SCIM – UserVoice

What is SCIM?

SCIM is an open standard that allows for the automation of user provisioning. SCIM is used by Single Sign-On (SSO) Services and identity providers to manage people across multiple domains.

Note: UserVoice supports SCIM v2, and has been tested with Okta and Entra ID. However, we do not support other IdPs at this time; however, if your IdP follows spec, it may work regardless of official support.

Configuring SCIM

Step One: Enable SCIM in UserVoice

To find the setting, go to General Settings -> User Authentication and enable SCIM by toggling the feature "On". Once enabled, click "Create Token" to obtain the API Token for configuring in your IdP.

Note: Admins with owner-level permissions are the only admins able to enable and obtain the token.

Step Two: Configure within your Identity Provider

Setup will depend upon which Identity Provider you use as long as it allows setting up SCIM v2. During the configuration, you will need to enter the Base URL https://yourdomain.uservoice.com/api/scim_v2 and Token obtained from Step One.

Supported Features

Assign License
- Pass a licenseType for users to determine which license type they are provisioned.
Assign User Traits
Assign Team for Admins & Contributors (Okta Only)
- Pass teams for admins or contributors to assign them to specific Teams.
Deactivate License
- When deleting or deactivating a user via the IdP or SCIM, this will only deactivate their license within UserVoice. The user will be moved from one of the Licensed Types to End-User.

Attributes

SCIM Attribute	UserVoice Field
SCIM Attribute	Variables	Permission Reference
`licenseType`	Variables	Capture Feedback	Internal Roadmap	Idea Management	Settings
	`fullaccess_owner`	On	View & Edit	View & Edit	Full edit
	`admin`	On	View & Edit	View & Edit	Partial
	`admin_no_settings`	On	View & Edit	View & Edit	Disabled
	`readonly_admin`	On	View & Edit	View only	Disabled
	`admin_ideas_only`	On	Disabled	View & Edit	Disabled
	`admin_feedback_only`	On	Disabled	View only	Disabled
	`contributor`	On	Disabled	Disabled	Disabled
	`none`	Off	N/A	N/A	N/A
`userName`	`email`
`teams` (optional)	array of Team Names OR IDs

Note: Once SCIM has been configured, any further provisioning of licenses (add/removing/updating) will be done through the IdP. If attempted within the UI, changes will not be saved.

GET Schemas to list the schemas
GET ServiceProviderConfig to return the service provider configurations
GET Users to list users permissions
GET Users/:id to list a specific user permissions
POST Users to create a permission record
PUT Users/:id to replace a permission record
DELETE Users/:id to delete a permission record

Assign Teams (optional)

SCIM supports automatic team assignment during user provisioning, allowing you to sync Team assignments with your Idp groups. To best understand this process, please read these details below.

When teams is included in a SCIM request, SCIM becomes the source of truth for that user's team assignments
Users must have an active admin or contributor license to be assigned to teams
Team assignments are silently skipped for users without admin/contributor licenses, so if you accidentally assign a Team to an end user, it will not be accepted.
Teams specified by name are auto-created if they don't exist in UserVoice (SCIM as source of truth)
Teams specified by ID must exist in UserVoice, or an error is returned
Any existing teams not in the SCIM payload will be removed
Teams are automatically removed when admin/contributor licenses are revoked

Best Practices

Use team names - Let SCIM auto-create teams to match your IdP group names
Consistent naming - Ensure IdP group names match desired UserVoice team names (typos create new teams!)
Test first- Verify team assignments with one user before rolling out
Include teams always - You can safely include teams in all requests; they're silently skipped for non-admin users
Monitor for unexpected teams - Auto-creation means typos become new teams
Remember: SCIM overwrites manual team assignments
Endpoints