How to Set Up SCIM Integration in Sally AI
SCIM (System for Cross-domain Identity Management) lets you automatically connect Sally with your Identity Provider (IdP). This way, users and groups are always kept in sync without manual updates.
Quick Navigation
- What is SCIM and why use it with Sally AI?
- How do I set up SCIM in Sally AI?
- Where do I enter SCIM credentials in my IdP?
- What is the final configuration step in Sally?
- FAQ: SCIM in Sally
- 5.1. What happens if there are more users in a group than available licenses?
- 5.2. How does license priority work if a user is in multiple groups?
- 5.3. Can I assign single users instead of groups?
- 5.4. Do I need to reconfigure SCIM if new groups are added in my IdP?
- 5.5. How often does the sync run?
- 5.6. Can I disable SCIM once it's active?
1. What is SCIM and why use it with Sally AI?
SCIM is an open standard for user and group provisioning. It allows you to automatically transfer account information from your Identity Provider to Sally.
Instead of manually creating, updating, or removing users, SCIM ensures that:
- New employees get access to Sally immediately.
- Existing user details stay up to date.
- Users who leave your company lose access automatically.
By connecting once through SCIM, your IdP becomes the single source of truth. Groups and licenses can still be managed centrally in your IdP, while Sally always reflects the latest state. This reduces admin overhead, prevents mistakes, and ensures secure, consistent access for your team.
2. How do I set up SCIM in Sally AI?
-
In Sally, go to Settings.
Step 1: Go to Settings -
Go to Users.
-
Under the Management section, click on SCIM Integration.
Step 2: Open SCIM Integration in the User Administration tab -
Select your SCIM client and click Set up SCIM.
Available integrations- Microsoft Entra (Azure AD)
- Google Workspace
- Okta
- OneLogin
- PingOne
Step 3: Select your identity provider and start setup -
Sally generates your Tenant URL and Token. Make sure to copy these credentials right away, as you will need them to finish the setup inside your Identity Provider.
Copy the Tenant URL & Token to use in your IdP Continue in your IdPNow it's time to enter these credentials in your Identity Provider.
Jump directly to the instructions for your tool:
3. Where do I enter SCIM credentials in my IdP?
Until this step is done, groups won't appear in Sally, since the IdP hasn't started syncing yet.
3.1 Microsoft Entra (Azure AD)
Follow these steps to connect Sally via SCIM in Microsoft Entra:
-
In the Azure portal, go to "Enterprise Applications" and click on "+ New application".
Step 1: Create a new Enterprise Application -
Select "Create your own application".
Step 2: Start creating your own application -
Give the app a name (e.g., Sally AI SCIM Integration) and choose "Integrate any other application you don't find in the gallery (Non-gallery)". Then click Create.
Step 3: Name the application and select non-gallery integration -
Once the application is created, open it and go to Provisioning.
Step 4: Navigate to the Provisioning menu -
Click on "+ New configuration".
Step 5: Start a new provisioning configuration -
In the new configuration screen, enter the Tenant URL and Secret Token you copied from Sally. Click "Test connection" and then Create.
Step 6: Add credentials from Sally and test the connection -
After the configuration is created, you can now assign groups to this profile.
NoteOnly groups are supported for provisioning to Sally, not single users.
-
Finally, start the provisioning by clicking on "Start provisioning".
Step 8: Enable provisioning to start syncing groups to Sally -
After provisioning has started, return to Sally and complete the setup by assigning the correct groups and licenses. You can find the detailed instructions in Final step in Sally.
3.2 Google Workspace
- Open Admin Console → Apps → Web and mobile apps.
- Add a new custom SCIM app.
- Enter Tenant URL and Token.
- Assign groups for provisioning.
- After provisioning has started, return to Sally and complete the setup by assigning the correct groups and licenses. You can find the detailed instructions in Final step in Sally.
3.3 Okta
- Go to Applications → select your Sally app.
- Open Provisioning tab.
- Enter Tenant URL and Token.
- Enable provisioning features (create, update, deactivate users).
- After provisioning has started, return to Sally and complete the setup by assigning the correct groups and licenses. You can find the detailed instructions in Final step in Sally.
