
SCIM Provisioning: Custom Setup

 

System for Cross-domain Identity Management (also known as SCIM) is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), de-provision (deactivate), and update user data across multiple applications at once. 

Note: SCIM Provisioning is available on the Enterprise plan only. Additionally, to set up SCIM Provisioning you will need to have the involvement of both the monday.com admin and the manager of your identity provider account. 

 

Which SCIM capabilities are supported?

The following SCIM capabilities are supported in monday.com:

  • Provisioning of Users
  • De-provisioning of Users
  • Provisioning of Teams
  • De-provisioning of Teams
  • Team Renaming
  • Updating User Details
  • Assigning Users to Teams
  • Unassigning Users from Teams

 

SCIM Setup Options

There are three ways to set up SCIM Provisioning for your monday.com account:

  1. Existing monday.com SCIM applications
    We currently work with three main providers: OKTA, Azure AD, and OneLogin. Aside from these, you also have the option to use your own provider (see the second option) or integrate directly with our SCIM API (see the third option).


    You can read more on enabling SCIM Provisioning for existing monday.com applications below:
    SCIM Provisioning using OKTA
    SCIM Provisioning using Azure AD
    SCIM Provisioning using OneLogin

  2. Custom SCIM integration with identity providers
    This method will be covered in the article below. Continue reading to learn more about setting up a custom SCIM integration on your account!

  3. SCIM API
    You can learn all about SCIM API in this article.

 

Custom SCIM integration with identity providers

To create a custom SCIM integration with another identity provider, follow the steps below. Because identity providers differ and each has its own instructions, you will need to review your identity provider's documentation to complete some of these steps.

 

  • Step 1: Create a custom application in your identity provider

Check out documentation from your identity provider for specific instructions on this.

 

  • Step 2: Configure Provisioning

Please note, the following parameters may have different names in different identity providers. As part of your provisioning configuration process, you’ll need to use the specific parameters according to your chosen identity provider.

 

SCIM base URL:

The base URL for all calls from the identity provider to monday.com is: https://<YOUR_DOMAIN>.monday.com/scim/v2/ 

Note: Replace <YOUR_DOMAIN> above with your account URL name (if your account URL is myaccount.monday.com, you would write "myaccount" here).

 

SCIM API token:

This allows monday.com to authenticate the calls from your identity provider. To generate the API token, open the admin section of your account. From there, click the "Security" tab, open the SCIM section, click the "Generate" button, and copy the generated token.


 

 

Map out your identity provider attributes to monday.com attributes:

You can see a table of monday.com attributes in the section below. Additionally, check out documentation from your identity provider for further instructions on how to map out these attributes.

 

  • Step 3: Enable Provisioning and assign users and teams to the application

Check out documentation from your identity provider for specific instructions on how to enable the Provisioning and assign users and teams to the application.

 

Set Up User Provisioning

The following table presents all user attributes supported in monday.com’s SCIM integration:

| monday.com Attribute | SCIM API Attribute(s) | Description |
|---|---|---|
| Name (required) | name, displayName | The user's displayed name |
| Email Address (required) | userName, email | The email address used by the user to log into monday.com |
| Active (required) | active | When creating a user, this field must be set to 'true'. Changing a user's 'active' value to 'false' will deactivate them in monday.com. |
| Position | title | The user's position in the company. |
| Timezone | timezone | The user's timezone; all dates in the platform will be according to this timezone. Both 'Europe/Berlin' and 'Berlin' formats are acceptable. |
| Locale | locale | monday.com will display a localized version for different locales. |
| Phone Number | phoneNumbers | The user's phone numbers. Note: only one will be displayed, the one marked as 'primary' or otherwise the first number. |
| Home Address | addresses | The user's address. Note: only one will be displayed, the one marked as 'primary' or otherwise the first address. |
| User Type | userType | The level of each user within the account (learn about it here). The possible values are: admin, member, viewer, guest, or custom role id |

 

To set up SCIM provisioning to support custom roles as user types:

  1. Configure the relevant custom role on monday as described in this article.
  2. Copy the custom role ID. This can be done from the monday account permissions center, by clicking on the three-dot menu right next to the role name and then "Copy ID", as shown in the image below.
  3. When setting the userType, pass the custom role ID as a "string" (the same way you would pass the value admin, viewer, member, or guest).

Group_1_-_2023-01-12T114829.796.png

Note: If you deprovision a user from the custom app within the identity provider, the user will exist in monday.com as an inactive user and will not be counted towards your monday.com user count.
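A pre-flight check for the user attributes above, as an added example that is not monday.com's own code: it validates a SCIM User resource against the table's required fields and userType rules before the identity provider sends it. The schema URN comes from RFC 7643; the function names, the known_custom_role_ids parameter, the admin warning, and the sample users are assumptions made for illustration.

```python
CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643
BUILT_IN_USER_TYPES = {"admin", "member", "viewer", "guest"}


def displayed_entry(entries):
    """Documented display rule: the entry marked primary, otherwise the first."""
    if not entries:
        return None
    return next((e for e in entries if e.get("primary")), entries[0])


def check_new_user(user, known_custom_role_ids=frozenset()):
    """Return (errors, warnings) for a SCIM User resource about to be created."""
    errors, warnings = [], []
    if not (user.get("displayName") or user.get("name")):
        errors.append("name: required (name or displayName)")
    if not user.get("userName"):
        errors.append("userName: required (login email address)")
    if user.get("active") is not True:
        errors.append("active: must be true when creating a user")
    user_type = user.get("userType")
    if user_type is not None:
        if not isinstance(user_type, str):
            errors.append("userType: must be passed as a string")
        elif user_type == "admin":
            warnings.append("userType: grants admin, confirm this is intended")
        elif user_type not in BUILT_IN_USER_TYPES | set(known_custom_role_ids):
            errors.append(f"userType: {user_type!r} is not built in or a known custom role ID")
    return errors, warnings


# Constructed sample resources (not real accounts).
GOOD = {
    "schemas": [CORE_USER_SCHEMA],
    "userName": "dana@example.com",
    "displayName": "Dana Example",
    "active": True,
    "userType": "member",
    "phoneNumbers": [{"value": "+1 555 0100"}, {"value": "+1 555 0199", "primary": True}],
}
BAD = {
    "schemas": [CORE_USER_SCHEMA], "userName": "sam@example.com",
    "displayName": "Sam Example", "active": False, "userType": 12345,
}

if __name__ == "__main__":
    for label, user in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_new_user(user))
    print("displayed phone:", displayed_entry(GOOD["phoneNumbers"])["value"])
```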

  

Set Up Team Provisioning

When you assign a group to monday.com, a new Team is created in your monday.com account containing all the users that are assigned to that group in the identity provider.


Important Note: If you assign a group to the custom app within the identity provider, and there is a monday.com team with the same name, then the identity provider's group will replace it.
Additionally, as a privacy measure, we recommend coordinating the team provisioning with the monday.com admin, in order to avoid users losing access to their data or gaining access unintentionally.
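One way to review the replacement risk described in this note before assigning groups, as an added example that is not monday.com's own code: given the identity provider's groups and the account's existing teams, it reports which teams would be replaced and who would lose or gain membership. The function names, the trimmed case-insensitive name comparison, and the sample data are assumptions made for illustration.

```python
def normalize(name):
    # Assumption: compare names trimmed and case-insensitively so that
    # near-identical names are also surfaced for review.
    return name.strip().casefold()


def replacement_impact(idp_groups, existing_teams):
    """Report membership changes for IdP groups whose name matches a team.

    Both arguments map a group or team name to an iterable of user emails.
    """
    teams_by_key = {normalize(n): (n, set(m)) for n, m in existing_teams.items()}
    report = {}
    for group_name, members in idp_groups.items():
        match = teams_by_key.get(normalize(group_name))
        if match is None:
            continue  # no name collision: assigning the group creates a new team
        team_name, current = match
        incoming = set(members)
        report[group_name] = {
            "replaces_team": team_name,
            "lose_membership": sorted(current - incoming),
            "gain_membership": sorted(incoming - current),
        }
    return report


# Constructed sample data (not real accounts).
IDP_GROUPS = {
    "Design": ["ana@example.com", "bo@example.com"],
    "Finance": ["cy@example.com"],
}
EXISTING_TEAMS = {
    "design": ["bo@example.com", "dee@example.com"],
    "Support": ["eli@example.com"],
}

if __name__ == "__main__":
    for group, impact in replacement_impact(IDP_GROUPS, EXISTING_TEAMS).items():
        print(group, impact)
```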

 

The following table presents all team attributes supported in monday.com’s SCIM integration:

| monday.com Attribute | SCIM API Attribute(s) | Description |
|---|---|---|
| Name (required) | displayName | The team's displayed name |
| Users | members | List of users assigned to the team |

 

 

 

Keep in mind: The identity provider is the source of truth 

If you connect your monday.com account to SCIM, every data change performed in the monday.com platform will be overridden by the data sent via SCIM. As an example, let's say that a user is provisioned to be part of a team, and then you manually unassign them through the monday.com platform. The next time SCIM provisioning runs, it will re-assign them to the team.

 

Frequently Asked Questions

We've outlined a list of SCIM-related frequently asked questions for you. Click on this link here to check them out!

 

 


 

If you have any questions, please reach out to our team right here. We’re available 24/7 and happy to help.