Provision Users and Groups with SCIM

Learning Objectives

After completing this unit, you’ll be able to:

• Use the SCIM API to manage Slack users, user groups, and IdP groups.
  
• Explain the most common use cases for the SCIM API.
  
• Recommend when to use the SCIM API.
  

What’s SCIM?

SCIM is an API for managing users on your team and the groups to which they belong. It provides a standard method for linking your systems together to make updating identities and automating provisioning in Slack much easier. In this unit, you explore how to use SCIM to manage Slack users and more.

SCIM (System for Cross-domain Identity Management) is an open standard for provisioning and updating users and groups via RESTful APIs. Identity providers (Azure, Okta, G Suite, and so on) use it to push updates to services like Slack.

SCIM provisioning lets org owners and admins create and deactivate members, sync profile fields, and manage user groups (Business+ regular groups, Grid IdP groups). Limitations: Org owners and admins can't create single-channel guests directly or set user group handles with SCIM.

How to Use the Slack SCIM API

Slack customers on the Business+ or Enterprise plans have access to use Slack’s implementation of the SCIM specification.

By connecting an identity provider (IdP) to Slack, you can automatically provision and deprovision users, update their attributes (such as name, email, job title, department, manager, and so on), as well as place users into IdP groups (specifically on Enterprise Grid). IdP groups can then be used to assign membership to a workspace or channel, and can also be used with allowlists, as you learned in the previous unit.

To use the Slack SCIM APIs on Enterprise Grid, an Enterprise Grid org owner must install an application requesting the admin scope at the org level.

Recommended reading:

• Using the Slack SCIM API
  

The Benefits of SCIM Provisioning

• Automated user and group management: Sync user data and group membership directly from your identity provider (IdP) to Slack, ensuring profiles and access stay up to date.
  
• Efficient onboarding: Assign new members to specific workspaces and channels automatically based on IdP groups, making onboarding consistent and scalable (Enterprise Grid only).
  
• Better analytics in Slack’s dashboards: Get deeper insights into user behavior and engagement with synced profile information.
  
• Preprovisioned access: Streamline users’ entry into Slack. Invited members can receive notifications and be found by colleagues even before signing in.
  

SCIM helps organizations centralize identity management and automate provisioning to improve both security and the user experience.

Recommended reading:

• Syncing members' profiles with SCIM
  
• Message activity, and its relation to SCIM profile fields
  
• Connect identity provider groups to your Enterprise organization
  

Invited members show up in an admin's Org Dashboard and Administration pages, labeled with their status as an invited member.

Recommended reading:

Learn more about reviewing the capabilities of Invited Members.

Key Considerations for Direct SCIM API Calls

While we have documented each of the HTTP endpoints in our SCIM API docs, there are a few items to pay special attention to.

1. SCIM endpoints, request/response formats, and pagination differ from Slack Web APIs, but existing SCIM connectors are reusable.
   
2. Single-channel guests can't be created via SCIM. Multichannel guests require Enterprise Grid.
   
3. Handle org-wide and endpoint-specific rate limits by retrying after the time indicated in the Retry-after header. Concurrency limits apply to rapid updates of the same user/group.
   
4. Usernames and emails must be unique. Review supported user attributes and other SCIM API limitations.
   

Quick Tip

Be very careful when deprovisioning users.
Deprovisioned users are immediately logged out of all devices. Ensure they're not the sole collaborator of a custom app—if they are, app configuration becomes inaccessible. Org/workspace owners and app managers can add themselves as collaborators to regain access.

Differences Between Slack SCIM 1.1 and 2.0

As you explore your implementation of SCIM, check out this handy table to help you understand the differences in these versions.

Recommended reading:

• The SCIM 1.1 standard
  
• The SCIM 2.0 standard
  

Recap

You’ve learned where the SCIM API comes from, the different user provisioning options based on your IdP, how to use it to efficiently manage Slack users and groups, and some common use cases. Next, explore Slack’s Discovery and Audit Logs APIs.