Automate user management with user provisioning

🚧

If your organization uses Azure Active Directory for single sign-on, and you want to set up SCIM user provisioning, we advise against using the Microsoft Gallery app as it currently doesn't support SCIM. Instead, set up a non-Gallery app for Active Directory to support your SCIM user provisioning.

Why set up user provisioning?

Managing employee accounts on different platforms and software can be taxing, and the job gets more challenging as your organization grows. With user provisioning software, you can automate user management in SafetyCulture with your single sign-on identity provider (IdP). This means that each new employee you add to your IdP will automatically have a SafetyCulture account created for them, saving you time and effort from adding them manually in SafetyCulture.

We support user provisioning via System for Cross-domain Identity Management (SCIM) and Just-in-Time (JIT). SCIM user provisioning syncs your data to SafetyCulture continuously, whereas JIT syncs user data upon each successful login attempt.

📘

Please note that our customer support team can only provide limited help for single sign-on and user provisioning. If your organization is on the Enterprise Plan, please contact your customer success manager for assistance.

Requirements

• SafetyCulture Premium Plan or Enterprise Plan
• Web app
• Single sign-on with SafetyCulture
• API token
• "Platform management: Organization" permission

Set up automatic (SCIM) user provisioning

Although we support all identity providers, your user provisioning setup will vary depending on your chosen solution. Here are some of the common ones that we support, along with their setup guides:

• Microsoft Azure Active Directory
• Okta
• OneLogin
• PingFederate

During setup, your identity provider will ask for an API token to connect your IdP to SafetyCulture. You'll also be prompted to enter the following information:

• Connector URL: https://api.safetyculture.com/accounts/scim/v2
• Unique Identifier: Each user's email address.
• Authorization: HTTP Header (Bearer token)

Set up Just-in-Time (JIT) user provisioning

1. Log in to the web app.
2. Click your organization name on the lower-left corner of the page and select Organization settings.
3. Select Security on the top of the page.
4. Click Edit in the "Single sign-on (SSO)" box.
5. Turn "Just-in-Time provisioning (JIT)" on.
   
6. Click Save changes.
7. For each email domain, click Verify and follow the instructions in the pop-up window to update your DNS records. Then, click Verify.

🪄

If your organization uses Azure Active Directory for single sign-on, and you want to set up JIT user provisioning, you can also refer to Microsoft's support article for instructions.
Please note that the Microsoft Gallery app currently doesn't support SCIM provisioning.

Frequently asked questions

What seat type do newly added users get from user provisioning?

The default seat type for all new users is full seat. However, you can change a user's seat type by setting the value to "full", "lite", or "free" (guest seat) in your mapping.

Depending on your organization's identity provider, please use the following notation for the seat type mapping:

• Azure: urn:ietf:params:scim:schemas:extension:safetyculture:2.0:seat_type
• Okta:
  External name: seat_type
  External namespace: urn:ietf:params:scim:schemas:extension:safetyculture:2.0
  If your organization is provisioning via JIT, you'll only be able to provision users in full seats.

What can be synced through user provisioning settings?

The following data is synced with your identity provider for each user:

• Name
• Email address
• Group names
• Group members (for each group)

In addition, user provisioning via SCIM supports deactivating and removing users or groups, while JIT only supports additive events.

What happens if a user already has a SafetyCulture account?

They'll be added to your organization like any other user. Being a part of multiple organizations just means that they can switch between your organization and others.

How do users log in after they've been provisioned a SafetyCulture account?

Users added through user provisioning will not have a password set by default. However, they can still log in via single sign-on, a one-time email code received via email, or by creating a password using a password reset email, if passwords are enabled for your organization.