Skip to main content

SCIM Integration for automated user provisioning

SCIM is a standardized protocol used by identity providers to automatically provision, update, and deprovision users.

John-Henry Forster avatar
Written by John-Henry Forster
Updated this week

Skedda now supports SCIM (System for Cross-domain Identity Management) to help you automate user management! If you’re using Microsoft Entra ID (Azure AD) as your identity provider (IdP), you can seamlessly sync user access with your Skedda venues. Support for additional identity providers, starting with Okta, is coming soon.

This article explains what SCIM does, how it works in Skedda, and how to get started.

Prerequisites
SCIM Integration feature is included in the Premier Plan with Skedda Workplace. If you are subscribed to a plan that does not include this feature, please reach out to our team to discuss the upgrade.

What is SCIM?

SCIM is a standardized protocol used by identity providers to automatically provision, update, and deprovision users. Instead of managing users manually in Skedda, your IdP handles it for you.

Supported features:

  • Users are automatically added to your venue when assigned in your IdP.

  • User details (e.g., name, email, tags) can be updated automatically from the IdP.

  • Users are automatically deactivated or removed in Skedda when they are removed from the IdP

  • Group and department information can be synced as user custom tags in Skedda.

SCIM complements existing SAML SSO integrations. If you're already using SSO, adding SCIM will fully automate your identity management.

How Skedda SCIM works

Each Skedda venue has its own SCIM base URL, allowing you to manage access independently.

Why is it venue-specific? Because venues are independent, managing SCIM per venue aligns with our SSO approach and simplifies permission handling.

What gets synced?

We support the core SCIM 2.0 specification and sync:

  • Key user attributes:

Attribute

Field name

Sync behavior

Username

userName

IdP unique identifier for login. Required for user and should follow email address format.

First name

name.givenName

User's first name

Last name

name.familyName

User's last name

Emails

emails[primary eq true]

User's email

Active

active

Indicates if the user is active

Preferred language

preferredLanguage

User’s interface language

Locale

locale

Culture-specific formatting (dates, times, etc.)

  • Groups:

Group name

displayName

Become custom tags in Skedda.

Members

members

Group users.

Only the attributes listed above are supported by Skedda. Please ensure your IdP doesn’t attempt to sync unsupported attributes, as these will be ignored or may cause provisioning errors.

Skedda uses the SCIM Group resource to handle tags. This means your IdP groups can act as labels or attributes assigned to users in Skedda, enabling the implementation of specific rules and policies for those tagged users.

How to set it up

Microsoft Entra ID (Azure AD)

  1. Create a new SCIM application in Microsoft Entra ID, giving it a meaningful name.

    1. Keep the default setting (non-gallery)

  2. Setup SSO (optional)

    1. Use our instructions from here

    2. This step is not required if you’re using another IdP / Entra ID application for SSO. Just make sure that the NameID and userName values match between your SSO setup and this SCIM integration.

  3. Assign Users and Groups (optional)

    1. By default, Entra ID can provision all users/groups. For testing or controlled rollout, assign only selected users/groups:

      1. Go to your new application

      2. Click "Users and groups", then add the specific users or groups you want to sync.

  4. Enable SCIM in Skedda

    1. In Skedda go to the SSO settings, click “Edit” and tick the “Enable SCIM integration”. Save the settings

  5. Configure SCIM in Azure

    1. Go to the Provisioning tab of the Entra ID application. Click “New configuration”. Enter the SCIM Base URL and Token from the SSO settings page in Skedda.

    2. Click “Test connection” and then “Create” if the connection was successful.

  6. Map attributes and groups you want to provision.

    1. For Groups keep only “displayName” and “members”:

    2. For Users keep “userName”, “active”, “emails[type eq "work"].value”, “name.givenName”, “name.familyName”, "preferredLanguage" and "locale".

      1. Important: by default Azure maps the “userName” to “userPrincipalName” and “email” to “mail” properties. You might want to adjust it due to the following considerations:

        1. The “userName” should be mapped to whatever your SSO NameID attribute is mapped to. Please note that Skedda expects this attribute to be in the email format. It’s best to test the SSO integration first to confirm.

        2. The primary email address (attribute is “emails[type eq "work"].value”) should be mapped to whatever you want to be a user’s email address. Sometimes it’s the same “userPrincipalName”, sometimes it’s something else. This email address will be used as the email address of a user in Skedda.

  7. Optional: Use Provision on demand initially and check all is working as expected.

  8. Start auto-provisioning and you're done!

Okta (coming soon)

  1. Add Skedda from the Okta Integration Network

    1. In Okta, go to Applications → Browse App Catalog

    2. Search for Skedda

    3. Select the official Skedda application

    4. Click Add Integration.

  2. Copy your venue ID from Relay State field in Skedda and paste it into Venue ID in Okta.

  3. (Optional) Configure SSO in Okta:

    1. In the Skedda app → Sign On tab

    2. Follow the Skedda SSO instructions

    3. Make sure to select Email for the Application username format on the Sign On tab.

  4. Enable SCIM in Skedda

    1. In Skedda go to the SSO settings, click “Edit” and tick the “Enable SCIM integration”. Save the settings.

    2. Copy SCIM Bearer Token.

  5. Configure SCIM API Integration in Okta.

    Go to the Provisioning tab of the Skedda app.

    1. Under Settings → Integration, click Configure API Integration.

    2. Enable API Integration.

    3. Paste the Bearer Token from Skedda into API Token.

    4. Click Test API Credentials.

      1. You should see a green success message.

    5. Save your settings.

  6. Enable Provisioning Features:

    • Create Users

    • Update User Attributes

    • Deactivate Users

  7. Review and Adjust Attribute Mappings

    1. Refer to supported attributes here.

  8. Push Groups from Okta to Skedda

    If you want Okta groups to appear as Skedda tags:

    1. Go to Push Groups → Push Groups.

      1. Push groups By name or By rule.

      2. Groups will appear inside Skedda as custom tags.

Deprovisioning behavior

Inactive users are deleted and their bookings will be anonymized by updating the booking holder to the default 'Casual user'.

Not supported features

At the moment we don't support the following SCIM features:

  • Users created in Skedda are not imported to your IdP

  • User profile updates in Skedda are not imported to your IdP

Tips and best practices

  • We recommend setting up one SCIM app per venue for simplicity and clarity.

  • Use groups/tags in your IdP to map to Skedda user custom tags.

  • SCIM does not control admin privileges, assign those manually in Skedda.

  • Configure SCIM and SAML together for full automation.

Troubleshoot

If you need support configuring your identity provider, reach out to our team via Intercom or review our related guide on SSO Configuration.

Did this answer your question?