Setting up SCIM with Okta or Entra ID (Azure AD)
Currently, SCIM (System for Cross-domain Identity Management) provisioning is generally available for Okta & Entra ID (Azure AD) for customers on our Org Plan.
We have beta support for other SCIM providers - please reach out to your account manager or support@whimsical.com for more information.
With SCIM provisioning, you can:
- Add users
- Remove users
- Update user roles (editor / viewer)
- Import workspace members to Okta/Entra ID (Azure AD)
Note: Once you have set up SCIM, you need to adjust the role of a user (Editor, Viewer, etc) from Okta/Entra ID (Azure AD). Do not adjust the role from within Whimsical.
Okta
To enable SCIM, you must first set up SAML SSO with Okta. Read this article to find out how.
Go to "Workspace Settings", which you'll find under your workspace name in the top left:
Enable SCIM provisioning and click "Reveal" to retrieve an OAuth token:
Paste the OAuth token into Okta, click "Test API Credentials", then Save:
Note
- To use SCIM, SAML has to be enabled and correctly configured.
- After user creation, given name and family name fields can only be updated by the users themselves in Whimsical.
- Provisioned users will receive an activation email and will have to log in through SAML to appear in your workspace in Whimsical.
- If the editor role is set to undefined, the user will be provisioned with the default role enabled in the Whimsical workspace.
- If you disable SAML in your Whimsical settings, SCIM will also be disabled. After reenabling SAML and SCIM, you will have to import all users into Okta.
- Once SCIM is enabled, please make any user role changes directly from Okta since Okta will overwrite the choices made within the Whimsical app.
- Email addresses must be sent to Whimsical in lower case. To do this, you can change the Whimsical user name format in Okta to "String.toLowerCase(user.email)" or "String.toLowerCase(user.login)".
- The SCIM endpoint URL is https://api.whimsical.com/scim-v2/ and it is available for manual testing. The Okta app is preconfigured, so you shouldn't need to enter the URL yourself. Whimsical follows the standard SCIM-v2 endpoints, e.g. https://api.whimsical.com/scim-v2/Users
- To learn more about SCIM provisioning with Groups in Okta please check out this article.
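A pre-flight check for the lower-case email requirement, plus a manual lookup request against the /Users endpoint mentioned above. This is an added example, not code from Whimsical or Okta. It assumes the endpoint accepts the standard RFC 7644 "filter" query and the revealed OAuth token as a Bearer header; the sample addresses, sample response and token placeholder are constructed.

```python
import json
import urllib.parse
import urllib.request

SCIM_BASE = "https://api.whimsical.com/scim-v2/"  # endpoint URL stated on this page


def preflight(emails):
    """Return (addresses that need lower-casing, pairs that differ only by case)."""
    needs_lowercase = [e for e in emails if e != e.lower()]
    seen, collisions = {}, []
    for e in emails:
        first = seen.setdefault(e.lower(), e)
        if first != e:
            collisions.append((first, e))  # both map to one Whimsical user name
    return needs_lowercase, collisions


def build_lookup(token, email):
    """Build (without sending) GET /Users filtered on the lower-cased userName."""
    # json.dumps quotes and escapes the value, as RFC 7644 filter strings require.
    flt = "userName eq " + json.dumps(email.lower())
    query = urllib.parse.urlencode({"filter": flt}, quote_via=urllib.parse.quote)
    req = urllib.request.Request(SCIM_BASE + "Users?" + query, method="GET")
    req.add_header("Authorization", "Bearer " + token)  # assumed Bearer auth
    req.add_header("Accept", "application/scim+json")
    return req


def mixed_case_usernames(body):
    """List userNames in an RFC 7644 ListResponse that are not fully lower case."""
    names = [r["userName"] for r in json.loads(body).get("Resources", [])]
    return [n for n in names if n != n.lower()]


# Constructed sample data, not real accounts or a real response.
SAMPLE_EMAILS = ["Ana.Lopez@example.com", "ben@example.com", "BEN@example.com"]
SAMPLE_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [{"userName": "ana.lopez@example.com"}, {"userName": "Ben@example.com"}],
})

if __name__ == "__main__":
    print(preflight(SAMPLE_EMAILS))
    req = build_lookup("PLACEHOLDER_TOKEN", SAMPLE_EMAILS[0])
    print(req.get_method(), req.full_url)
    # To send: urllib.request.urlopen(req).read(), then pass the body to the check.
    print(mixed_case_usernames(SAMPLE_RESPONSE))
```

Run the pre-flight over a directory export before enabling provisioning: a case-only collision means two directory accounts would resolve to the same lower-cased address.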
Entra ID (Azure Active Directory - AAD)
To enable SCIM, you must first set up SAML SSO with Entra ID (AAD). Read this article to find out how.
Go to "Workspace Settings", which you'll find under your workspace name in the top left:
Enable SCIM provisioning and click "Reveal" to retrieve an OAuth token:
In the "Provisioning" tab in Entra ID (AAD), set "Provisioning Mode" to "Automatic", and paste the following URL into "Tenant URL":
https://api.whimsical.com/scim-v2/?aadOptscim0620200
Then, paste your OAuth token under "Secret Token", click "Test Connection", and Save:
Note
- To use SCIM, SAML has to be enabled and correctly configured.
- After user creation, given name and family name fields can only be updated by the users themselves in Whimsical.
- Provisioned users will receive an activation email and will have to log in through SAML to appear in your workspace in Whimsical.
- If the editor role is set to undefined, the user will be provisioned with the default role enabled in the Whimsical workspace.
- If you disable SAML in your Whimsical settings, SCIM will also be disabled. After reenabling SAML and SCIM, you will have to import all users into Entra ID (AAD).
- Once SCIM is enabled, please make any user role changes directly from Entra ID (AAD) since Entra ID (AAD) will overwrite the choices made within the Whimsical app.