MemorySync
Enterprise

SCIM

Automated user and group provisioning from your identity provider into MemorySync via SCIM 2.0. When you add or remove someone in your IdP, SCIM ensures MemorySync stays in sync automatically — no manual user management required.

What is SCIM

SCIM (System for Cross-domain Identity Management) is an open standard that automates user lifecycle management between your identity provider and MemorySync. Instead of manually creating accounts, assigning roles, and cleaning up departed employees, SCIM handles it all:

  • Provisioning. When you assign a user to the MemorySync app in your IdP, SCIM automatically creates their account with the correct role and sends a welcome email.
  • Updates. Name changes, email changes, and group membership changes in the IdP are pushed to MemorySync in real time via webhooks.
  • Deprovisioning. When you unassign or deactivate a user in the IdP, their MemorySync access is revoked immediately. You choose whether that means deactivation, soft delete, or hard delete.
  • Group sync. IdP groups can be mapped to MemorySync teams, keeping team membership synchronized automatically.

Supported Providers

| Provider | Notes |
| --- | --- |
| Okta | Native SCIM 2.0 connector. Supports push groups, real-time webhooks for user lifecycle events. |
| Azure AD | SCIM provisioning app from the Microsoft enterprise gallery. Automatic attribute mapping. |
| OneLogin | SCIM provisioning with real-time webhook support for user create, update, and deactivate events. |

Setup Guide

  1. In MemorySync: Settings → SCIM → Generate Token. A secure bearer token is generated. Copy it immediately — it is only shown once and never displayed again.
  2. In your IdP: configure the SCIM endpoint URL as https://api.memorysync.io/scim/v2 and paste the bearer token.
  3. Test the connection by provisioning a sandbox user: create, update, then deactivate. Verify each step appears in MemorySync’s SCIM sync logs.
  4. Map your IdP groups to MemorySync teams in Settings → SCIM → Group Mapping.
  5. Enable for production: assign your full user population to the app in your IdP, and SCIM will provision them automatically.
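
The create, update, deactivate test from step 3, shown as the standard SCIM 2.0 requests (RFC 7643/7644) an IdP sends to the endpoint from step 2. This is an added example, not MemorySync's own code. The sandbox user, the `idp-0001` external ID, the `SCIM_TOKEN` environment variable and the `SERVER-ASSIGNED-ID` placeholder are assumptions, and which attributes MemorySync requires is not stated on this page.

```python
import json
import os
import urllib.request

BASE_URL = "https://api.memorysync.io/scim/v2"                  # endpoint from step 2
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"      # RFC 7643
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644


def create_user(user_name, given, family, external_id):
    """POST /Users: sent when a user is assigned to the app in the IdP."""
    body = {
        "schemas": [USER_SCHEMA],
        "userName": user_name,
        "externalId": external_id,  # the IdP's own identifier for the user
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": user_name, "primary": True, "type": "work"}],
        "active": True,
    }
    return ("POST", "/Users", body)


def patch_user(user_id, path, value):
    """PATCH /Users/{id}: replace one attribute with a SCIM PatchOp."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": path, "value": value}]}
    return ("PATCH", f"/Users/{user_id}", body)


def lifecycle(user_id="SERVER-ASSIGNED-ID"):
    """Create, update, deactivate. user_id is the `id` from the create response."""
    return [
        create_user("sandbox.user@example.com", "Sandbox", "User", "idp-0001"),
        patch_user(user_id, "name.familyName", "Renamed"),
        patch_user(user_id, "active", False),  # common IdP deactivation request
    ]


def build_request(step, token):
    """Turn one step into an HTTP request carrying the bearer token."""
    method, path, body = step
    return urllib.request.Request(
        BASE_URL + path, method=method, data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/scim+json"})


if __name__ == "__main__":
    token = os.environ.get("SCIM_TOKEN", "PLACEHOLDER")  # keep the token out of source
    for step in lifecycle():
        req = build_request(step, token)  # built and printed only, nothing is sent
        print(req.get_method(), req.full_url, json.dumps(step[2]))
```

Each of the three requests should produce its own entry in the SCIM sync logs; a 401 on the first one points at the token rather than the payload.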

User Provisioning Settings

These settings control how SCIM handles user lifecycle events. Configure them in Settings → SCIM → Configuration.

| Setting | Default | Description |
| --- | --- | --- |
| auto_provision | true | Automatically create MemorySync accounts when users are provisioned via SCIM. |
| auto_deprovision | false | Automatically remove access when users are deprovisioned in the IdP. Disabled by default for safety — enable after testing. |
| default_role | developer | Role assigned to newly provisioned users. Can be overridden by group mapping. |
| send_welcome_email | true | Send a welcome email to users when their account is created via SCIM. |
| delete_behavior | deactivate | What happens when a user is deleted via SCIM. Options: deactivate (revoke access, keep data), soft_delete (mark for deletion), hard_delete (immediately remove all data). |
| sync_groups | false | Sync IdP groups to MemorySync teams. Enable this after configuring group mappings. |
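
A pre-production review of these settings, as an added example that is not part of MemorySync: it flags the combinations that matter for offboarding and data loss, using only the setting names, defaults and options listed above. The dict export format, the `group_mappings` count and the severity labels are assumptions.

```python
# Defaults and options exactly as listed in the settings table above.
DEFAULTS = {
    "auto_provision": True, "auto_deprovision": False,
    "default_role": "developer", "send_welcome_email": True,
    "delete_behavior": "deactivate", "sync_groups": False,
}
DELETE_BEHAVIORS = ("deactivate", "soft_delete", "hard_delete")


def audit(settings, group_mappings=0):
    """Return (severity, setting, message) tuples for a SCIM configuration.

    settings: dict keyed by the setting names above (export format is assumed);
    missing keys take the documented default. group_mappings: number of
    IdP-group-to-team mappings configured.
    """
    findings = []
    for key in sorted(set(settings) - set(DEFAULTS)):
        findings.append(("warn", key, "not a documented setting, possible typo"))
    cfg = {**DEFAULTS, **settings}
    if cfg["delete_behavior"] not in DELETE_BEHAVIORS:
        findings.append(("high", "delete_behavior", "not a documented option"))
    elif cfg["delete_behavior"] == "hard_delete":
        findings.append(("high", "delete_behavior",
                         "a mistaken SCIM delete immediately removes all user data"))
    if not cfg["auto_deprovision"]:
        findings.append(("high", "auto_deprovision",
                         "access is not removed automatically when the IdP deprovisions a user"))
    if cfg["sync_groups"] and group_mappings == 0:
        findings.append(("warn", "sync_groups", "enabled but no groups are mapped"))
    if not cfg["sync_groups"] and group_mappings > 0:
        findings.append(("warn", "sync_groups", "groups are mapped but sync is disabled"))
    if cfg["auto_provision"]:
        findings.append(("info", "default_role",
                         f"users without a mapped group are created as '{cfg['default_role']}'"))
    return findings


if __name__ == "__main__":
    # Constructed sample: deprovisioning enabled together with hard delete.
    sample = {"auto_deprovision": True, "delete_behavior": "hard_delete",
              "sync_groups": True}
    for severity, setting, message in audit(sample, group_mappings=0):
        print(f"[{severity}] {setting}: {message}")
```

Run against the documented defaults, it reports `auto_deprovision` as the open item: until that setting is enabled, offboarding in the IdP does not by itself remove MemorySync access.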

Group Mapping

Group mapping connects your IdP’s group structure to MemorySync teams. When a user belongs to an IdP group that is mapped to a MemorySync team, they are automatically added to that team on provisioning and removed when their group membership changes.

  • External group ID. The unique identifier your IdP uses for the group. This is matched during sync.
  • Group display name. The human-readable name of the IdP group, stored for reference in the dashboard.
  • Internal team mapping. The MemorySync team that the IdP group maps to. Members of the IdP group are added as members of this team.
  • Member count tracking. MemorySync tracks how many members are in each mapped group, updated on every sync.

Group sync schedule

Group memberships sync on three triggers: (1) real-time via IdP webhooks, (2) on a configurable schedule (manual, hourly, or daily), and (3) on-demand via the Force Sync button in Settings → SCIM.

Sync Jobs & Scheduling

Every SCIM synchronization — whether triggered manually, by schedule, or by webhook — is recorded as a sync job with full observability.

| Field | Description |
| --- | --- |
| Trigger | How the sync was started: manual (dashboard button), scheduled (hourly/daily), or webhook (real-time push from IdP). |
| Status | Current state: pending, running, success, partial (some users failed), or failed. |
| Results | Counts of users created, updated, deprovisioned, and skipped. Groups synced count if group sync is enabled. |
| Error count | Number of individual errors encountered during the sync. Click through to see each error with remediation guidance. |
| Scheduling | Configure sync frequency: manual (only on-demand), hourly, or daily. Syncing can be paused with a reason. |

Webhook event processing

Real-time webhooks from your IdP are processed idempotently — duplicate deliveries are safely ignored, and transient delivery failures are retried automatically.

Conflicts & Troubleshooting

When SCIM encounters a situation it cannot resolve automatically, it creates a conflict record that you can review and resolve in the dashboard.

| Conflict Type | What It Means |
| --- | --- |
| duplicate_email | A user with this email already exists in MemorySync but was not provisioned via SCIM. Resolve by merging or skipping. |
| missing_required_field | The IdP did not send a required field (like email). Fix the attribute mapping in your IdP. |
| role_mapping_error | The user’s IdP group does not match any configured group-to-role mapping. Add a mapping or set a default role. |
| suspended_user | The IdP is trying to update a user who has been suspended in MemorySync. Unsuspend the user first or skip. |
| existing_non_scim_user | A manually-created user matches the SCIM external ID. Decide whether to link (merge) or keep them separate. |

Each conflict can be resolved with one of these actions: skip (ignore this time), override (force the SCIM change), merge (link existing account to SCIM), or manual (mark for admin review). Resolution is tracked with timestamps and the admin who resolved it.

  • SCIM 401 errors. Your bearer token was rotated or is incorrect. Generate a new token in Settings → SCIM and update it in your IdP.
  • Users created but not assigned to teams. Group sync is disabled or group mappings are not configured. Enable sync_groups and map at least one group.
  • Deactivated users still appearing. The delete_behavior is set to deactivate, which preserves the account but revokes access. Switch to soft_delete or hard_delete if you want them fully removed.