# SCIM user provisioning and deprovisioning for Rootly

> Automate Rootly user provisioning and deprovisioning with SCIM 2.0 from Okta, Microsoft Entra, Google Workspace, Keycloak, and other identity providers.

<Frame>
  <img src="https://mintcdn.com/rootly/TIlGh9cK2EiEJpcz/images/integrations/scim/images-1.webp?fit=max&auto=format&n=TIlGh9cK2EiEJpcz&q=85&s=cb02f5c046d14ac65c6235296ee77355" alt="SCIM provisioning settings" width="873" height="593" data-path="images/integrations/scim/images-1.webp" />
</Frame>

## Introduction

SCIM (System for Cross-domain Identity Management) lets your identity provider automatically manage Rootly users and groups. When users are assigned or unassigned in your IdP, they are provisioned or deprovisioned in Rootly without any manual steps.

<Callout icon="triangle-exclamation" color="#FEF3C7">
  SCIM requires [SSO](/integrations/sso) to be configured first — the SCIM endpoint will not resolve until SSO setup is complete. SCIM and [Google Directory Sync](/integrations/google-directory-sync) are also mutually exclusive and cannot both be active at the same time.
</Callout>

## Before You Begin

Before connecting your IdP:

1. Complete [SSO setup](/integrations/sso) for your organization
2. Navigate to **Integrations > SSO** in Rootly and copy your **SCIM Token** — this is the Bearer token your IdP uses to authenticate SCIM requests
3. Note your **SCIM tenant URL**: `https://rootly.com/scim`

Rootly supports the following SCIM 2.0 operations:

| Resource | Supported Operations                                  |
| -------- | ----------------------------------------------------- |
| Users    | Create, read, update (PUT/PATCH), deactivate, delete  |
| Groups   | Create, read, update (PUT/PATCH), delete, member sync |

## Identity Provider Setup

Expand the section for your identity provider:

<AccordionGroup>
  <Accordion title="Okta" icon="lock">
    <Steps>
      <Step title="Enable SCIM provisioning" icon="plug">
        In Okta, navigate to **Applications > Rootly > Provisioning tab**. Under **Settings > Integrations**, click **Configure API Integration**, enter your SCIM Token, and save.

        <Frame>
          <img src="https://mintcdn.com/rootly/TIlGh9cK2EiEJpcz/images/integrations/scim/images-2.webp?fit=max&auto=format&n=TIlGh9cK2EiEJpcz&q=85&s=694ce61daca7489f620308759bc719eb" alt="Okta SCIM API integration configuration" width="886" height="687" data-path="images/integrations/scim/images-2.webp" />
        </Frame>
      </Step>

      <Step title="Enable Create and Deactivate users" icon="users">
        Go to **Provisioning > To App**, click **Edit**, and enable:

        * **Create Users** — provisions users when assigned to the Rootly app
        * **Deactivate Users** — deactivates users in Rootly when unassigned (Rootly removes their team membership but preserves the user record)

        Ensure the **Default username** is set to **email**. If not, go to the **Sign on** tab, click **Edit**, and set **Application username** format to **email** under Credentials settings.
      </Step>

      <Step title="Push groups (optional)" icon="users-rectangle">
        To sync Okta Groups to Rootly:

        1. In Okta, navigate to **Directory > Groups** and create or select a group
        2. Go to **Applications > Rootly > Push Groups** tab
        3. Click **+Push Groups**, select the group, switch from **Create Group** to **Link Group**, and click **Save**
        4. In Rootly, go to **Integrations > SSO > Role Assignment** and map the Okta Group to a Rootly Role

        Every user added to that Okta Group will be provisioned in Rootly with the associated role.
      </Step>
    </Steps>
  </Accordion>

  <Accordion title="Microsoft Entra" icon="microsoft">
    Follow the official Microsoft tutorial for configuring SCIM provisioning with Rootly:

    [Microsoft Entra SCIM provisioning tutorial →](https://learn.microsoft.com/en-us/entra/identity/saas-apps/rootly-provisioning-tutorial)
  </Accordion>

  <Accordion title="Google Workspace" icon="google">
    Google Workspace has limited native SCIM support. The following workaround uses Google's Adobe app as a proxy for SCIM provisioning.

    <Steps>
      <Step title="Add a new Web and Mobile app" icon="plus">
        In Google Admin Console, navigate to **Apps > Web and mobile apps** and click **Add app**.

        <Frame>
          <img src="https://mintcdn.com/rootly/6qP0tS1GNk4jbxrs/images/integrations/scim/images-3.webp?fit=max&auto=format&n=6qP0tS1GNk4jbxrs&q=85&s=7ca7d08b88b06361936ade0ea181d8c7" alt="Google Workspace add app" width="319" height="205" data-path="images/integrations/scim/images-3.webp" />
        </Frame>
      </Step>

      <Step title="Select the Adobe app" icon="magnifying-glass">
        Search for and select the **Adobe** app from the catalog.

        <Frame>
          <img src="https://mintcdn.com/rootly/6qP0tS1GNk4jbxrs/images/integrations/scim/images-4.webp?fit=max&auto=format&n=6qP0tS1GNk4jbxrs&q=85&s=044059290a0198fa83c17fc96c311b7d" alt="Google Workspace Adobe app selection" width="2153" height="753" data-path="images/integrations/scim/images-4.webp" />
        </Frame>
      </Step>

      <Step title="Configure auto-provisioning" icon="gear">
        When prompted for SAML fields, enter `https://dummy.com/saml` for all values. When you reach the auto-provisioning step:

        * **SCIM Token**: your token from **Rootly > Integrations > SSO**
        * **Endpoint URL**: `https://rootly.com/scim`
        * Select a group of users to import, or leave empty to import all

        Enable the application — sync will begin shortly.
      </Step>
    </Steps>
  </Accordion>

  <Accordion title="Keycloak" icon="key">
    <Steps>
      <Step title="Install the SCIM extension" icon="download">
        Download the `keycloak-scim` JAR from the [releases page](https://github.com/mitodl/keycloak-scim/releases), place it in `/opt/keycloak/providers/`, and restart Keycloak.
      </Step>

      <Step title="Add SCIM as an event listener" icon="bell">
        Go to **Realm Settings > Events > Event Listeners** and add `scim` to the list. Save.
      </Step>

      <Step title="Create a SCIM federation provider" icon="plug">
        Navigate to **User Federation > Add provider > SCIM** and configure:

        | Field                 | Value                       |
        | --------------------- | --------------------------- |
        | UI display name       | `Rootly`                    |
        | SCIM 2.0 endpoint     | `https://rootly.com/scim`   |
        | Endpoint content type | `application/scim+json`     |
        | Auth mode             | `BEARER`                    |
        | Auth password/token   | Your SCIM Token from Rootly |

        Set the environment variable `SCIM_EMAIL_AS_USERNAME=true` — this ensures usernames are sent in email format, required for user matching in Rootly.
      </Step>

      <Step title="Enable propagation" icon="rotate">
        In the federation provider settings, enable:

        * **Enable user propagation**: On
        * **Enable group propagation**: On (optional)
        * **Log SCIM requests and responses**: On (recommended for debugging)
        * **Import action**: `CREATE_LOCAL`

        Optionally enable **Periodic full sync** or **Periodic changed users sync** for regular synchronization.
      </Step>
    </Steps>
  </Accordion>

  <Accordion title="Rippling" icon="bolt">
    Rippling supports SSO and SCIM provisioning for Rootly in a single step. Connect from the [Rippling app store](https://www.rippling.com/app-shop/app/rootly).
  </Accordion>
</AccordionGroup>

## Supported Attributes

### Users

| SCIM Attribute    | Rootly Field      | Notes                                                               |
| ----------------- | ----------------- | ------------------------------------------------------------------- |
| `userName`        | Email             | Required. Must be a valid email address.                            |
| `name.givenName`  | First name        |                                                                     |
| `name.familyName` | Last name         |                                                                     |
| `displayName`     | Preferred name    |                                                                     |
| `externalId`      | External ID       | Stored per SSO account, not globally                                |
| `active`          | Membership status | `false` removes the user's team membership                          |
| `emails`          | Email             | Primary work email                                                  |
| `phoneNumbers`    | Phone numbers     | Auto-verified on import; normalized with US as default country code |

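A pre-flight check for the user attributes in the table above, as an added example (not Rootly's code). The function name, the email pattern and the sample payload are assumptions made for illustration; the findings mirror the notes on `userName`, `emails`, `phoneNumbers` and `active`.

```python
import re

# Core User schema URN defined by RFC 7643.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Simplified shape check (assumption: Rootly's exact email validation is not documented here).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def lint_scim_user(user):
    """Return findings for a SCIM User resource, based on the attribute notes above."""
    findings = []
    if USER_SCHEMA not in user.get("schemas", []):
        findings.append("schemas: missing core User schema URN")
    user_name = user.get("userName", "")
    if not EMAIL_RE.match(user_name):
        findings.append("userName: required and must be an email address")
    # userName and the primary email both map to the Rootly email field,
    # so a mismatch is flagged for review (assumption: they should agree).
    primary = [e for e in user.get("emails", []) if e.get("primary")]
    if primary and primary[0].get("value", "").lower() != user_name.lower():
        findings.append("emails: primary email differs from userName")
    for phone in user.get("phoneNumbers", []):
        value = phone.get("value", "").strip()
        if not value.startswith("+"):
            findings.append(f"phoneNumbers: {value!r} has no country code, so US is assumed")
    # RFC 7643 defines active as a Boolean; some IdPs send it as a string.
    if not isinstance(user.get("active", True), bool):
        findings.append("active: should be a JSON boolean, not a string")
    return findings


# Constructed sample payload with one problem per checked attribute.
SAMPLE_USER = {
    "schemas": [USER_SCHEMA],
    "userName": "jdoe",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jane.doe@example.com", "type": "work", "primary": True}],
    "phoneNumbers": [{"value": "020 7946 0958", "type": "mobile"}],
    "active": "true",
}

if __name__ == "__main__":
    for finding in lint_scim_user(SAMPLE_USER):
        print(finding)
```
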
### Groups

| SCIM Attribute | Rootly Field        | Notes                                     |
| -------------- | ------------------- | ----------------------------------------- |
| `displayName`  | Group name          |                                           |
| `externalId`   | External identifier |                                           |
| `members`      | Group members       | User and nested group types both accepted |

## Role Assignment via Groups

When **Assign roles to SCIM groups** is enabled, Rootly automatically assigns roles based on group membership. If a user belongs to multiple SCIM groups with different role configurations, the highest-weighted role is applied.

## Troubleshooting

<AccordionGroup>
  <Accordion title="The SCIM endpoint is not resolving" icon="link">
    The SCIM endpoint only becomes active after SSO is fully configured. Complete SSO setup in **Integrations > SSO** and save before connecting your IdP's SCIM provisioning. Confirm you are using `https://rootly.com/scim` with no trailing slash.
  </Accordion>

  <Accordion title="Authentication errors from the IdP" icon="lock">
    The IdP authenticates with your SCIM Token as a Bearer token. Retrieve the current token from **Integrations > SSO** in Rootly and confirm it matches what your IdP has configured. Also confirm that SCIM is enabled in your SSO settings.
  </Accordion>

  <Accordion title="Users are not being provisioned" icon="user-slash">
    Confirm that the user is assigned to the Rootly application in your IdP, the `userName` attribute is a valid email address, **Create Users** is enabled in your IdP's provisioning settings, and the default username format is set to **email**. Most IdPs record outbound SCIM requests with the full request body and Rootly's response — Okta's **System Log**, Microsoft Entra's **Provisioning logs**, and Google Workspace's **Admin reports** are the canonical first place to check. If the IdP shows successful sends but the user still isn't appearing in Rootly, contact [support@rootly.com](mailto:support@rootly.com).
  </Accordion>

  <Accordion title="Deactivated users still appear in Rootly" icon="user">
    When a user is deactivated (`active: false`), Rootly removes their team membership but preserves the user record. If the user still appears active in Rootly, check your IdP's outbound SCIM provisioning logs for the deactivation request — confirm it was sent with `active: false` and that Rootly returned a `2xx` response. If the IdP shows a successful send but the user is still active in Rootly, contact [support@rootly.com](mailto:support@rootly.com).
  </Accordion>

  <Accordion title="Phone numbers are not syncing" icon="phone">
    Confirm the source value in your IdP includes a country code prefix for non-US numbers. Rootly normalizes phone numbers using US as the default country code, so unprefixed international numbers fail to normalize and are not persisted.
  </Accordion>
</AccordionGroup>
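
The deactivation check described under "Deactivated users still appear in Rootly", as an added example (not Rootly's or any IdP's code). It scans exported provisioning log records for requests that set `active` to `false` and reports users whose latest such request did not receive a `2xx`. The record fields (`method`, `path`, `status`, `body`), the user ids and the `/scim/Users/` path are a hypothetical export shape, since each IdP's log format differs.

```python
import json


def sets_active_false(method, body):
    """True if a SCIM request body deactivates a user (PUT, or either common PATCH form)."""
    if method == "PUT":
        return body.get("active") is False
    if method != "PATCH":
        return False
    for op in body.get("Operations", []):
        if str(op.get("op", "")).lower() != "replace":
            continue
        value = op.get("value")
        # Path form: {"op": "replace", "path": "active", "value": false}
        # Some IdPs serialize the boolean as the string "False".
        if op.get("path") == "active" and str(value).lower() == "false":
            return True
        # Path-less form: {"op": "replace", "value": {"active": false}}
        if isinstance(value, dict) and value.get("active") is False:
            return True
    return False


def audit_deactivations(log_lines):
    """Map each SCIM user id to the outcome of its most recent deactivation request."""
    outcome = {}
    for line in log_lines:
        rec = json.loads(line)
        if "/Users/" not in rec["path"]:
            continue
        if sets_active_false(rec["method"], rec.get("body") or {}):
            user_id = rec["path"].rstrip("/").rsplit("/", 1)[-1]
            ok = 200 <= rec["status"] < 300
            outcome[user_id] = "confirmed" if ok else f"failed ({rec['status']})"
    return outcome


def unconfirmed(log_lines):
    """User ids whose latest deactivation did not get a 2xx, so membership may persist."""
    return sorted(u for u, r in audit_deactivations(log_lines).items() if r != "confirmed")


# Constructed sample records, one JSON object per line.
SAMPLE_LOG = [
    '{"method": "PATCH", "path": "/scim/Users/u-101", "status": 200, "body": {"Operations": [{"op": "replace", "path": "active", "value": false}]}}',
    '{"method": "PATCH", "path": "/scim/Users/u-102", "status": 401, "body": {"Operations": [{"op": "Replace", "value": {"active": false}}]}}',
    '{"method": "PUT", "path": "/scim/Users/u-103", "status": 200, "body": {"userName": "a@example.com", "active": true}}',
    '{"method": "PUT", "path": "/scim/Users/u-104", "status": 500, "body": {"userName": "b@example.com", "active": false}}',
    '{"method": "PATCH", "path": "/scim/Users/u-104", "status": 204, "body": {"Operations": [{"op": "replace", "path": "active", "value": "False"}]}}',
]

if __name__ == "__main__":
    print(unconfirmed(SAMPLE_LOG))
```

A `401` on a deactivation, as in the constructed `u-102` record, points back to the SCIM Token check under "Authentication errors from the IdP".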

## Related Pages

<CardGroup cols={3}>
  <Card title="SSO" icon="lock" href="/integrations/sso">
    Configure SAML 2.0 single sign-on — required before enabling SCIM.
  </Card>

  <Card title="Google Directory Sync" icon="google" href="/integrations/google-directory-sync">
    Poll-based alternative to SCIM for Google Workspace organizations.
  </Card>

  <Card title="On-Call Schedules" icon="calendar" href="/on-call/schedules">
    Manage on-call schedules once users are provisioned via SCIM.
  </Card>
</CardGroup>
