
What is the User Provisioning SCIM standard and how does it work?

In this article you will learn:

  • What User Provisioning with SCIM is
  • Why you should set up User Provisioning for your team 
  • Who can use it
  • How to get started

What is User Provisioning with SCIM?

With Single Sign-on (SSO) users can authenticate in Sherpany using an external Identity Provider. User attributes like Email and Name are updated in Sherpany every time a user logs in.

User Provisioning builds on top of that and also allows the Enterprise Identity Provider to write User attributes to the Sherpany database whenever necessary (without waiting for a user to log in).

User Provisioning with SCIM (System for Cross-Domain Identity Management) allows you to manage your users (create, change, deactivate) within Sherpany using your internal Identity Management systems (e.g. Azure AD).

SCIM is a REST API with a clearly defined structure. Many vendors (such as Microsoft, GitHub, Slack, and Salesforce) support the SCIM standard and there are libraries available for various programming languages (such as Java and Python).
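The create and deactivate operations described above, expressed as SCIM 2.0 (RFC 7643/7644) messages. This is an added example, not Sherpany's code or API: the in-memory `ScimServiceProvider`, the `can_log_in` helper and the sample user are hypothetical, and the PATCH handler covers only top-level attributes such as `active`.

```python
import json, uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimServiceProvider:
    """Toy in-memory stand-in for the application side (hypothetical)."""
    def __init__(self):
        self.users = {}

    def handle(self, method, path, body=None):
        msg = json.loads(body) if body else {}
        if method == "POST" and path == "/Users":             # create
            if USER_SCHEMA not in msg.get("schemas", []):
                return 400, {"detail": "missing User schema"}
            if any(u["userName"] == msg["userName"] for u in self.users.values()):
                return 409, {"scimType": "uniqueness"}
            user = dict(msg, id=str(uuid.uuid4()))
            user.setdefault("active", True)
            self.users[user["id"]] = user
            return 201, user
        if method == "PATCH" and path.startswith("/Users/"):  # change / deactivate
            user = self.users.get(path.split("/")[2])
            if user is None:
                return 404, {"detail": "unknown user"}
            if PATCH_SCHEMA not in msg.get("schemas", []):
                return 400, {"detail": "missing PatchOp schema"}
            for op in msg["Operations"]:
                # Some IdPs send "Replace" capitalised; op names are case-insensitive.
                if op["op"].lower() != "replace" or "path" not in op:
                    return 400, {"scimType": "invalidSyntax"}
                user[op["path"]] = op["value"]
            return 200, user
        return 404, {"detail": "unsupported"}

    def can_log_in(self, user_id):
        # The application must check `active` on every login attempt.
        return self.users[user_id].get("active", False)

def run_lifecycle():
    sp = ScimServiceProvider()
    create = {"schemas": [USER_SCHEMA], "userName": "alice@example.com",  # constructed sample
              "name": {"givenName": "Alice", "familyName": "Example"},
              "emails": [{"value": "alice@example.com", "primary": True}]}
    status, user = sp.handle("POST", "/Users", json.dumps(create))
    before = sp.can_log_in(user["id"])
    offboard = {"schemas": [PATCH_SCHEMA],
                "Operations": [{"op": "replace", "path": "active", "value": False}]}
    status2, _ = sp.handle("PATCH", f"/Users/{user['id']}", json.dumps(offboard))
    return status, before, status2, sp.can_log_in(user["id"])
```

The deactivation takes effect as soon as the Identity Provider sends the PATCH, without waiting for the user's next login.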

Why should you set up User Provisioning for your team?

Three of the most important reasons to set up User Provisioning for your organization: 

  1. User Provisioning saves administrators time and expense. With User Provisioning, changes to user details only need to be made in one place, which reduces the time administrators spend keeping permissions up to date in Sherpany. As we all know, time equals money. User Provisioning saves time and therefore saves money.
  2. With User Provisioning, your organization will be more secure. Users changing departments within the company will automatically lose access to resources they are not supposed to see in Sherpany. User Provisioning also supports offboarding users when they leave the company.
  3. User Provisioning leverages existing investment. Many companies use a central user identity database (LDAP / AD) to manage users' identities. You can use the existing system and processes to assign roles in Sherpany. So if a user changes from one department to another, that can automatically be reflected in permission changes in Sherpany.

Who can use it?

Single Sign-on (SSO) in Sherpany is designed for internal users managed by your organisation’s Identity Provider (IdP). For security reasons, only company-managed email domains can be enabled for SSO authentication. This ensures that access to Sherpany is fully controlled by your organisation’s identity and security policies (user lifecycle, access revocation, password rules, etc.).

Users with external or public email domains (for example Gmail, Bluewin, etc.) are therefore required to log in using email & password with 2-factor authentication (2FA). This setup is common in Board scenarios, where internal users access Sherpany via SSO, while Board members or other external participants authenticate via password & 2FA, ensuring a secure and compliant access model for all users.

How to get started? Set up User Provisioning with SCIM

Are you considering setting up User Provisioning with SCIM for Sherpany at your organization?

Simply contact us to get started. Our team will be happy to support you.
