SCIM (System for Cross-domain Identity Management) provisioning enables organizations to automate User lifecycle management between their Identity Provider (IdP) and Together. When configured with providers such as Okta, SCIM allows Users to be created, updated, and marked for termination in real time, reducing manual administration and ensuring User data remains accurate and up to date.

Note: At this time, the SCIM integration is only available to Together's enterprise level clients.

What is SCIM Provisioning?

SCIM is an industry-standard protocol used to automate the exchange of User identity data between systems. When SCIM is enabled, your Identity Provider becomes the source of truth for User data, and Together reflects those changes automatically.

This includes:

• Automatically creating Users in Together when they are added in your IdP.
• Updating User attributes (such as Department or Role) in real time.
• Marking Users for termination when they are deactivated in your IdP.

For background on how identity providers manage authentication and User access, see external resources such as: Integrate with Okta via SAML 2.0.

Key Benefits of SCIM Provisioning

Implementing SCIM provisioning provides several advantages for IT and Program Administrators:

• Reduced manual effort: Alleviates the need to manually add, update, or remove Users.
• Real-time updates: User attributes are always current.
• Improved data accuracy: Eliminates discrepancies between systems.
• Scalable User management: Easily manage large or growing organizations.

When to Use SCIM vs Other Integrations

SCIM provisioning is best suited for organizations that:

• Use an Identity Provider like Okta as their source of truth.
• Require real-time User updates.
• Want to automate onboarding and offboarding workflows.

For organizations using HRIS integrations or CSV uploads, User data may be synced on a scheduled basis rather than in real time. SCIM provides a more dynamic and automated alternative.

How SCIM Works in Together

With SCIM provisioning enabled, User lifecycle actions originate in your Identity Provider and are synchronized to Together automatically. This ensures consistency across systems and reduces the need for manual User management.

SCIM Integration Configuration

To enable SCIM provisioning, you will need to configure the integration in both Together and your Identity Provider (IdP), such as Okta.

1. In Together, navigate to Settings > Integrations > SCIM Integration, and click Set Up.
   
    

2. Click Generate Credentials to generate your Base URL, Client ID, and API Key. The API Key will be available at the bottom of the Integrations page under API Keys once generated. The Base URL will align to the following syntax:

   https://api.us.togetherplatform.com/taskhandler/scim/v2/[togetherOrgID]

   

    

3. Click Next to proceed to Field Mappings, and add any additional Custom Mappings as necessary.
   
    
4. In your Identity Provider (for example, Okta), create a new SCIM integration. In Okta, this integration application will be called SCIM 2.0 Test App (Basic Auth).
    
5. In your IdP, navigate to provisioning/integration settings. Enter the Base URL from Together and configure Basic Authentication using your Client ID as the username and your API Key as the password.
   
    
6. Assign Users to the SCIM app within your IdP. Assigned Users will be automatically provisioned in Together, and any updates made in your IdP will sync in real time.
   

After completing these steps, SCIM provisioning will be active, and User lifecycle management will be handled automatically through your Identity Provider.

Custom Field Mapping

Custom field mapping allows you to control how User attributes from your Identity Provider (IdP) are synchronized with fields in Together. Each mapping connects a SCIM attribute path from your IdP to a corresponding Together User field, ensuring that User data is transferred accurately during provisioning.

To configure field mappings, you will first need to locate the appropriate SCIM attribute paths within your Identity Provider:

• Okta: Go to Applications → Your App → Provisioning → Attribute Mappings
• Azure AD: Go to Enterprise Apps → Your App → Provisioning → Mappings → Provision Azure AD Users
• OneLogin: Go to Applications → Your App → Parameters

Common SCIM attribute paths that can be used for mapping include:

• userName
• name.givenName
• name.familyName
• displayName
• title

If a field that isn't part of Together's standard fields needs to be mapped, select the following Together Field, replacing fieldName with the custom HRIS field:

hrisfields.{fieldName}

User Creation and Updates

When a User is added or updated in your Identity Provider:

• The User is automatically created in Together.
• Profile attributes (such as Department, Location, or Title) are synced in real time.
• No manual import or CSV upload is required.

This real-time sync differs from traditional HRIS or batch integrations, where updates may occur on a scheduled basis rather than instantly.

User Termination Handling

When a User is deactivated or removed in your Identity Provider:

• The User is not immediately deleted from Together.
• Instead, they are marked for termination review.
• This allows Administrators to validate and manage User data before final removal.

This approach helps preserve Program data integrity and ensures that historical mentorship activity is not unintentionally lost.