System for Cross-Domain Identity Management (SCIM)
Automate StackAI user and group provisioning from your Identity Provider.
SCIM lets your Identity Provider (IdP) manage StackAI access automatically. You can use it to automate onboarding and offboarding of users without manual intervention.
Use SCIM when users are managed centrally in Okta or Entra ID. Changes apply when people join, move teams, or leave.
Why SCIM helps
SCIM keeps your StackAI user access in sync with your IdP.
Provision users when they’re added in your IdP.
Deprovision users when they leave your organization.
Assign roles based on IdP role or group attributes.
Sync groups from your IdP into StackAI.
Key concepts
SCIM token: Bearer token used by your IdP to authenticate provisioning calls.
Role mapping: Rule that maps an IdP role value to a StackAI role.
Disable mode: Behavior for SCIM-managed users when SCIM is turned off.
Before you begin
You need two things before you can enable SCIM:
SSO configured in Settings → SSO Settings.
A default role selected in Settings → Provisioning. Once SSO is configured, go there to configure SCIM provisioning; all provisioned users receive the default role unless a role mapping applies.
You cannot enable SCIM until SSO is active for your organization.
Supported identity providers
StackAI supports any SCIM 2.0-compliant IdP, including:
Microsoft Entra ID (Azure AD)
Okta
Google Workspace
Ping Identity
JumpCloud
OneLogin
Auth0
Others (SCIM 2.0-compliant)
Set up SCIM
Role mappings
All SCIM-provisioned users get the Default role by default. Role mappings let you assign specific StackAI roles based on roles sent by the IdP.
When your IdP sends a role attribute (like Admin), StackAI checks the role mapping table and assigns the matching role. If no mapping matches, the Default Role applies.
Create a role mapping
Go to Settings → Provisioning → Role Mappings.
Click Add Mapping.
Enter the IdP Role Value — the exact role name as sent by your IdP.
Select the target StackAI Role (a refresher on StackAI Roles can be found here).
Save.
Role values are case-insensitive. Admin and admin resolve to the same mapping.
What gets synced
Users
StackAI supports the full user lifecycle.
Provision: Create new users.
Update: Sync attributes like name and email.
Deactivate: Setting active: false deactivates the user in StackAI.
Reactivate: Setting active: true restores access.
Groups
When Sync groups is enabled, IdP groups are mirrored in StackAI. Membership changes in the IdP sync automatically.
Disable SCIM
When you disable SCIM, choose a disable mode:
Soft (default): SCIM-managed users remain active. They keep their access but are no longer externally managed.
Lock: SCIM-managed users are deactivated. They lose access until manually reactivated by an Admin.
In both modes, StackAI revokes all SCIM tokens.
Lock mode immediately removes access for all SCIM-provisioned users. Use Soft mode if you want to preserve existing access during a transition.
Token management
Create multiple tokens — useful for rotating credentials with zero downtime.
Revoke a token — takes effect immediately. The IdP will receive 401 errors until a new token is configured.
Set an expiration — optional. Tokens without an expiration remain valid until revoked.
Token values are stored as secure hashes and are only shown once at creation time. If you lose a token, revoke it and create a new one.
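The rules described under Role mappings, What gets synced, Disable SCIM and Token management, modelled together in one small Python class. This is an added example, not StackAI's code; the role names Member and Editor, the HTTP status codes and the SHA-256 token hashing are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

# Constructed model of the provisioning rules on this page (not StackAI's code).
def hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()

class ScimEndpoint:
    def __init__(self, default_role, role_mappings):
        self.default_role = default_role
        self.role_mappings = {k.lower(): v for k, v in role_mappings.items()}  # case-insensitive
        self.tokens = {}  # token hash -> expiry epoch, or None for "valid until revoked"
        self.users = {}   # lower-cased userName -> {"role": ..., "active": ...}

    def create_token(self, expires_in=None):
        token = secrets.token_urlsafe(32)  # shown once; only its hash is stored
        self.tokens[hash_token(token)] = None if expires_in is None else time.time() + expires_in
        return token

    def revoke_token(self, token):
        self.tokens.pop(hash_token(token), None)  # the IdP gets 401 from now on

    def _authorized(self, auth_header):
        token = (auth_header or "").removeprefix("Bearer ")
        expiry = self.tokens.get(hash_token(token), "revoked")
        return expiry is None or (expiry != "revoked" and time.time() < expiry)

    def provision_user(self, auth_header, user_name, idp_role=None, auto_activate=True):
        if not self._authorized(auth_header):
            return 401, {"detail": "invalid or expired SCIM token"}
        role = self.role_mappings.get((idp_role or "").lower(), self.default_role)
        user = {"role": role, "active": auto_activate}
        self.users[user_name.lower()] = user
        return 201, user

    def set_active(self, auth_header, user_name, active):  # active: false / active: true
        if not self._authorized(auth_header):
            return 401, {"detail": "invalid or expired SCIM token"}
        user = self.users.get(user_name.lower())
        if user is None:
            return 404, {"detail": "user not found"}
        user["active"] = bool(active)
        return 200, user

    def disable(self, mode="soft"):
        self.tokens.clear()  # both Soft and Lock revoke every SCIM token
        if mode == "lock":   # Lock also deactivates every SCIM-managed user
            for user in self.users.values():
                user["active"] = False
```

A revoked or expired token fails authorization before any role or lifecycle logic runs, which is the 401 the Troubleshooting section refers to.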
Configuration options
Default role (required): Role applied when no role mapping matches.
Auto-activate users (default on): Activates new users when provisioned.
Sync groups (default on): Mirrors IdP groups into StackAI.
Troubleshooting
"The Enable SCIM toggle is grayed out": SSO must be configured, a default role must be set, and an IdP must be selected before you can enable SCIM.
"A provisioned user has the wrong role": Check your role mappings. If the IdP role value doesn't exactly match a mapping, the user falls back to the Default Role.
"The IdP is returning 401 errors": Your SCIM token may have been revoked or expired. Generate a new token and update your IdP configuration.
"A user was provisioned but can't log in": Confirm SSO is active and that the user's email in the IdP matches their StackAI profile. Email matching is case-insensitive.