Setting up SCIM provisioning
Who can use this feature
- Supported on certain tiers of Enterprise plans. Contact your CSM if you don't have access.
- Anyone with an org admin role can access and EDIT SCIM settings
In this article, we'll show you how to set up SCIM, so you can provision new users to WRITER automatically. If you're looking for information about setting up single sign-on authentication, check out our article, Setting up SAML SSO.
What's in this article:
- What provisioning features are supported?
- Configuring SCIM provisioning
- Editing users manually
- Map IdP groups
- Troubleshooting
- Frequently asked questions
What provisioning features are supported?
WRITER supports the following provisioning features:
- User and Group push: We support user and group push from your IdP as a way to assign users and groups directly to different team/access role combinations in WRITER.
- Provision and Deprovision users: We support the ability to provision and deprovision users from your IdP automatically.
WRITER doesn't support the following provisioning features:
- Sync password
- Create/delete teams
- Deactivate/reactivate users (soft delete/undelete)
Configuring SCIM provisioning
Set up SAML SSO from WRITER to your IdP
Before you provision SCIM, you'll need to set up the connection between WRITER and your IdP. Check out our article, Setting up SAML SSO.
Navigate to Admin > Access & provisioning and select the SCIM tab. Select Set up SCIM to get started.
If you have not done so already, you will be prompted to claim your email domain. To learn more about claiming a domain, see our article here.
Share information from WRITER with your identity provider
To get started, go to Admin > Access & provisioning and select the SCIM tab.
WRITER actively supports SCIM with multiple providers specified on this page. However, you can also set up SCIM with other identity providers as well via the Other IdP selection.
Select your IdP of choice, then scroll down to complete the connection.
You'll be presented with 3 important fields: Unique identifier, Endpoint, and Bearer token. You'll share with your identity provider in the next step.
Share information from your IdP with WRITER
Go to the WRITER SSO application in your IdP, and enable SCIM provisioning with your WRITER setup details. This process looks different in each IdP; some guides for our most common IdPs are below:
Editing users manually
If you want users who have been synced via SCIM to have their role, team, or password access levels be editable, turn the toggle on.
If you want users who have been synced via SCIM to have their role, team, or password access to be locked, turn the toggle off.
Mapping IdP groups
You can map IdP groups to different teams/roles in WRITER. Once groups have been synced from the IdP, the IdP groups tab will show the IdP groups that you can map to specific teams within WRITER. These IdP groups will override any permissions set elsewhere (e.g. override default teams set up during when claiming a domain).
Managing IdP group mapping
If you’d like to set up or change your IdP groups at any time, then you can return to Admin > Access & Provisioning and select the IdP Groups tab. Select Edit to update your mapping.
From here you can also select the role in WRITER you’d like each group to have. If this is left blank, users will be assigned to the default role/team set up during domain claiming. Don’t forget to select Save when you're done editing!
Frequently asked questions
General
Q: Can we provision our entire organization?
Yes and no. IdPs typically don't allow you to select everyone for a group push. However, if all of your users are assigned to groups, you can push all of these to WRITER, which will provision everyone.
Q: Can we manage imported group memberships in our IdP?
No.
Q: Can we create or delete WRITER Teams in our IdP?
No.
Q: How are roles, hierarchy, and permissioning handled?
| User added via | Default Team/Role | Role override logic |
| SAML | • Default role and team is mandatory - as specified in “default team”, at least 1 team must be selected • Default role can be member or team admin on whichever team(s) are specified • There is only one default role/team setting per WRITER org. | • Users added via SAML can be manually edited to be changed to a different team/role • Users added via SAML will remain in their default team and role as a member unless manually overridden or overridden by SCIM • If a user that was added via SAML is later added to IdP and synced via SCIM, their default teams will change to whatever SCIM specifies (SCIM will override) |
| SCIM | • Default role and team is mandatory and is the same as the SAML default role/team for any WRITER org. | • Any users synced via SCIM are initially added to the default role/team combos set in Domain access • Manual override toggle logic is the same as for IdP groups below. |
| IdP Groups | • Role and teams are specified per IdP Group | • Any users synced via IdP groups will be added to the role/team combo specified in IdP Groups. These role/team combos will replace the default role/team combos - if a user is in an IdP group, they will only be added to that role/team combo and not the default role/teams. • If a user is in multiple IdP groups, we will add them to all the specified team/roles ◦ If there is a conflict (eg a user is in two different IdP groups mapping to the same team but with different roles), the higher level role will override (Org Admin > Team Admin > Member) • Manual override toggle: ◦ If the toggle is set to OFF (default), users who are in SCIM IdP groups will be locked for changes in the WRITER app. ◦ If the toggle is set to ON, users who are in SCIM IdP groups will be editable manually in the WRITER app. For those edits, the users will have baseline the role / team combos specified in IdP groups. However, they can also be added to other teams outside of the IdP group mapping. If there is a conflict, the IdP groups will override. |
| Manual Invite (via People > Add people) | • At least 1 team and role must be selected • Users can be added as either a team admin or a member but not both • Users can be added for several teams for their role | • If a user that is manually added is also managed by SCIM, SCIM will override manual permissions |
Troubleshooting
If you have questions around our SCIM integration, please contact support@writer.com.