SCIM Provisioning

Last updated on May 21, 2026

Your identity provider pushes member changes to TofuPilot, so when you add a user in Okta they get a TofuPilot account, and when you remove them from the group their access is revoked.

SCIM runs on top of SSO: SSO handles auth, and SCIM handles lifecycle. SSO works without SCIM, but SCIM requires SSO.

What SCIM syncs

SCIM mirrors directory events into TofuPilot, so membership and profiles stay in sync without manual updates.

  Event in your directory                  Effect in TofuPilot
  User created in linked group             New member, default role from group mapping
  User removed from group                  Member removed from organization
  User attributes updated (name, email)    Profile updated
  User suspended                           Member banned
  Group renamed or remapped                Team membership updated

Role assignment comes from group mapping, so you can map directory group Engineering to role Developer and group Operators to role Operator.

Configure SCIM

SCIM requires existing SSO, so set up SSO first.

  1. Open Settings > Organization > SCIM Provisioning.
  2. Click Generate token and copy the bearer token and base URL.
  3. In your identity provider, create a SCIM 2.0 provisioning connection for TofuPilot, then paste the base URL and bearer token.
  4. Map directory groups to TofuPilot roles.
  5. Enable provisioning in your identity provider. The first sync runs immediately, and subsequent syncs are incremental.

Verify the sync

Once SCIM is connected, you can confirm it works by adding and removing a test user.

Add a test user to a mapped group, and the user appears in Settings > Members within a minute with the role mapped to their group.

Remove the test user from all mapped groups, and TofuPilot membership is removed within a minute.
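The manual check above can also be scripted against the SCIM endpoint itself, using only the standard SCIM 2.0 list operation (GET /Users with a userName filter, RFC 7644). This is an added example, not TofuPilot's own code: the base URL and bearer token are the placeholders from the setup steps, the sample responses are constructed, and whether the TofuPilot endpoint honours the filter parameter is an assumption.

```python
import json
import urllib.parse
import urllib.request


def user_filter_url(base_url: str, user_name: str) -> str:
    """Build the SCIM 2.0 list URL for one user: {base}/Users?filter=userName eq "...".
    Filter support on the TofuPilot side is assumed, not stated by the docs."""
    flt = urllib.parse.quote(f'userName eq "{user_name}"')
    return f"{base_url.rstrip('/')}/Users?filter={flt}"


def fetch_user(base_url: str, token: str, user_name: str) -> dict:
    """Query the SCIM endpoint with the bearer token generated in the SCIM settings."""
    req = urllib.request.Request(
        user_filter_url(base_url, user_name),
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/scim+json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def scim_user_state(list_response: dict) -> str:
    """Map a ListResponse to the lifecycle states in the table above:
    present and active -> "provisioned", present but active=false ->
    "suspended" (a banned member), no match -> "absent" (removed)."""
    resources = list_response.get("Resources", [])
    if list_response.get("totalResults", len(resources)) == 0 or not resources:
        return "absent"
    return "provisioned" if resources[0].get("active", True) else "suspended"


# Constructed sample responses (not captured from TofuPilot).
SAMPLE_ACTIVE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{"userName": "test.user@example.com", "active": True}],
}
SAMPLE_SUSPENDED = {
    "totalResults": 1,
    "Resources": [{"userName": "test.user@example.com", "active": False}],
}
SAMPLE_ABSENT = {"totalResults": 0, "Resources": []}

if __name__ == "__main__":
    # Live use: replace the placeholders with the values from step 2 of the setup.
    # state = scim_user_state(fetch_user("<BASE_URL>", "<BEARER_TOKEN>", "test.user@example.com"))
    for sample in (SAMPLE_ACTIVE, SAMPLE_SUSPENDED, SAMPLE_ABSENT):
        print(scim_user_state(sample))
```

Run the live query once after adding the test user (expect "provisioned") and once after removing it from all mapped groups (expect "absent"); a "suspended" result after a directory suspension confirms the ban mapping.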

Rotate the SCIM token

When you need to rotate the token, you generate a new one and swap it on the IdP side.

  1. Open Settings > Organization > SCIM Provisioning.
  2. Click Rotate token. The old token is revoked immediately.
  3. Paste the new token into your identity provider's SCIM connection.

Limitations

SCIM controls organization membership and roles, but it does not control team membership. For team assignment, use the Teams UI or the API.

The Owner role cannot be assigned via SCIM, so you have to transfer ownership manually in Settings > Organization.
