Setting up SCIM Provisioning with Okta or Azure AD
Currently, SCIM (System for Cross-domain Identity Management) provisioning is generally available for Okta & Azure AD for customers on our Organization Plan.
We have beta support for other SCIM providers. Please reach out to your account manager or support@whimsical.com for more information.
With SCIM provisioning, you can:
- Add users
- Remove users
- Update user roles (editor / viewer)
- Import workspace members to Okta/Azure AD
Note: Once you have set up SCIM, you need to adjust the role of a user (Editor, Viewer, etc.) from Okta/Azure AD. Do not adjust the role from within Whimsical.
Okta
To enable SCIM, you must first set up SAML SSO with Okta. Read this article to find out how.
Go to "Workspace Settings", which you'll find under your workspace name in the top left.
Enable SCIM provisioning and click "Reveal" to retrieve an OAuth token.
Paste the OAuth token into Okta, click "Test API Credentials", then Save.
Note
- To use SCIM, SAML has to be enabled and correctly configured.
- After user creation, given name and family name fields can only be updated by the users themselves in Whimsical.
- Provisioned users will receive an activation email and will have to log in through SAML to appear in your workspace in Whimsical.
- If the editor role is set to undefined, the user will be provisioned with the default role enabled in the Whimsical workspace.
- If you disable SAML in your Whimsical settings, SCIM will also be disabled. After reenabling SAML and SCIM, you will have to import all users into Okta.
- Once SCIM is enabled, please make any user role changes directly from Okta since Okta will overwrite the choices made within the Whimsical app.
- Email addresses must be sent to Whimsical in lower case. To do this, change the Whimsical user name format in Okta to "String.toLowerCase(user.email)" or "String.toLowerCase(user.login)".
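A pre-flight check for the lower-case requirement above, as an added example that is not part of Whimsical's or Okta's own documentation: it scans a CSV export of directory users for values that lower-casing would change and for accounts that become identical once lower-cased. The CSV layout, the column names `login` and `email`, and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names "login" and "email" are assumptions.
SAMPLE_EXPORT = """login,email
alice@example.com,alice@example.com
Bob.Smith@example.com,Bob.Smith@example.com
bob.smith@example.com,bob.smith@example.com
carol@example.com,Carol@Example.com
"""


def audit_emails(csv_text, column="email"):
    """Return (needs_lowercasing, collisions) for one column of a user export.

    needs_lowercasing: values that contain upper-case characters.
    collisions: lower-cased value -> sorted distinct original spellings,
                for values that become identical after lower-casing.
    """
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get(column) or "").strip()
        if value:
            seen[value.lower()].add(value)
    needs = sorted(v for variants in seen.values() for v in variants
                   if v != v.lower())
    # Two directory entries that differ only by case would be sent to the
    # SCIM endpoint as the same user name, so review them before provisioning.
    collisions = {k: sorted(v) for k, v in seen.items() if len(v) > 1}
    return needs, collisions


if __name__ == "__main__":
    for col in ("login", "email"):
        needs, collisions = audit_emails(SAMPLE_EXPORT, col)
        print(f"[{col}] values containing upper case: {needs}")
        for lowered, variants in collisions.items():
            print(f"[{col}] {variants} all map to {lowered}")
```

Run it against both candidate attributes before choosing which one to map, and resolve any collision in the directory first.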
Azure Active Directory (AAD)
To enable SCIM, you must first set up SAML SSO with AAD. Read this article to find out how.
Go to "Workspace Settings", which you'll find under your workspace name in the top left.
Enable SCIM provisioning and click "Reveal" to retrieve an OAuth token.
In the "Provisioning" tab in AAD, set "Provisioning Mode" to "Automatic", and paste the following URL into "Tenant URL":
https://whimsical.com/public-api/scim-v2/?aadOptscim062020
Then, paste your OAuth token under "Secret Token", click "Test Connection", and Save.
Note
- To use SCIM, SAML has to be enabled and correctly configured.
- After user creation, given name and family name fields can only be updated by the users themselves in Whimsical.
- Provisioned users will receive an activation email and will have to log in through SAML to appear in your workspace in Whimsical.
- If the editor role is set to undefined, the user will be provisioned with the default role enabled in the Whimsical workspace.
- If you disable SAML in your Whimsical settings, SCIM will also be disabled. After reenabling SAML and SCIM, you will have to import all users into AAD.
- Once SCIM is enabled, please make any user role changes directly from AAD since AAD will overwrite the choices made within the Whimsical app.