SCIM Customer Integration Guide
To implement SCIM integration with WorkOS for Orgvue, follow these steps:
It is recommended to test integrating SCIM in the staging environment before promoting it to production.
Provide IAM Administrator Details
The first step in integrating your IAM system with Orgvue is to provide us with the email address of your IAM administrator and specify the tenant(s) to configure for SCIM.
This information is required to set up the SCIM integration with WorkOS and may be provided to your Orgvue customer representative or to support@orgvue.com.
If any issues arise during the integration process, Orgvue can facilitate a 3-way call with WorkOS support for assistance.
Receive WorkOS Directory ID
The IAM administrator will receive a WorkOS Directory ID from Orgvue. This Directory ID is crucial for configuring the SCIM integration, as it uniquely identifies the directory in WorkOS.
Integrate WorkOS with the Identity Provider
The next step is to use the guides provided by WorkOS to integrate WorkOS with your relevant identity provider.
WorkOS offers detailed documentation on various identity providers, including Microsoft AD, Google Workspace, OneLogin, and others.
For detailed instructions on integrating with specific identity providers, refer to the WorkOS documentation at https://workos.com/docs/integrations and select your identity provider.
Assign Users to Group Roles
User roles are used by Orgvue, in combination with permissions, to control access to resources in your tenant. See for more details.
In most SCIM environments these user roles are represented as groups, so your IAM administrator can create them, and assign users to them, within your IAM system.
It is highly recommended to use group prefixes within your IAM system to identify the groups that are specific to Orgvue.
These group prefixes are removed when users are synced to the Orgvue system.
The prefix to be used on the group names must be agreed with your Orgvue representative prior to implementation.
For single tenant: IAMAPP_Orgvue_SCIM_<role>, where <role> can be user, admin, sales or hr.
For multi-tenant: IAMAPP_Orgvue_SCIM_<tenant>_<role>, where <tenant> is your tenant name and <role> is user, admin, sales, hr etc. (e.g. IAMAPP_Orgvue_SCIM_MYTENANT_user).
All Orgvue accounts must have the platform role of either admin or user in addition to any other assigned roles.
Therefore every user in your IAM must be a member of one of these two groups.
Any attempt to sync a user who is not a member of either of these groups will result in a sync failure for that account.
Example user and group names
| User | Group | Valid | Reason |
|---|---|---|---|
| testuser1@testOrg.com | IMAPP_Orgvue_SCIM_user | TRUE | |
| testuser2@testOrg.com | IMAPP_Orgvue_SCIM_admin | TRUE | |
| testuser3@testOrg.com | IMAPP_Orgvue_SCIM_user, IMAPP_Orgvue_SCIM_Retail, IMAPP_Orgvue_SCIM_ManagerRetail | TRUE | |
| testuser4@testOrg.com | IMAPP_Orgvue_SCIM_MyTenant_admin | TRUE | |
| testuser5@testOrg.com | IMAPP_Orgvue_SCIM_training, IMAPP_Orgvue_SCIM_Tech | FALSE | User is not part of either User group or Admin group |
| testuser6@testOrg.com | IMAPP_Orgvue_SCIM_MyTenant_EuropeFinance | FALSE | User is not part of either User group or Admin group |
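To make the group-naming rule concrete, the following is an added Python example (not Orgvue's or WorkOS's code) that applies the convention above to a constructed set of group memberships modelled on the table: it strips the agreed prefix (and the tenant segment in multi-tenant mode), ignores groups that do not carry the prefix, and flags any account that lacks the mandatory user or admin platform role. The prefix string, the case-insensitive comparison of role names, and the treatment of unprefixed groups as non-Orgvue groups are assumptions made for the illustration.

```python
"""Illustrative check of Orgvue SCIM group naming (added example, not vendor code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: every account needs at least one of these platform roles.
PLATFORM_ROLES = {"user", "admin"}

# Prefix as shown in the example table; the real value is agreed with Orgvue.
EXAMPLE_PREFIX = "IMAPP_Orgvue_SCIM_"


@dataclass
class SyncDecision:
    """Outcome of evaluating one account's group memberships."""
    user: str
    roles: List[str] = field(default_factory=list)
    valid: bool = False
    reason: str = ""


def group_to_role(group: str, prefix: str, tenant: Optional[str] = None) -> Optional[str]:
    """Return the role encoded in an Orgvue SCIM group name, or None if the
    group does not carry the agreed prefix (i.e. it is not an Orgvue group).

    Single tenant:  <prefix><role>
    Multi-tenant:   <prefix><tenant>_<role>
    """
    expected = prefix if tenant is None else f"{prefix}{tenant}_"
    if not group.startswith(expected):
        return None
    role = group[len(expected):]
    return role or None  # a bare prefix with no role is not a usable group


def evaluate_user(user: str, groups: List[str], prefix: str,
                  tenant: Optional[str] = None) -> SyncDecision:
    """Map group memberships to Orgvue roles and decide whether the sync
    would succeed for this account (it needs a user or admin role)."""
    roles = [r for g in groups if (r := group_to_role(g, prefix, tenant)) is not None]
    # Assumption: role comparison is case-insensitive.
    if not any(r.lower() in PLATFORM_ROLES for r in roles):
        return SyncDecision(user, roles, False,
                            "User is not part of either User group or Admin group")
    return SyncDecision(user, roles, True)


def evaluate_directory(memberships, prefix: str, tenant: Optional[str] = None) -> List[SyncDecision]:
    """Evaluate every account in a {user: [groups]} mapping."""
    return [evaluate_user(u, g, prefix, tenant) for u, g in memberships.items()]


# Constructed sample data modelled on the example table (single-tenant groups).
SAMPLE_SINGLE_TENANT = {
    "testuser1@testOrg.com": ["IMAPP_Orgvue_SCIM_user", "AllStaff"],  # AllStaff is ignored
    "testuser2@testOrg.com": ["IMAPP_Orgvue_SCIM_admin"],
    "testuser3@testOrg.com": ["IMAPP_Orgvue_SCIM_user", "IMAPP_Orgvue_SCIM_Retail",
                              "IMAPP_Orgvue_SCIM_ManagerRetail"],
    "testuser5@testOrg.com": ["IMAPP_Orgvue_SCIM_training", "IMAPP_Orgvue_SCIM_Tech"],
}

# Constructed sample data for a multi-tenant prefix with tenant "MyTenant".
SAMPLE_MULTI_TENANT = {
    "testuser4@testOrg.com": ["IMAPP_Orgvue_SCIM_MyTenant_admin"],
    "testuser6@testOrg.com": ["IMAPP_Orgvue_SCIM_MyTenant_EuropeFinance"],
}


if __name__ == "__main__":
    for d in evaluate_directory(SAMPLE_SINGLE_TENANT, EXAMPLE_PREFIX):
        print(f"{d.user}: roles={d.roles} valid={d.valid} {d.reason}")
    for d in evaluate_directory(SAMPLE_MULTI_TENANT, EXAMPLE_PREFIX, tenant="MyTenant"):
        print(f"{d.user}: roles={d.roles} valid={d.valid} {d.reason}")
```

Running the script reproduces the Valid column of the table: the accounts with only custom roles (training/Tech, EuropeFinance) are reported as sync failures, and the unprefixed AllStaff group has no effect on the result. The same evaluation can be run against an export of your IAM group memberships before the first sync to catch accounts that would fail.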
Configure Connection from WorkOS to Orgvue
Once the connection between your IAM system and WorkOS is complete, Orgvue will configure the WorkOS to Orgvue sync by setting up the domain, tenant and IAM Sync configurations (the prefix used for groups and other parameters) specific to your tenant.
Sync Operation Notifications
Orgvue will be notified when users are created, deleted, or modified in WorkOS. This notification triggers a sync operation, which is delayed by 5 minutes to allow for batching updates.
This ensures that changes in the identity provider are efficiently synchronized with Orgvue's systems.
It's crucial to understand that any users manually added or removed through Orgvue's internal settings will be overridden during the next sync operation. This ensures that the user data in Orgvue remains consistent and accurate with the data in the customer's identity provider, maintaining the integrity of the user management process.