Automated User Provisioning (SCIM) Overview
Joel Bradley avatar
Written by Joel Bradley
Updated over a week ago

Tags | SCIM | Provisioning |

Admin privileges required

Applies to: Basic, Business

Enterprise users can access their documentation here. Find your plan.


Overview

SCIM is an open API for securely sharing user information between online systems. In Stack Overflow for Teams Basic and Business, SCIM 2.0 support allows an Identity Provider (IdP) to automatically update Stack Overflow with the user's activation status and/or role. Unlike SAML 2.0, which passes user information only at login, SCIM 2.0 sends updates whenever they occur. This provides Stack Overflow for Teams near-real-time updates to user status and role as changes happen at the IdP.

Supported processes

The SCIM 2.0 integration supports the following automated processes for users that have already been created in Stack Overflow for Teams:

  • Deactivate a user.

  • Reactivate a deactivated user.

  • Optionally promote/demote a user between administrator, moderator, and regular user roles.

Stack Overflow for Teams' SCIM 2.0 integration will not create users. Users must still log on to Stack Overflow for Teams with a valid assertion from their IdP to create an account. That is, Stack Overflow uses "just in time" provisioning when a user presents a valid identity assertion. It does not support user creation over SCIM 2.0.

NOTE: enabling SCIM 2.0 support does not disable user management options within Stack Overflow for Teams. This means a user may have an active status in the IdP, yet be deactivated in Stack Overflow for Teams through the admin user management settings. We recommend standardizing on a single provisioning workflow within your organization to avoid confusion.

Set up SCIM 2.0 support on Stack Overflow for Teams

NOTE: SCIM settings become available only after you've set up SSO Authentication.

To access the SCIM integration page, click Admin Settings in the left-hand menu, then SCIM integration under the "ACCESS MANAGEMENT" heading.

This page has three controls:

  • Enable SCIM Determines whether or not the SCIM 2.0 API is active. Select this checkbox to enable SCIM 2.0 support.

  • Generate a SCIM authorization bearer token Generates the shared secret needed to configure an IdP for SCIM 2.0 integration. Treat this as a password. If lost, you must generate a new token and enter it at your IdP.

  • Allow SCIM to manage user roles Enables SCIM promotion/demotion between administrator, moderator, and regular user roles.

Once you've configured these settings, you'll complete the setup process at the IdP.

Configure the Identity Provider

The following instructions are general instructions for SCIM 2.0 compliant systems. If you are using one of the following IdPs, please follow the links for detailed configuration information.

The IdP must send SCIM 2.0 requests to https://stackoverflowteams.com/c/[your_site]/auth/scim/v2. In addition, it must send the following values as part of the user resource to correctly map the user and set their status:

  • userName The User ID (must match the Display Name Assertion provided in /admin/access/authentication).

  • active (true/false) Determines whether or not the user should be deactivated or reactivated in Stack Overflow for Teams.

  • Required fields for SCIM 2.0 (these are commonly mapped for you by your IdP):

    • name.givenName

    • name.familyName

    • email

  • userType (optional) Requires enabling Allow SCIM to manage user roles on the SCIM Integration settings page on Stack Overflow for Teams. Accepts values of "Registered", "Moderator", or "Admin".

NOTE: Microsoft Entra ID SCIM doesn't support user role promotion or demotion.


Need help? Submit an issue or question through our support portal.

Did this answer your question?