Skip to main content
SCIM provisioning is currently in beta. Requires Enterprise plan.
SCIM (System for Cross-domain Identity Management) lets your identity provider automatically create, update, and deactivate user accounts in Ona. Instead of manually inviting users or removing access, your IdP pushes changes to Ona as they happen in your directory.

How it works

When SCIM is configured, your identity provider communicates with Ona through a SCIM endpoint using a bearer token for authentication. Changes in your IdP directory — such as adding a new employee or disabling an account — are automatically reflected in your Ona organization. SCIM provisioning is linked to an existing SSO login provider. The linked SSO configuration determines how provisioned users authenticate when signing in to Ona.

Prerequisites

  • An active SSO login provider configured in your organization
  • Admin-level access to your organization settings in Ona
  • Admin access to your identity provider (e.g., Microsoft Entra ID)

Setting up SCIM in Ona

Step 1. Open SCIM configuration

Navigate to Organization Settings > Login and Security. Scroll to the SCIM Provisioning section. SCIM not configured SCIM Provisioning — initial state Click Setup now to begin.

Step 2. Create a SCIM configuration

In the configuration dialog:
  1. Select the Linked SSO configuration — this is the SSO provider that provisioned users will use to sign in
  2. Enter a Name for this SCIM configuration
  3. Click Create
New SCIM configuration New SCIM configuration — select SSO provider and name After creation, Ona displays the SCIM endpoint URL and a bearer token.
Copy the bearer token immediately. It is shown only once and cannot be retrieved later.
You will need both the endpoint URL and the token to configure your identity provider in the next step.

Configuring your identity provider

Microsoft Entra ID

  1. Open the Microsoft Entra admin center
  2. Navigate to Enterprise Applications and select the application you created for Ona SSO
  3. Go to Provisioning and select Provisioning again
  4. Set Provisioning Mode to Automatic
  5. Under Admin Credentials, configure the following:
    • Authentication Method: Bearer Authentication
    • Tenant URL: Paste the SCIM endpoint URL from Ona
    • Secret Token: Paste the bearer token from Ona
  6. Click Test Connection to verify the configuration
Entra provisioning configuration Microsoft Entra — provisioning admin credentials Once the test succeeds, save the configuration and enable provisioning.

Scoping users

We recommend provisioning only the users who will use Ona, rather than your entire directory. You can control this with scoping filters in your identity provider. In Microsoft Entra:
  1. In the Provisioning tab, select Mappings
  2. Open the mapping for Users or Groups
  3. Under Source Object Scope, add a Scoping Filter Group to limit which users are provisioned
For details on building scoping filters, see Microsoft’s scoping filter documentation.