SCIM (System for Cross-domain Identity Management) provisioning enables organizations to automate User lifecycle management between their Identity Provider (IdP) and Together. When configured with providers such as Okta, SCIM allows Users to be created, updated, and marked for termination in real time, reducing manual administration and ensuring User data remains accurate and up to date.

Note: At this time, the SCIM integration is only available to Together's enterprise level clients.

What is SCIM Provisioning?

SCIM is an industry-standard protocol used to automate the exchange of User identity data between systems. When SCIM is enabled, your Identity Provider becomes the source of truth for User data, and Together reflects those changes automatically.

This includes:

• Automatically creating Users in Together when they are added in your IdP.
• Updating User attributes (such as Department or Role) in real time.
• Marking Users for termination when they are deactivated in your IdP.

For background on how identity providers manage authentication and User access, see external resources such as: Integrate with Okta via SAML 2.0.

Key Benefits of SCIM Provisioning

Implementing SCIM provisioning provides several advantages for IT and Program Administrators:

• Reduced manual effort: Alleviates the need to manually add, update, or remove Users.
• Real-time updates: User attributes are always current.
• Improved data accuracy: Eliminates discrepancies between systems.
• Scalable User management: Easily manage large or growing organizations.

When to Use SCIM vs Other Integrations

SCIM provisioning is best suited for organizations that:

• Use an Identity Provider like Okta as their source of truth.
• Require real-time User updates.
• Want to automate onboarding and offboarding workflows.

For organizations using HRIS integrations or CSV uploads, User data may be synced on a scheduled basis rather than in real time. SCIM provides a more dynamic and automated alternative.

How SCIM Works in Together

With SCIM provisioning enabled, User lifecycle actions originate in your Identity Provider and are synchronized to Together automatically. This ensures consistency across systems and reduces the need for manual User management.

Supported Capabilities

• Users: Create, Read, List/filter, Update (PUT), Patch (PATCH), and Deactivate (via active: false or SCIM DELETE).
• Groups: Not supported. Together’s SCIM endpoint provisions Users only. Group push or group-based provisioning from your IdP will not sync.
• PATCH operations: Supported (used by Microsoft Entra ID by default).
• Filtering: Supported on /Users, up to 100 results per page.
• Bulk operations, sorting, ETag, and password change: Not supported.

SCIM Integration Configuration

To enable SCIM provisioning, you will need to configure the integration in both Together and your Identity Provider (IdP), such as Okta.

1. In Together, navigate to Settings > Integrations > SCIM Integration, and click Set Up.
   
    

2. Click Generate Credentials to generate your Base URL, Client ID, and API Key. The API Key will be available at the bottom of the Integrations page under API Keys once generated. The Base URL will align to the following syntax:

   https://api.us.togetherplatform.com/taskhandler/scim/v2/[togetherOrgID]

   

    

3. Click Next to proceed to Field Mappings, and add any additional Custom Mappings as necessary.
   
    
4. In your Identity Provider (for example, Okta), create a new SCIM integration. In Okta, this integration application will be called SCIM 2.0 Test App (Basic Auth).
    
5. In your IdP, navigate to provisioning/integration settings and enter the Base URL from Together. Then configure authentication using the method your IdP supports (see Authentication Methods below): for Basic Authentication, use your Client ID as the username and your API Key as the password; for OAuth Bearer Token, use your API Key as the token.
   
    
6. Assign Users to the SCIM app within your IdP. Assigned Users will be automatically provisioned in Together, and any updates made in your IdP will sync in real time.
   

After completing these steps, SCIM provisioning will be active, and User lifecycle management will be handled automatically through your Identity Provider.

Authentication Methods

Together supports two SCIM authentication methods using the same credentials you generated above. Your Identity Provider determines which one to use — you do not need to choose or generate anything different.

• HTTP Basic Authentication — used by Okta, OneLogin, and most IdPs. Enter your Client ID as the username and your API Key as the password.
• OAuth Bearer Token — used by Microsoft Entra ID (formerly Azure AD) and other IdPs that accept only a single secret token. Provide your API Key as the token. The Client ID is not entered separately — Together resolves it automatically from the API Key.

Both methods use the same Base URL and the same generated API Key, so you can switch between IdPs without regenerating credentials.

Configuring Microsoft Entra ID (Azure AD)

Microsoft Entra ID uses the OAuth Bearer Token method. When setting up provisioning for your enterprise application in Entra:

1. Open your application in Entra ID > Enterprise applications > Provisioning and set Provisioning Mode to Automatic.
2. In Tenant URL, enter the Base URL from Together (https://api.us.togetherplatform.com/taskhandler/scim/v2/[togetherOrgID]).
3. In Secret Token, enter your API Key from Together.
4. Click Test Connection to confirm Together accepts the credentials, then Save.
5. Assign users to the application. Assigned users will be provisioned in Together automatically.

Custom Field Mapping

Custom field mapping allows you to control how User attributes from your Identity Provider (IdP) are synchronized with fields in Together. Each mapping connects a SCIM attribute path from your IdP to a corresponding Together User field, ensuring that User data is transferred accurately during provisioning.

To configure field mappings, you will first need to locate the appropriate SCIM attribute paths within your Identity Provider:

• Okta: Go to Applications → Your App → Provisioning → Attribute Mappings
• Microsoft Entra ID (formerly Azure AD): Go to Enterprise applications → Your App → Provisioning → Mappings → Provision Microsoft Entra ID Users
• OneLogin: Go to Applications → Your App → Parameters

Together always syncs the following SCIM attributes via preset mappings (these cannot be disabled):

• userName
• name.givenName
• name.familyName
• emails (primary value)
• active

Additional IdP attributes such as displayName, title, department, or any custom IdP attribute can be synced by adding a custom mapping in Together that points the SCIM attribute path to a Together field (for example, title → title, or department → hrisFields.department).

If a field that isn't part of Together's standard fields needs to be mapped, set the Together Field using the following pattern, replacing <fieldName> with your custom HRIS field key (for example, hrisFields.costCenter):

hrisFields.<fieldName>

Note: The hrisFields. prefix is case-sensitive and must use a capital “F” (hrisFields, not hrisfields). Lowercase values will not be applied.

User Creation and Updates

When a User is added or updated in your Identity Provider:

• The User is automatically created in Together.
• Profile attributes (such as Department, Location, or Title) are synced in real time.
• No manual import or CSV upload is required.

Note: If a SCIM user’s primary email matches an existing Together user in the same organization, the incoming SCIM data is merged into that existing user instead of creating a duplicate.

This real-time sync differs from traditional HRIS or batch integrations, where updates may occur on a scheduled basis rather than instantly.

User Termination Handling

When a User is deactivated or removed in your Identity Provider — that is, your IdP sends active: false, unassigns the SCIM application, or issues a SCIM DELETE:

• The User is not immediately deleted from Together, and their Together status remains Active.
• Their external status is set to Terminated, and they are added to the Terminated Users review queue so an Administrator can confirm before final removal.
• If your IdP reactivates the user (active: true) before review completes, the user is restored to Active automatically.

This approach helps preserve Program data integrity and ensures that historical mentorship activity is not unintentionally lost.

Note: If a brand-new user is sent to Together with active: false on the initial create, that record is skipped — no Together user is created until they are activated in your IdP.