SCIM provisioning: automatically sync users from your identity provider
SCIM provisioning: automatically sync users from your identity provider
SCIM lets your identity provider keep your SimplyPrint members in sync automatically. When you add, change, or remove someone in your directory, that change flows into SimplyPrint on its own - no manual inviting, no CSV uploads, no leftover accounts. This guide covers what SCIM does, what you need, where to set it up, and how to read the activity log when something looks off. For step-by-step instructions in your specific provider, follow one of the provider guides linked below.
What you'll find here
- What SCIM does in SimplyPrint
- Requirements and which providers are supported
- Where to set it up
- Connection details and tokens
- Provider setup guides
- What gets synced
- Controlling deprovisioning (the grace period)
- The activity log
- Troubleshooting
What SCIM does
SCIM (System for Cross-domain Identity Management) is an open standard that directories use to push user data to other apps. With SCIM connected, your identity provider automatically:
- Creates a SimplyPrint member when you assign someone to the SimplyPrint app in your directory.
- Updates their name and email when those change in your directory.
- Deactivates them (blocks sign-in) when you disable them in your directory.
- Removes them from your account when you unassign or delete them.
- Syncs groups, so your directory groups can drive SimplyPrint user groups, and (on school accounts) become classes.
Members provisioned through SCIM sign in through your single sign-on, so they never set a SimplyPrint password.
Requirements
SCIM needs single sign-on set up and active first. SCIM provisions the accounts; SSO is how those people actually sign in. Set up SAML or OIDC before you start here.- SAML or OIDC single sign-on is connected and active for your account. Start with Set up Single sign-on (SSO) for SimplyPrint if you haven't yet.
- A School or Enterprise plan (the plans that include SSO).
- Permission to manage user-registration settings for your account. Full account administrators have this, and it can also be granted on its own.
- An identity provider that can push via SCIM - see below.
Which providers can push via SCIM
SimplyPrint's SCIM server works with the providers that support SCIM provisioning to custom apps:
- Microsoft Entra ID (formerly Azure AD)
- Okta
- OneLogin
Where to set up SCIM
- Go to Settings → Organization → User registration.
- With SAML or OIDC active, find the User provisioning section.
- Click Set up SCIM provisioning.
The SCIM window opens with a tab for each provider (Microsoft Entra ID, Okta, OneLogin, and Other) at the top - pick yours for an in-app summary of the steps and a link to its full guide. Below the tabs are two sections: Connection details and Activity.
Connection details and tokens
The Connection details section is where you get the two things your identity provider needs: the SCIM base URL and a bearer token.
Your SCIM base URL (also called the tenant or connector URL) is shown with a copy button:
https://api.simplyprint.io/scim/v2
Your identity provider authenticates to SimplyPrint with a bearer token. In the same Connection details section:
- Enter a name (for example, "Entra ID") so you can tell tokens apart later.
- Click Create token.
- Copy the token immediately - it's shown only once and can't be retrieved again.
- Paste it into your identity provider as the secret / bearer token.
The Connection details section lists each token's name, prefix, when it was last used, and the client that used it. You can keep up to five active tokens at once; if you reach the limit, revoke one you no longer use. To cut off a provider's access, click Revoke next to its token - access stops immediately. If a token is ever exposed, revoke it and create a new one.
Provider setup guides
Pick your provider's tab in the SCIM window for the short version, or follow the full step-by-step guide:
- Set up SCIM provisioning with Microsoft Entra ID
- Set up SCIM provisioning with Okta
- Set up SCIM provisioning with OneLogin
Any other SCIM 2.0 provider works too: point it at the base URL above, authenticate with a bearer token, and enable user and group provisioning.
What gets synced
Once provisioning is on, your directory drives these in SimplyPrint:
- Accounts are created, updated, deactivated, and removed to match your directory.
- Groups pushed from your directory can map to SimplyPrint user groups (which set permissions) through your SSO group mappings.
- On school accounts, pushed groups become classes. Group membership can also drive teacher status, again through your SSO group mappings.
For how group names turn into user groups, permissions, and teacher status, see SAML single sign-on: user groups, group mapping, and teacher mapping. The same mappings apply to SCIM-provisioned users.
Controlling deprovisioning
Back in Settings → Organization → User registration → User provisioning, the toggle Automatically create and remove user accounts from your identity provider's directory governs whether directory changes add and remove members here.
When it's on, you can set a grace period: Remove users [N] days after they disappear from your directory (anywhere from 0 to 90 days; 0 removes them immediately). This gives you a window to catch mistaken removals before a member loses access.
Two directory actions behave differently:
- Deactivating a user in your directory blocks their sign-in but keeps their membership. This is reversible - reactivate them in your directory and they're back.
- Deleting or unassigning a user removes them from your SimplyPrint account after the grace period.
The activity log
The Activity section of the SCIM window is your provisioning history. Every operation your directory performs - create, update, deactivate, remove, and group sync - is logged with a timestamp, the operation, who it affected, the source, and whether it succeeded. A failed operation shows a red icon; hover it to see the error.
If you're not sure why someone was or wasn't provisioned, this is the first place to look.
Troubleshooting
- "Test connection" fails in your provider: double-check the base URL is the exact value from the Connection details section and that the token was pasted without extra spaces. If in doubt, create a fresh token and try again.
- A user wasn't created: confirm they're assigned to the SimplyPrint app in your directory, and that single sign-on is still active. Check the Activity section for a failed create operation and its error.
- Groups aren't mapping to user groups or classes: group sync has to be enabled in your provider (for example, Okta's "Push Groups"), and your SSO group mappings have to match the group names your directory sends. See SAML single sign-on: user groups, group mapping, and teacher mapping.
- Someone was removed who shouldn't have been: increase the grace period so you have longer to react, and remember that deactivating (rather than deleting) in your directory keeps the membership.
- Provisioning stopped working after a token change: if you revoked or rotated a token, update your provider with the new one - the old token no longer has access.
Related articles
- Set up SCIM provisioning with Microsoft Entra ID
- Set up SCIM provisioning with Okta
- Set up SCIM provisioning with OneLogin
- Set up Single sign-on (SSO) for SimplyPrint
- SAML single sign-on: user groups, group mapping, and teacher mapping
- Importing users from a CSV or directory export
- Cleaning up and removing users from your account
Updated on: 13/06/2026
Thank you!