SCIM Integration for Enterprise Organizations
SCIM is only available with an Enterprise plan and requires Single Sign-On (SSO) to be enabled. Currently, GrowthBook only supports Okta as the identity provider.
SCIM, or System for Cross-domain Identity Management, is the standard for managing users and groups across multiple applications. With SCIM, you can automate the provisioning and deprovisioning of users in your GrowthBook account through your identity provider.
GrowthBook's SCIM integration currently offers the following features:
- User provisioning
- User deprovisioning
When a user is provisioned, they are added to your GrowthBook organization with your organization's default role. After provisioning, admin users can adjust their roles and permissions via the GrowthBook application as needed. It's important to note that if a user is provisioned through SCIM, they can only be deprovisioned through your identity provider.
We are actively working to expand functionality to include group provisioning and deprovisioning, as well as adding support for additional identity providers.
Configuring SCIM Integration
Verify that your GrowthBook organization is on an enterprise plan with SSO enabled.
Log in to your Okta account and go to the Applications page. Select "Browse App Catalog," then search for "SCIM 2.0 Test App (OAuth Bearer Token)." Click "Add Integration" to add the app to your Okta account.
- Once the app is added, you can change its name, for example, to "GrowthBook SCIM." Click "Next."
On the next page, you don't need to modify any settings. Simply click "Done."
With the application created, click on the "Provisioning" tab and select "Configure API Integration."
Choose to enable API Integration, and input your credentials. Contact your account representative to obtain the SCIM 2.0 Base URL. You can acquire your OAuth Bearer Token by creating a new Secret API Key with an
Adminrole. To do this, go to your GrowthBook account, and in the left navigation, select "Settings > API Keys." We recommend creating a dedicated API key exclusively for your SCIM integration.
After adding your credentials, click "Test API Credentials" to ensure they are valid. If they pass the test, click "Save."
- Next, click on the "To App" tab and select "Edit" to enable "Create Users" and "Deactivate Users." Once enabled, click "Save."
- Congratulations! Your application is now set up. You can navigate to the "Assignments" tab and assign people to GrowthBook.
Frequently Asked Questions
What features are supported with SCIM?
Currently, GrowthBook supports user provisioning and deprovisioning.
What identity providers are supported?
At present, GrowthBook only supports Okta, but we are actively working on adding support for additional identity providers.
What happens if I deprovision a user in my identity provider?
If a user is deprovisioned in your identity provider, they will be removed from GrowthBook. If they are re-provisioned, they will be added back to GrowthBook, and their role will reset to the organization's default role.
What if I already have users in GrowthBook?
Existing users in GrowthBook will not be affected by SCIM. You can continue to manage them through the GrowthBook application as usual. If you wish to transition them to be managed by your identity provider, you can provision them through your identity provider. As long as the email matches, the existing GrowthBook user will be converted to be managed by your identity provider.
Do you support groups?
Currently, we do not support groups, but we are actively working on adding group support in the future.
Does GrowthBook follow SCIM 1.1 or 2.0 Protocol?
GrowthBook follows the SCIM 2.0 protocol.