SCIM (System for Cross-domain Identity Management) is a standard protocol for managing accounts across multiple services: adding teammates, changing their properties, such as their name, or disabling accounts to revoke access. Integrating Intercom with your identity provider makes managing teammates simple and secure.
Setting up SCIM provisioning
To enable SCIM, go to Settings > Security and make sure 'Require SAML SSO' is selected. Then toggle on 'SCIM Provisioning':
A token will be available after you save the security settings.
Add the base URL and the token to the configuration of the Intercom app in your identity provider.
Known limitations and important notes
The current SCIM implementation doesn't support:
assigning a role to a teammate / removing a teammate from a role
adding a teammate to a team / removing a teammate from a team
assigning seats to / removing seats from teammates
giving a default role on provisioning (adding a teammate to the workspace)
giving default seats on provisioning (adding a teammate to the workspace)
Before setting up SCIM, the workspace should have SAML SSO set up and enabled.
Each customer’s workspace should be set up as a separate app in their Identity provider.
When you hire a new employee, your IT team adds the new hire to the company's identity provider directory. Anything that supports the SCIM protocol can be used; popular examples are Okta, OneLogin and Azure Active Directory.
After adding the teammate to the identity provider, if the new teammate requires Intercom access, the IT team uses the identity provider's UI to assign the Intercom app to the new hire.
At that point the identity provider makes an HTTP request to Intercom, which creates a new admin in the customer's workspace. By default, the new teammate receives the permissions set up in Provisioning settings. If an admin with the same email already exists in Intercom, that existing admin is given access to the customer's workspace instead of a new one being created. This flow is called User Provisioning; by the end of it, the new hire can log in to Intercom and work in the usual way.
When the IT team changes the teammate's name in the identity provider's directory, the identity provider sends an HTTP request to Intercom to update the teammate's name in Intercom.
When the teammate no longer needs access to Intercom (due to a role change or offboarding), the IT team removes the Intercom assignment from the employee in the company's identity provider directory. The identity provider then makes an HTTP request to Intercom to remove the teammate from the workspace. Intercom reassigns all objects assigned to that teammate (conversations from the Help Desk, outbound messages, users/leads, articles) according to the reassignment rules set up in Security Settings. This flow is called User Deprovisioning.
If the teammate has access to any other workspaces, that access is retained.
Configuring provisioning settings
Default teammate permissions
When your new teammate is created by your identity provider, Intercom gives them a default set of permissions that you can set up in Security Settings:
Click 'Edit' and toggle on the permissions for the new teammate:
When teammates are deprovisioned by your identity provider, Intercom reassigns all conversations, articles, outbound messages and contacts to another admin. You can choose who should get ownership of each type of data in your workspace. If you choose the 'Default' option, Intercom assigns the items to the first teammate in the workspace; they can be reassigned later.
You can also choose admins that should be excluded from deprovisioning. This helps your IT team keep access to your Intercom workspace in case of a misconfiguration or an emergency.
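As an added illustration (not Intercom's code, and not a real SCIM client or server), the toy model below applies the provisioning and deprovisioning rules described in this article to an in-memory workspace: default permissions on creation, reuse of an existing admin with the same email, reassignment of owned objects on deprovisioning (an explicit owner per object type, or the 'Default' first teammate), protection of excluded admins, and retention of access to other workspaces. All workspace names, emails, permission labels and object ids are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Workspace:  # each workspace is a separate app in the IdP
    default_permissions: frozenset                    # 'Default teammate permissions'
    reassign_to: dict = field(default_factory=dict)   # object kind -> email or "Default"
    excluded_admins: frozenset = frozenset()          # never deprovisioned
    admins: list = field(default_factory=list)        # ordered; admins[0] is the 'Default' owner
    permissions: dict = field(default_factory=dict)   # email -> set of permissions
    objects: dict = field(default_factory=dict)       # (kind, id) -> owner email

def scim_create_user(ws, body):
    """IdP POST /Users: a new admin gets the default permission set; an admin
    that already exists with that email only gains access to this workspace."""
    email = body["userName"]
    if email not in ws.admins:
        ws.admins.append(email)
        ws.permissions[email] = set(ws.default_permissions)
    return {"id": email, "userName": email, "active": True}

def scim_deprovision_user(ws, email):
    """IdP deprovisioning request (PATCH active=false or DELETE): remove the
    admin and return the (kind, id, new_owner) reassignments that were made."""
    if email in ws.excluded_admins:
        raise PermissionError(f"{email} is excluded from deprovisioning")
    if email not in ws.admins:
        return []
    ws.admins.remove(email)
    ws.permissions.pop(email, None)
    moves = []
    for (kind, oid), owner in ws.objects.items():
        if owner == email:
            target = ws.reassign_to.get(kind, "Default")
            if target == "Default":
                target = ws.admins[0]  # 'Default' = first teammate in the workspace
            ws.objects[(kind, oid)] = target
            moves.append((kind, oid, target))
    return moves

def run_demo():
    """Hire, then offboard, a teammate who was assigned both workspace apps (constructed data)."""
    support = Workspace(frozenset({"manage_conversations"}),
                        reassign_to={"conversation": "lead@example.com"},
                        excluded_admins=frozenset({"it-admin@example.com"}))
    sales = Workspace(frozenset({"send_outbound"}))
    for ws, users in ((support, ["it-admin", "lead", "new.hire"]), (sales, ["it-admin", "new.hire"])):
        for user in users:
            scim_create_user(ws, {"userName": f"{user}@example.com"})
    support.objects = {("conversation", 1): "new.hire@example.com",
                       ("article", 7): "new.hire@example.com"}
    moves = scim_deprovision_user(support, "new.hire@example.com")
    return support, sales, moves
```

Running `run_demo()` shows the conversation going to the configured owner, the article falling back to the first teammate, and the new hire keeping their seat in the other workspace.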