Administration Guide > User provisioning
SCIM provisioning
SCIM 2.0 lets identity providers create, update, deactivate, and group users in TheChatApp while OIDC remains responsible for authentication.
When to use SCIM
Use SCIM when your organization already manages users in an identity provider and needs joiner, mover, and leaver lifecycle events reflected in TheChatApp without manual account work.
How provisioning works
Each workspace can expose SCIM v2 provisioning for users and groups. The identity provider connects over HTTPS with a workspace-specific token and can create, update, deactivate, list, and sync users and groups.
| Mechanism | Responsibility |
|---|---|
| SCIM | Provision users, profile attributes, active state, groups, and memberships. |
| OIDC | Authenticate the user and apply IdP session policy, MFA, and token validation. |
Groups and roles
SCIM groups become TheChatApp user groups. Manual, SCIM, and OIDC group memberships can coexist. A configured administrator group can promote SSO/SCIM-managed users to Manager on login when the OIDC groups claim contains the configured group.
Provider setup
Okta typically requires separate OIDC and SCIM apps. Microsoft Entra ID can host OIDC and SCIM under the same Enterprise Application. Other providers vary, but TheChatApp uses the same workspace URL and token pattern.