SCIM Integration
SCIM (System for Cross-domain Identity Management) lets you automatically connect Sally with your Identity Provider (IdP). This way, users and groups are always kept in sync without manual updates.
Quick Navigation
- What is SCIM?
- How to set up SCIM in Sally
- Where to enter SCIM credentials in your IdP
- Final step in Sally
- FAQ: SCIM in Sally
- 5.1. What happens if there are more users in a group than available licenses?
- 5.2. How does license priority work if a user is in multiple groups?
- 5.3. Can I assign single users instead of groups?
- 5.4. Do I need to reconfigure SCIM if new groups are added in my IdP?
- 5.5. How often does the sync run?
- 5.6. Can I disable SCIM once it’s active?
1. What is SCIM?
SCIM is an open standard for user and group provisioning. It allows you to automatically transfer account information from your Identity Provider to Sally.
Instead of manually creating, updating, or removing users, SCIM ensures that:
- New employees get access to Sally immediately.
- Existing user details stay up to date.
- Users who leave your company lose access automatically.
By connecting once through SCIM, your IdP becomes the single source of truth. Groups and licenses can still be managed centrally in your IdP, while Sally always reflects the latest state. This reduces admin overhead, prevents mistakes, and ensures secure, consistent access for your team.
2. How to set up SCIM in Sally
-
In Sally, go to Settings.
Step 1: Go to Settings
-
Go to Users.
-
Under the Management section, click on SCIM Integration.
Step 2: Open SCIM Integration in the User Administration tab
-
Select your SCIM client and click Set up SCIM.
Available integrations- Microsoft Entra (Azure AD)
- Google Workspace
- Okta
- OneLogin
- PingOne
Step 3: Select your identity provider and start setup
-
Sally generates your Tenant URL and Token. Make sure to copy these credentials right away, as you will need them to finish the setup inside your Identity Provider.
Copy the Tenant URL & Token to use in your IdP
Continue in your IdPNow it’s time to enter these credentials in your Identity Provider.
Jump directly to the instructions for your tool:
3. Where to enter SCIM credentials in your IdP
Until this step is done, groups won’t appear in Sally, since the IdP hasn’t started syncing yet.
3.1 Microsoft Entra (Azure AD)
Follow these steps to connect Sally via SCIM in Microsoft Entra:
-
In the Azure portal, go to "Enterprise Applications" and click on "+ New application".
Step 1: Create a new Enterprise Application
-
Select "Create your own application".
Step 2: Start creating your own application
-
Give the app a name (e.g., Sally AI SCIM Integration) and choose "Integrate any other application you don’t find in the gallery (Non-gallery)". Then click Create.
Step 3: Name the application and select non-gallery integration
-
Once the application is created, open it and go to Provisioning.
Step 4: Navigate to the Provisioning menu
-
Click on "+ New configuration".
Step 5: Start a new provisioning configuration
-
In the new configuration screen, enter the Tenant URL and Secret Token you copied from Sally. Click "Test connection" and then Create.
Step 6: Add credentials from Sally and test the connection
-
After the configuration is created, you can now assign groups to this profile.
NoteOnly groups are supported for provisioning to Sally, not single users.
-
Finally, start the provisioning by clicking on "Start provisioning".
Step 8: Enable provisioning to start syncing groups to Sally
-
After provisioning has started, return to Sally and complete the setup by assigning the correct groups and licenses. You can find the detailed instructions in Final step in Sally.
3.2 Google Workspace
- Open Admin Console → Apps → Web and mobile apps.
- Add a new custom SCIM app.
- Enter Tenant URL and Token.
- Assign groups for provisioning.
- After provisioning has started, return to Sally and complete the setup by assigning the correct groups and licenses. You can find the detailed instructions in Final step in Sally.
3.3 Okta
- Go to Applications → select your Sally app.
- Open Provisioning tab.
- Enter Tenant URL and Token.
- Enable provisioning features (create, update, deactivate users).
- After provisioning has started, return to Sally and complete the setup by assigning the correct groups and licenses. You can find the detailed instructions in Final step in Sally.
3.4 OneLogin
- Navigate to Apps → SCIM Provisioning.
- Paste Sally’s Tenant URL and Token.
- Map groups and save.
- After provisioning has started, return to Sally and complete the setup by assigning the correct groups and licenses. You can find the detailed instructions in Final step in Sally.
3.5 PingOne
- Go to Connections → Provisioning.
- Add a new SCIM connection.
- Provide Tenant URL and Token.
- Test and activate.
- After provisioning has started, return to Sally and complete the setup by assigning the correct groups and licenses. You can find the detailed instructions in Final step in Sally.
4. Final step in Sally
After you have added the Tenant URL and Token to your Identity Provider and started the provisioning, the connection between your IdP and Sally is live.
Now it’s time to finish the setup inside Sally by defining which groups and licenses should be used. This ensures that users synced from your IdP get the correct role and license automatically.
Follow these steps:
-
Open SCIM Integration again.
-
Under Group assignment, map your IdP groups to Sally roles:
info- Active Sally user group → Select the group that should get access as standard users.
- Admin user group → Select the group that should have administrator rights in Sally.
-
Under License assignment, link each IdP group to a specific license type (Starter, Team, Enterprise). This way, the group membership in your IdP directly controls which license users receive in Sally.
ImportantIf a group contains more users than the number of available licenses, Sally will automatically purchase additional licenses.
These licenses are billed immediately, so make sure your group sizes align with your subscription plan. -
Decide whether new users should receive an automatic invitation.
-
Click Save to apply the configuration.
Assign groups to roles and licenses, then save your configuration
- After saving, all members provisioned via SCIM will appear in your user list in Sally.
List of user
5. FAQ: SCIM in Sally
5.1 What happens if there are more users in a group than available licenses?
If a SCIM group contains more users than you currently have licenses for, Sally will automatically purchase additional licenses.
These licenses are billed immediately to ensure all users in the group get access.
5.2 How does license priority work if a user is in multiple groups?
When a user belongs to multiple SCIM license groups, Sally will always assign the lowest license tier.
For example: if a user is in both the Starter group and the Team group, the user will only receive a Starter license.
5.3 Can I assign single users instead of groups?
No. SCIM provisioning in Sally works exclusively with groups from your Identity Provider.
This ensures consistency and avoids manual exceptions.
5.4 Do I need to reconfigure SCIM if new groups are added in my IdP?
No. As long as SCIM is active, any new groups created in your Identity Provider can be mapped directly in Sally under Group assignment or License assignment without restarting the setup.
5.5 How often does the sync run?
Provisioning runs automatically in cycles (based on your IdP’s schedule). In Microsoft Entra, for example, provisioning typically runs every 40 minutes.
Changes in your IdP (like adding or removing users) will appear in Sally after the next sync.
5.6 Can I disable SCIM once it’s active?
Yes. You can disconnect SCIM at any time in the Sally SCIM Integration settings.
However, already provisioned users will remain in Sally until you remove them manually.