# Introduction For admins. The **Provisioning** screen shows setup options for automated user account management. With System for Cross-domain Identity Management (SCIM) provisioning you can create, update and deactivate users directly from your Identity Provider (IdP). Use this page to: - Enable automated provisioning and deprovisioning of users. - Manage user access centrally from your identity platform. --- # Prerequisites You need to have the Admin role in Foundational and admin permissions in your IdP. --- # Supported Identity Providers - Okta - Azure - Custom SCIM --- # Generic SCIM workflow There are no IdP parameters to enter into Foundational. The direction is one-way at setup time. Foundational generates the SCIM endpoint and token, and you paste these into the IdP as part of the process. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1823913901/b616210fa8060bb868bd76f0ede6/provisioing+scim+flow.png?expires=1781782200&signature=beb699274b1a31a25fa0a83e637ca07ff2de1562105e956c07432a4b520d7cc6&req=dSglFcB%2FnohfWPMW1HO4zbex%2FZfG9iH8TqpuIKHGN6C%2FnQ8zeljUSzXc7Kc0%0AzLHaRGsa8LUy9mdPT2k%3D%0A) 1. Create a Foundational SCIM account in th IdP. ​ 2. Paste the Foundational endpoint & token into the IdP. ​ 3. Assign users in the IdP to the SCIM Foundational account. ​ 4. Test the SCIM setup. --- # SCIM provisioning workflow for each IdP We’ve a wizard for each SCIM IdP. Here’s how to open the wizard. 1. Click your avatar, then go to **User Management** and select the **Provisioning** tab. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1823914446/2d79ddb34ffaf75181500ec8c795/provisioning+scim+start+screen.png?expires=1781782200&signature=120779ccb68b16824aeef5eed92afd07cd39ca1359a5ee01b7c6a9181c87174e&req=dSglFcB%2FmYVbX%2FMW1HO4zYQR%2Fxf0y2WXX15gHkgDqafG8TPScCWhNkLCSO8l%0Axoi2%0A) 2. Click **Add Connection**. The **Setup SCIM connection** screen opens. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1823914659/beaa2eda3e317017228811300478/provisioning+scim+select+screen.png?expires=1781782200&signature=34dbc12326777ea2d4299b595d1200477db73e56fff3a82c4913109b00d61601&req=dSglFcB%2FmYdaUPMW1HO4zfChE1evnDtAsV6as9uYFcg6xmYK%2FMqW%2Bmx5GGGS%0AIaaD%0A) 3. Enter an integration name. ​ 4. Click the relevant SCIM icon. A wizard opens specifically for the selected IdP. ​ **## Okta** This is the start screen that also shows the main process steps. ​ ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1823916196/3a73c7a5017810c2833d133207d0/provisioning+scim+okta+screen+1.png?expires=1781782200&signature=17ae7d6a7b1acb388f14425484a641a450538cb3b8e6a979b62fb5736755e2cf&req=dSglFcB%2Fm4BWX%2FMW1HO4zULMTC9GIUXe9B%2BlAGz3tWKWs0btJqlENS4xQmP%2F%0At9wOfFmrZzNKSLtPNGQ%3D%0A) **## Azure** This is the start screen that also shows the main process steps. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1823917234/1efa8f273a8bf4320c32936c2097/provisioning+scim+azure+screen+1.png?expires=1781782200&signature=9cef5ac415027ce7045daa0028849c7aa979d6d9e066cc88da410734db555db2&req=dSglFcB%2FmoNcXfMW1HO4zYmoZ%2FZKQPnk18neZJ%2F5WzGSWh9UD%2Bfm21wHObVR%0A3nCeTqctLuzTfv5i6Vs%3D%0A) **## Custom SCIM** This is the start screen that also shows the main process steps. ![](https://downloads.intercomcdn.com/i/o/pbbyfcys/1823918005/a64b33571fc14c7152fb57feeff7/provisioning+scim+custom+screen+1.png?expires=1781782200&signature=2d07da9303957be53bd48052f0fc8dc17dc59f2059f44defccb97b28c1a16b5c&req=dSglFcB%2FlYFfXPMW1HO4zRBs%2BKyjHsB9dm2ewI9xCKYdH8HVIvlHIEjA6RXw%0AsRafbAhJfgYOdvmYjog%3D%0A) --- # Troubleshoot SCIM connections Here are some possible issues and recommendation actions. | **Issue** | **Possible Cause** | Action | | ------------------------------------------------- | ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | | Connection test fails | Invalid SCIM endpoint or Bearer token. | Verify the endpoint URL and token from Foundational. Regenerate the token if needed and re-enter it in your IdP. | | Users not created in Foundational | Users or groups not assigned to the Foundational app in the IdP. | Check that users are assigned to the SCIM app. Only assigned users are provisioned. | | Provisioning requests fail | | | | (401 Unauthorized) | Token expired or missing in IdP configuration. | Reissue a new SCIM token in Foundational and update it in your IdP provisioning settings. | | Provisioning requests fail | | | | (403 Forbidden) | The IdP does not have permission to call the SCIM API. | Confirm that the IdP app has the correct API permissions and is using HTTPS. | | User attributes not syncing | Attribute mapping mismatch between IdP and Foundational. | Review attribute mappings in the IdP (e.g., `userName`, `email`, `displayName`, `active`). Adjust to match Foundational’s schema. | | Deactivated users remain active | “Deprovisioning” not enabled in the IdP. | Ensure your IdP provisioning settings include “Deactivate users” or “Disable users on unassignment.” | | Sync delays or missing updates | IdP provisioning interval not immediate. | Check the provisioning schedule in your IdP. Okta and Azure often sync every 40–60 minutes by default. | | Provisioning test succeeds but users don’t appear | Test user created but sync not yet committed. | Wait for the next sync cycle or trigger a manual sync from your IdP. | --- # Still can’t connect? Reach out to customer support. We’re here to help!