Skip to main content
All CollectionsGetting StartedSecurity in your workspace
System for Cross-domain Identity Management (SCIM) Provisioning
System for Cross-domain Identity Management (SCIM) Provisioning

Create and remove teammates using Okta, OneLogin or another identity provider using SCIM provisioning.

Jordan Shefrin avatar
Written by Jordan Shefrin
Updated over 4 months ago

SCIM or the System for Cross-domain Identity Management specification is a standard protocol to manage accounts across multiple services: add teammates, change their properties, such as name, or disable accounts to revoke access. Integrating Intercom with your identity provider makes managing teammates simple and secure.

Important:

  • Before setting up SCIM, SAML SSO should be set up in your workspace.

  • Intercom's provisioning capability is built using version 2.0 of the SCIM protocol.

  • Currently Groups and Roles are not supported.

  • Check our plans and pricing to add this to your subscription.

Setting up SCIM provisioning

To enable SCIM, go to Settings > Workspace > Security > General > Workspace Security Settings and make sure 'Require SAML SSO' is selected. Then toggle on 'SCIM Provisioning':

A token will be available after you save the security settings.

Add a base URL and token to configuration of Intercom app in your Identity provider.

Known limitations or important to note

Current SCIM implementation doesn’t support:

  • assigning role to teammate / removing from role

  • adding teammate to a team / removing from the team

  • assigning/removing seats to teammates

  • giving default role on provisioning (adding teammate to workspace)

  • giving default seats on provisioning (adding teammate to workspace)

📌 Important

  • Before setting up SCIM, the workspace should have SAML SSO set up and enabled.

  • Each customer’s workspace should be set up as a separate app in their Identity provider.

Creating teammates

When you hire a new employee, your IT team should add the new hire to the company's Identity Provider directory. Any provider that supports SCIM protocol can be used. Some popular examples are Okta, OneLogin and Azure ActiveDirectory.

User Provisioning Flow

  1. Once the teammate is added to Identity Provider directory and requires access to Intercom, the IT Team should assign Intercom to the new hire on the Identity provider's platform.

  2. The Identity provider then makes an HTTP request to Intercom which creates a new teammate in the Intercom workspace.

  3. By default, the new teammate receives permissions set up in the Provisioning settings on Intercom under the Default teammate permissions section.

  4. Once this is complete, the new teammate can log in to and use Intercom.

Note: If an admin account with the same email already exists in Intercom, this account gets access to the customer's workspace.

Updating teammates

When the IT Team changes the teammate’s name in the Identity provider’s directory, the Identity provider sends an HTTP request to Intercom to update the teammate’s name in Intercom.

Deleting teammates

User Deprovisioning Flow

  1. Once a teammate no longer requires access to Intercom(due to a role change or off-boarding), the IT Team should remove Intercom assignment from the employee in the company's Identity provider directory.

  2. Then the Identity provider makes a HTTP request to Intercom to remove the teammate from the workspace.

  3. Intercom will automatically reassign all objects (conversations, outbound messages, contacts articles) assigned to that teammate according to the reassignment rules configured in the SCIM Deprovisioning Settings.

If the teammate has access to any other workspaces, that access is retained.

Configuring provisioning settings

Default teammate permissions

When your new teammate is created by your identity provider, Intercom gives them a default set of permissions that you can set up in Security Settings:

Click 'Edit' and toggle on the permissions for the new teammate:

Deprovisioning teammates

When teammates are deprovisioned by your identity provider, Intercom reassigns all conversations, Articles, Outbound messages and Contacts to another admin. You can choose who should get the ownership of each type of data in your workspace. If you choose the 'Default' option, Intercom will assign items to the first teammate in the workspace, but they can be reassigned later.

You can also choose admins that should be excluded from deprovisioning. This could help your IT Team to keep access to your Intercom workspace in case of misconfiguration or an emergency.

Note:

  • Teammates in Intercom today can be one of two states; active or deleted. Intercom does not support any soft-deleted/de-activated/archived state for teammates.

  • Where a teammate is not active in your identity provider, this teammate's account will be deleted from the Intercom workspace.

  • Intercom considers email addresses as case insensitive.

💡Tip

Need more help? Get support from our Community Forum
Find answers and get help from Intercom Support and Community Experts

Related Articles
Integrate with an identity provider and log in with SAML SSO
Review actions taken in your workspace with Teammate activity logs
Using conversation data in the inbox
Create and manage multiple Help Centers
Did this answer your question?