Setting up SCIM Provisioning with Okta or Azure AD

Currently, SCIM (System for Cross-domain Identity Management) provisioning is supported only with Okta and Azure AD, for customers on our Organization Plan. With SCIM provisioning you can:

  • Add users
  • Remove users
  • Update user roles (editor / viewer)
  • Import workspace members to Okta/Azure AD

Note: Once you have set up SCIM, you need to adjust the role of a user (Editor, Viewer, etc.) from Okta/Azure AD. Do not adjust the role from within Whimsical.

Okta

To enable SCIM, you must first set up SAML SSO with Okta. Read this article to find out how.

Go to "Workspace Settings", which you'll find under your workspace name in the top left:

Enable SCIM provisioning and click "Reveal" to retrieve an OAuth token:

Paste the OAuth token into Okta, click "Test API Credentials", then "Save":

Note

  • To use SCIM, SAML has to be enabled and correctly configured.
  • After user creation, given name and family name fields can only be updated by the users themselves in Whimsical.
  • Provisioned users will receive an activation email and will have to log in through SAML to appear in your workspace in Whimsical.
  • If the editor role is set to undefined, the user will be provisioned with the default role enabled in the Whimsical workspace.
  • If you disable SAML in your Whimsical settings, SCIM will also be disabled. After reenabling SAML and SCIM, you will have to import all users into Okta.
  • Once SCIM is enabled, please make any user role changes directly from Okta since Okta will overwrite the choices made within the Whimsical app.

Azure Active Directory (AAD)

To enable SCIM, you must first set up SAML SSO with AAD. Read this article to find out how.

Go to "Workspace Settings", which you'll find under your workspace name in the top left:

Enable SCIM provisioning and click "Reveal" to retrieve an OAuth token:

In the "Provisioning" tab in AAD, set "Provisioning Mode" to "Automatic", and paste the following URL into "Tenant URL":

https://whimsical.com/public-api/scim-v2/?aadOptscim062020

Then, paste your OAuth token under "Secret Token", click "Test Connection", and "Save":

Note

  • To use SCIM, SAML has to be enabled and correctly configured.
  • After user creation, given name and family name fields can only be updated by the users themselves in Whimsical.
  • Provisioned users will receive an activation email and will have to log in through SAML to appear in your workspace in Whimsical.
  • If the editor role is set to undefined, the user will be provisioned with the default role enabled in the Whimsical workspace.
  • If you disable SAML in your Whimsical settings, SCIM will also be disabled. After reenabling SAML and SCIM, you will have to import all users into AAD.
  • Once SCIM is enabled, please make any user role changes directly from AAD since AAD will overwrite the choices made within the Whimsical app.