Configure SCIM for provisioning

For Enterprise org admins only: Learn how to set up SCIM for user and group provisioning in Coda (including steps for Microsoft Azure)


SCIM (System for Cross-domain Identity Management) is a set of protocols that allow a third-party identity provider to manage users inside Coda for your organization. This enables your identity provider to automatically provision and de-provision users and groups in Coda, based on their roles and application assignments within your identity provider.

This article will cover the basics of setting up SCIM for your org, including both generic instructions and instructions for those using Microsoft Azure.

SCIM is only available to customers on our Enterprise plan. Only Enterprise org admins (typically members of your IT team) have the ability to enable SCIM.


Set up SCIM (generic)

Below are some generic instructions for setting up SCIM for your org.

A few notes before you begin:

  • You must be an org admin on our Enterprise plan to follow these steps

  • You will need access to your org’s identity provider

  • Before enabling SCIM, you must first have configured SAML for your org

Enable SCIM in Coda

The first step is to enable SCIM within your Coda organization settings. Note that you must be an Enterprise org admin to follow these steps:

  1. In the lower left corner, select More options, then select Organization Settings.

  2. Go to the Provisioning tab.

  3. Ensure Provision with SCIM is enabled.

  4. Click Generate New Token. (Note: Only one SCIM token is valid at a time. If SCIM was previously configured, generating a new token invalidates the previous token.)

  5. Note the SCIM Base URL and SCIM Bearer Token. You will need this information later.


Configure SCIM in your identity provider

Next, you’ll need to configure SCIM within your identity provider platform:

  1. Create a new application in your identity provider administration console and enable SCIM.

  2. Copy the SCIM Base URL from Coda (see the steps in the section above) into the appropriate location in your identity provider setup.

  3. Copy the SCIM Bearer Token from Coda into the appropriate location in your identity provider setup. Note that your identity provider may require the word Bearer before the token (e.g. Bearer 12345678-abcd-9012-abfe-345678901234).

  4. Ensure your application passes user identity to Coda in "email" format; that is, your identity provider is sending email-address-like user identities to Coda.
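A pre-flight check for the values used in the two procedures above, added here as an example (it is not Coda's or any identity provider's code). It normalizes the token to a single Bearer prefix, rejects a non-HTTPS base URL, flags identities that are not in email format, and masks the token in its report. The function names, the placeholder URL, the sample users and the simplified email pattern are assumptions.

```python
import re
from urllib.parse import urlsplit

# Simplified "email-like" test (an assumption): one @, non-empty local part, dotted domain.
EMAIL_LIKE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def authorization_header(token):
    """Return the header value with exactly one 'Bearer ' prefix."""
    # Drop any prefix copied along with the token, so 'Bearer Bearer ...' cannot happen.
    raw = re.sub(r"(?i)^(bearer\s+)+", "", token.strip())
    if not raw or raw.lower() == "bearer" or re.search(r"\s", raw):
        raise ValueError("token is empty or contains whitespace")
    return "Bearer " + raw

def mask(header):
    """Show only the last 4 characters so the token stays out of logs and tickets."""
    raw = header[len("Bearer "):]
    return "Bearer " + "*" * max(len(raw) - 4, 0) + raw[-4:]

def preflight(base_url, token, identities):
    """Check the SCIM Base URL, SCIM Bearer Token and user identities before saving them."""
    findings = []
    url = urlsplit(base_url.strip())
    # The bearer token accompanies every SCIM request, so the URL must use TLS.
    if url.scheme != "https" or not url.netloc:
        findings.append("base URL must be an absolute https:// URL")
    if url.query or url.fragment:
        findings.append("base URL should not carry a query string or fragment")
    try:
        shown = mask(authorization_header(token))
    except ValueError as exc:
        shown = None
        findings.append("token: %s" % exc)
    for identity in identities:
        if not EMAIL_LIKE.match(identity.strip()):
            findings.append("identity not in email format: %r" % identity)
    return {"ok": not findings, "authorization": shown, "findings": findings}

if __name__ == "__main__":
    # Constructed sample input: placeholder URL, the article's example token, made-up users.
    print(preflight("https://scim.example.invalid/placeholder",
                    "Bearer 12345678-abcd-9012-abfe-345678901234",
                    ["ana@example.com", "jdoe", "CORP\\msmith"]))
```

If your identity provider's token field adds the Bearer prefix itself, paste only the part after `Bearer ` from `authorization_header()`.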

Set up SCIM for Microsoft Azure

The instructions below are for Enterprise organizations that currently use Microsoft’s Azure Active Directory to provision users.

Please note that a custom app (not the Coda Gallery app) must be used to successfully push groups to Coda. Microsoft 365 group members cannot be synced as part of this process. Not all Azure Active Directory plans support pushing groups - please check with Microsoft to confirm if your plan supports this feature.

Before kicking off this process, ensure that SAML SSO is accurately configured for your organization. You can find instructions here.

Transition from Coda Gallery app to custom app

The Coda Gallery app does not currently support the latest updates for sharing with groups, so you will need to transition from the Coda Gallery app to a custom app if you'd like your organization to be able to share docs and folders with groups. If you’re already using a custom app, you can skip this section and follow the steps in the section above.

Follow these steps to get started:

  1. From the Provisioning tab in your existing gallery app, disable provisioning (via the Stop provisioning setting).

  2. Then create a new application in Azure under Enterprise applications.

  3. Then press Create your own application to create a custom app to connect to Coda. Do not use the Gallery app for Coda as it does not support the latest updates to share with groups at this time.


Now that you’ve transitioned to a custom app, you’re ready to start setting up SCIM. Return to the previous section of this article and follow the steps there, starting with Enable SCIM in Coda.

What can I do with SCIM?

Once you’ve configured SCIM for your Coda org, you can use it to take the following actions:

FAQs

Who can enable SCIM?

SCIM (and pushing groups) is only available on our Enterprise plan, and only org admins have the ability to enable it. Since enabling SCIM also requires you to have access to your company’s identity provider, these org admins are typically members of your IT team.

If you’re interested in upgrading to an Enterprise plan, check out our pricing page to learn more.

What is different about enabling SCIM with Microsoft Azure?

If your org uses Microsoft Azure - as opposed to another service like Okta - to provision users, there is only one real difference in enabling SCIM. You first need to make sure that you are using a custom app for Coda within Azure, rather than the pre-built Coda Gallery app. The reason for this is that the Coda Gallery app does not allow for pushing groups to Coda (a primary use case of SCIM). If you do currently use the Coda Gallery app in Azure, you need to follow the steps above to transition to the custom app. Then you can follow the standard instructions for enabling SCIM.

