SCIM

SCIM allows you to configure an Identity Provider (IdP) to synchronize users with your Tines tenant.

The Tines API offers a set of SCIM v2-compliant endpoints, documented here. Our own API for provisioning a tenant's user group mapping is documented here.

Enabling SCIM 

To turn SCIM on or off for your tenant, go to "Authentication settings" in the settings menu. Note that SCIM is independent from SSO (even though you will probably use the same Identity Provider for both), and is not compatible with Just-in-time user provisioning.

If you enable SCIM for your tenant, users can only be added and modified via SCIM. Regular methods of inviting and modifying users (via the UI or the API) will be disabled and users can only be managed by the Identity Provider.

Configuring your Identity Provider 

In order to configure your Identity Provider to synchronize users with Tines you will need to configure the following:

  • Base URL: https://<<META.tenant.domain>>/api/scim/v2

  • Authorization: Bearer token, with a tenant-level API key

  • Unique identifier field for users: userName (note: Tines requires that the userName is the user's email)

Operations 

Supported operations:

  • Provisioning Users and Groups.

  • Pushing Profile Updates.

  • Adding/removing Users from Groups

  • Deprovisioning Users.

    • Note: some Identity Providers may not fully remove users once they are deactivated, destroyed or removed from the application, and instead will mark them as active: false. While these users will no longer be able to access the Tines tenant, a Tenant Owner must delete them via the Tines UI or API to remove their data from the system.
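The deactivation caveat above leaves a gap a Tenant Owner has to close by hand: users the IdP merely flagged active: false still exist in the tenant with their data. The following is an added audit example, not Tines' own code or part of its API docs. It assumes the /Users endpoint returns a standard SCIM 2.0 ListResponse (totalResults, startIndex, itemsPerPage, Resources) and walks every page looking for deactivated accounts; the two-page sample data at the bottom is constructed so the script runs offline.

```python
"""Audit a SCIM v2 user listing for accounts left at active: false.

Added example (not Tines' code). Assumption: GET /Users follows the SCIM
ListResponse shape from RFC 7644 with 1-based startIndex paging.
"""
from typing import Callable, Iterator

# Assumed page-fetcher signature: fetch_page(start_index, count) -> decoded JSON body
PageFetcher = Callable[[int, int], dict]


def iter_users(fetch_page: PageFetcher, page_size: int = 100) -> Iterator[dict]:
    """Yield every User resource, following SCIM paging until totalResults is reached."""
    start = 1
    while True:
        page = fetch_page(start, page_size)
        resources = page.get("Resources", [])
        yield from resources
        total = page.get("totalResults", 0)
        got = page.get("itemsPerPage", len(resources))
        # Stop on an empty page or once the next index would pass the total.
        if not resources or start + got > total:
            break
        start += got


def deactivated_users(fetch_page: PageFetcher, page_size: int = 100) -> list[str]:
    """userNames the IdP set to active: false instead of deleting.

    These accounts can no longer sign in, but their data stays in the tenant
    until a Tenant Owner removes them via the UI or API.
    """
    return sorted(
        u["userName"]
        for u in iter_users(fetch_page, page_size)
        if u.get("active") is False
    )


# --- constructed sample data standing in for the live endpoint ---
_SAMPLE_USERS = [
    {"userName": "alice@example.com", "active": True},
    {"userName": "bob@example.com", "active": False},
    {"userName": "carol@example.com", "active": True},
    {"userName": "dave@example.com", "active": False},
    {"userName": "erin@example.com", "active": True},
]


def sample_fetch_page(start_index: int, count: int) -> dict:
    """Serve _SAMPLE_USERS as SCIM ListResponse pages (constructed, offline)."""
    chunk = _SAMPLE_USERS[start_index - 1 : start_index - 1 + count]
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
        "totalResults": len(_SAMPLE_USERS),
        "startIndex": start_index,
        "itemsPerPage": len(chunk),
        "Resources": chunk,
    }


if __name__ == "__main__":
    # page_size=2 forces several round trips so the paging logic is exercised.
    for name in deactivated_users(sample_fetch_page, page_size=2):
        print("deactivated but still present:", name)
```

Against a real tenant, fetch_page would issue GET https://<<META.tenant.domain>>/api/scim/v2/Users?startIndex=N&count=M with the Bearer header described below and return the parsed body; the list this produces is the set of accounts to review and delete.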

Attribute mapping 

Refer to the API docs for the full list of User attributes supported by Tines.

In order to grant users the "Tenant Owner" role in Tines, you can map a field in your user profile to the userType field in the Tines application in your IdP. If you configure SCIM to sync profile attributes, users without this userType will lose their admin privileges. Alternatively, you can enable group mapping (see following section), in which case the userType attribute is not used.

For example, in Okta, assuming there is an admin field in the User profile, add a mapping from Okta users to Tines with the expression (user.admin == true) ? 'TENANT_OWNER' : '' targeting the userType attribute.
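To make the configuration requirements and the userType mapping concrete, here is an added example of what a SCIM client sends to Tines for one IdP profile; it is not Tines' or Okta's code. It builds the request headers from the base URL and tenant-level API key listed above, enforces the rule that userName is the user's email, and applies the same admin-to-userType mapping as the Okta expression (an empty userType for non-admins, which is exactly why syncing profile attributes strips admin rights from users without it). The profile dicts, tenant domain and API key are constructed placeholders, and the standard SCIM core attributes used here (name, emails, active) are assumed to be among those Tines accepts; check the API docs for the authoritative list.

```python
"""Build the SCIM v2 User resource an IdP would POST to Tines for one profile.

Added example (not Tines' or Okta's code). Placeholder tenant domain and API
key are constructed; replace <<META.tenant.domain>> with the real tenant.
"""
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Simple shape check only: one '@', non-empty local part, dotted domain.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def scim_base_url(tenant_domain: str) -> str:
    """Base URL from the configuration list: https://<tenant>/api/scim/v2."""
    return f"https://{tenant_domain}/api/scim/v2"


def scim_headers(api_key: str) -> dict:
    """Bearer authorization with a tenant-level API key, plus SCIM media types."""
    return {
        "Authorization": f"Bearer {api_key}",
        "Accept": "application/scim+json",
        "Content-Type": "application/scim+json",
    }


def user_type_for(profile: dict) -> str:
    """Same outcome as the Okta expression (user.admin == true) ? 'TENANT_OWNER' : ''."""
    return "TENANT_OWNER" if profile.get("admin") is True else ""


def build_scim_user(profile: dict) -> dict:
    """Translate an IdP profile into the SCIM User payload for POST /Users.

    Raises ValueError when the email is unusable, because Tines requires the
    unique identifier userName to be the user's email address.
    """
    email = profile.get("email", "")
    if not _EMAIL_RE.match(email):
        raise ValueError(f"userName must be the user's email address, got {email!r}")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": email,
        "name": {
            "givenName": profile.get("firstName", ""),
            "familyName": profile.get("lastName", ""),
        },
        "emails": [{"value": email, "primary": True}],
        "active": bool(profile.get("active", True)),
        "userType": user_type_for(profile),
    }


# Constructed sample profiles, as an IdP might hold them.
ADMIN_PROFILE = {"email": "alice@example.com", "firstName": "Alice",
                 "lastName": "Ng", "admin": True}
PLAIN_PROFILE = {"email": "bob@example.com", "firstName": "Bob",
                 "lastName": "Ruiz", "admin": False}
BAD_PROFILE = {"email": "not-an-email", "firstName": "Eve", "lastName": "X"}


if __name__ == "__main__":
    import json
    url = scim_base_url("<<META.tenant.domain>>") + "/Users"
    print("POST", url, scim_headers("TENANT_API_KEY_PLACEHOLDER"))
    print(json.dumps(build_scim_user(ADMIN_PROFILE), indent=2))
    print(json.dumps(build_scim_user(PLAIN_PROFILE), indent=2))
```

Running it shows the two payloads side by side: the admin profile carries userType TENANT_OWNER, the ordinary one an empty userType, and the malformed profile is rejected before any request is built rather than creating a user whose identifier is not an email.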

Identity Provider Group to Tines permissions mapping 

If you configure group mappings in Record #emkj3IWcQP6A5ykwsKOupg, users are assigned to the teams, roles and permissions configured in the mapping rules, and these assignments are updated whenever the IdP invokes a SCIM operation or the mappings themselves change.