SCIM Setup

This article describes how to set up SCIM for automated provisioning and deprovisioning.

Written by Kevin Qiu
Updated over a week ago

Prerequisites

  • You will need to be both a SafeBase admin and an identity provider admin to complete this setup.

  • You will need to have already set up SAML and toggled on the enforce SAML setting in the Settings page.

  • This feature is included in all enterprise plans and is available as an add-on for growth plans. Please contact your CSM if you want to confirm eligibility.

Setup

Once you have contacted your CSM to get the SCIM feature enabled, you will see a new "Directory Sync" option in the Settings page under Organization Members.

Click this button to open a modal, then select Go To Directory Sync.

This opens a new tab for our middleware service, WorkOS, which we use to provide the SCIM feature. You will be asked to select your identity provider.

For each provider, WorkOS provides the exact steps and screenshots you will need to follow. You will be able to choose options such as:

  • Import new users into SafeBase based on IdP permissions

  • Import changes to users, such as name/email changes

  • Automatically suspend users in SafeBase if they are suspended in the IdP or removed from the appropriate group(s)

Note: Since you already created a SAML app during the SAML setup, you can reuse it and only need to add the SCIM information. In the screenshot below, a SCIM Base URL and OAuth Bearer Token have been added using the values WorkOS provided.

Permissions

  • Once setup is complete, users will begin to appear in SafeBase. Existing users who were created through standard Just-In-Time provisioning before SCIM was enabled will not be provisioned again.

  • If you chose to push groups via SCIM (the WorkOS instructions explain how), you will see a Groups tab that lets you map a specific group to a role. Users who are not in any of these groups inherit the default role, which we recommend setting to Viewer or Knowledge Base Viewer.

Permissions inheritance

Note that you can override a specific user's permissions using the existing Role selector in the Users tab. Our app computes a user's effective role as the highest permission level granted by either their group mappings or the Role selector. For example, if a user is in the group Sales Department, which is mapped to Viewer, but is granted Admin in the Role selector, they will be an Admin. Conversely, if Viewer is selected in the Role selector and a group grants them Account Manager privileges, they will be an Account Manager.
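The following Python snippet is an added illustration of the group-to-role mapping, default role and "highest of group role and Role selector" computation described in the Groups tab bullet and the paragraph above. It is not SafeBase's or WorkOS's code. The article only establishes that Admin and Account Manager outrank Viewer; the full ranking in ROLE_RANK (including where Knowledge Base Viewer sits), the group names, the e-mail addresses and the audit helper are assumptions and constructed sample data.

```python
"""Effective-role computation for SCIM-provisioned users (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed privilege ranking, lowest to highest. The article states only that
# Admin > Viewer and Account Manager > Viewer; the rest is an assumption.
ROLE_RANK: Dict[str, int] = {
    "Knowledge Base Viewer": 0,
    "Viewer": 1,
    "Account Manager": 2,
    "Admin": 3,
}

# Recommended default role for users who are in none of the mapped groups.
DEFAULT_ROLE = "Viewer"

# Constructed group -> role mapping, as it would be configured on the Groups tab.
GROUP_ROLE_MAP: Dict[str, str] = {
    "Sales Department": "Viewer",
    "Security Team": "Account Manager",
}


@dataclass
class User:
    email: str
    groups: List[str] = field(default_factory=list)
    override_role: Optional[str] = None  # value chosen in the Role selector, if any
    suspended: bool = False              # suspended in the IdP or removed from groups


def _rank(role: str) -> int:
    """Return the rank of a role, rejecting unknown names instead of silently ranking them."""
    if role not in ROLE_RANK:
        raise ValueError(f"unknown role: {role!r}")
    return ROLE_RANK[role]


def role_from_groups(groups: List[str],
                     group_role_map: Dict[str, str] = GROUP_ROLE_MAP,
                     default_role: str = DEFAULT_ROLE) -> str:
    """Highest role granted by any mapped group; the default role if none match."""
    mapped = [group_role_map[g] for g in groups if g in group_role_map]
    if not mapped:
        return default_role
    return max(mapped, key=_rank)


def effective_role(user: User,
                   group_role_map: Dict[str, str] = GROUP_ROLE_MAP,
                   default_role: str = DEFAULT_ROLE) -> Optional[str]:
    """Highest of the group-derived role and the Role selector override.

    Returns None for a suspended user, who should have no access at all.
    """
    if user.suspended:
        return None
    candidates = [role_from_groups(user.groups, group_role_map, default_role)]
    if user.override_role:
        candidates.append(user.override_role)
    return max(candidates, key=_rank)


def admins_by_override_only(users: List[User]) -> List[str]:
    """E-mails of users who are Admin solely because of a manual Role selector override.

    Such grants are invisible in the IdP's group membership, so they are worth
    reviewing periodically (assumed audit helper, not a SafeBase feature).
    """
    result = []
    for u in users:
        if effective_role(u) == "Admin" and role_from_groups(u.groups) != "Admin":
            result.append(u.email)
    return result


# Constructed sample users mirroring the article's two examples.
SAMPLE_USERS = [
    User("sales-admin@example.com", ["Sales Department"], override_role="Admin"),
    User("sec-viewer@example.com", ["Security Team"], override_role="Viewer"),
    User("nobody@example.com", []),
    User("gone@example.com", ["Security Team"], suspended=True),
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(f"{u.email}: {effective_role(u)}")
    print("Admin via override only:", admins_by_override_only(SAMPLE_USERS))
```

Because the computation takes the maximum of both sources, the Role selector can only raise a user's access, never lower it below what a group grants; the audit helper makes that consequence visible by listing Admins whose group memberships alone would not have produced Admin.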
