SCIM (System for Cross-domain Identity Management) lets your Identity Provider (IdP) automatically create, update, and deactivate user accounts in nShift. When you add or remove someone in your directory, the change is pushed to nShift within minutes, with no manual account management needed.
Supported Identity Providers:
- Microsoft Entra ID (formerly Azure AD)
- Okta
- PingIdentity
- Any SCIM 2.0-compatible provider
What gets synced:
| From your IdP | To nShift |
|---|---|
| User accounts (name, email) | nShift user profiles |
| Group memberships | nShift Permission Groups (via mapping) |
| Account disable/delete | nShift user deactivation |
Sections in this article:
- Prerequisites
- Part 1: Enable SCIM in nShift Portal
- Part 2: Configure your Identity Provider
- Part 3: Map groups in nShift
- Part 4: Verify provisioning
- Troubleshooting
Prerequisites
Before you begin, make sure:
- You have nShift Admin access with SSO configuration permissions.
- SSO (Single Sign-On) is already configured and active for your organisation. See Single Sign-On (SSO) configuration.
- You have admin access to your Identity Provider.
- Your nShift contract includes SCIM provisioning.
Part 1: Enable SCIM in nShift Portal
- Log in to nShift Portal.
- Go to Settings > Company Management > Single-Sign On (SSO).
- Click the edit icon next to your identity provider.
- Select the User provisioning tab.
- Click Generate credentials.
- A one-time credentials dialog appears with your Client ID, Client secret, Token endpoint and SCIM endpoint. Copy all four values now and store them securely — the client secret cannot be retrieved after you close this dialog.
- After closing the dialog, the User provisioning tab shows:
"SCIM provisioning is enabled
Users and groups sync automatically when sent by your identity provider".
The tab also shows buttons to Disable provisioning and Rotate client secret when you need them later.
nShift is now ready to receive SCIM requests. Continue to Part 2 to configure your Identity Provider.
Part 2: Configure your Identity Provider
To configure your identity provider, refer to its official documentation:
Once you have configured your IdP, please continue to Part 3: Map groups in nShift.
Part 3: Map groups in nShift
Once your IdP starts provisioning, it pushes group information to nShift via SCIM. These groups appear automatically in the Group mapping tab, and you need to map them to nShift Permission Groups so that provisioned users receive the right access.
Note: Users in unmapped groups are provisioned in nShift but receive no permissions until their group is mapped. If you remove a group mapping, you can choose to remove users from the nShift groups or to keep their permissions.
Step 1: Open Group mapping
- In nShift Portal, go to Settings > Company Management > Single-Sign On (SSO).
- Click the edit icon next to your identity provider.
- Select the Group mapping tab. You will see a list of groups discovered from your IdP, with their current mapping status.
- Map each group: click the edit icon on its row and select one or more nShift Permission Groups from the dropdown.
- Repeat for all relevant groups. Many-to-many mapping is supported: one external group can map to multiple nShift Permission Groups, and multiple external groups can map to the same Permission Group.
- Close the Group mapping dialog box and click Save.
From this point on, when your IdP adds a user to a mapped group, they automatically receive the corresponding nShift permissions. When the user is removed from the group, those permissions are revoked. Changes propagate within minutes, depending on your IdP's sync interval.
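The mapping rules above can be reviewed before go-live with a short script. This is an added example, not nShift code: it assumes a user's access is the union of the Permission Groups of every mapped group they belong to, and all group names, users and function names are constructed.

```python
# Added example: expected access derived from IdP groups and a group mapping.
# Assumption: access = union of Permission Groups across a user's mapped groups.

def effective_access(memberships, mapping):
    """Return {user: set of Permission Groups} from IdP group memberships."""
    access = {}
    for user, groups in memberships.items():
        granted = set()
        for group in groups:
            granted |= set(mapping.get(group, ()))  # unmapped group grants nothing
        access[user] = granted
    return access

def unmapped_groups(memberships, mapping):
    """External groups in use that have no Permission Group mapping yet."""
    seen = set().union(*memberships.values()) if memberships else set()
    return sorted(g for g in seen if not mapping.get(g))

def revoked_on_removal(user, group, memberships, mapping):
    """Permission Groups the user loses when removed from one external group."""
    before = effective_access(memberships, mapping)[user]
    remaining = {user: set(memberships[user]) - {group}}
    return before - effective_access(remaining, mapping)[user]

# Constructed sample data: many-to-many mapping and one unmapped group.
MAPPING = {
    "idp-logistics": ["Shipping Operators", "Report Viewers"],
    "idp-finance": ["Report Viewers"],
}
MEMBERSHIPS = {
    "anna@example.com": {"idp-logistics", "idp-finance"},
    "ben@example.com": {"idp-contractors"},
}

if __name__ == "__main__":
    for user, groups in effective_access(MEMBERSHIPS, MAPPING).items():
        print(user, sorted(groups) or "NO PERMISSIONS (only unmapped groups)")
    print("unmapped:", unmapped_groups(MEMBERSHIPS, MAPPING))
    print("lost if removed from idp-logistics:",
          sorted(revoked_on_removal("anna@example.com", "idp-logistics",
                                    MEMBERSHIPS, MAPPING)))
```

Under the union assumption, removing a user from one group revokes only the Permission Groups that no other mapped group still grants, which is worth checking when two external groups map to the same Permission Group.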
Part 4: Verify provisioning
After setup, run through these checks to confirm everything is working:
| Check | How to verify | Expected result |
|---|---|---|
| Connection test | IdP provisioning settings > Test connection | Success |
| User creation | Assign a test user in your IdP | User appears in nShift within ~40 min (Entra) or ~5 min (Okta/Ping) |
| User update | Change the test user's name in your IdP | Updated in nShift at next sync |
| User deactivation | Unassign or disable the test user in your IdP | User deactivated in nShift |
| Group membership | Add test user to a mapped group in your IdP | User receives the corresponding nShift Permission Groups |
| Group removal | Remove test user from the group in your IdP | Permissions revoked in nShift |
Where to check in nShift Portal
- Users list: go to Settings > Company Management > Users and confirm the provisioned user appears with the correct name and email.
- User detail: confirm Access groups match your group mapping configuration.
- Audit log: go to Settings > Company Management > Audit Logs and confirm SCIM provisioning events are recorded.
Troubleshooting
"Test connection" fails
| Possible cause | Solution |
|---|---|
| Incorrect SCIM endpoint | Verify you entered the SCIM endpoint exactly as shown in nShift, with no trailing slash |
| Wrong credentials | Verify the Client ID and Client Secret match what nShift provided |
| Secret was not copied | Rotate the secret: go to User provisioning > Rotate client secret, copy the new secret, and update your IdP |
| Provisioning not enabled | Confirm the User provisioning tab in nShift shows "SCIM provisioning is enabled" |
Users are not being provisioned
| Possible cause | Solution |
|---|---|
| Users not assigned to the app | Assign users or groups in your IdP's application settings |
| Provisioning scope too narrow | In Entra ID: confirm Scope is set to "Sync assigned users and groups only" and the relevant users are assigned |
| Initial sync still running | Entra ID initial sync can take 20–40 min — check the provisioning logs in your IdP |
| Missing required attribute mappings | Ensure userName, externalId, emails, and active are mapped in your IdP |
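The endpoint and attribute-mapping causes in the two tables above can be checked offline before retrying a sync. This added example (not nShift or IdP code) validates a SCIM endpoint string and a SCIM 2.0 User payload; the URL, payloads and function names are constructed, and the https requirement is an assumption.

```python
import json
from urllib.parse import urlsplit

# Attributes the troubleshooting table says must be mapped in the IdP.
REQUIRED = ("userName", "externalId", "emails", "active")

def check_scim_endpoint(url):
    """Return the problems with a SCIM endpoint as typed into the IdP."""
    problems = []
    parts = urlsplit(url.strip())
    if url != url.strip():
        problems.append("leading or trailing whitespace")
    if parts.scheme != "https" or not parts.netloc:  # assumption: https only
        problems.append("not an absolute https URL")
    if parts.path.endswith("/"):
        problems.append("trailing slash")
    return problems

def check_scim_user(resource):
    """Return the problems found in one SCIM User payload sent by the IdP."""
    problems = []
    for attr in REQUIRED:
        value = resource.get(attr)
        if value in ("", None, []):
            problems.append(f"missing {attr}")
        elif attr == "active" and not isinstance(value, bool):
            problems.append("active must be a JSON boolean")
        elif attr == "emails" and not (isinstance(value, list) and all(
                isinstance(e, dict) and e.get("value") for e in value)):
            problems.append("emails must be a list of objects with a value")
    return problems

# Constructed payloads: one complete, one with two mapping mistakes.
GOOD = json.loads("""
{"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
 "userName": "anna@example.com", "externalId": "a1b2c3",
 "emails": [{"value": "anna@example.com", "primary": true}], "active": true}
""")
BAD = json.loads("""
{"userName": "ben@example.com",
 "emails": [{"value": "ben@example.com"}], "active": "True"}
""")

if __name__ == "__main__":
    print(check_scim_endpoint("https://scim.example.invalid/scim/v2/"))
    print(check_scim_user(GOOD))
    print(check_scim_user(BAD))
```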
Group permissions are not applied
| Possible cause | Solution |
|---|---|
| Groups not mapped in nShift | Go to the Group mapping tab and map external groups to Permission Groups |
| Groups not pushed by the IdP | In Okta: confirm groups are in the Push Groups tab. In Entra ID: confirm groups are assigned to the nShift application |
| Sync delay | Wait for the next IdP sync cycle |
Need to rotate credentials
- In nShift Portal, go to Settings > Company Management > Single-Sign On (SSO).
- Edit your identity provider and open the User provisioning tab.
- Click Rotate client secret.
- Copy the new client secret. It is shown only once.
- Update the client secret in your IdP's provisioning settings.
- Test the connection.
Note: The old secret is invalidated immediately. Update your IdP promptly to avoid sync interruptions.