Skip to main content

SCIM — automatic provisioning

With SCIM, your organization stops managing accounts manually in RuleForge. Your identity provider (Okta, Entra ID, OneLogin, etc.) becomes the source of truth: when someone joins or leaves the company, the account in RuleForge follows automatically.

What SCIM covers

  • Create accounts when a new user is assigned to the RuleForge application on your provider.
  • Update data (name, email, status) when it changes on the provider.
  • Deactivate accounts when the user leaves the company.
  • Sync groups to reflect the roles the user should have in RuleForge.

In short: you keep everything in one place, avoid orphan accounts, and reduce manual administration.

When to consider SCIM

Enable SCIM when:

  • your organization has more than a dozen users;
  • new members join and leave frequently;
  • compliance or audit requires access to be cut the same day a person is offboarded.

Small organizations can manage members directly on the Members and invitations screen without needing SCIM.

Before you start

SCIM makes sense when SSO with OIDC is already configured and in use. They go together: SSO handles login, SCIM handles account lifecycle.

To enable SCIM, you'll need, on the provider side:

  • a RuleForge application (usually the same one used for OIDC);
  • permission from your identity team to configure automatic provisioning on the application.

Availability in the interface

Today, SCIM endpoints are implemented and ready to receive synchronization from your provider. The configuration experience in the interface is still evolving, and certain advanced scenarios may require customer success support.

If you need to enable SCIM and don't find the complete option on screen, open a ticket so we can help configure it on your provider.

What happens when someone leaves the company

When the provider marks the user as inactive (or removes the application assignment), RuleForge deactivates the account. That person's audit records remain preserved — access is cut, but the history stays.

Common issues

Accounts aren't being created automatically

Confirm, on the provider, that provisioning for the RuleForge application is enabled and that the access token provided is still valid.

A user changed groups and the role didn't update

Check the group mapping configured on the provider and that the group matches exactly what's expected.