# SCIM

> Automate user provisioning and group sync in Rootly using SCIM 2.0 from Okta, Microsoft Entra, Google Workspace, Keycloak, and other identity providers.

<Frame>
  <img alt="SCIM provisioning settings" src="https://mintcdn.com/rootly/TIlGh9cK2EiEJpcz/images/integrations/scim/images-1.webp?fit=max&auto=format&n=TIlGh9cK2EiEJpcz&q=85&s=cb02f5c046d14ac65c6235296ee77355" width="873" height="593" data-path="images/integrations/scim/images-1.webp" />
</Frame>

## Introduction

SCIM (System for Cross-domain Identity Management) lets your identity provider automatically manage Rootly users and groups. When users are assigned or unassigned in your IdP, they are provisioned or deprovisioned in Rootly without any manual steps.

<Callout icon="triangle-exclamation" color="#FEF3C7">
  SCIM requires [SSO](/integrations/sso) to be configured first — the SCIM endpoint will not resolve until SSO setup is complete. SCIM and [Google Directory Sync](/integrations/google-directory-sync) are also mutually exclusive and cannot both be active at the same time.
</Callout>

## Before You Begin

Before connecting your IdP:

1. Complete [SSO setup](/integrations/sso) for your organization
2. Navigate to **Integrations > SSO** in Rootly and copy your **SCIM Token** — this is the Bearer token your IdP uses to authenticate SCIM requests
3. Note your **SCIM tenant URL**: `https://rootly.com/scim`

Rootly supports the following SCIM 2.0 operations:

| Resource | Supported Operations                                  |
| -------- | ----------------------------------------------------- |
| Users    | Create, read, update (PUT/PATCH), deactivate, delete  |
| Groups   | Create, read, update (PUT/PATCH), delete, member sync |

## Identity Provider Setup

Expand the section for your identity provider:

<AccordionGroup>
  <Accordion title="Okta" icon="lock">
    <Steps>
      <Step title="Enable SCIM provisioning" icon="plug">
        In Okta, navigate to **Applications > Rootly > Provisioning tab**. Under **Settings > Integrations**, click **Configure API Integration**, enter your SCIM Token, and save.

        <Frame>
          <img alt="Okta SCIM API integration configuration" src="https://mintcdn.com/rootly/TIlGh9cK2EiEJpcz/images/integrations/scim/images-2.webp?fit=max&auto=format&n=TIlGh9cK2EiEJpcz&q=85&s=694ce61daca7489f620308759bc719eb" width="886" height="687" data-path="images/integrations/scim/images-2.webp" />
        </Frame>
      </Step>

      <Step title="Enable Create and Deactivate users" icon="users">
        Go to **Provisioning > To App**, click **Edit**, and enable:

        * **Create Users** — provisions users when assigned to the Rootly app
        * **Deactivate Users** — removes the user's Rootly team membership when unassigned; the user record is preserved

        Ensure the **Default username** is set to **email**. If not, go to the **Sign on** tab, click **Edit**, and set **Application username** format to **email** under Credentials settings.
      </Step>

      <Step title="Push groups (optional)" icon="users-rectangle">
        To sync Okta Groups to Rootly:

        1. In Okta, navigate to **Directory > Groups** and create or select a group
        2. Go to **Applications > Rootly > Push Groups** tab
        3. Click **+Push Groups**, select the group, switch from **Create Group** to **Link Group**, and click **Save**
        4. In Rootly, go to **Integrations > SSO > Role Assignment** and map the Okta Group to a Rootly Role

        Every user added to that Okta Group will be provisioned in Rootly with the associated role.
      </Step>
    </Steps>
  </Accordion>

  <Accordion title="Microsoft Entra" icon="microsoft">
    Follow the official Microsoft tutorial for configuring SCIM provisioning with Rootly:

    [Microsoft Entra SCIM provisioning tutorial →](https://learn.microsoft.com/en-us/entra/identity/saas-apps/rootly-provisioning-tutorial)
  </Accordion>

  <Accordion title="Google Workspace" icon="google">
    Google Workspace has limited native SCIM support. The following workaround uses Google's Adobe app as a proxy for SCIM provisioning.

    <Steps>
      <Step title="Add a new Web and Mobile app" icon="plus">
        In Google Admin Console, navigate to **Apps > Web and mobile apps** and click **Add app**.

        <Frame>
          <img alt="Google Workspace add app" src="https://mintcdn.com/rootly/6qP0tS1GNk4jbxrs/images/integrations/scim/images-3.webp?fit=max&auto=format&n=6qP0tS1GNk4jbxrs&q=85&s=7ca7d08b88b06361936ade0ea181d8c7" width="319" height="205" data-path="images/integrations/scim/images-3.webp" />
        </Frame>
      </Step>

      <Step title="Select the Adobe app" icon="magnifying-glass">
        Search for and select the **Adobe** app from the catalog.

        <Frame>
          <img alt="Google Workspace Adobe app selection" src="https://mintcdn.com/rootly/6qP0tS1GNk4jbxrs/images/integrations/scim/images-4.webp?fit=max&auto=format&n=6qP0tS1GNk4jbxrs&q=85&s=044059290a0198fa83c17fc96c311b7d" width="2153" height="753" data-path="images/integrations/scim/images-4.webp" />
        </Frame>
      </Step>

      <Step title="Configure auto-provisioning" icon="gear">
        When prompted for SAML fields, enter `https://dummy.com/saml` for all values. When you reach the auto-provisioning step:

        * **SCIM Token**: your token from **Rootly > Integrations > SSO**
        * **Endpoint URL**: `https://rootly.com/scim`
        * Select a group of users to import, or leave empty to import all

        Enable the application — sync will begin shortly.
      </Step>
    </Steps>
  </Accordion>

  <Accordion title="Keycloak" icon="key">
    <Steps>
      <Step title="Install the SCIM extension" icon="download">
        Download the `keycloak-scim` JAR from the [releases page](https://github.com/mitodl/keycloak-scim/releases), place it in `/opt/keycloak/providers/`, and restart Keycloak.
      </Step>

      <Step title="Add SCIM as an event listener" icon="bell">
        Go to **Realm Settings > Events > Event Listeners** and add `scim` to the list. Save.
      </Step>

      <Step title="Create a SCIM federation provider" icon="plug">
        Navigate to **User Federation > Add provider > SCIM** and configure:

        | Field                 | Value                       |
        | --------------------- | --------------------------- |
        | UI display name       | `Rootly`                    |
        | SCIM 2.0 endpoint     | `https://rootly.com/scim`   |
        | Endpoint content type | `application/scim+json`     |
        | Auth mode             | `BEARER`                    |
        | Auth password/token   | Your SCIM Token from Rootly |

        Set the environment variable `SCIM_EMAIL_AS_USERNAME=true` — this ensures usernames are sent in email format, required for user matching in Rootly.
      </Step>

      <Step title="Enable propagation" icon="rotate">
        In the federation provider settings, enable:

        * **Enable user propagation**: On
        * **Enable group propagation**: On (optional)
        * **Log SCIM requests and responses**: On (recommended for debugging)
        * **Import action**: `CREATE_LOCAL`

        Optionally enable **Periodic full sync** or **Periodic changed users sync** for regular synchronization.
      </Step>
    </Steps>
  </Accordion>

  <Accordion title="Rippling" icon="bolt">
    Rippling supports SSO and SCIM provisioning for Rootly in a single step. Connect from the [Rippling app store](https://www.rippling.com/app-shop/app/rootly).
  </Accordion>
</AccordionGroup>

## Supported Attributes

### Users

| SCIM Attribute    | Rootly Field      | Notes                                                               |
| ----------------- | ----------------- | ------------------------------------------------------------------- |
| `userName`        | Email             | Required. Must be a valid email address.                            |
| `name.givenName`  | First name        |                                                                     |
| `name.familyName` | Last name         |                                                                     |
| `displayName`     | Preferred name    |                                                                     |
| `externalId`      | External ID       | Stored per SSO account, not globally                                |
| `active`          | Membership status | `false` removes the user's team membership                          |
| `emails`          | Email             | Primary work email                                                  |
| `phoneNumbers`    | Phone numbers     | Auto-verified on import; normalized with US as default country code |
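
The sketch below is an added example, not Rootly's or any IdP's own code. It builds a SCIM 2.0 User resource from the attributes in the table and lints it against the Notes column before an IdP sends it. The input record keys (`email`, `idp_id`, `first`, `last`, `phones`) and the primary-email consistency check are assumptions made for illustration; the schema URNs are the standard RFC 7643/7644 ones.

```python
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # deliberately simple shape check

def build_user(rec):
    """Map a hypothetical IdP record onto the attributes listed in the table."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": rec["email"],
        "externalId": rec["idp_id"],
        "name": {"givenName": rec["first"], "familyName": rec["last"]},
        "displayName": rec.get("preferred", rec["first"]),
        "active": rec.get("assigned", True),
        "emails": [{"value": rec["email"], "type": "work", "primary": True}],
        "phoneNumbers": [{"value": p, "type": "work"} for p in rec.get("phones", [])],
    }

def lint_user(user):
    """Return problems that would block or distort provisioning."""
    problems = []
    if not EMAIL_RE.match(user.get("userName", "")):
        problems.append("userName is not an email address")
    primary = [e["value"] for e in user.get("emails", []) if e.get("primary")]
    if len(primary) != 1:
        problems.append("expected exactly one primary email")
    elif primary[0].lower() != user.get("userName", "").lower():
        problems.append("primary email differs from userName")  # both map to Email
    for p in user.get("phoneNumbers", []):
        if not p["value"].startswith("+"):
            problems.append(f"phone {p['value']} has no country code; treated as US")
    return problems

def deactivate_patch():
    """One RFC 7644 PatchOp form for deactivation (active: false)."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

# Constructed sample records, not real users.
GOOD = {"email": "ana@example.com", "idp_id": "00u1", "first": "Ana", "last": "Diaz",
        "phones": ["+442079460123"]}
BAD = {"email": "ana.diaz", "idp_id": "00u2", "first": "Ana", "last": "Diaz",
       "phones": ["02079460123"]}

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec["idp_id"], lint_user(build_user(rec)))
    print(deactivate_patch())
```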

### Groups

| SCIM Attribute | Rootly Field        | Notes                                     |
| -------------- | ------------------- | ----------------------------------------- |
| `displayName`  | Group name          |                                           |
| `externalId`   | External identifier |                                           |
| `members`      | Group members       | User and nested group types both accepted |

## Group Sync

SCIM groups pushed from your IdP can be synced to Rootly Groups. When enabled:

* **Create** — a pushed SCIM group creates a corresponding Rootly Group, or links to an existing one with the same name
* **Rename** — renaming a group in your IdP renames the linked Rootly Group
* **Members** — adding or removing members from a SCIM group updates Rootly Group membership

<Callout icon="circle-info" color="#DBEAFE">
  The **Sync SCIM groups to teams** toggle must be enabled by Rootly support. Contact [support@rootly.com](mailto:support@rootly.com) to enable it. Once enabled, any groups already pushed before the toggle was turned on will be automatically backfilled.
</Callout>

### Role Assignment via Groups

When **Assign roles to SCIM groups** is enabled, Rootly automatically assigns roles based on group membership. If a user belongs to multiple SCIM groups with different role configurations, the highest-weighted role is applied.
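
Because the highest-weighted role wins, adding a user to one more group can raise their access. The following added example (not Rootly code) is a review aid that computes each user's resulting role from SCIM Group resources and lists the users whose groups disagree. The role names, weights, and group-to-role mapping are hypothetical, and nested group members are skipped because this page does not describe how they are resolved.

```python
# Hypothetical role names and weights; real values come from
# Integrations > SSO > Role Assignment in your own organization.
ROLE_WEIGHT = {"observer": 10, "user": 20, "admin": 30}
GROUP_ROLE = {"All Staff": "observer", "SRE": "user", "Incident Commanders": "admin"}

# Constructed SCIM Group resources (displayName and members only).
GROUPS = [
    {"displayName": "All Staff", "members": [
        {"value": "u1", "type": "User"}, {"value": "u2", "type": "User"},
        {"value": "u3", "type": "User"}]},
    {"displayName": "SRE", "members": [
        {"value": "u2", "type": "User"}, {"value": "u3", "type": "User"}]},
    {"displayName": "Incident Commanders", "members": [
        {"value": "u3", "type": "User"}, {"value": "g-sre", "type": "Group"}]},
]

def effective_roles(groups, group_role, role_weight):
    """Return {user_id: (role, granting_group, sorted_candidate_roles)}."""
    candidates = {}
    for g in groups:
        role = group_role.get(g["displayName"])
        if role is None:
            continue  # group has no role mapping
        for m in g.get("members", []):
            if m.get("type", "User") != "User":
                continue  # nested group member: not expanded (see lead-in)
            candidates.setdefault(m["value"], []).append((role, g["displayName"]))
    result = {}
    for user, cands in candidates.items():
        role, group = max(cands, key=lambda c: role_weight[c[0]])
        result[user] = (role, group, sorted({r for r, _ in cands}))
    return result

def users_with_conflicting_roles(result):
    """Users whose groups map to different roles, so weight decided the outcome."""
    return sorted(u for u, (_, _, roles) in result.items() if len(roles) > 1)

if __name__ == "__main__":
    roles = effective_roles(GROUPS, GROUP_ROLE, ROLE_WEIGHT)
    for user in sorted(roles):
        print(user, roles[user])
    print("review:", users_with_conflicting_roles(roles))
```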

## SCIM Logs

All SCIM operations are logged. Go to **Integrations > SSO > SCIM Logs** to view a history of provisioning requests including resource type, event type, request URL, response status, and full request/response bodies (encrypted at rest). Use this to diagnose provisioning failures or verify that operations from your IdP are reaching Rootly.

## Troubleshooting

<AccordionGroup>
  <Accordion title="The SCIM endpoint is not resolving" icon="link">
    The SCIM endpoint only becomes active after SSO is fully configured. Complete SSO setup in **Integrations > SSO** and save before connecting your IdP's SCIM provisioning. Confirm you are using `https://rootly.com/scim` with no trailing slash.
  </Accordion>

  <Accordion title="Authentication errors from the IdP" icon="lock">
    The IdP authenticates with your SCIM Token as a Bearer token. Retrieve the current token from **Integrations > SSO** in Rootly and confirm it matches what your IdP has configured. Also confirm that SCIM is enabled in your SSO settings.
  </Accordion>

  <Accordion title="Users are not being provisioned" icon="user-slash">
    Confirm that the user is assigned to the Rootly application in your IdP, the `userName` attribute is a valid email address, **Create Users** is enabled in your IdP's provisioning settings, and the default username format is set to **email**. Check SCIM Logs for failed requests and their error details.
  </Accordion>

  <Accordion title="Deactivated users still appear in Rootly" icon="user">
    When a user is deactivated (`active: false`), Rootly removes their team membership but preserves the user record. If they still appear active, check SCIM Logs for a failed deactivation request.
  </Accordion>

  <Accordion title="Groups are not syncing to Rootly" icon="users">
    Group sync requires the **Sync SCIM groups to teams** toggle to be enabled by Rootly support. If it's not visible in your SSO settings, contact [support@rootly.com](mailto:support@rootly.com). Also confirm group push is configured in your IdP.
  </Accordion>

  <Accordion title="Phone numbers are not syncing" icon="phone">
    Phone number sync is a feature-flagged capability. Contact [support@rootly.com](mailto:support@rootly.com) to confirm it is enabled for your organization. Numbers are normalized using US as the default country code — include a country code prefix for non-US numbers.
  </Accordion>
</AccordionGroup>

## Related Pages

<CardGroup cols={3}>
  <Card title="SSO" icon="lock" href="/integrations/sso">
    Configure SAML 2.0 single sign-on — required before enabling SCIM.
  </Card>

  <Card title="Google Directory Sync" icon="google" href="/integrations/google-directory-sync">
    Poll-based alternative to SCIM for Google Workspace organizations.
  </Card>

  <Card title="On-Call Schedules" icon="calendar" href="/on-call/schedules">
    Manage on-call schedules once users are provisioned via SCIM.
  </Card>
</CardGroup>
