> For the complete documentation index, see [llms.txt](https://docs.datasaur.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.datasaur.ai/integrations/scim.md). # SCIM Datasaur supports SCIM 2.0 to efficiently provision and sync users within a workspace. Before enabling SCIM, you must first configure [SAML](/integrations/saml.md). Each team workspace can have its own SCIM setup. ## Scope With SCIM, you can manage workspace users from your identity provider, including: * Inviting users to a workspace with assigned roles * Provisioning users individually or in bulk through push groups * Syncing user profile information (First name, last name) * Removing users from a Workspace without deleting their account ## How to integrate Configuration is required on both the Datasaur app and the identity provider. Configuring only one side will not complete the integration. ### Configure in Datasaur app 1. Go to your Workspace and navigate to **Settings** > **API keys**. 2. Generate a key and save it securely. This will be used later on the identity provider app. 3. Go to **SAML & SCIM**. 4. Ensure that SAML 2.0 is already configured. 5. Click **Enable SCIM**. You can stop here if you do not plan to provision users through groups in Okta. 6. If you want to provision users through push groups: 1. In the **Group to role mapping** section, click **Edit**. 2. Add each group name that will be pushed to Datasaur and set the desired role. Refer to the [section below](#group-to-role-mapping) for more details. ### Configure in the identity provider To configure SCIM in your Identity Provider, refer to the guide below based on your provider: * [Okta](/integrations/scim/okta.md) * [Microsoft Entra ID](/integrations/scim/microsoft-entra-id.md) ## Group to role mapping You can map identity provider groups to workspace roles in Datasaur (admin, reviewer, labeler). Consider the following example: | Identity provider group | Workspace role | | ----------------------- | -------------- | | Administrator | Admin | | Manager | Reviewer | | QA | Reviewer | | Annotator | Labeler | | Data developer | Labeler | In this example, you have five groups in your identity provider. All users in these five groups will be added to the workspace with the corresponding role after the configuration is properly set (including the push group). If a user belongs to multiple groups with different roles, Datasaur assigns the highest-priority role using the following order: 1. Admin 2. Reviewer 3. Labeler For example, if John belongs to both the `Administrator` group and the `QA` group, John will be assigned the Admin role because Admin has higher priority than Reviewer. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.datasaur.ai/integrations/scim.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.