Reprise supports the SCIM v2 (System for Cross-domain Identity Management) protocol for automatic user provisioning and deprovisioning. By connecting your identity provider (IdP) to Reprise via SCIM, you can:
- Automatically create Reprise user accounts when new users are assigned in your IdP
- Update user profiles (name, email) when they change in your IdP
- Deactivate users when they are unassigned or deactivated in your IdP
- Manage groups to control access and permissions at scale
SCIM eliminates the need to manually invite, update, or remove users in Reprise.
Prerequisites
- A Reprise plan that includes SCIM provisioning (contact support@reprise.com if you're unsure)
- Admin access to your Reprise organization settings
- Admin access to your identity provider (Okta, Azure AD / Entra ID, OneLogin, etc.)
Enable SCIM in Reprise
- Log in to Reprise as an admin
- Go to Settings > SCIM
- Toggle Enable SCIM on
Once enabled, the page displays:
- SCIM Base URL — The endpoint your IdP will connect to
- Bearer Token — Used to authenticate SCIM requests
- Default Group — Optionally assign new users to a group automatically
Generate a Bearer Token
- In the SCIM settings page, click Generate Token
- A token is displayed in a blue info box — copy it immediately
The token is shown only once. If you navigate away without copying it, you will need to generate a new token, which invalidates the previous one.
- Store the token securely — you will paste it into your IdP's SCIM configuration
- To replace an existing token, click Regenerate Token. The previous token stops working immediately.
- To remove a token entirely, click Revoke next to the active token.
Copy the SCIM Base URL
On the same settings page, copy the SCIM Base URL. It follows this format: https://app.getreprise.com/scim/v2
You will paste this URL into your IdP's SCIM connector configuration.
Configure Your Identity Provider:
Okta
- In the Okta Admin Console, go to Applications > Applications
- Click Browse App Catalog and search for SCIM 2.0 Test App (Header Auth), or add a custom SCIM app
- On the Provisioning tab, click Configure API Integration
- Enter the following:
  - SCIM connector base URL: Paste the SCIM Base URL from Reprise
  - Unique identifier field for users: userName
  - Authentication Mode: HTTP Header
  - Authorization: Paste the Bearer Token from Reprise
- Click Test API Credentials to verify the connection
- Click Save
- Under Provisioning > To App, enable:
  - Create Users
  - Update User Attributes
  - Deactivate Users
- Go to the Assignments tab and assign users or groups to the app
Azure AD / Microsoft Entra ID
- In the Azure portal, go to Enterprise Applications
- Click New application > Create your own application
- Name it (e.g., "Reprise") and select Integrate any other application you don't find in the gallery
- Go to Provisioning and click Get started
- Set Provisioning Mode to Automatic
- Under Admin Credentials, enter:
  - Tenant URL: Paste the SCIM Base URL from Reprise
  - Secret Token: Paste the Bearer Token from Reprise
- Click Test Connection to verify
- Click Save
- Under Mappings, verify that the user attribute mappings include:
  - userName mapped to user's email
  - givenName and familyName mapped appropriately
  - active mapped to account enabled status
- Go to Users and groups, assign the users or groups you want provisioned
- Set Provisioning Status to On and click Save
Azure AD provisions users on a fixed sync cycle (typically every 40 minutes). To trigger an immediate sync, click Provision on demand for individual users, or use Restart provisioning to trigger a full cycle.
OneLogin
- In the OneLogin Admin portal, go to Applications > Applications
- Click Add App and search for SCIM Provisioner with SAML (SCIM v2 Core)
- On the Configuration tab, enter:
  - SCIM Base URL: Paste the SCIM Base URL from Reprise
  - SCIM Bearer Token: Paste the Bearer Token from Reprise
- On the Provisioning tab, enable provisioning
- On the Users tab, assign users to the application
Other Identity Providers
For any SCIM 2.0-compatible identity provider, use these settings:
| Setting | Value |
|---|---|
| SCIM Base URL | Copied from Reprise SCIM settings |
| Authentication method | Bearer Token (HTTP Header) |
| Bearer Token | Generated in Reprise SCIM settings |
| Unique identifier | userName |
| Supported operations | Create, Update, Delete users; Create, Update, Delete groups |
Set a Default Group (Optional)
When users are provisioned through SCIM, you can automatically assign them to a default group in Reprise:
- In the SCIM settings page, find the Default Group dropdown
- Select the group new users should be added to (e.g., "Viewer")
- The setting takes effect immediately for any new users provisioned going forward
Changing the default group does not affect users who were already provisioned. Select None to disable automatic group assignment.
How It Works:
User Provisioning
When a user is assigned to the Reprise application in your IdP:
- Your IdP sends a SCIM request to create the user
- Reprise creates the account with the user's name and email
- The user is set to authenticate via SSO (no Reprise password is created)
- If a default group is configured, the user is automatically added to it
- The user can now log in to Reprise through your IdP's SSO
User Updates
When a user's profile is updated in your IdP (name change, email change):
- Reprise automatically reflects those changes on the next sync
User Deprovisioning
When a user is unassigned or deactivated in your IdP:
- The user's Reprise account is deactivated
- They can no longer log in
- Their data and history are preserved
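To confirm that deprovisioning actually took effect, you can reconcile the users assigned in your IdP against the accounts Reprise returns over SCIM. The following is an added example, not Reprise code: it assumes the `/Users` endpoint returns a standard SCIM 2.0 ListResponse (RFC 7644), the function names are hypothetical, and the sample data is constructed.

```python
# SCIM list-response URN from RFC 7644.
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def users_by_state(list_response):
    """Split a SCIM ListResponse into (active, inactive) userName sets."""
    if LIST_SCHEMA not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = list_response.get("Resources", [])
    if list_response.get("totalResults", len(resources)) > len(resources):
        raise ValueError("partial page: fetch the remaining pages first")
    active, inactive = set(), set()
    for res in resources:
        # Assumption: a missing "active" flag counts as active, so it gets reviewed.
        (active if res.get("active", True) else inactive).add(res["userName"].lower())
    return active, inactive

def reconcile(idp_assigned, list_response):
    """Compare IdP assignments with the accounts returned over SCIM."""
    assigned = {u.strip().lower() for u in idp_assigned}
    active, inactive = users_by_state(list_response)
    return {
        "still_active": sorted(active - assigned),  # unassigned but can log in
        "not_provisioned": sorted(assigned - active - inactive),
        "assigned_but_inactive": sorted(assigned & inactive),
    }

# Constructed sample data (not real accounts).
IDP_ASSIGNED = ["ada@example.com", "grace@example.com", "linus@example.com"]
SCIM_USERS = {
    "schemas": [LIST_SCHEMA],
    "totalResults": 4,
    "Resources": [
        {"userName": "ada@example.com", "active": True},
        {"userName": "grace@example.com", "active": False},
        {"userName": "alan@example.com", "active": True},
        {"userName": "edsger@example.com", "active": False},
    ],
}

if __name__ == "__main__":
    for finding, names in reconcile(IDP_ASSIGNED, SCIM_USERS).items():
        print(f"{finding}: {names}")
```

Any entry under `still_active` is an account that was unassigned in the IdP but can still log in; check the IdP provisioning logs for that user.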
Group Management
Your IdP can also push groups to Reprise:
- Groups created in your IdP are synced to Reprise
- Group membership changes (adding/removing users) are applied automatically
- Deleting a group in your IdP removes it from Reprise
Supported User Attributes
| IdP Attribute | Reprise Field | Required |
|---|---|---|
| userName | Email address | Yes |
| name.givenName | First name | No |
| name.familyName | Last name | No |
| emails[type eq "work"].value | Email address | Yes |
| displayName | Display name | No |
| active | Account active/inactive | No |
| externalId | IdP unique identifier | No |
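The attribute table above can be turned into a pre-flight check on the User payload your IdP mapping produces. This is an added example, not Reprise code: the function names and sample payloads are constructed, and the strictness rules (email-shaped userName, boolean `active`, warning on a userName/work-email mismatch) are assumptions derived from the table rather than documented Reprise behavior.

```python
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def is_email(value):
    return isinstance(value, str) and EMAIL_RE.fullmatch(value) is not None

def work_email(user):
    """Return emails[type eq "work"].value, or None when absent."""
    for entry in user.get("emails") or []:
        if isinstance(entry, dict) and entry.get("type") == "work":
            return entry.get("value")
    return None

def check_user(user):
    """Return (errors, warnings) for one SCIM User resource."""
    errors, warnings = [], []
    if USER_SCHEMA not in user.get("schemas", []):
        errors.append("schemas: core User URN missing")
    username, email = user.get("userName"), work_email(user)
    if not is_email(username):
        errors.append("userName: required, expected an email address")
    if not is_email(email):
        errors.append('emails[type eq "work"].value: required')
    # Assumption: both map to the same field, so a mismatch is only warned about.
    if is_email(username) and is_email(email) and username.lower() != email.lower():
        warnings.append("userName and work email differ")
    name = user.get("name") if isinstance(user.get("name"), dict) else {}
    optional = {"name.givenName": name.get("givenName"),
                "name.familyName": name.get("familyName"),
                "displayName": user.get("displayName"),
                "externalId": user.get("externalId")}
    for attr, value in optional.items():
        if value is not None and not isinstance(value, str):
            errors.append(f"{attr}: expected a string")
    if "active" in user and not isinstance(user["active"], bool):
        errors.append("active: expected a JSON boolean")
    return errors, warnings

# Constructed sample payloads (not captured traffic).
GOOD = {"schemas": [USER_SCHEMA], "userName": "ada@example.com",
        "name": {"givenName": "Ada", "familyName": "Lovelace"},
        "emails": [{"type": "work", "value": "ada@example.com", "primary": True}],
        "active": True, "externalId": "00u-constructed-1"}
BAD = {"schemas": [USER_SCHEMA], "userName": "ada",
       "emails": [{"type": "home", "value": "ada@example.com"}], "active": "false"}
```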
Troubleshooting:
"Test Connection" fails in your IdP
- Verify that SCIM is enabled in Reprise settings
- Confirm the SCIM Base URL was copied correctly (no trailing spaces or extra characters)
- Confirm the Bearer Token was copied correctly
- If you regenerated the token, make sure you updated it in your IdP as well
Users are not being provisioned
- Check that provisioning is enabled and turned on in your IdP (not just configured)
- In Azure AD, provisioning runs on a cycle — it may take up to 40 minutes. Use Provision on demand for immediate testing
- In Okta, verify that users or groups are assigned to the application
- Check your IdP's provisioning logs for error details
A user was deprovisioned but still has access
- Verify that the deprovisioning sync has completed in your IdP's logs
- Confirm the user shows as inactive in Reprise
- Go to Settings > SCIM in Reprise
- Click Revoke on the existing token, then click Generate Token
- Copy the new token and update it in your IdP's SCIM configuration
- The old token is immediately invalidated
- Bearer tokens are hashed before storage — Reprise never stores your token in plaintext
- All SCIM traffic is encrypted over HTTPS
- Each token is scoped to a single Reprise organization
- SCIM-provisioned users authenticate exclusively through your IdP (SSO) — no Reprise passwords are created
- All provisioning operations are logged for audit purposes