3.4 OneLogin
- Navigate to Apps → SCIM Provisioning.
- Paste Sally's Tenant URL and Token.
- Map groups and save.
- After provisioning has started, return to Sally and complete the setup by assigning the correct groups and licenses. You can find the detailed instructions in Final step in Sally.
3.5 PingOne
- Go to Connections → Provisioning.
- Add a new SCIM connection.
- Provide Tenant URL and Token.
- Test and activate.
- After provisioning has started, return to Sally and complete the setup by assigning the correct groups and licenses. You can find the detailed instructions in Final step in Sally.
4. What is the final configuration step in Sally?
After you have added the Tenant URL and Token to your Identity Provider and started the provisioning, the connection between your IdP and Sally is live.
Now it's time to finish the setup inside Sally by defining which groups and licenses should be used. This ensures that users synced from your IdP get the correct role and license automatically.
Sally lets you assign multiple IdP groups per role and per license tier. You don't have to merge everything into one big umbrella group: you can map several groups from your IdP to the same category and even combine categories (for example, the same group can activate users as standard users AND grant them a Pro license).
Follow these steps:
-
Open SCIM Integration again.
-
Under Group assignment, map your IdP groups to Sally roles:
info- Active Sally user groups → Select one or more groups whose members should get access as standard users.
- Admin user groups → Select one or more groups whose members should have administrator rights in Sally.
-
Under License assignment, link IdP groups to specific license types (Starter, Pro, Enterprise). You can pick multiple groups per license tier, so membership in any of them controls which license users receive in Sally.
ImportantIf the selected groups combined contain more users than the number of available licenses, Sally will automatically purchase additional licenses.
These licenses are billed immediately, so make sure your group sizes align with your subscription plan. -
Decide whether new users should receive an automatic invitation.
-
Click Save to apply the configuration.
- After saving, all members provisioned via SCIM will appear in your user list in Sally.
Because Sally supports multiple groups per category, you don't need one oversized group for the whole company. A few patterns that work well in practice:
- Group by department or team. Keep separate IdP groups for Sales, Marketing, Support, etc. Assign all of them as Active Sally user groups and, if they all use the same license, also as the matching license group. Adding a new team later is just a new group, not a new configuration.
- Use a dedicated admin group. Keep Sally admins in a small, focused group (e.g. Sally Admins or IT Leads). Members of that group get admin rights on top of their regular user role.
- Model license tiers as explicit groups. Create IdP groups like Sally Starter, Sally Pro, Sally Enterprise. Upgrading a user is then a single membership change in your IdP, with no changes needed in Sally.
- Combine both approaches. Use departmental groups to control who gets access, and a smaller tier group (e.g. Sally Pro) on top to upgrade selected power users to a higher license.
The more granular your groups, the easier it is to change access or licenses later, entirely from within your IdP.
5. FAQ: SCIM in Sally
5.1 What happens if there are more users in a group than available licenses?
If the groups assigned to a license tier contain, in total, more users than you currently have licenses for, Sally will automatically purchase additional licenses.
These licenses are billed immediately to ensure all users get access.
5.2 How does license priority work if a user is in multiple groups?
When a user belongs to multiple SCIM license groups, Sally will always assign the lowest license tier.
For example: if a user is in both the Starter group and the Pro group, the user will only receive a Starter license.
5.3 Can I assign single users instead of groups?
No. SCIM provisioning in Sally works exclusively with groups from your Identity Provider.
This ensures consistency and avoids manual exceptions.
5.4 Do I need to reconfigure SCIM if new groups are added in my IdP?
No. As long as SCIM is active, any new groups created in your Identity Provider can be added directly in Sally under Group assignment or License assignment without restarting the setup. You can map as many groups as you need per category, so new teams or license tiers only require picking them in the multi-select.
5.5 How often does the sync run?
Provisioning runs automatically in cycles (based on your IdP's schedule). In Microsoft Entra, for example, provisioning typically runs every 40 minutes.
Changes in your IdP (like adding or removing users) will appear in Sally after the next sync.
5.6 Can I disable SCIM once it's active?
Yes. You can disconnect SCIM at any time in the Sally SCIM Integration settings.
However, already provisioned users will remain in Sally until you remove them manually.