Enterprise Edition Feature: This feature requires an Enterprise plan. View plans or contact sales to learn more.
Configure Onyx with SCIM 2.0 to automatically provision and deprovision users and groups from your identity provider. Onyx has been tested with Okta and Microsoft Entra ID (Azure AD). Other SCIM 2.0 providers have not been validated yet. If you need support for a specific provider, reach out on our Slack or Discord channels and we can add it to the roadmap.
SCIM handles provisioning — syncing users and groups into Onyx. You still need a separate authentication method (e.g. OIDC or SAML) for user sign-in.

What SCIM Does

  • User provisioning — Automatically create Onyx accounts when users are assigned in your IdP
  • User deprovisioning — Deactivate Onyx accounts when users are unassigned or suspended
  • Group sync — Push group membership changes from your IdP to Onyx
  • Profile updates — Keep user attributes (name, email) in sync

Generate a SCIM Token

Before configuring your identity provider, generate a SCIM bearer token in Onyx.
1. Navigate to SCIM Settings

In your Onyx instance, go to Admin Panel > Permissions > SCIM.

2. Generate Token

Click Generate SCIM Token. A new bearer token will be created for your IdP to authenticate with.
The token is displayed only once. Copy or download it immediately. Generating a new token will revoke the previous one.
You will need these two values when configuring your identity provider:
| Field | Value |
|---|---|
| SCIM Base URL | https://YOUR_ONYX_DOMAIN/scim/v2 |
| Bearer Token | The token generated above |

Configure Your Identity Provider

Use the SCIM Base URL and Bearer Token from the previous step when configuring provisioning in your IdP.

Okta

Follow Okta’s guide to add SCIM provisioning to your application

Microsoft Entra ID

Follow Microsoft’s guide to configure automatic provisioning
When prompted for connection details, use:
| IdP Field | Value |
|---|---|
| SCIM Base URL / Tenant URL | https://YOUR_ONYX_DOMAIN/scim/v2 |
| Authentication | Bearer token (HTTP Header) |

Verifying the Connection

Once provisioning is configured, the SCIM page in the Onyx Admin Panel will show a Connected status once the IdP has made its first request. You can also check the Users and Groups page to confirm that provisioned users and groups appear correctly.

Supported Attributes

The SCIM discovery endpoints are unauthenticated — no token required. You can query them directly to see exactly what Onyx supports without guessing.
curl -s https://YOUR_ONYX_DOMAIN/scim/v2/Schemas -H "Accept: application/scim+json" | jq .
curl -s https://YOUR_ONYX_DOMAIN/scim/v2/ServiceProviderConfig -H "Accept: application/scim+json" | jq .
curl -s https://YOUR_ONYX_DOMAIN/scim/v2/ResourceTypes -H "Accept: application/scim+json" | jq .
The tables below reflect the current responses.

User Attributes (/scim/v2/Schemas)

| Attribute | Type | Required | Notes |
|---|---|---|---|
| userName | string | Yes | Unique identifier — typically the user’s email address |
| name.givenName | string | No | First name |
| name.familyName | string | No | Last name |
| name.formatted | string | No | Full name including middle names and titles |
| emails[].value | string | No | Email address |
| emails[].type | string | No | Label, e.g. work |
| emails[].primary | boolean | No | Whether this is the primary email |
| active | boolean | No | Whether the account is active |
| externalId | string | No | Identifier from the IdP (case-sensitive) |

Enterprise User extension (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User):

| Attribute | Type | Required | Notes |
|---|---|---|---|
| department | string | No | Department |
| manager.value | string | No | Manager’s user ID |

Group Attributes (/scim/v2/Schemas)

| Attribute | Type | Required | Notes |
|---|---|---|---|
| displayName | string | Yes | Human-readable group name |
| members[].value | string | No | User ID of the group member |
| members[].display | string | No | Display name of the member (read-only) |
| externalId | string | No | Identifier from the IdP (case-sensitive) |

Supported Operations (/scim/v2/ServiceProviderConfig)

| Feature | Supported |
|---|---|
| PATCH | Yes |
| Bulk operations | No |
| Filtering | Yes (max 100 results) |
| Change password | No |
| Sorting | No |
| ETags | No |
| Authentication | Bearer token |
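
The check below is an added example, not part of the Onyx documentation or code base: it compares a ServiceProviderConfig response with the Supported Operations table above, so a change in the provisioning surface (for example bulk operations being switched on) shows up as a finding. The sample document is constructed from the RFC 7643 resource layout, and the `oauthbearertoken` scheme type is an assumption about what Onyx returns for "Bearer token".

```python
import json
import sys

# Expected capabilities, copied from the Supported Operations table on this page.
EXPECTED = {"patch": True, "bulk": False, "filter": True,
            "changePassword": False, "sort": False, "etag": False}
EXPECTED_FILTER_MAX = 100

# Constructed sample shaped like an RFC 7643 ServiceProviderConfig resource.
# It was not captured from a real Onyx instance.
SAMPLE = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
  "patch": {"supported": true},
  "bulk": {"supported": false, "maxOperations": 0, "maxPayloadSize": 0},
  "filter": {"supported": true, "maxResults": 100},
  "changePassword": {"supported": false},
  "sort": {"supported": false},
  "etag": {"supported": false},
  "authenticationSchemes": [{"type": "oauthbearertoken", "name": "Bearer token"}]
}
""")


def capability_drift(config):
    """Return human-readable differences between config and the documented table."""
    findings = []
    for feature, expected in EXPECTED.items():
        # A missing feature block is treated as "not supported".
        actual = bool((config.get(feature) or {}).get("supported", False))
        if actual != expected:
            findings.append(f"{feature}: expected supported={expected}, got {actual}")
    max_results = (config.get("filter") or {}).get("maxResults")
    if max_results != EXPECTED_FILTER_MAX:
        findings.append(f"filter.maxResults: expected {EXPECTED_FILTER_MAX}, got {max_results}")
    # Assumed scheme type for bearer-token authentication (RFC 7643 value).
    schemes = {str(s.get("type")) for s in config.get("authenticationSchemes") or []}
    if schemes != {"oauthbearertoken"}:
        findings.append(f"authenticationSchemes: expected only bearer token, got {sorted(schemes)}")
    return findings


if __name__ == "__main__":
    # Pipe the /scim/v2/ServiceProviderConfig response in on stdin,
    # or run with no piped input to check the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for line in capability_drift(data) or ["matches documented capabilities"]:
        print(line)
```

Feed it the output of the ServiceProviderConfig curl command shown earlier (without the `| jq .` stage) to check a live instance.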

Resource Types (/scim/v2/ResourceTypes)

| Resource | Endpoint | Schema |
|---|---|---|
| User | /scim/v2/Users | urn:ietf:params:scim:schemas:core:2.0:User + Enterprise extension (optional) |
| Group | /scim/v2/Groups | urn:ietf:params:scim:schemas:core:2.0:Group |