
Provision users with SCIM

Enterprise plan Owner or Admin

SCIM lets your identity provider (Microsoft Entra, Okta, OneLogin, and any other SCIM 2.0 capable IdP) manage the user lifecycle in Onplana automatically: new hires get accounts, role changes flow through, and leavers lose access the moment your IT team deactivates them.

  • SSO must be configured with at least one verified email domain. SCIM refuses to create users whose email domain is not on the verified list.
  • You need admin access to your identity provider.

  1. Open Organization Settings, go to the Security & Compliance tab, and find the SCIM section.

  2. Generate the SCIM bearer token and copy your organization’s endpoint URL. The token is shown once; if you lose it, regenerate it.

  3. In your identity provider, create a SCIM-enabled app, paste the endpoint URL and token, and assign the users or groups who should be provisioned.

Provisioned users land as Member by default, which is the lowest-effort setup. If you want your IdP to drive roles instead, map a role attribute with the values MEMBER, MANAGER, or ADMIN, or push one of the three fixed groups named Members, Managers, or Admins.
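
As a pre-flight check before assigning users in the IdP, the following added example (not Onplana's code) lints SCIM 2.0 User payloads against the two rules above: the verified email domain requirement and the allowed role values or fixed groups. It assumes the role is sent in the core `roles` attribute, that matching is exact, and that a user carrying two different roles needs review; the sample payloads are constructed.

```python
"""Pre-flight lint for SCIM 2.0 User payloads (added example, not Onplana code)."""
ALLOWED_ROLES = {"MEMBER", "MANAGER", "ADMIN"}  # role values listed on this page
FIXED_GROUPS = {"Members": "MEMBER", "Managers": "MANAGER", "Admins": "ADMIN"}
DEFAULT_ROLE = "MEMBER"  # provisioned users land as Member by default


def primary_email(user):
    """Primary email of a SCIM User resource, falling back to userName."""
    emails = [e for e in user.get("emails") or [] if e.get("value")]
    for e in emails:
        if e.get("primary"):
            return e["value"]
    return emails[0]["value"] if emails else user.get("userName", "")


def preflight(user, verified_domains, groups=()):
    """Return (ok, role, problems). Assumes the role is sent in the core `roles`
    attribute and that domain and role matching is exact (domain case-insensitive)."""
    problems = []
    email = primary_email(user).strip()
    local, at, domain = email.rpartition("@")
    if not (local and at and domain):
        problems.append(f"no usable email address: {email!r}")
    elif domain.lower() not in {d.lower() for d in verified_domains}:
        problems.append(f"domain {domain.lower()!r} is not on the verified list")
    sent = {str(r.get("value", "")) for r in user.get("roles") or []}
    unsupported = sorted(sent - ALLOWED_ROLES)
    if unsupported:
        problems.append(f"unsupported role value(s): {unsupported}")
    # Roles can come from the attribute or from one of the three fixed groups.
    candidates = (sent & ALLOWED_ROLES) | {FIXED_GROUPS[g] for g in groups if g in FIXED_GROUPS}
    if len(candidates) > 1:  # the page does not say which wins, so flag for review
        problems.append(f"conflicting roles: {sorted(candidates)}")
    role = next(iter(candidates)) if len(candidates) == 1 else DEFAULT_ROLE
    return (not problems, role, problems)


# Constructed sample payloads; names and domains are placeholders.
SAMPLE = [
    {"userName": "ana@example.com", "roles": [{"value": "MANAGER"}],
     "emails": [{"value": "ana@example.com", "primary": True}]},
    {"userName": "bo@contractor.example",
     "emails": [{"value": "bo@contractor.example", "primary": True}]},
    {"userName": "cy@example.com", "roles": [{"value": "Owner"}]},
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(u["userName"], preflight(u, ["example.com"]))
```

Run it over an export of the users you plan to assign; anything it flags is worth fixing in the IdP before provisioning starts.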

When your IdP deactivates a user, only their membership in your organization is suspended. If the person also belongs to other Onplana organizations (a freelancer working with several clients, for example), those memberships are untouched and they keep signing in there.

Deactivation preserves everything: the membership row, team assignments, reviewer designations, and work history all survive. The person simply cannot access your organization while deactivated, and other admins see a deactivated badge next to their name.

When your IdP reactivates the user, Onplana restores the membership with the role they held before deactivation. Nothing needs to be re-created.

Does deactivating a user delete their work? No. Tasks, comments, time entries, and history stay attached to the person. Deactivation only blocks their access to your organization.

Can a deactivated reviewer block a governance gate? No. Deactivated members are skipped when approval quorums are calculated, so a panel never waits on someone who cannot sign in.

What happens if my IdP sends a user with an unverified email domain? The request is rejected with a clear error. Add the domain to your verified list in the SSO configuration and re-run provisioning.

Where do I see what SCIM has done? Provisioning events are written to the audit trail. See Read audit logs.