SCIM Provisioning

Overview of SCIM Provisioning

SCIM Provisioning is an Enterprise feature that allows team administrators to use Identity Providers to provision and deprovision users and groups into Parsec.


SCIM provisioning allows companies to manage user identities in the cloud efficiently and easily allowing centralized addition and removal of users and groups within their organization.

  • Lower costs
  • Reduced risk
  • Streamlined workflows

For Parsec, SCIM Provisioning streamlines the way for you to create, assign, unassign, and remove users and groups.

Setting up SCIM

Okta Azure AD Google SSO
  • If Okta is not already configured as the SAML Identity Provider (IdP) for your Parsec tenant, follow the steps here before you proceed.
  • On the 'Domain & SAML' tab, click the 'Enable SCIM' toggle.


  • Copy the SCIM key and tenant URL, you will need these later. Click 'OK'.
    • Please note, you have 10 seconds to copy the SCIM key before it is hidden. Generating a new key will revoke the previous auth token.

  • In the Okta Admin Portal, navigate to the application you configured as your Parsec tenant's SAML IdP. On the 'General' tab, click 'Edit' next to 'App Settings'.
  • Click the 'Enable SCIM provisioning' checkbox.


  • Click the 'Provisioning' tab.
  • Paste the Tenant URL in the 'SCIM connector base URL'.
  • Set 'Unique identifier field for users' to 'email'.
  • Select appropriate 'Supported provisioning actions'.
    • When selecting your "Supported provisioning actions", you may choose to select "Import Groups" experience the full provisioning functionality. If you check this box, you may find that you encounter a 400 Bad Request error upon saving your configuration. If that is the case, you'll need to open a support ticket with Okta to request that the SELECTIVE_APP_IMPORT_PLATFORM feature is enabled.
  • Set 'Authentication Mode' to 'HTTP Header'
  • Paste the SCIM key in the 'Authorization' header.
  • Click 'Test Connector Configuration'
  • Click 'Save'.
    • Before we enable automatic provisioning, we need to verify domain ownership. 


  • On the 'Domain & SAML' tab of the Teams admin panel, type in your domain name then click 'Add Domain'
  • Click 'Copy Text Record'. You will need to add this record to your public DNS.


  • Below is an example DNS record. Please note your interface may not look like the one below, but the values will be the same.


  • Click 'Verify'.


  • In the Okta application, click the 'Push Groups' tab. Click 'Push Groups' then 'Find groups by name'.


  • Search for target group(s) by name.
    • You can choose whether or not group members are pushed to Parsec immediately.
    • If there is already a group in Parsec that matches a group name in Okta, you will have the option to link the groups.
    • If there is not a group in Parsec that matches a group name in Okta, select 'Create Group'.
  • Click 'Save' or 'Save & Add Another'.


  • Click the 'Provisioning' tab.
  • Enable 'Create Users', 'Update User Attributes' and 'Deactivate Users'.
  • Click 'Save'.


  • (Optional) If Okta users were already assigned to the application prior to configuring SCIM provisioning, you can link them by clicking 'Provision User'.




  • I have a different Identity Provider than one supported currently, what should I do?
    • We are working to support more IDPs in the future. Please let us know by opening an enhancement request.
  • I currently have Parsec for Teams, can I use SCIM Provisioning?
    • No, SCIM Provisioning is enabled for Enterprise plans only. Please contact your account executive to upgrade.
  • Is SCIM required to use SAML for authentication?
    • No. SAML Authentication does not require SCIM Provisioning to be enabled.