
|---|---|---|
| Name (required) | displayName | The team's displayed name |
| Users | members | List of users assigned to the team |

 

 

 

Keep in mind: The identity provider is the source of truth 

If you connect your monday.com account to SCIM, every data change performed in the monday.com platform will be overridden by the data sent via SCIM. As an example, let's say that a user is provisioned to be part of a team, and then you manually unassign them through the monday.com platform. The next time SCIM provisioning runs, it will re-assign them to the team.

 

Frequently Asked Questions

  • What happens if the admin who set up the initial SCIM token is no longer admin (their user type changed or they were deactivated)?

If the original admin who created the SCIM provisioning token on your account was deactivated or changed to a different user type (member, guest, or viewer), SCIM will no longer work on your account. In order to reactivate SCIM, the current admin of the account can generate a new token and enter it into the identity provider.

  • How can an admin generate a new SCIM token?
    • To generate a new SCIM token, open up the admin section of your account. From there, press on the "Security" tab, open up the SCIM section, click on the "Generate" button and copy the generated token.

      After entering this token into your identity provider, you should be all set!

 

  • What happens if I change my personal attributes in my monday.com account? 

The sync with your identity provider is a one-way sync, and any changes made to a user profile in the monday.com profile or teams page will be overwritten the next time your identity provider syncs with your account. 

  • What does this mean for me? 
    • To change any attributes of the user profile you will need to update them in your identity provider.
    • In order to add users to teams or remove users from teams created by your identity provider, you will need to make these changes in your identity provider.
    • If you create a Team in monday.com that is not a group in your identity provider, it will not be affected by the groups in your identity provider.

 

  • What happens if I add users to a team in my monday.com account? 

If that team is provisioned by your identity provider, these users will eventually be removed from the team and replaced by users that are provisioned to the matching identity provider Group. Otherwise, if the team is not provisioned by your identity provider, when you add users to a team in your monday.com account, they will remain in that team.
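
The team rules described in "Set Up Team Provisioning", "The identity provider is the source of truth" and the answer above can be previewed before a sync with the following added example (not monday.com's own code). It assumes team and group names match exactly and that membership has been exported as sets of email addresses; all sample data is constructed.

```python
# Added example: preview what a SCIM sync would change in monday.com teams.
# All group and team data below is constructed for illustration.

def preview_team_sync(idp_groups, monday_teams):
    """Compare IdP groups with current teams, both {name: set(emails)}.

    Follows the page's rules: a group replaces a team with the same name,
    and teams with no matching group are left alone.
    """
    report = {"created": [], "replaced": {}, "untouched": []}
    for name, members in sorted(idp_groups.items()):
        if name not in monday_teams:
            report["created"].append(name)
            continue
        current = monday_teams[name]
        report["replaced"][name] = {
            # Users the sync will add to the existing team.
            "gain_access": sorted(members - current),
            # Users added manually in monday.com who will be removed.
            "lose_access": sorted(current - members),
        }
    report["untouched"] = sorted(set(monday_teams) - set(idp_groups))
    return report


IDP_GROUPS = {  # constructed sample: groups assigned to the custom app
    "Finance": {"ana@example.com", "li@example.com"},
    "Security": {"sam@example.com"},
}
MONDAY_TEAMS = {  # constructed sample: teams already in the account
    "Finance": {"ana@example.com", "omar@example.com"},
    "Design": {"kim@example.com"},
}

if __name__ == "__main__":
    for key, value in preview_team_sync(IDP_GROUPS, MONDAY_TEAMS).items():
        print(key, value)
```

Reviewing the `gain_access` and `lose_access` lists with the monday.com admin before assigning a group is one way to do the coordination recommended above.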

 

 

If you have any questions, please reach out to our team by using our contact form. We're available 24/7 and happy to help! 
