Manage users and teams with SCIM

Configuring SCIM for your Sigma organization allows you to centralize management of users and teams through an Identity Provider (IdP).

The following guide introduces you to SCIM and walks you through how to configure it for your Sigma organization. The configuration instructions in this document are not IdP-specific and can be applied across multiple IdPs (for example, Okta or Azure).

For more information on setting up SCIM for specific IdPs, see the Sigma Community post on Guidelines For Configuring OAuth and SAML Authentication.

Requirements

  • You must be assigned the Admin account type to initiate provisioning.

  • Your Sigma organization must already be authenticated with your IdP using SAML.

    📘

    SCIM doesn't work with the following authentication types: "Password" and "SAML or password".

Understanding SCIM

What is SCIM?

System for Cross-domain Identity Management (SCIM) is a standard that automates user and group provisioning between a service provider (SP) and an identity provider (IdP).

SCIM with Sigma and your IdP

Configuring SCIM for your organization allows you to create and manage users and groups in your IdP and automatically push them to your Sigma organization as users and teams.

After SCIM provisioning is enabled for both services, all management of users and teams must be done through your IdP. Although they are not directly editable in Sigma, both users and teams are displayed in the Administration portal in Sigma.

SCIM with SAML

Before you can configure SCIM for your organization, you must disable any password-based authentication methods.

SAML allows Single Sign On (SSO) and management of users, but when using SAML alone, syncing new users and updates between your IdP and Sigma is not automatic. A user must sign in to Sigma for updates to persist in Sigma. When you add SCIM to your SAML configuration, you can manage Sigma teams from your IdP, and both user and group/team data in your IdP are automatically synced to your Sigma organization.

What to expect when transitioning to SCIM

If you plan to transition to SCIM after creating users and teams in Sigma, review the following details.

Will I be able to edit users and teams in Sigma?

After transitioning to SCIM, all management of users and teams must be done through your IdP. Although they are not directly editable in Sigma, both users and teams are displayed in the Administration portal in Sigma.

Guest user accounts are not supported when using SCIM.

What will happen to my existing users and teams?

After transitioning to SCIM, existing users and teams remain in Sigma but can no longer be edited in Sigma. For specific configurations:

  • Users: Your IdP might allow you to link to an existing user with the same email address in Sigma. No work will be lost, and admin management of that user can then be maintained through your IdP. Alternatively, you might be able to import users from Sigma into your IdP.

  • User account types: If you transition to SCIM and change from managing a user originally created in Sigma to managing the user in your IdP, Sigma automatically respects the account type defined in the IdP, regardless of what was originally set in Sigma.

  • Guest users: If you previously allowed guest users in your organization, their accounts are disabled when you transition to SCIM and they will no longer be able to sign in to Sigma.

  • Teams: Your IdP might allow you to link a group in your IdP to an existing team in Sigma. No work will be lost, and admin management of that group/team can then be maintained through your IdP.

Configuration instructions

To configure SCIM for your Sigma organization, complete the prerequisite and then perform the following steps:

  Prerequisite: Set up authentication
  1. Enable provisioning in Sigma
  2. Enable provisioning in your IdP
  3. Add users and push groups/teams

Prerequisite: Set up authentication

If you have not already, connect your IdP to Sigma using SAML for authentication. See Manage authentication.

Step 1: Enable provisioning in Sigma

  1. Sign in to Sigma. You must be assigned the Admin account type.

  2. Open your Sigma Admin Portal.

  3. In the left panel, click Authentication.

  4. Choose the relevant authentication method:

    • If you have not yet configured SAML, set up the "SAML or password" authentication method. See Single Sign-On with SAML.
    • If your authentication method is set to "SAML or password", change it to SAML.

  5. For Account type and team provisioning, click Set up.

    📘

    The Account type and team provisioning section only appears if you have the SAML or OAuth authentication method configured. If account type and team provisioning is turned off, changes in your IdP no longer sync to Sigma.

  6. Review the notes provided on the Getting Started section of the modal, then select the confirmation checkbox and click Next to continue.

  7. When prompted to create a token to authenticate your integration with your IdP, enter a token name, then click Next.

  8. On the Copy Keys section, copy the Bearer token and Directory base URL. Copy and store these values in a secure location. You need them to complete the integration with your IdP.

  9. Click Done.

Step 2: Enable provisioning in your IdP

Next, you must configure provisioning in your IdP. This process can vary depending on your IdP. If you’re using Okta, follow the Okta-specific configuration instructions. If your company uses a different IdP, follow the instructions to set up SCIM for that IdP.

🚧

Do not use SCIM provisioning for the same user across multiple IdPs. Users should be provisioned by a maximum of one IdP to avoid conflicts in information between IdPs.

Regardless of your IdP, you need the Bearer token that was generated when you enabled provisioning in Sigma. If you are using an IdP other than Okta, you also need to provide your Sigma-generated Directory base URL.

🚩

Use the same SCIM secret for all IdPs that you plan to provision users and teams from.

Step 3: Add users and push groups/teams

After provisioning is enabled, you can start managing users and groups/teams from your IdP and pushing these updates to Sigma. Because SCIM is enabled, you can no longer manage users and teams in Sigma.

For steps, refer to the documentation for your IdP. If you use Okta for your IdP, see Manage users and teams with SCIM and Okta.

Troubleshooting

If you run into issues or have questions when configuring SCIM, contact Sigma Support.

I added a new user to the Sigma application in my IdP, but their account has not shown up in Sigma. What should I do?

Provisioning users and groups can take a few moments. If provisioning is taking longer than expected, check the provisioning status page for your IdP, if available. If the user was assigned before provisioning was configured, you might need to remove and reassign users.

The Admin who originally set up our provisioning has left or taken on a new role (account deactivated, unassigned, or account type changed). Now we’re hitting errors when attempting to push data from our IdP to Sigma. What happened?

Provisioning is associated with the Admin user who originally set up provisioning in Sigma. If you want to remove or update that user’s account type, you must also remove and re-enable provisioning in Sigma with a new Admin user.

Setting up provisioning again generates a new bearer token associated with the new Admin user. Provide your IdP with the updated bearer token, and rerun any provisioning tasks that might have failed.

Can I change a user’s username?

Changing a user's username when you have SCIM configured is not recommended. Changing a user’s username creates a new account for that user in Sigma and does not update the username of an existing user.

How can I deactivate user accounts that were already in Sigma prior to configuring SCIM?

User accounts created before SCIM was configured cannot be managed in the IdP or in the Sigma UI. Instead, archive the user through the Sigma API by sending a PATCH request to the /v2/members/{memberId} endpoint with the isArchived field set to true.
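As an added example (not Sigma's own tooling), the following Python script builds and sends that PATCH with only the standard library. The API base URL, bearer token and member ID are placeholders you supply; the endpoint path and the isArchived field are the ones named above, while the Authorization header format is an assumption.

```python
import json
import urllib.request
from urllib.error import HTTPError


def build_archive_request(base_url: str, member_id: str, token: str) -> urllib.request.Request:
    """Build PATCH /v2/members/{memberId} with body {"isArchived": true}."""
    # Refuse IDs that would alter the path (empty, or containing a separator)
    if not member_id or "/" in member_id or "?" in member_id:
        raise ValueError("member_id must be a single non-empty path segment")
    url = f"{base_url.rstrip('/')}/v2/members/{member_id}"
    body = json.dumps({"isArchived": True}).encode("utf-8")
    return urllib.request.Request(
        url,
        data=body,
        method="PATCH",
        headers={
            "Authorization": f"Bearer {token}",  # assumption: bearer-token auth
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def archive_member(base_url: str, member_id: str, token: str, timeout: int = 30) -> int:
    """Send the request and return the HTTP status; raise with the API's body on failure."""
    req = build_archive_request(base_url, member_id, token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        # Surface the status and response body instead of silently continuing,
        # so a stale token or wrong member ID is visible to the operator.
        detail = err.read().decode("utf-8", errors="replace")
        raise RuntimeError(f"archive failed: HTTP {err.code}: {detail}") from err


if __name__ == "__main__":
    # Placeholders: replace with your Sigma API base URL, API token and the member's ID
    status = archive_member("https://<sigma-api-base-url>", "<memberId>", "<api-token>")
    print(f"archive request returned HTTP {status}")
```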

A user that used to be assigned to a team in Sigma before I enabled SCIM remained in that team even though they aren't in the application group in my IdP

If a user remains in a team after you transition to SCIM and have synced with the IdP, use the Sigma API to update the team membership, or turn off SCIM in Sigma, make the changes to your teams, then turn it back on.

Limitations

  • Importing groups to an IdP from Sigma teams is not currently supported.
  • Sigma cannot guarantee that SCIM provisioning works with any IdP. If you have questions about using a specific IdP with Sigma, please contact Sigma Support.