SCIM User Provisioning

SCIM (System for Cross-domain Identity Management) enables automatic user provisioning between your identity provider and Learn Amp. This means user accounts can be created, updated, and deactivated automatically based on changes in your HR system or identity provider.

This article explains how SCIM integration works and what it can do for your organisation.


Overview

SCIM provisioning automates user management by:

  • Creating accounts — new users in your identity provider are automatically added to Learn Amp

  • Updating profiles — changes to user details sync automatically

  • Deactivating users — when someone leaves, their Learn Amp account is deactivated

  • Assigning managers — manager relationships can be synced from your HR system

This reduces manual Admin work and ensures your Learn Amp user base stays in sync with your organisation.


Functionality Breakdown

What SCIM Can Sync

Attribute          Description
Name               First name and last name
Email              Primary email address (used for login)
Job title          User's role or position
Department/Team    Primary team assignment
Manager            Reporting manager relationship
Hire date          Employment start date
Time zone          User's preferred time zone
Custom fields      Organisation-specific attributes (if configured)
Active status      Whether the user account is active or deactivated

Supported Identity Providers

  • Okta — full SCIM 2.0 support with the Learn Amp integration

💡 Tip: SCIM integrations require configuration by Learn Amp in partnership with your IT team. Contact your Customer Success Manager to get started.


Pre-requisites

Role Requirements

Action                          Required Role
Be provisioned via SCIM         Any user (automatic)
View SCIM integration status    Admin, Owner
Configure SCIM integration      Admin, Owner (with Learn Amp support)

Technical Requirements

  • An Okta account with SCIM provisioning capabilities

  • The Learn Amp SCIM integration configured in your identity provider

  • API credentials provided by Learn Amp


Quick Start Guide

Getting Started with SCIM

SCIM integration is set up by Learn Amp in collaboration with your IT team. Here's the typical process:

  1. Contact your Customer Success Manager to express interest in SCIM provisioning.

  2. Provide identity provider details — which system you use and what attributes you want to sync.

  3. Learn Amp configures the integration and provides API credentials.

  4. Your IT team configures your identity provider to connect to Learn Amp.

  5. Test the integration with a small group of users.

  6. Roll out to all users once testing is successful.

What Happens When SCIM is Active

  • New employees: When added to your identity provider and assigned to the Learn Amp application, they automatically get a Learn Amp account.

  • Profile updates: Changes in your identity provider (e.g. name change, new manager) sync to Learn Amp.

  • Leavers: When removed from the Learn Amp application in your identity provider, their Learn Amp account is deactivated.


FAQs

Q: Can I still manually create users with SCIM enabled?
Yes. SCIM and manual user management can work alongside each other. However, for users managed by SCIM, manual changes may be overwritten by the next sync.

Q: How often does SCIM sync?
This depends on your identity provider's configuration. Most providers push changes in near real-time or on a scheduled basis.

Q: What happens if SCIM creates a duplicate user?
SCIM uses email address as the unique identifier. If a user with that email already exists, SCIM will update their profile rather than create a duplicate.

Q: Can SCIM assign users to specific teams?
Yes. The department or team attribute can be mapped to automatically assign users to teams in Learn Amp.

Q: What if I need to sync custom fields?
Custom field mapping is possible but requires configuration. Contact your Customer Success Manager to discuss your requirements.

Q: Is SCIM secure?
Yes. SCIM uses secure API tokens for authentication, and all data is transmitted over HTTPS. Access is restricted to authorised systems only.

Q: Can SCIM assign user roles (Admin, Curator, etc.)?
Standard SCIM doesn't handle Learn Amp roles. Users are typically created as Viewers, and role upgrades are managed manually or through other processes.


Troubleshooting

Issue                                 Solution
User not being created                Check that the user is assigned to the Learn Amp application in your identity provider.
Profile not updating                  Verify the attribute mapping in your identity provider and check for sync errors.
User not deactivated when expected    Ensure they've been removed from the Learn Amp application assignment, not just your directory.
Manager not syncing                   Confirm the manager's email matches an existing Learn Amp user and the mapping is configured correctly.
SCIM errors in identity provider      Contact your Customer Success Manager with error details for investigation.
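
The leaver behaviour and the "User not deactivated when expected" case above can be checked independently of the identity provider's own sync status. The following added example (not Learn Amp or Okta code) reconciles the users assigned to the application in the identity provider against an export of Learn Amp accounts, matching on email as the FAQ describes. The export fields "active" and "scim_managed", the sample data and the case-insensitive comparison are assumptions made for illustration.

```python
# Added example: audit SCIM provisioning by reconciling IdP assignments
# against an export of application accounts. Field names are hypothetical.

def norm(email):
    # Assumption: compare emails case-insensitively, ignoring stray whitespace.
    return email.strip().casefold()

def reconcile(idp_assigned, app_users):
    """Return sorted email lists for each class of provisioning drift."""
    assigned = {norm(e) for e in idp_assigned}
    seen = set()
    out = {k: set() for k in ("orphaned_active", "unmanaged_active",
                              "assigned_but_inactive", "duplicate_email")}
    for user in app_users:
        key = norm(user["email"])
        if key in seen:
            # Two accounts collapse to one email once case is ignored.
            out["duplicate_email"].add(key)
        seen.add(key)
        if user["active"] and key not in assigned:
            # Active account with no app assignment: a leaver that was not
            # deactivated, or a manually created account outside SCIM.
            bucket = "orphaned_active" if user["scim_managed"] else "unmanaged_active"
            out[bucket].add(key)
        elif not user["active"] and key in assigned:
            out["assigned_but_inactive"].add(key)
    # Assigned in the IdP but no account exists at all.
    out["not_provisioned"] = assigned - seen
    return {k: sorted(v) for k, v in out.items()}

# Constructed sample data (not real users).
IDP_ASSIGNED = ["ana@example.com", "Ben@Example.com", "cho@example.com"]
APP_USERS = [
    {"email": "ana@example.com", "active": True, "scim_managed": True},
    {"email": "ben@example.com", "active": False, "scim_managed": True},
    {"email": "dev@example.com", "active": True, "scim_managed": True},
    {"email": "eve@example.com", "active": True, "scim_managed": False},
]

if __name__ == "__main__":
    for finding, emails in reconcile(IDP_ASSIGNED, APP_USERS).items():
        print(f"{finding}: {emails}")
```

Entries under orphaned_active are the ones to review first, since they are SCIM-managed accounts that remain active without an application assignment.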