SCIM is a standard protocol for user provisioning with groups. Enabling SCIM with your Contentful organization allows you to provision user and team access directly from your IdP.
What is SCIM?
According to Okta, “SCIM, or System for Cross-domain Identity Management, is an open standard that allows for the automation of user provisioning. SCIM makes user data more secure and simplifies the user experience by automating the user identity lifecycle management process.”
Which Identity Providers (IdPs) do you support?
We have tested functionality of Contentful with the following Identity Providers:
Okta - see Okta user provisioning integration with SCIM
OneLogin - see OneLogin user provisioning integration with SCIM
Azure - see Azure user provisioning integration with SCIM
Ping Identity - see Ping user provisioning integration with SCIM
Please click here to leave your feedback if our SCIM functionality is incompatible with your Identity Provider.
Supported SCIM features
See our developer documentation for details.
Add a new user
This will send a Contentful invitation to the email address provided. By default, invitees will be assigned an Organization Member role and have no space access.
Remove a user
This will remove a Contentful organization member's access from the Contentful organization. For more information, read the FAQ response on deprovision.
Import users
This will retrieve all Contentful organization members in the Contentful organization.
Add a group
This will create a Contentful team in the Contentful organization.
Remove a group
This will remove a Contentful team in the Contentful organization. This will also remove this team membership from the users which were previously in the team.
Add/remove users to/from a group
This will add existing Contentful organization members to an existing Contentful team and grant all the space access which has been set up for the team.
This will remove existing Contentful organization members from an existing Contentful team and remove all the space access which has been set up for the team.
Import groups
This will retrieve all the teams in the Contentful organization.
Non-supported SCIM features
Edit a user
This endpoint is disabled for Contentful. Since users can be members of more than one organization, an organization is not allowed to manage attributes of the user (such as their name or email). If you would like to manage a user’s Organization Role, please use the Contentful web app.
Which version of the protocol does Contentful support?
Contentful currently supports version 2.0 of the SCIM protocol.
How do I set up SCIM for my organization?
Our SCIM integration is currently available to Premium/Enterprise customers who have a Scale or High Availability platform. Reach out to your Customer Success Manager to learn more about availability. Setup steps will vary between Identity Providers. Please reach out to the Contentful support team if you need more help.
For Okta - see Okta user provisioning integration with SCIM
For a custom identity provider, please refer to our developer documentation to access the endpoints directly.
We suggest creating an administration user with an Organization Owner role to set up SCIM. If your SCIM Administrator leaves your Contentful Organization, your Identity Provider will lose authorization to provision in Contentful.
For other identity providers:
Log in as an Organization Owner and head to Organization Settings.
On the SCIM info page, copy the SCIM base URL and Authorization token.
Head to your Identity Provider and log in as an Administrator.
In the Identity Provider, create a Contentful App (or open your existing Contentful App if you already have SSO set up).
Enable provisioning and enter the SCIM base URL and Authorization token.
Start managing your Contentful users and teams in your Identity Provider.
Why isn't my Authorization token working?
If your Authorization token is not working, you can:
Check that you are an Organization Owner or Organization Admin for the organization
Try without the prefix ‘Bearer’ i.e. CFPAT-xXxXxXxX
Try with the prefix ‘Bearer’ i.e. Bearer CFPAT-xXxXxXxX
What data do I need to configure provisioning in my Identity Provider?
You will need your SCIM base URL, found in Organization Settings > Access Tools > User Provisioning. You will also need an Authorization token.
We suggest creating an administration user with an Organization Owner role to set up SCIM. If your SCIM Administrator leaves your Contentful Organization, your Identity Provider will lose authorization to provision in Contentful.
Can I use SCIM and SSO JIT at the same time?
SSO SAML is an authentication method for using Contentful. If you have SCIM enabled and SSO JIT set up, you can invite users using the SCIM protocol and users can accept invitations/log into Contentful using the SSO SAML authentication.
Can I add and remove users from spaces from my Identity Provider?
Not directly. You can add users into groups in your Identity Provider. If this group matches a Contentful team which has space access granted in Contentful, new team members will inherit the team space access. We suggest that you manage user access to spaces with teams for the SCIM feature to effectively streamline your onboarding process.
Can I add and remove users from teams from my Identity Provider?
Yes. You can add users into groups in your Identity Provider. If this group matches a Contentful team which has space access granted in Contentful, new team members will inherit the team space access. We suggest that you manage user access to spaces with teams for the SCIM feature to effectively streamline your onboarding process.
Can I change a user’s organization role from my Identity Provider?
No. As an Organization Manager, you can change a user’s organization role in the Contentful web app.
Can I change a user’s email address from my Identity Provider?
No. An organization is not allowed to manage attributes of the user (such as their name or email).
How many users can I provision from my Identity Provider?
There is no limit to how many users can be provisioned. However, some of our Premium/Enterprise plans will charge overages above an allowance of users. You can view your user usage within Organization Settings in the Contentful web app.
How many teams can I provision from my Identity Provider?
There is no limit to how many teams can be provisioned in a Contentful Organization.
I have added a user into a group in my Identity Provider, why don’t they have space access in Contentful?
We suggest checking that your teams in Contentful have team space access set up. When users are added to a group in your Identity Provider, if the group ('team' in Contentful) has team space memberships set up in Contentful, then the team members will inherit the team space access.
What is the difference between a group and a team?
The SCIM protocol refers to ‘groups’ as a logical grouping of users. In Contentful, we have ‘teams’ which refer to a logical grouping of Organization members.
Can I continue to add users via the Contentful web app?
Yes. We suggest using SCIM provisioning for users who exist in your Identity Provider. If you use external contractors who don’t exist within your Identity Provider, you can continue to invite them via the web app.
What happens if the person who set up SCIM leaves my organization?
We suggest creating an administration user with an Organization Owner role to set up SCIM. If your SCIM Administrator leaves your Contentful Organization, your Identity Provider will lose the ability to provision users in Contentful.
Will I get charged for users that I provision via my Identity Provider?
When you provision users using SCIM, they will receive an invitation to join your organization. These users will count as seat takers when they accept the invitation.
Can I deprovision users from my Identity Provider?
Yes, SCIM’s action of “deprovisioning” removes a user’s access from the organization by removing their organization membership. This would effectively remove a user’s access to the organization and all related content inside the organization.
Do deprovision and deactivation of a user from my Identity Provider mean the same thing?
Yes. “Deactivation” is a state provided by many Identity Providers, and it means the same thing as “deprovisioning” for a user in the Contentful organization. Deactivation or deprovisioning removes a user’s access from the organization by removing their organization membership.
Do deprovision and suspension of a user from my Identity Provider mean the same thing?
Yes. “Suspension” is a state provided by many Identity Providers. This means the same thing as Deprovisioning for a user in the Contentful organization. Suspension or deprovisioning removes a user’s access from the organization by removing their organization membership.
How do I manage a user invited by Contentful web app via my Identity Provider?
To manage a user that was initially invited within Contentful’s web app via the Identity Provider, you need to have that user available in the Identity Provider’s active directory. The user should be given access to Contentful’s application from the Identity Provider.
Once access is granted, the user inside Contentful will be linked to the user in Identity Provider. This means that if the user’s access in Contentful is revoked from the Identity Provider, then the user will also be deprovisioned from Contentful’s organization.
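The following audit sketch is an added example, not Contentful's code. It compares the result of a SCIM "Import users" call with the users assigned to the Contentful app in the Identity Provider, to find members (for example, contractors invited via the web app) who are not linked and so would not be deprovisioned from the IdP. It assumes each SCIM User resource carries the member's email in userName or emails, and that the IdP assignment list is exported separately; all sample data is constructed.

```python
import json

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample of a SCIM 2.0 "import users" response (not real data).
SAMPLE_IMPORT = json.dumps({
    "schemas": [LIST_RESPONSE],
    "totalResults": 4,
    "Resources": [
        {"id": "u1", "userName": "Ana@Example.com"},
        {"id": "u2", "userName": "ben@example.com"},
        {"id": "u3", "userName": "contractor@vendor.example"},
        {"id": "u4", "emails": [{"value": "dee@example.com", "primary": True}]},
    ],
})

# Constructed sample: users assigned to the Contentful app in the IdP.
SAMPLE_IDP_ASSIGNED = ["ana@example.com", "ben@example.com", "eve@example.com"]


def member_email(resource):
    """Return the lower-cased email of one SCIM User resource, or None."""
    name = resource.get("userName")  # assumption: userName holds the email
    if not name:
        emails = resource.get("emails") or []
        primary = [e for e in emails if e.get("primary")] or emails
        name = primary[0].get("value") if primary else None
    return name.strip().lower() if name else None


def audit(import_json, idp_assigned):
    """Compare imported organization members with the IdP's app assignments."""
    body = json.loads(import_json)
    if LIST_RESPONSE not in body.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    resources = body.get("Resources", [])
    if body.get("totalResults", len(resources)) > len(resources):
        raise ValueError("partial page: fetch remaining pages before auditing")
    members = {member_email(r) for r in resources} - {None}
    assigned = {a.strip().lower() for a in idp_assigned}
    return {
        "unmanaged": sorted(members - assigned),  # not linked to the IdP
        "pending": sorted(assigned - members),    # assigned, not in the import
    }


if __name__ == "__main__":
    print(audit(SAMPLE_IMPORT, SAMPLE_IDP_ASSIGNED))
```

Accounts listed under "unmanaged" need either an app assignment in the Identity Provider or a manual offboarding process in the web app.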
Can I manage group permissions from my Identity Provider?
No. You can export your groups as teams to Contentful and then, within Contentful, set up space access and permissions for these teams.