System for Cross-domain Identity Management (SCIM) Provisioning

Create and remove teammates using Okta, OneLogin or another identity provider using SCIM provisioning.

Written by Jordan Shefrin
Updated over a week ago

SCIM, the System for Cross-domain Identity Management, is a standard protocol for managing accounts across multiple services: adding teammates, changing their properties such as name, or disabling accounts to revoke access. Integrating Intercom with your identity provider makes managing teammates simple and secure.

Important:

  • Before setting up SCIM, SAML SSO should be set up in your workspace.

  • Intercom's provisioning capability is built using version 2.0 of the SCIM protocol.

  • Currently Groups and Roles are not supported.

  • Check our plans and pricing to add this to your subscription.

Setting up SCIM provisioning

To enable SCIM, go to Settings > Security and make sure 'Require SAML SSO' is selected. Then toggle on 'SCIM Provisioning':

A token will be available after you save the security settings.

Add the base URL and token to the Intercom app's configuration in your identity provider.

Known limitations and important notes

The current SCIM implementation doesn't support:

  • assigning a role to a teammate / removing a teammate from a role

  • adding a teammate to a team / removing a teammate from a team

  • assigning seats to / removing seats from teammates

  • giving a default role on provisioning (adding a teammate to the workspace)

  • giving default seats on provisioning (adding a teammate to the workspace)

📌 Important

  • Before setting up SCIM, the workspace should have SAML SSO set up and enabled.

  • Each customer’s workspace should be set up as a separate app in their Identity provider.

Creating teammates

When you hire a new employee, your IT team adds the new hire to the company's identity provider directory. Any identity provider that supports the SCIM protocol can be used; popular examples are Okta, OneLogin and Azure Active Directory.

After adding a teammate to the Identity provider, if the new teammate requires Intercom access, the IT Team then uses the Identity provider’s UI to assign Intercom to the new hire.

At that point the identity provider makes an HTTP request to Intercom, which creates a new admin in the customer's workspace. By default, the new teammate receives the permissions set up in Provisioning settings. If an admin with the same email already exists in Intercom, that admin is given access to the customer's workspace instead. This flow is called User Provisioning; by the end of it, the new hire can log in to Intercom and work in the usual way.

Updating teammates

When the IT team changes the teammate's name in the identity provider's directory, the identity provider sends an HTTP request to Intercom to update the teammate's name in Intercom.

Deleting teammates

When the teammate no longer needs access to Intercom (due to a role change or offboarding), the IT team removes the Intercom assignment from the employee in the company's identity provider directory. The identity provider then makes an HTTP request to Intercom to remove the teammate from the workspace. Intercom reassigns all objects (conversations from the Help Desk, outbound messages, users/leads, articles) assigned to that teammate according to the reassignment rules set up in Security Settings. This flow is called User Deprovisioning.

If the teammate has access to any other workspaces, that access is retained.
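The three flows above (provisioning, update, deprovisioning) are ordinary SCIM 2.0 requests from the identity provider to the base URL. The following is an added example, not Intercom's code or API: a minimal in-memory handler that shows what each request looks like and how it maps onto a workspace. Everything beyond the SCIM 2.0 schema URNs is an assumption: that the provisioning token is sent as a Bearer token, that `userName` carries the login email and `displayName` the name, that a `replace` of `active` to `false` deprovisions just like a `DELETE`, and the permission name used as the default.

```python
from dataclasses import dataclass

# Standard SCIM 2.0 schema identifiers (RFC 7643 / RFC 7644).
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# Assumptions for this example: the token from the security settings is presented
# as a Bearer token, and the default permission set mirrors Provisioning settings.
PROVISIONING_TOKEN = "example-scim-token"
DEFAULT_PERMISSIONS = frozenset({"can_reply_to_conversations"})


@dataclass
class Admin:
    id: str
    email: str
    name: str


class Directory:
    """Every admin known to the service, keyed by lowercased email (case-insensitive)."""

    def __init__(self):
        self.admins = {}
        self._next = 1

    def get(self, email):
        return self.admins.get(email.lower())

    def create(self, email, name):
        admin = Admin(id=str(self._next), email=email, name=name)
        self._next += 1
        self.admins[email.lower()] = admin
        return admin

    def by_id(self, admin_id):
        return next((a for a in self.admins.values() if a.id == admin_id), None)


class Workspace:
    """One workspace; in practice each workspace is a separate app in the identity provider."""

    def __init__(self, name, directory):
        self.name = name
        self.directory = directory
        self.members = {}  # admin id -> permission set for this workspace

    def handle(self, method, path, headers, body=None):
        """Dispatch one SCIM request; returns (HTTP status, response body)."""
        if headers.get("Authorization") != f"Bearer {PROVISIONING_TOKEN}":
            return 401, self._error(401, "invalid provisioning token")
        if method == "POST" and path == "/Users":
            return self._create(body)
        admin_id = path.rsplit("/", 1)[-1] if path.startswith("/Users/") else None
        admin = self.directory.by_id(admin_id) if admin_id else None
        if admin is None or admin.id not in self.members:
            return 404, self._error(404, "User not found")
        if method == "PATCH":
            return self._patch(admin, body)
        if method == "DELETE":
            return self._delete(admin)
        return 405, self._error(405, "unsupported method")

    def _create(self, body):
        # User Provisioning: create the admin, or grant an existing admin access.
        email = body["userName"]
        admin = self.directory.get(email)
        if admin is None:
            admin = self.directory.create(email, body.get("displayName", email))
        elif admin.id in self.members:
            return 409, self._error(409, "uniqueness")  # already a member of this workspace
        self.members[admin.id] = set(DEFAULT_PERMISSIONS)
        return 201, self._resource(admin)

    def _patch(self, admin, body):
        # Update: only 'replace' of displayName (rename) or active=false (deprovision).
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return 400, self._error(400, "only replace is supported here")
            if op.get("path") == "displayName":
                admin.name = op["value"]
            elif op.get("path") == "active" and op["value"] is False:
                return self._delete(admin)
            else:
                return 400, self._error(400, f"unsupported path {op.get('path')}")
        return 200, self._resource(admin)

    def _delete(self, admin):
        # User Deprovisioning: membership in this workspace only; other workspaces keep it.
        del self.members[admin.id]
        return 204, None

    def _resource(self, admin):
        return {"schemas": [SCIM_USER], "id": admin.id, "userName": admin.email,
                "displayName": admin.name, "active": True}

    @staticmethod
    def _error(status, detail):
        return {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
```

Two properties worth checking against your own setup: a teammate who already exists under a differently-cased email is matched rather than duplicated, and removing them from one workspace leaves their membership in another workspace intact.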

Configuring provisioning settings

Default teammate permissions

When your new teammate is created by your identity provider, Intercom gives them a default set of permissions that you can set up in Security Settings:

Click 'Edit' and toggle on the permissions for the new teammate:

Deprovisioning teammates

When teammates are deprovisioned by your identity provider, Intercom reassigns all conversations, Articles, Outbound messages and contacts to another admin. You can choose who should get the ownership of each type of data in your workspace. If you choose the 'Default' option, Intercom will assign items to the first teammate in the workspace, but they can be reassigned later.

You can also choose admins that should be excluded from deprovisioning. This could help your IT Team to keep access to your Intercom workspace in case of misconfiguration or an emergency.

Note:

  • Teammates in Intercom today can be in one of two states: active or deleted. Intercom does not support any soft-deleted, deactivated or archived state for teammates.

  • Where a teammate is not active in your identity provider, this teammate's account will be deleted from the Intercom workspace.

  • Intercom considers email addresses as case insensitive.
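The reassignment rules, the 'Default' fallback, the exclusion list and the case-insensitive email matching described in this section fit together as a small policy. The following is an added example, not Intercom's code: it applies those rules to a constructed workspace, and adds a dry-run check that lists which Intercom teammates would be deleted because they are not assigned in the identity provider. The data layout, the item type names and the function names are assumptions.

```python
DEFAULT = "default"  # stands for the 'Default' option: first teammate in the workspace


def normalize(email):
    # Intercom treats email addresses as case-insensitive.
    return email.strip().lower()


def deprovision(workspace, teammate_email, rules, excluded):
    """Remove a teammate and reassign what they own.

    workspace: {"teammates": [emails in creation order],
                "items": [{"id": ..., "type": ..., "owner": email}]}
    rules:     item type -> email of the new owner, or DEFAULT
    excluded:  emails that must never be deprovisioned (e.g. the IT break-glass admin)
    Returns (removed, {item id: new owner}, reason).
    """
    target = normalize(teammate_email)
    if target in {normalize(e) for e in excluded}:
        return False, {}, "excluded from deprovisioning"
    teammates = [normalize(e) for e in workspace["teammates"]]
    if target not in teammates:
        return False, {}, "not a member"  # only active or deleted exists; nothing to do
    remaining = [t for t in teammates if t != target]
    if not remaining:
        return False, {}, "last teammate"  # nobody left to receive the items

    reassigned = {}
    for item in workspace["items"]:
        if normalize(item["owner"]) != target:
            continue
        rule = rules.get(item["type"], DEFAULT)
        new_owner = remaining[0] if rule == DEFAULT else normalize(rule)
        if new_owner not in remaining:
            new_owner = remaining[0]  # rule points at a missing teammate: fall back
        item["owner"] = new_owner
        reassigned[item["id"]] = new_owner

    workspace["teammates"] = [e for e in workspace["teammates"] if normalize(e) != target]
    return True, reassigned, "deprovisioned"


def pending_deletions(idp_assigned, workspace, excluded):
    """Dry run: teammates present in Intercom but no longer assigned in the identity
    provider will be deleted, unless they are on the exclusion list."""
    assigned = {normalize(e) for e in idp_assigned}
    safe = {normalize(e) for e in excluded}
    return [e for e in workspace["teammates"]
            if normalize(e) not in assigned and normalize(e) not in safe]
```

Running the dry run before enabling SCIM, with the exclusion list you intend to configure, shows exactly which accounts the first synchronisation would remove.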

